Re: RES: [PHP] Re: {ATTENTION} Re: [PHP] base64_decode

2012-10-02 Thread Ashley Sheridan
On Tue, 2012-10-02 at 15:04 -0300, Samuel Lopes Grigolato wrote:

> Another way to decode and inspect such data is to use utilities like:
> http://www.motobit.com/util/base64-decoder-encoder.asp 
> 
> By the way, never saw before this kind of sloppy irritating malicious
> "obfuscation" =).
> 
> Does your server allow execution of the "eval" function? I consider this a
> security breach especially if your apache user is not correctly "sandboxed".
> I wonder if there is a way to disable execution of this method on shared
> servers. AFAIK there is a way, I just can't remember how to do it.
> 
> Cheers.
> 
> -Original Message-
> From: John Taylor-Johnston [mailto:john.taylor-johns...@cegepsherbrooke.qc.ca]
> 
> Sent: Tuesday, 2 October 2012 14:46
> To: Rodrigo Silva dos Santos
> Cc: PHP-General
> Subject: [PHP] Re: {ATTENTION} Re: [PHP] base64_decode
> 
> Interesting.
> Thanks.
> It was a footer.php in a webpress theme.
> I was wondering if it was a portal someone was using to get onto my server.
> I changed ftp passwords and began using sftp, but phishing code is still
> leaking onto my sites. My wordpress copies are up to date and DreamHost has
> no real answers as to how someone is uploading and expanding *.tar.gz files.
> 
> Thanks,
> john
> 
> Rodrigo Silva dos Santos wrote:
> >
> >
> > Hello John.
> >
> > This code generates the following html:
> >
> > ?> </div>
> > <div id="footer"><a href="http://web-hosting-click.com/" title="Web hosting">Web hosting</a>
> > <!-- 27 queries. 0.561 seconds. -->
> > </div>
> > <?php wp_footer(); ?>
> > </body>
> > </html> <?
> >
> > Appears that is nothing dangerous, only "unauthorized advertising".
> >
> >
> >
> >
> > On 02-10-2012 14:27, John Taylor-Johnston wrote:
> >> Without anyone infecting their machines, can someone tell me what 
> >> this is? I found a phishing site on my DreamHost server. DreamHost 
> >> has been very helpful.
> >> We found a file containing this code.
> >> What is it? What does it contain?
> >>
> >> eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9I
> >> mh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPl
> >> dlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4
> >> NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/
> >> '));?>
> >>
> >
> 
> --
> John Taylor-Johnston
> 
> Département de Langues modernes
> Cégep de Sherbrooke, Sherbrooke, Québec
> http://cegepsherbrooke.qc.ca/~languesmodernes/
> http://cegepsherbrooke.qc.ca/~languesmodernes/wiki/
> 
> 
> 


I'd say the first step is to remove or disable any unnecessary plugins
and make sure all the necessary ones are as up-to-date as they can be. I
recall reading an article recently about the most popular thumbnail
generation plugin for Wordpress (I'm not a Wordpress user, don't recall
the plugin name) that had a security flaw that would allow unauthorised
access to your server.

Look at server logs. See if there is any useful information in them that
would tell you what pages were requested just prior to the .tar.gz
archives being uploaded.

Change login details for both FTP and Wordpress itself for all users if
you can, and maybe check for any added users who shouldn't be there.

If you have a backup of the code files try and restore it. If you don't,
compare a fresh Wordpress install with the plugins you're using to what
you have on the live site to see if there are any other dodgy files on
the server that ought not to be.

Hope that helps some!

-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk
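The clean-up steps in the reply above (compare a fresh WordPress install plus the plugins in use against the live site, and read the access log for what was requested just before the archive appeared) as one worked example. This is added code, not from the thread or from anyone in it; the directory layout, file contents and log lines are constructed for the demonstration, and the only value taken from the thread is the base64 string found in footer.php.

```python
"""Triage helpers: diff a live document root against a clean reference tree,
flag eval(base64_decode(...)) in the files that differ, and pull the requests
logged shortly before an archive's timestamp. Sample data is constructed."""
import hashlib
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Only the literal shape quoted in the thread; other obfuscators look different.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Apache combined-format line, just the fields needed for correlation.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(reference: Path, live: Path) -> dict[str, list[str]]:
    """Files only on the live site, files whose content differs from the
    reference, and which of those PHP files carry eval(base64_decode(...))."""
    ref, cur = hash_tree(reference), hash_tree(live)
    added = sorted(set(cur) - set(ref))
    modified = sorted(p for p in cur if p in ref and cur[p] != ref[p])
    flagged = [
        rel for rel in added + modified
        if rel.endswith(".php")
        and EVAL_B64.search((live / rel).read_text(errors="replace"))
    ]
    return {"added": added, "modified": modified, "eval_base64": sorted(flagged)}


def requests_before(log_lines, upload_time: datetime, window=timedelta(minutes=10)):
    """Requests logged in the window that ends at the archive's timestamp."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if upload_time - window <= ts <= upload_time:
            hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits


# Constructed sample data. PAYLOAD is the base64 string quoted in the thread.
PAYLOAD = (
    "Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9I"
    "mh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPl"
    "dlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4"
    "NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/"
)
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
INFECTED_FOOTER = "<?php eval(base64_decode('" + PAYLOAD + "'));?>\n"
SAMPLE_LOG = [  # constructed; addresses are documentation ranges
    '203.0.113.5 - - [02/Oct/2012:14:00:02 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Oct/2012:14:25:40 -0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Oct/2012:14:28:13 -0300] "POST /wp-admin/upload.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
ARCHIVE_MTIME = datetime(2012, 10, 2, 14, 30, tzinfo=timezone(timedelta(hours=-3)))


def build_sample_site(base: Path) -> tuple[Path, Path]:
    """Create a reference tree and a live tree with a planted footer.php."""
    reference, live = base / "reference", base / "live"
    for root in (reference, live):
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
    (reference / "wp-content" / "themes" / "demo" / "footer.php").write_text(CLEAN_FOOTER)
    (live / "wp-content" / "themes" / "demo" / "footer.php").write_text(INFECTED_FOOTER)
    (live / "wp-content" / "planted.tar.gz").write_bytes(b"\x1f\x8b placeholder bytes")
    return reference, live


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        diff = compare_trees(*build_sample_site(Path(tmp)))
    return {"diff": diff, "requests": requests_before(SAMPLE_LOG, ARCHIVE_MTIME)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The reference tree should be a fresh download of the same WordPress version and the same plugin and theme versions, so that only local edits and foreign files show up as differences; wp-config.php and wp-content/uploads will always differ legitimately and are best reviewed by hand. The log window is deliberately short: widen it only after checking that the archive's mtime was not reset when it was extracted.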




RES: [PHP] Re: {ATTENTION} Re: [PHP] base64_decode

2012-10-02 Thread Samuel Lopes Grigolato
Another way to decode and inspect such data is to use utilities like:
http://www.motobit.com/util/base64-decoder-encoder.asp 

By the way, never saw before this kind of sloppy irritating malicious
"obfuscation" =).

Does your server allow execution of the "eval" function? I consider this a
security breach especially if your apache user is not correctly "sandboxed".
I wonder if there is a way to disable execution of this method on shared
servers. AFAIK there is a way, I just can't remember how to do it.

Cheers.

-Original Message-
From: John Taylor-Johnston [mailto:john.taylor-johns...@cegepsherbrooke.qc.ca]

Sent: Tuesday, 2 October 2012 14:46
To: Rodrigo Silva dos Santos
Cc: PHP-General
Subject: [PHP] Re: {ATTENTION} Re: [PHP] base64_decode

Interesting.
Thanks.
It was a footer.php in a webpress theme.
I was wondering if it was a portal someone was using to get onto my server.
I changed ftp passwords and began using sftp, but phishing code is still
leaking onto my sites. My wordpress copies are up to date and DreamHost has
no real answers as to how someone is uploading and expanding *.tar.gz files.

Thanks,
john

Rodrigo Silva dos Santos wrote:
>
>
> Hello John.
>
> This code generates the following html:
>
> ?> </div>
> <div id="footer"><a href="http://web-hosting-click.com/" title="Web hosting">Web hosting</a>
> <!-- 27 queries. 0.561 seconds. -->
> </div>
> <?php wp_footer(); ?>
> </body>
> </html> <?
>
> Appears that is nothing dangerous, only "unauthorized advertising".
>
>
>
>
> On 02-10-2012 14:27, John Taylor-Johnston wrote:
>> Without anyone infecting their machines, can someone tell me what 
>> this is? I found a phishing site on my DreamHost server. DreamHost 
>> has been very helpful.
>> We found a file containing this code.
>> What is it? What does it contain?
>>
>> eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9I
>> mh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPl
>> dlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4
>> NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/
>> '));?>
>>
>

--
John Taylor-Johnston

Département de Langues modernes
Cégep de Sherbrooke, Sherbrooke, Québec
http://cegepsherbrooke.qc.ca/~languesmodernes/
http://cegepsherbrooke.qc.ca/~languesmodernes/wiki/



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: {ATTENTION} Re: [PHP] base64_decode

2012-10-02 Thread John Taylor-Johnston

Interesting.
Thanks.
It was a footer.php in a webpress theme.
I was wondering if it was a portal someone was using to get onto my server.
I changed ftp passwords and began using sftp, but phishing code is 
still leaking onto my sites. My wordpress copies are up to date and 
DreamHost has no real answers as to how someone is uploading and 
expanding *.tar.gz files.


Thanks,
john

Rodrigo Silva dos Santos wrote:

Hello John.

This code generates the following html:

?> </div>
<div id="footer"><a href="http://web-hosting-click.com/" title="Web hosting">Web hosting</a>
<!-- 27 queries. 0.561 seconds. -->
</div>
<?php wp_footer(); ?>
</body>
</html> <?

Appears that is nothing dangerous, only "unauthorized advertising".

On 02-10-2012 14:27, John Taylor-Johnston wrote:
Without anyone infecting their machines, can someone tell me what 
this is? I found a phishing site on my DreamHost server. DreamHost 
has been very helpful.

We found a file containing this code.
What is it? What does it contain?

eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9Imh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPldlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/'));?>






--
John Taylor-Johnston

Département de Langues modernes
Cégep de Sherbrooke, Sherbrooke, Québec
http://cegepsherbrooke.qc.ca/~languesmodernes/
http://cegepsherbrooke.qc.ca/~languesmodernes/wiki/