Search for any type of form in your web folder, that's a common way to upload new php files!

I could search for any occurrence of exec, system and eval as well!

Good luck

Sent from my iPhone

On Feb 24, 2012, at 1:07 PM, David Mintz <da...@davidmintz.org> wrote:

My Dreamhost shared hosting account just had its *.php injected with some garbage. People were getting stuff about "CHEAP High Quality Christian Louboutin replica shoes, pumps and boots." Someone also reported to me that he was redirected to a porn site. I also found a slew of images and all kinds of... stuff.

I changed my shell password, and I did this:

    egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' *| xargs perl -i -p -e 's/<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>//'

which appears to have purged everything of the injected code. (I am pretty confident that I have never used eval(base64_decode()) for any purpose myself.)

Now I kind of regret not saving a few of the compromised files for study.

Any other suggestions as to what I should do? Unfortunately I do not know how this happened; don't know if there is a huge vulnerability in one of the apps up there that was exploited, or if it was an inside job, or what. I do know Dreamhost had a well-publicized security compromise recently. The php injection that happened to me seems to have happened on Feb 21, based on the file modification times.

You can lecture me about being a fool to use Dreamhost if you like.

Thanks.

--
David Mintz
http://davidmintz.org/
It ain't over: http://www.healthcare-now.org/

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show-participation
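The cleanup in the quoted message deletes the injected code without keeping a copy. As an added example (not part of the thread), the function below saves each matching file with its modification time intact before stripping the same pattern. The function name, the two directory arguments and the use of sed in place of perl -i are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Same regex as the egrep/perl one-liner
# in the post. Caveat: ".+" is greedy, so on a matching line everything from
# the first "<?php" through the injected eval(...);?> is removed.
PATTERN='<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>'

# quarantine_and_clean WEBROOT EVIDENCE_DIR   (hypothetical helper)
# Copies every matching *.php file into EVIDENCE_DIR (mtime preserved, so the
# modification-time timeline survives), then strips the injected block in
# place. Prints the number of files cleaned. Keep EVIDENCE_DIR outside the
# web root. Assumes file names contain no newlines.
quarantine_and_clean() {
    webroot=${1%/}
    evidence=${2%/}
    mkdir -p "$evidence" || return 1
    list=$(mktemp) || return 1
    tmp=$(mktemp) || return 1

    # Build the list first so the evidence copies are never rescanned.
    find "$webroot" -type f -name '*.php' \
        -exec grep -lE "$PATTERN" {} + > "$list" || true

    count=0
    while IFS= read -r file; do
        rel=${file#"$webroot"/}
        mkdir -p "$evidence/$(dirname "$rel")" || return 1
        cp -p "$file" "$evidence/$rel" || return 1
        # Write through a temp file and cat back, which keeps the original
        # file's owner and permissions.
        sed -E "s/$PATTERN//" "$file" > "$tmp" && cat "$tmp" > "$file"
        count=$((count + 1))
    done < "$list"

    rm -f "$list" "$tmp"
    echo "$count"
}
```

The saved copies can then be examined offline, and their timestamps compared against the web server's access log for the same period.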