This PHP-based spam script has been around for a reasonable amount of time. I commonly see it under a variety of names, all in the format sm3 followed by two letters and one number, which makes it relatively easy to find. In all cases where I have found this script it has been heavily obfuscated. Another common giveaway is its location: it usually sits in a directory whose name starts with “_”, or in a directory named just “_”.

Script name: sm3rm1.php / sm3ht4.php / other similar names

Script MD5: 91492e2187437f08a0a66dea2e106790 / bd24fafaaf91898b8fb606461a7cbd1f (gzipped)

Compromise Method: Vulnerable osCommerce / Potentially Other

Notes: PHP script that finds its way onto compromised osCommerce accounts (in all cases I have found), which are then used to send out spam.

Example file(s): Original / Human Readable (Also see below)

Detail: In every case where I have found this script there has been a vulnerable version of osCommerce installed. This led to the compromise of the webspace, allowing the attacker to upload this file.
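A hunt for this script by the indicators given above, as an added example that is not part of the original post: it looks for the sm3 + two letters + one digit filename, for “_”-prefixed directories, and for PHP files whose MD5 matches the two hashes listed. It assumes a POSIX shell with find, grep -E and md5sum; the directory tree it runs against is constructed for the demonstration and the function names are my own. The hash list can be extended with the other MD5s posted on this blog.

```shell
#!/bin/sh
# Added example (not from the post): hunt for the sm3 spam script by its filename
# pattern, its preferred "_" directory, and the MD5s of the known samples.
# Assumes POSIX sh with find, grep -E and md5sum.

# MD5s from the post: the script as found, and a gzipped copy.
KNOWN_MD5='91492e2187437f08a0a66dea2e106790
bd24fafaaf91898b8fb606461a7cbd1f'

# A constructed web root: one legitimate osCommerce file and one decoy dropped
# into an "_"-prefixed directory. The decoy body is a placeholder, not the real script.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/public_html/catalog/includes" "$SAMPLE/public_html/_tmp"
printf '<?php /* legitimate osCommerce file, constructed */\n' > "$SAMPLE/public_html/catalog/includes/application_top.php"
printf '<?php /* constructed placeholder standing in for the spam script */\n' > "$SAMPLE/public_html/_tmp/sm3rm1.php"

# PHP files named sm3 + two letters + one digit, e.g. sm3rm1.php / sm3ht4.php.
find_sm3_names() {
    find "$1" -type f -name 'sm3*.php' | grep -E '/sm3[A-Za-z]{2}[0-9]\.php$'
}

# Directories whose name starts with "_": worth a manual look even when the
# script has been renamed.
find_underscore_dirs() {
    find "$1" -type d -name '_*'
}

# PHP files whose MD5 is in a newline-separated hash list (defaults to KNOWN_MD5).
find_known_hashes() {
    dir=$1
    hashes=${2:-$KNOWN_MD5}
    find "$dir" -type f -name '*.php' -exec md5sum {} + | while read -r sum path; do
        if printf '%s\n' "$hashes" | grep -qx "$sum"; then
            printf '%s\n' "$path"
        fi
    done
}

# Stand-alone run: report every indicator under the sample root.
find_sm3_names "$SAMPLE"
find_underscore_dirs "$SAMPLE"
find_known_hashes "$SAMPLE"
```

On a real server replace `$SAMPLE` with the account's document root; the name and directory checks will catch renamed copies that the hash check misses, while the hash check catches copies that were renamed to something innocuous.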


It isn’t uncommon to see web-based attacks leverage weak file permissions to attack whole shared hosting servers and read sensitive files such as database and API configurations. Quite often file permissions for web applications are completely ignored and just left at whatever the defaults are on the server. Many shared hosting servers are configured so that files default to 644 and folders to 755. This is so that the web server, which runs as a different user, is able to access the files it requires. If the web server runs an extension such as suPHP or suexec to execute scripts under the user ID that actually owns the file, such open permissions are not needed on any file that will be executed under those extensions (most, if not all, shared hosting servers do this, otherwise there would be massive security flaws). This post only covers servers that run such extensions – if yours does not, these file permissions will not work and will just break your website.
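An audit-and-tighten script for the suPHP/suexec case described above, as an added example that is not part of the original post: it lists PHP files that other accounts on the server could read or write, restricts scripts to the owner (600) while leaving static files at 644, and reports anything world-writable. It assumes POSIX find and chmod and a server where PHP really does run as the file owner; the site tree is constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): audit and tighten permissions on a suPHP /
# suexec host, where PHP runs as the file owner and scripts need no "other" bits.
# Static files keep 644 because Apache still serves them directly.
# Assumes POSIX find and chmod.

# Constructed site: a config file holding credentials, a front controller, an image.
SITE=$(mktemp -d)
mkdir -p "$SITE/includes" "$SITE/images"
printf '<?php /* constructed: db credentials would live here */\n' > "$SITE/includes/configure.php"
printf '<?php /* constructed front controller */\n' > "$SITE/index.php"
printf 'not really a jpeg\n' > "$SITE/images/logo.jpg"
# Typical shared-hosting defaults: 644 files, 755 directories.
find "$SITE" -type d -exec chmod 755 {} +
find "$SITE" -type f -exec chmod 644 {} +

# List PHP files that any other account on the server could read or write.
# A world-readable config file is the classic way one compromised account
# leaks the database password of another on the same box.
audit_php_perms() {
    find "$1" -type f -name '*.php' \( -perm -004 -o -perm -002 \)
}

# Restrict scripts to the owner (600); everything else is left alone.
harden_php_perms() {
    find "$1" -type f -name '*.php' -exec chmod 600 {} +
}

# List anything world-writable, which should never be the case on a shared host.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

audit_php_perms "$SITE"        # before: includes/configure.php and index.php
harden_php_perms "$SITE"
audit_php_perms "$SITE"        # after: nothing
audit_world_writable "$SITE"
```

Run the audit first and read the list before hardening: if the web server is not running under suPHP or suexec, the 600 scripts will stop serving, which is exactly the warning in the post.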


Earlier I wrote about a new defacement script I am starting to see a lot; see this post for more information. I am now starting to see the same defacement files find their way onto Joomla sites as well, and I have come across a few that have also been defaced by “MA^D4NG3R”.


I received a large number of notifications this morning for defaced websites. It isn’t unusual to receive a few defacement notifications per week – I find that most hacked sites are used for sending out spam, hosting a phishing site or something else generally more constructive. With defaced sites it’s usually a big red flag that the account has been hacked, so the problem usually gets fixed much sooner than with a script somewhere being used to occasionally send spam.

Script name: wp_index.php

Script MD5: f3df22ce267a781e92ec9870b22bb0e7 (original human readable) / 537005a85e5654c6faf8815bc2e96bee (obfuscated) / 33780a2eeb8d2523083ebbd0d24db458 (gzipped)

Compromise Method: Weak permissions/server setup

Notes: Script appears on already compromised WordPress sites and defaces other WordPress sites using stolen database credentials.

Example file(s): Obfuscated / Human Readable

Detail: This script has multiple attack methods and is used to reset the ‘admin’ user’s password for WordPress, enabling the attacker to replace files in the site. It is commonly used to deface WordPress websites.

For cleanup/mitigation of this attack please see page 3.

Edit: I have noticed this attack is causing problems for users of Joomla as well, please see my other post here.


A lot of common hacks at the moment leverage thumbnail generation scripts or cache scripts to write remote files to the target, giving the attacker a good entry point to the server. RFI bugs in these scripts can usually be mitigated by disabling execution of scripts in the cache directory, as nothing should ever run from there.


One of the most common thumbnail scripts used on a lot of WordPress sites, timthumb.php, has had a large amount of coverage over the last few months due to a few gaping holes. This has left a vast number of WordPress sites, among others, vulnerable to a very simple remote file inclusion (RFI) exploit. The timthumb.php script generates thumbnails on the fly, and many WordPress themes and plugins use it for resizing images. Googling this problem makes it obvious that a large number of people are having trouble with it – it has been somewhat slow to get fixed.
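The cache-directory lockdown that the previous two posts recommend (disabling script execution where timthumb.php and similar cache scripts write their output), as an added example that is not part of either post: it drops an .htaccess denying any request for a PHP-like file into every directory named cache or thumbs below a web root. It assumes Apache with AllowOverride enabled and uses the 2.2-era Order/Deny syntax; the tree it runs against is constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the posts): deny execution of scripts in cache
# directories so a file planted there by a thumbnail/cache script can never be
# run by a request. Assumes Apache honours .htaccess (AllowOverride) here.

# Constructed web root with one theme cache directory holding a planted file.
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/wp-content/themes/demo/cache" "$WEBROOT/wp-content/uploads"
touch "$WEBROOT/wp-content/themes/demo/cache/abc123.php"   # stand-in for a planted file

# Deny any request for a script-like file in the directory. Access control runs
# before the handler, so this works whether PHP is mod_php or suPHP/suexec.
CACHE_HTACCESS='# Cache directories only hold generated images; never serve scripts from here.
<FilesMatch "\.(php|phtml|php[0-9]|phps|pl|cgi)$">
    Order allow,deny
    Deny from all
</FilesMatch>'

# Write the .htaccess into one directory, readable by Apache (644).
lock_cache_dir() {
    printf '%s\n' "$CACHE_HTACCESS" > "$1/.htaccess" && chmod 644 "$1/.htaccess"
}

# Find every directory named cache or thumbs below the root and lock it.
lock_all_cache_dirs() {
    find "$1" -type d \( -name cache -o -name thumbs \) | while read -r d; do
        lock_cache_dir "$d" && printf 'locked %s\n' "$d"
    done
}

# Check whether a directory carries the deny block.
is_locked() {
    [ -f "$1/.htaccess" ] && grep -q 'Deny from all' "$1/.htaccess"
}

lock_all_cache_dirs "$WEBROOT"
```

On Apache 2.4 the two `Order`/`Deny` lines are replaced by `Require all denied` (2.4 still accepts the old form while mod_access_compat is loaded). Adjust the directory names to whatever the cache script on the site actually writes to; timthumb's default is a `cache` directory next to the script.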


I have been seeing this pop up a lot lately; it was very common a few months ago on quite a few web hosting accounts that I saw. The MD5 of the samples has remained consistent, so the script has not changed for a while.

Script name: l_backuptoster.php

Script MD5: 01eacef79925d81d8d4a30751adcab3c / 33780a2eeb8d2523083ebbd0d24db458 (gzipped)

Compromise Method: FTP (Compromised password)

Notes: PHP script that is uploaded along with text files for sending spam.

Example file(s): l_backuptoster.php

Detail: In all cases of this I have found, the script has been uploaded via FTP. From what I gather the FTP details have been compromised, most likely by a trojan or perhaps via stolen email accounts that have the FTP details stored.


Welcome to my blog. I work at a large web hosting company and see a very large number of hacked sites on a daily basis, and sometimes there is not a lot of info out there about how it actually happened. A lot of the hacks are done en masse and can be prevented with a few simple steps. This blog is for posting samples of scripts and binaries that have been uploaded via holes in web applications, as well as analysing how the hacking happened, with methods to prevent it.

© 2012 Web Hack Blog