Previously on "Sites hacked"
-
Yes, the desktop runtime seems to be prime time hacker magnet and a great way to hijack your PC.
-
Originally posted by DimPrawn:
> Every time I've found a machine compromised the source of the infection seems to be bloody Java!
> Seems most common exploits these days are holes in the Java runtime.
> If you don't need Java, don't have it on your systems!

Runtime on the desktop has issues; Java servers are very robust.
-
Originally posted by administrator:
> If you could be arsed you could also decode the base64 somewhere like here:
> Base64 Decode and Encode - Online

Sounds like a man who knows some stuff from previous experience of it happening to him. That or he needs to know some stuff to stop the techies on his forum accusing him of some stuff when the sh!t goes down and hits the fan... if you know what I'm saying.
-
If you could be arsed you could also decode the base64 somewhere like here:
Base64 Decode and Encode - Online
-
Originally posted by xoggoth:
> Darn it!!!! When I said I didn't use WordPress earlier I forgot my sister has got this webby person to set up a thing for her where she can do educational blogs etc; it's an addon domain in a subdirectory. A quick search shows WordPress uses many of those functions so that php.ini will probably stop it working. Any way of restricting what directories php.ini applies to?

And this is probably the source of the infection, not your passwords from FileZilla getting hacked. Make sure the WordPress installation and all plugins are up to date.
Also the base64 code will create the iframe, I expect; that's why you won't find it.
-
Originally posted by xoggoth:
> Darn it!!!! When I said I didn't use WordPress earlier I forgot my sister has got this webby person to set up a thing for her where she can do educational blogs etc; it's an addon domain in a subdirectory. A quick search shows WordPress uses many of those functions so that php.ini will probably stop it working. Any way of restricting what directories php.ini applies to?

The line I suggested adding will stop dodgy scripts server-wide, so there should be no need to specify directories, and I'm not sure that can be done anyway. It shouldn't affect WP functionality at all, but check the permissions on the WP config file and make sure it's locked down; suggest 600 if you know what that means, then test.
-
Darn it!!!! When I said I didn't use WordPress earlier I forgot my sister has got this webby person to set up a thing for her where she can do educational blogs etc; it's an addon domain in a subdirectory. A quick search shows WordPress uses many of those functions so that php.ini will probably stop it working. Any way of restricting what directories php.ini applies to?
Last edited by xoggoth; 9 January 2013, 20:13.
-
Originally posted by xoggoth:
> Yes. They all start with <?php eval(gzinflate(base64_decode("...gibberish...

I've had this sort of attack in the past - slack permissions on a config file, so check that first.
Once you've added the above and restarted Apache or whatever, none of that crap stuff can be injected or executed. Delete the files of course.
-
> It's not uncommon for PHP malware to encode its files in various ways. The most common is simple base64 encoding,

Yes. They all start with <?php eval(gzinflate(base64_decode("...gibberish...
Apparently, if you change eval to echo, then change the evals in that to echo etc., you can discover the code, although I don't think I want to bother trying it. Can't find any link to the iframe thing though.

> disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Cheers. I'll try that one.
-
Add this to your php.ini
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Stops dodgy php files that may have been added to your system from running.
-
Originally posted by DimPrawn:
> Every time I've found a machine compromised the source of the infection seems to be bloody Java!
> Seems most common exploits these days are holes in the Java runtime.
> If you don't need Java, don't have it on your systems!

Wot DP said.
-
Originally posted by xoggoth:
> Not found anything that explains those encrypted PHP files.

It's not uncommon for PHP malware to encode its files in various ways. The most common is simple base64 encoding, as that's easy to reverse; it just serves to obfuscate things. Search through your other files for any calls to base64_decode() that oughtn't to be there, and if you find any, work out what they're trying to decode and make sure it isn't there.
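As an added illustration (this is not code from the thread or from any poster), the script below does two things the thread talks about: it finds files that eval() the output of base64_decode()/gzinflate(), peels those layers statically (the "change eval to echo" idea, but without ever running the PHP), and it checks a php.ini for the disable_functions list suggested earlier. The sample PHP files and php.ini fragments are constructed, and the set of wrapper functions it unwraps is an assumption about what such obfuscation looks like, not a complete list.

```python
import base64
import binascii
import os
import re
import zlib

# The disable_functions list suggested in the thread.
DANGEROUS_FUNCTIONS = ["show_source", "system", "shell_exec", "passthru",
                       "exec", "phpinfo", "popen", "proc_open"]

# eval( followed by one or more decode/inflate wrappers around a quoted literal.
# Assumption: these three wrappers are the obfuscation layers worth unwrapping.
WRAPPER_RE = re.compile(
    r'eval\s*\(((?:\s*(?:gzinflate|gzuncompress|base64_decode)\s*\()+)'
    r'\s*["\']([A-Za-z0-9+/=]+)["\']',
    re.IGNORECASE)

# Python equivalents of the PHP decoders: gzinflate is raw DEFLATE, gzuncompress is zlib.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
}


def is_suspicious(php_source):
    """True if the file evals the output of a decoder, the pattern xoggoth saw."""
    if WRAPPER_RE.search(php_source):
        return True
    return bool(re.search(r"\beval\s*\(", php_source)) and \
        bool(re.search(r"\bbase64_decode\s*\(", php_source))


def peel_layers(php_source, max_depth=10):
    """Unwrap eval(decoder(...("literal"))) chains statically; nothing is executed.
    Returns the decoded layers, outermost first."""
    layers = []
    current = php_source
    for _ in range(max_depth):
        match = WRAPPER_RE.search(current)
        if not match:
            break
        wrappers = re.findall(r"[a-z_0-9]+", match.group(1).lower())
        data = match.group(2).encode("latin-1")
        try:
            for name in reversed(wrappers):   # the innermost call runs first
                data = DECODERS[name](data)
        except (KeyError, ValueError, binascii.Error, zlib.error):
            break
        current = data.decode("latin-1", errors="replace")
        layers.append(current)
    return layers


def missing_disabled_functions(ini_text):
    """Names from DANGEROUS_FUNCTIONS that a php.ini's disable_functions does not list."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "disable_functions":
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return [f for f in DANGEROUS_FUNCTIONS if f not in disabled]


def scan_tree(root):
    """Walk a web root; return {path: decoded layers} for suspicious .php files."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    src = fh.read()
                if is_suspicious(src):
                    findings[path] = peel_layers(src)
    return findings


def _wrap(php):
    """Builds the constructed sample only: raw-DEFLATE + base64 a string, PHP-style."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php.encode("latin-1")) + comp.flush()
    return '<?php eval(gzinflate(base64_decode("%s"))); ?>' % base64.b64encode(raw).decode()


# Constructed samples: a harmless payload wrapped twice, and a clean file.
INNER = '<?php echo "constructed harmless payload"; ?>'
SAMPLE = _wrap(_wrap(INNER))
CLEAN = '<?php echo base64_encode("hello"); ?>'
WEAK_INI = "; constructed sample php.ini\ndisable_functions =\nexpose_php = Off\n"
HARDENED_INI = ("; constructed sample php.ini\ndisable_functions = show_source, system, "
                "shell_exec, passthru, exec, phpinfo, popen, proc_open\n")

if __name__ == "__main__":
    for layer in peel_layers(SAMPLE):
        print("decoded layer:", layer[:60])
    print("weak php.ini still allows:", missing_disabled_functions(WEAK_INI))
```

Run it on a real web root with scan_tree("/path/to/htdocs") and look at the last layer of each finding; that is the plaintext the eval would have executed, which is where the injected iframe (if any) would show up. disable_functions only blocks the listed PHP functions, so it limits what an injected file can do rather than stopping it from being written; the file permissions and WordPress/plugin updates mentioned in the thread still matter.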
-
Every time I've found a machine compromised the source of the infection seems to be bloody Java!
Seems most common exploits these days are holes in the Java runtime.
If you don't need Java, don't have it on your systems!