
Sites hacked


    #11
    Add this to your php.ini

    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

    Stops dodgy php files that may have been added to your system from running.
    Me, me, me...



      #12
      It's not uncommon for PHP malware to encode its files in various ways. The most common is simple base64 encoding.
      Yes. They all start with <?php eval(gzinflate(base64_decode("...gibberish...

      Apparently, if you change eval to echo then change the evals in that to echo etc you can discover the code, although don't think I want to bother trying it. Can't find any link to the iframe thing though.

      disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
      Cheers. I'll try that one.
      bloggoth

      If everything isn't black and white, I say, 'Why the hell not?'
      John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)



        #13
        Originally posted by xoggoth:
        Yes. They all start with <?php eval(gzinflate(base64_decode("...gibberish...
        I've had this sort of attack in the past - slack permissions on a config file, so check that first.

        Once you've added the above and restarted Apache or whatever, none of that crap can be injected or executed. Delete the files of course.
        Me, me, me...



          #14
          Darn it!!!! When I said I didn't use Wordpress earlier I forgot my sister has got this webby person to set up a thing for her where she can do educational blogs etc. It's an addon domain in a subdirectory. A quick search shows Wordpress uses many of those functions, so that php.ini will probably stop it working. Any way of restricting what directories php.ini applies to?
          Last edited by xoggoth; 9 January 2013, 20:13.
          bloggoth




            #15
            Originally posted by xoggoth:
            Darn it!!!! When I said I didn't use Wordpress earlier I forgot my sister has got this webby person to set up a thing for her where she can do educational blogs etc. It's an addon domain in a subdirectory. A quick search shows Wordpress uses many of those functions, so that php.ini will probably stop it working. Any way of restricting what directories php.ini applies to?
            The line I suggested adding will stop dodgy scripts server-wide, so there should be no need to specify directories, and I'm not sure that can be done anyway. It shouldn't affect WP functionality at all, but check the permissions on the WP config file and make sure it's locked down; I suggest 600 if you know what that means, then test.
            Me, me, me...



              #16
              Originally posted by xoggoth:
              Darn it!!!! When I said I didn't use Wordpress earlier I forgot my sister has got this webby person to set up a thing for her where she can do educational blogs etc. It's an addon domain in a subdirectory. A quick search shows Wordpress uses many of those functions, so that php.ini will probably stop it working. Any way of restricting what directories php.ini applies to?
              And this is probably the source of the infection, not your passwords from FileZilla getting hacked. Make sure the Wordpress installation and all plugins are up to date.

              Also, the base64 code will create the iframe, I expect; that's why you won't find it.



                #17
                If you could be arsed you could also decode the base64 somewhere like here:
                Base64 Decode and Encode - Online



                  #18
                  Originally posted by administrator:
                  If you could be arsed you could also decode the base64 somewhere like here:
                  Base64 Decode and Encode - Online
                  Sounds like a man who knows some stuff from previous experience of it happening to him. That, or he needs to know some stuff to stop the techies on his forum accusing him of some stuff when the sh!t goes down and hits the fan... if you know what I'm saying.
                  The proud owner of 125 Xeno Geek Points



                    #19
                    Ta, but I tried that link, all formats, and it came out as gibberish.
                    bloggoth


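The packer described in #12 (files that start with `<?php eval(gzinflate(base64_decode("...`) and the reason a plain base64 decoder gave gibberish in #19 can both be shown with a short static unpacker. This is an added Python example, not code from the thread or from any of the posters. It reproduces PHP's gzinflate() as a raw DEFLATE stream (zlib with wbits -15), which is why base64-decoding alone leaves you with compressed bytes, and it peels the nested layers without ever executing the decoded code, which is safer than the "change eval to echo and run it" approach. The inner payload, the file names in the sample tree and the example.invalid host are all constructed for the demonstration.

```python
import base64
import re
import zlib

# Constructed stand-in for the injected code. A real infection would write an
# attacker-controlled iframe; this one points at a reserved .invalid host.
INNER_PAYLOAD = (
    b'<?php echo \'<iframe src="http://example.invalid/" '
    b'width="1" height="1" style="display:none"></iframe>\';'
)

# One eval(gzinflate(base64_decode("..."))) layer. PHP's base64_decode() skips
# whitespace by default, so the blob is allowed to wrap across lines.
LAYER_RE = re.compile(
    rb'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'
    rb'["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)\s*\)'
)


def gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib/gzip header, the same stream PHP's gzdeflate() emits."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def gzinflate(data: bytes) -> bytes:
    """Inverse of gzdeflate(), matching PHP's gzinflate()."""
    return zlib.decompress(data, -15)


def wrap_layer(code: bytes) -> bytes:
    """Pack `code` one level deeper, producing the file header seen in the thread."""
    blob = base64.b64encode(gzdeflate(code))
    return b'<?php eval(gzinflate(base64_decode("' + blob + b'")));'


def unpack(source: bytes, max_layers: int = 50):
    """Statically peel nested layers. Returns (innermost_code, layers_removed).

    Nothing is eval'd, so a payload that phones home or drops files stays inert.
    """
    current = source
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(current)
        if m is None:
            break
        blob = re.sub(rb'\s+', b'', m.group(1))
        try:
            current = gzinflate(base64.b64decode(blob))
        except (zlib.error, ValueError):
            break  # blob is not really gzinflate'd data; stop rather than guess
        layers += 1
    return current, layers


def is_readable(data: bytes) -> bool:
    """True when the bytes are plain text. A bare base64 decode of a packed blob
    is still DEFLATE-compressed, which is why an online decoder shows gibberish."""
    return all(b in b'\t\r\n' or 32 <= b < 127 for b in data)


def scan_sources(files):
    """Report every file carrying the packed pattern as (path, layers, first line)."""
    hits = []
    for path, src in files.items():
        code, layers = unpack(src)
        if layers:
            first = code.splitlines()[0][:80] if code else b''
            hits.append((path, layers, first.decode('latin-1')))
    return hits


if __name__ == '__main__':
    packed = wrap_layer(wrap_layer(wrap_layer(INNER_PAYLOAD)))
    # Constructed mini site tree: one clean file and one injected file.
    site = {
        'index.php': b"<?php require 'wp-blog-header.php';",
        'wp-content/uploads/.cache.php': packed,
    }
    for path, layers, first in scan_sources(site):
        print(f'{path}: {layers} layer(s) -> {first}')
```

The regex only recognises this exact eval/gzinflate/base64_decode chain; packers that use str_rot13, gzuncompress, or a function name built at runtime need extra patterns, and a proper PHP tokenizer is the robust route. Run over a copy of the site, the decoded first line is usually enough to show what the file does (the hidden iframe mentioned in #16) and which other files to delete.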


                      #20
                      Originally posted by DimPrawn:
                      Every time I've found a machine compromised the source of the infection seems to be bloody Java!

                      Seems most common exploits these days are holes in the Java runtime.

                      If you need Java, don't have it on your systems!
                      Runtime on the desktop has issues, java servers are very robust.
