
The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Re: Webspace Security

#50010
mikes
Member

There were five files each containing the same php code:

/index.php
/sjy.php
/tey.php
/cgi-bin/index.php
/sofye/del.php

Here is a snippet of the code:

Code:
(.*)", "", $fin);
$fin = ereg_replace("(.*)", "", $fin);
$fin = preg_replace('#]+_lm[^>]*>.*?#is', '', $fin);
$fin = preg_replace("/http(.*?)tmp6(.*?)/", "", $fin);
$fin = ereg_replace("", "", $fin);
$fin = ereg_replace("", "", $fin);
$fin = ereg_replace("", "", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
Update();
exit();
}

if (isset($_POST['c']) || isset($_GET['c']))
{
Com();
exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
Gen();
exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
MRepl();
exit();
}

if (isset($_POST['cl']) || isset($_GET['cl']))
{
Clear();
exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
Clear2();
exit();
}

echo "";

}

Main();

?>

I left out the other functions as I don’t think they should be listed in a public forum.

After numerous emails back and forth to my host, the issue finally got bumped to someone who was knowledgeable and diligent about looking into the matter. The files came from the Czech Republic. Well, at least the /cgi-bin/index.php file was only accessed once and that was from the Czech Republic. Unfortunately, I deleted the files before I noted the ownership on them which might have been enlightening. Also, they were uploaded prior to my oldest activity logs so I can’t get any further information. Fortunately though, this means that the files were uploaded prior to the installation of my various security measures which means my security wasn’t circumvented after all; it just wasn’t in place soon enough.

The important thing I got from all this was that I need to download my logs daily so that I may keep them as long as I want instead of relying on my host (who only keeps them for seven days).
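The post describes two things a site owner could have caught earlier: the same dropped script sitting in five places under the web root, and a PHP file whose Main() dispatches on short parameters checked in both $_POST and $_GET before a routine that regex-rewrites a file and writes it back with fopen("w+"). The scanner below is an added example, not code from the post or its author. It walks a web root, groups PHP files by SHA-256 so identical copies show up together, and flags files that match those two structural indicators. The web root layout, the sample files, and the indicator heuristics are all constructed for the example; the sample "dropped" file only mirrors the dispatcher skeleton shown in the post and calls functions that do not exist.

```python
"""Defensive scan of a web root for duplicated PHP files and dispatcher-style scripts.

Added example; indicators are assumptions modelled on the snippet in the post.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Indicator 1: a parameter dispatcher, i.e. the same short key tested in both
# $_POST and $_GET (the post's Main() checks u, c, g, s, cl, cl2 this way).
DISPATCH_RE = re.compile(
    r"isset\(\$_POST\[['\"](\w{1,3})['\"]\]\)\s*\|\|\s*isset\(\$_GET\[['\"]\1['\"]\]\)"
)
# Indicator 2: a regex-rewrite routine that then writes a file back in "w"/"w+" mode.
REWRITE_RE = re.compile(r"(ereg_replace|preg_replace)\(")
WRITE_RE = re.compile(r"fopen\([^)]*,\s*['\"]w\+?['\"]\)")


def score_file(text):
    """Return (indicator names, sorted distinct dispatch keys) for one PHP source."""
    keys = sorted(set(DISPATCH_RE.findall(text)))
    hits = []
    if len(keys) >= 3:  # three or more one-word switches is the dispatcher shape
        hits.append("param-dispatcher")
    if REWRITE_RE.search(text) and WRITE_RE.search(text):
        hits.append("regex-rewrite-and-write")
    return hits, keys


def scan(webroot):
    """Walk webroot and return (flagged, duplicates).

    flagged:    {relative path: [indicator names]} for files matching an indicator
    duplicates: {sha256: [relative paths]} for content found at more than one path
    """
    flagged = {}
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            hits, _keys = score_file(data.decode("utf-8", "replace"))
            if hits:
                flagged[rel] = hits
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return flagged, duplicates


# Constructed sample: the dispatcher skeleton from the post, with no real bodies.
SAMPLE_DROPPED = """<?php
function Update()
{
    $fin = preg_replace("/http(.*?)tmp6(.*?)/", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}
function Main()
{
    if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); }
    if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); }
    if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); }
}
Main();
?>
"""
SAMPLE_BENIGN = "<?php echo 'About this site'; ?>\n"


def demo():
    """Build a throwaway web root with three identical copies plus one benign file, then scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    for rel in ("index.php", "sjy.php", "cgi-bin/index.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(SAMPLE_DROPPED)
    with open(os.path.join(root, "about.php"), "w") as fh:
        fh.write(SAMPLE_BENIGN)
    return scan(root)


if __name__ == "__main__":
    flagged, duplicates = demo()
    for rel, hits in sorted(flagged.items()):
        print(f"FLAG {rel}: {', '.join(hits)}")
    for digest, paths in duplicates.items():
        print(f"DUP  {digest[:12]}: {paths}")
```

Run it daily against a copy of the web root next to the log download the post recommends; a hash group that suddenly spans several directories, or a new file carrying both indicators, is worth a look before the host's seven-day log window closes.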