[nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack

federico ulfo rainelemental at gmail.com
Fri Feb 24 13:23:17 EST 2012


Search for any type of form in your web folder, that's a common way to
upload new php files!

I could search for any occurrence of exec, system and eval as well!

Good luck

Sent from my iPhone

On Feb 24, 2012, at 1:07 PM, David Mintz <david at davidmintz.org> wrote:

My Dreamhost shared hosting account just had its *.php injected with some
garbage. People were getting stuff about "CHEAP High Quality Christian
Louboutin replica shoes, pumps and boots." Someone also reported to me that
he was redirected to a porn site. I also found a slew of images and all
kinds of... stuff.

I changed my shell password, and I did this:

       egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' * | xargs perl -i -p -e 's/<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>//'

which appears to have purged everything of the injected code. (I am pretty
confident that I have never used eval(base64_decode()) for any purpose
myself.) Now I kind of regret not saving a few of the compromised files
for study.

Any other suggestions as to what I should do? Unfortunately I do not know
how this happened; don't know if there is a huge vulnerability in one of
the apps up there that was exploited, or if it was an inside job, or what.
I do know Dreamhost had a well-publicized security compromise recently. The
php injection that happened to me seems to have happened on Feb 21, based
on the file modification times.

You can lecture me about being a fool to use Dreamhost if you like.

Thanks.

-- 
David Mintz
http://davidmintz.org/
It ain't over:
http://www.healthcare-now.org/
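
A triage pass over the same kind of injection, as an added example that is not code from either poster: it copies each compromised file to an evidence directory before touching it, decodes the payload for reading only, strips just the injected tag, and reports leftover eval/exec/system calls for manual review. The names `triage`, `demo`, the evidence directory and the sample files are assumptions constructed for illustration; keep the evidence directory outside the web root.

```python
import base64, re, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

# One PHP tag holding only eval(base64_decode("...")). Unlike `<\?php.+eval`,
# this cannot swallow legitimate code that precedes it on the same line.
INJECTED = re.compile(rb'<\?php\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>')
# Calls the reply suggests searching for: reported for review, never removed.
RISKY = re.compile(rb'\b(eval|exec|system)\s*\(')

def decode(payload):
    try:  # decoded for reading only; the payload is never executed
        return base64.b64decode(payload, validate=True)
    except ValueError:
        return None

def triage(root, quarantine, clean=False):
    """Report suspect *.php files under root; copy evidence before any edit."""
    root, quarantine, findings = Path(root), Path(quarantine), []
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes()
        payloads = INJECTED.findall(data)
        stripped = INJECTED.sub(b"", data)
        risky = sorted({m.decode() for m in RISKY.findall(stripped)})
        if not (payloads or risky):
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        if payloads:
            dest = quarantine / path.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # keeps content and mtime for study
            if clean:
                path.write_bytes(stripped)
        findings.append({"file": path.relative_to(root).as_posix(), "modified": mtime.isoformat(),
                         "decoded": [decode(p) for p in payloads], "other_calls": risky})
    return findings

def demo():
    """Constructed sample tree: one injected file, one file that calls system()."""
    blob = base64.b64encode(b'echo "constructed sample";').decode()
    with tempfile.TemporaryDirectory() as tmp:
        site, evidence = Path(tmp, "site"), Path(tmp, "evidence")
        site.mkdir()
        (site / "index.php").write_text(
            '<?php echo "home"; ?><?php eval(base64_decode("%s")); ?>\n' % blob)
        (site / "tool.php").write_text('<?php system("uptime"); ?>\n')
        found = triage(site, evidence, clean=True)
        return found, (site / "index.php").read_text(), sorted(p.name for p in evidence.iterdir())
```

Run with `clean=False` first to get the report and the evidence copies; the `modified` timestamps show which files changed together.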

