[nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack

Ronald Bradford ronald.bradford at gmail.com
Fri Feb 24 13:35:50 EST 2012


Have you compared your code with a backup before the injection date, or the
last version of code from your version control system?
On Feb 24, 2012 12:24 PM, "federico ulfo" <rainelemental at gmail.com> wrote:

> Search for any type of form in your web folder, that's a common way to
> upload new php files!
>
> I could search for any occurrence of exec, system and eval as well!
>
> Good luck
>
> Sent from my iPhone
>
> On Feb 24, 2012, at 1:07 PM, David Mintz <david at davidmintz.org> wrote:
>
> My Dreamhost shared hosting account just had its *.php injected with some
> garbage. People were getting stuff about "CHEAP High Quality Christian
> Louboutin replica shoes, pumps and boots." Someone also reported to me that
> he was redirected to a porn site. I also found a slew of images and all
> kinds of... stuff.
>
> I changed my shell password, and I did this:
>
>        egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' * | xargs \
>          perl -i -p -e 's/<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>//'
>
> which appears to have purged everything of the injected code. (I am pretty
> confident that I have never used eval(base64_decode()) for any purpose
> myself.) Now I kind of regret not saving a few of the compromised files
> for study.
>
> Any other suggestions as to what I should do? Unfortunately I do not know
> how this happened; don't know if there is a huge vulnerability in one of
> the apps up there that was exploited, or if it was an inside job, or what.
> I do know Dreamhost had a well-publicized security compromise recently. The
> php injection that happened to me seems to have happened on Feb 21, based
> on the file modification times.
>
> You can lecture me about being a fool to use Dreamhost if you like.
>
> Thanks.
>
> --
> David Mintz
> http://davidmintz.org/
> It ain't over:
> http://www.healthcare-now.org/
>
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show-participation
>
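A triage step that could run before the in-place cleanup quoted above, as an added example that is not part of the original thread: it keeps hashed copies of the injected files for later study and lists everything modified since a given date, which also surfaces dropped files the regex never matches. The function names and paths are hypothetical, and GNU grep, find and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU grep, find and sha256sum, as on a typical Linux shared host.

# Same expression as the egrep command in the post.
PATTERN='<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>'

# Print every *.php file under $1 that contains the injected one-liner.
find_injected() {
    grep -rlE --include='*.php' "$PATTERN" "$1" 2>/dev/null | sort
}

# Copy each hit into quarantine directory $2 before anything is cleaned.
# Copies keep their relative path and mtime (cp -p) and get a .sample
# suffix so they are not served as PHP; hashes go into manifest.sha256.
# Runs in a subshell so its variables do not leak into the caller.
quarantine_injected() (
    root=$1; qdir=$2
    mkdir -p "$qdir"
    find_injected "$root" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        cp -p "$f" "$qdir/$rel.sample"
        sha256sum "$f" >> "$qdir/manifest.sha256"
    done
)

# List all files (any type, not only *.php) under $1 whose modification
# time is later than date $2, to catch uploaded images and new scripts.
modified_since() {
    find "$1" -type f -newermt "$2" | sort
}

# Usage, with placeholder paths (keep the quarantine outside the web root):
#   quarantine_injected /path/to/webroot /path/outside/webroot/quarantine
#   modified_since /path/to/webroot 2012-02-20
```

Comparing the `modified_since` output against a backup or version-control checkout, as suggested in the reply, separates legitimate edits from attacker changes.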