
How can I determine what scripts are making use of fopen?

My websites have been assaulted by a script kiddy very successfully. On an automated basis, a hidden script is accessed on my server that causes a modification of all my index.php files, and adds an iframe to the top of them (base64 encoded).

I'm having trouble getting my hosting provider to help, as they say they are rather helpless in this matter.

I suspect that if I can determine which scripts are making use of PHP's fopen function then I will be able to discover the location of the master tamper script and remove it.

Any advice?


Next steps

  1. Shut everything down
  2. Re-setup your server freshly
  3. Analyse your code, bit by bit, to find the hole.

It's irresponsible to keep a hacked server running. Apart from changing the index.php files, really malicious tools may have been installed - your server might be an open proxy for criminals in the meantime.

fopen

There are a dozen ways of changing files from within PHP apart from fopen. Examples:

  • file_put_contents
  • move_uploaded_file
  • exec('echo foo > /path/to/bar')
  • same with system, passthru, shell_exec, proc_open

If it's really fopen, you're very lucky.


Use find to find all of the PHP scripts and then grep for fopen. If you don't have shell access, download the whole directory with the scripts and do it on your machine.

find /base/dir/with/your/scripts -name '*.php' | xargs grep 'fopen'
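The same find | grep idea widened to every file-writing or command-running call listed in the previous answer, plus a check for index.php files with fresh modification times, as an added example that is not code from either answer. It assumes a POSIX find and an ERE-capable grep; the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example (not code from the original answers): widen the find | grep
# search to every file-writing or command-running call named above, and list
# index.php files touched recently. The sample tree below is constructed.

# PHP functions that can rewrite files or run shell commands.
PATTERN='fopen|file_put_contents|move_uploaded_file|exec|system|passthru|shell_exec|proc_open'

# scan_php_tree DIR: print path:line:text for each call to one of the above.
# The /dev/null argument makes grep prefix every hit with its file name;
# (^|[^A-Za-z0-9_]) acts as a portable word boundary so "pexec(" is skipped.
scan_php_tree() {
    find "$1" -name '*.php' -exec grep -nE \
        "(^|[^A-Za-z0-9_])($PATTERN)[[:space:]]*\(" /dev/null {} +
}

# recent_index_files DIR DAYS: index.php files modified within the last DAYS
# days. A site rarely rewrites all its index.php files at once, so a burst
# of fresh mtimes points at the tamper run.
recent_index_files() {
    find "$1" -name 'index.php' -mtime "-$2"
}

# --- constructed sample tree: one clean page, two tampered scripts ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/blog/images"
printf '<?php echo "hello"; ?>\n' > "$SAMPLE_DIR/index.php"
printf '<?php $h = fopen("../index.php", "w"); fwrite($h, $x); ?>\n' \
    > "$SAMPLE_DIR/blog/index.php"
printf '<?php\nfile_put_contents($_GET["f"], $_POST["d"]);\nshell_exec($_GET["c"]);\n' \
    > "$SAMPLE_DIR/blog/images/thumb.php"
# Backdate the clean page so only the tampered index.php counts as recent
# (-t [[CC]YY]MMDDhhmm is the POSIX form of touch).
touch -t 200001010000 "$SAMPLE_DIR/index.php"

echo "== suspicious calls =="
scan_php_tree "$SAMPLE_DIR"
echo "== index.php files modified in the last day =="
recent_index_files "$SAMPLE_DIR" 1
```

Run it against the real document root instead of $SAMPLE_DIR; every hit still needs a human to decide whether the call is legitimate.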


I'm still in the process of using grep and ssh access to discover and weed out problems. It could be that instead of an embedded script re-writing my files, PHP code is being executed by an input form somewhere on the site. I'm not sure just yet. In the meantime I've written a script that combats the eval(base64_decode injections to my index.php files. This checks and removes eval(base64_decode(''); in index.php files and searches my file structure to 5 directory levels deep, which is sufficient for my site. I have it set to run on a cron job every 5 minutes. It seems not to be server intensive at all.

<?php
// How many directory levels below the starting directory to scan.
$level = 5;

// Split the entries of $path into directories and plain files.
// Both lists are always arrays, even when the directory is empty or unreadable.
function get_sorted($path)
{
    $directories = array();
    $files = array();
    $dh = opendir($path);
    if ($dh === false)
    {
        return array($directories, $files);
    }
    while (($file = readdir($dh)) !== false)
    {
        if ($file == '.' || $file == '..')
        {
            continue;
        }
        // is_dir() instead of guessing from whether the name contains a dot.
        if (is_dir("$path/$file"))
        {
            $directories[] = $file;
        }
        else
        {
            $files[] = $file;
        }
    }
    closedir($dh);
    return array($directories, $files);
}

// Strip an eval(base64_decode(...)); injection from index.php in $path.
function clean_files($files, $path)
{
    if (!$files)
    {
        echo "<br>No files discovered in $path<br>";
        return;
    }
    foreach ($files as $val)
    {
        if ($val != 'index.php')
        {
            continue;
        }
        $targetFile = "$path/$val";
        echo "Checking: $targetFile <br>";

        $data = file_get_contents($targetFile);
        if ($data === false)
        {
            continue;
        }
        // Only rewrite the file when the injection pattern is actually present.
        if (preg_match('/eval.base64_decode(.*?)\;/', $data, $matches))
        {
            echo "MALWARE FOUND IN $targetFile ! ... rewriting!<br>";
            $data = str_replace($matches[0], '', $data);
            file_put_contents($targetFile, $data);
        }
    }
}

// Clean $path, then recurse into every subdirectory until $level is used up,
// so each branch of the tree is checked to the same depth.
function clean_tree($path, $level)
{
    list($directories, $files) = get_sorted($path);
    clean_files($files, $path);
    if ($level <= 0)
    {
        return;
    }
    foreach ($directories as $dir)
    {
        clean_tree("$path/$dir", $level - 1);
    }
}

clean_tree('.', $level);
?>

Please be careful if you are having a similar problem and are trying to run this script. It will remove all eval(base64_encode script, malicious or not, in index.php files. You could also edit the preg_match expression to target other natured injections. You could also use this code to target files other than index.php.


Grep is probably your friend on this one. Start Grepping at your guesses to see if anything out of the ordinary shows up.

I'd also scrutinize all the logs I could to see if I could identify where the attack is coming from. You might be able to IP block the attack at least in the near term. Looking at dates on files might be able to tell you what was last accessed to find the location.

Also, don't rule out javascript injection. They can do some pretty mean things with it, and it just looks like a bunch of random gibberish at the bottom of pages.

Obviously, change passwords, to include any DB. Update ALL open source software, as that's often how these guys get in. You might even try changing code ownership to a different user. Anything to get an error to pop up the next time they try to help trace the offending code.

And, I'd think about finding a new host....
