Urgent security issue - php files are downloaded as text

Discussion in 'General' started by LiteSpeeder, Oct 6, 2009.

  1. LiteSpeeder

    LiteSpeeder Well-Known Member

    iframe in my templates again :( I don't know what to do...
  2. PSS

    PSS Well-Known Member

    Set in php.ini

    disable_functions = exec,passthru,system,shell_exec,base64_decode,posix_getpwuid,phpinfo
    allow_url_fopen = Off
    allow_url_include = Off

    That should help some. Note that with exec functions disabled, you need to set vB to use GD2 graphics library as Imagemagick won't work any more.

    Here's the interesting bit from the script; it tells what apps it uses:
    $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
    $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
    $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
    Last edited: Nov 16, 2009
  3. LiteSpeeder

    LiteSpeeder Well-Known Member

    Thanks for the help. The iframe came again after I deleted that shell. I'm searching the server for other shells but I couldn't find any. I can request a server reinstall but it may not be a permanent solution if there are some vulnerable scripts etc. I don't know how to find them, though...
  4. PSS

    PSS Well-Known Member

    First I would disable upload of avatars and profile images. Then I would search file contents of all image files (gif, jpg, jpeg, png), maybe also attachments, for strings,




    ( Linux: grep -liR base64_decode /path/to/your/avatars/ )

    If you find none, back up your db and files (download all!), do a system restore and install original vB php files (not from backup!) and restore the database. You'll have a clean vBulletin. If you still get that iframe then I'm clueless :)

    If you seem to be OK after the above, add other scripts after you carefully check them for vulnerabilities - if you are not 100% sure do not install them.
    Last edited: Nov 16, 2009
  5. LiteSpeeder

    LiteSpeeder Well-Known Member

    I've found the other shells:

    forum/albumpics/0/r57.php	Trojan.Shell-2
    forum/albumpics/0/099.picture.php	Trojan.PHP.C99Shell
    forum/albumthmbs/0/c99.php	Trojan.PHP.C99Shell

    Now I changed all 777 directory permissions to 755 but that will stop image uploading :(
  6. PSS

    PSS Well-Known Member

    "forum/albumpics" seems to suggest that the vulnerable script is an album script you have for vbulletin (a plugin?). Anyways, not forcing a valid image extension for uploaded images is a clear security leak.
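    A defender-side check that covers both points raised above (PSS's grep for base64_decode inside image files, and images being accepted without a valid image extension): this is an added example in Python, not code from the thread or from vBulletin. It assumes the forum only accepts gif/jpg/png, flags any script file or mismatched magic bytes under the upload tree, and runs against a constructed temporary directory rather than real data.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for the image types the forum is assumed to accept (gif, jpg, png).
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Markers that have no business inside an avatar or album picture.
SUSPICIOUS = re.compile(rb"<\?php|<\?=|base64_decode\s*\(|eval\s*\(", re.I)

def check_file(path):
    """Return a list of findings for one file; an empty list means clean."""
    path = Path(path)
    findings = []
    data = path.read_bytes()
    ext = path.suffix.lower()
    if ext in (".php", ".phtml", ".php5"):
        findings.append("script file in image directory")
    elif ext not in MAGIC:
        findings.append("unexpected extension")
    elif not data.startswith(MAGIC[ext]):
        findings.append("magic bytes do not match extension")
    if SUSPICIOUS.search(data):
        findings.append("PHP markers in content")
    return findings

def scan_dir(root):
    """Walk an upload tree; map relative path -> findings for every non-clean file."""
    report = {}
    for p in Path(root).rglob("*"):
        hits = check_file(p) if p.is_file() else []
        if hits:
            report[p.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed sample tree (not real forum data) and return the report."""
    root = Path(tempfile.mkdtemp())
    (root / "albumpics" / "0").mkdir(parents=True)
    samples = {  # constructed contents: one genuine PNG header, two planted files
        "albumpics/0/ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "albumpics/0/099.picture.php": b"<?php /* sample */ base64_decode('x'); ?>",
        "albumpics/0/fake.gif": b"<?php /* sample */ echo 'not an image'; ?>",
    }
    for rel, content in samples.items():
        (root / rel).write_bytes(content)
    return scan_dir(root)
```

    Run `scan_dir("/path/to/your/avatars/")` against the real upload directories; any path in the report is worth a manual look before reinstalling.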
  7. bhanuprasad1981

    bhanuprasad1981 Well-Known Member

    Just a small suggestion: I came across the CSF website where they are offering some script which scans each and every file uploaded to the server with ClamAV; maybe it should help you in some way :)
  8. LiteSpeeder

    LiteSpeeder Well-Known Member

    Yes, I even ordered it but they asked for confirmation... I had no time to reply, so they refunded the payment. I'm not sure if it'll work with LiteSpeed though...
  9. anewday

    anewday Moderator

    It should work with LiteSpeed.
  10. LiteSpeeder

    LiteSpeeder Well-Known Member

    so... end of the story I guess...