GoFuckYourself.com - Adult Webmaster Forum - View Single Post - Fuck - Server corrupted

Pushcube · 03-29-2011, 05:12 PM

It's a XSS exploit. It's simple to fix so don't panic

If you have access to your .htaccess file add the following to prevent it happening:

Code:

RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteRule ^(.*)$ ? [F,L]

If you have SSH you can hunt down modified files by:

Code:

grep -r "eval(base64_decode" *

I don't think I should post the infection PHP code here(obviously), but it will appear at the top of all the modified files, you will know it when you see it. Something like this:

PHP Code:


			
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc"));

I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps

03-29-2011, 05:12 PM
Pushcube Registered User Industry Role: Join Date: Dec 2007 Location: Ireland Posts: 54	It's a XSS exploit. It's simple to fix so don't panic If you have access to your .htaccess file add the following to prevent it happening: Code: RewriteCond %{QUERY_STRING} base64_encode.(.) [NC,OR] RewriteRule ^(.)$ ? [F,L] If you have SSH you can hunt down modified files by: Code: grep -r "eval(base64_decode" I don't think I should post the infection PHP code here(obviously), but it will appear at the top of all the modified files, you will know it when you see it. Something like this: PHP Code: `eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc"));` I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps __________________ Server Optimisation - Pentesting - Secure WP Installs.