Page 2 of 2
Re: Site hacked (config.php), how come?
Posted: Wed Mar 19, 2008 11:35 pm
by blast2007
LeisureLarry wrote:
@blast2007:
Did the decode class work for you on the image one? I would like to know what this file does, in order to use this informations for my german cmsms security guide.
- LeisureLarry
Hi Larry,
yep, that class works decoding the malicious script "image".
Here following how to proceed.
- Save the class file as "decode.php"
- Remove first rows in image.txt and leave only the row starting with "eval...."
- Go to bottom of decode.php and replace "test.php" with image.txt
- Call in your bash shell:
Code: Select all
php decode.php > malicious_script_decoded.txt
and you can see all the 2500 rows of script in malicious_script_decoded.txt
Regards
blast
P.S. if you need file already decoded I can send you by pm or mail
Re: Site hacked (config.php), how come?
Posted: Thu Mar 20, 2008 8:44 am
by HeinzVoerbakje
The stupid thing is I need the upload folder to be executable as the stylesheet I use is located there (/uploads/images/templates). So I just made the upload folder read-execute, so no-one can drop any-stuff there. The down-side of that is that I need to change permission everytime I upload a picture.....
Re: Site hacked (config.php), how come?
Posted: Thu Mar 20, 2008 9:48 am
by LeisureLarry
It´s added to the wiki. This change doesn´t prevent anybody from uploading malicous files to your uploads directory, but it prevents them from executing php-files in this folder.
Greats from Germany
LeisureLarry
Re: Site hacked (config.php), how come?
Posted: Fri Mar 21, 2008 5:43 pm
by Pierre M.
LeisureLarry wrote:
It´s added to the wiki.
Thank you LeisureLarry
Pierre