weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 10:13:05

On occasion when visiting http://www.weeweeslap.com/forum/active.asp I get a popup like so: http://www.weeweeslap.com/forum/file_attachments/weeweeslap/200712179629_digi_cert.jpg
I found 4 files that were placed into my root directory of that site: omega.php, omega.html, gharbeyya.html, jman.php.
The first 3 are files that display "this site hacked ____" where the blank is filled out by who hacked. The third file seems encrypted. I think so anyway; I am not php friendly and it's just a bunch of text and numbers between the php tags. I did fix active.asp the same day the fix was released, and since that digital certificate thing only shows up on active.asp, I was wondering if there might be something else that should be checked out? That digital certificate thing pops up rarely. I've gotten it twice in the past week, and with finding those 4 files placed in root I felt it might be related, though they all show different dates of creation. Do you guys have any additional info on this? Or what can I do to find out how they were placed or through where? We have a good firewall and only allow port 80 and another port to manage the firewall; other than that, the rest of the ports are hammered down. Well, the files were just placed and never seen by the general public, so maybe they got scared and ran away? Or maybe a time bomb of sorts was placed on the server, but after running a thorough scan of Ad-Aware, viruses and all that juicy stuff, the box came back clean. I appreciate any info you can provide. Thank you.

coaster crazy
ruirib
Snitz Forums Admin, Portugal, 26364 Posts
Posted - 17 December 2007 : 10:23:43

No Snitz hack would allow the installation of files on the root folder. That was either caused by a server hack or some other issue (php or some other server stuff).

Snitz 3.4 Readme | Like the support? Support Snitz too
weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 10:29:44

OK. Thanks ruirib!

coaster crazy
AnonJr
Moderator, United States, 5768 Posts
Posted - 17 December 2007 : 10:31:02

Didn't someone mention an issue with one of the file upload MODs based off of active.asp?
weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 10:55:27

The only file upload MOD I have is Mike's file attachment MOD, and I've checked to make sure it only allows the allowed files. html, php, asp, exe, zip, etc. are prohibited on there and the directory has no executable rights. Thanks

coaster crazy
bobby131313
Senior Member, USA, 1163 Posts
Posted - 17 December 2007 : 11:09:45

unanswered.asp (OWM's Unanswered Topic mod) is based on active.asp.

Switch the order of your title tags
Edited by - bobby131313 on 17 December 2007 11:10:37
AnonJr
Moderator, United States, 5768 Posts
Posted - 17 December 2007 : 11:36:55

That must have been the one I was thinking of.
weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 11:44:35

Ah, I don't use that. Anyone wanna take a look at the files that got uploaded, just for kicks?

coaster crazy
phy1729
Average Member, USA, 589 Posts
Posted - 17 December 2007 : 12:11:58

Can you post/e-mail a txt copy of jman.php? My native language is PHP.
weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 12:20:44

quote: Originally posted by phy1729
Can you post/e-mail a txt copy of jman.php? My native language is PHP.

http://www.weeweeslap.com/file.rar Here it is. I placed it in a rar. If you want it in a zip file, let me know. Or email me through forum mail and I'll attach it to an email. Thanks -wws

coaster crazy
weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 12:23:43

I forgot the Windows 2003 security settings we have don't allow .rar or .zip direct downloads, so here's a txt file. If that doesn't work, send me an email through forum mail and I'll attach the file; it's 42 KB in size. http://www.weeweeslap.com/jman.txt

coaster crazy
phy1729
Average Member, USA, 589 Posts
Posted - 17 December 2007 : 12:39:36

Base64 and gzip compressed; well, someone has something to hide. And I love the first line: "This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited."
weeweeslap
Senior Member, USA, 1077 Posts
Posted - 17 December 2007 : 12:51:34

Yeah, I am going to go ahead and remove it. Thanks for looking at it. Any chance we could get it decoded to see what they're hiding? Thanks phy1729

coaster crazy
phy1729
Average Member, USA, 589 Posts
Posted - 17 December 2007 : 13:05:10

I'm working on it but it may take a while. A long while. I'm decoding by running it while sanitizing anything possibly harmful; not a fast procedure, but it works.
phy1729
Average Member, USA, 589 Posts
Posted - 17 December 2007 : 14:38:17

From Googling, it looks like c99 v0.0.1 SYN-MOD [SYNSTA]. I've never heard of it before, but it seems like a back door.
Slightly Later
From more Googling, this is a personal web-based shell made by Synsta; he has now stopped using it and others have started using it for other things. It has a brute force FTP cracker, so I would change my username and password. Link to discussion between Synsta and another cracker here
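The base64-plus-gzip wrapping, the decoy copyright line and the c99 identification that phy1729 describes above, as an added example that is not part of this thread: a Python unwrapper that peels eval(gzinflate(base64_decode('...'))) layers statically and reports indicators, so the uploaded file never has to be executed (phy1729 ran it with sanitizing; this avoids running it at all). The wrapper pattern and the sample file are assumptions constructed here, not the real jman.php.

```python
import base64
import re
import zlib
# Added example, not code from the thread: statically unwraps eval(gzinflate(base64_decode('...')))
# style PHP wrapping. The function names are real PHP; that jman.php is wrapped this way is assumed.
WRAPPER = re.compile(
    r"eval\s*\(\s*(?:(?P<fn>gzinflate|gzuncompress)\s*\()?\s*base64_decode\s*\(\s*"
    r"['\"](?P<blob>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)?\s*\)"
)
INDICATORS = {  # markers worth reporting once the layers are readable
    "eval_of_decoded_blob": re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode)", re.I),
    "anti_analysis_notice": re.compile(r"reverse engineering", re.I),
    "c99_shell_banner": re.compile(r"\bc99\b", re.I),
}

def decode_layer(fn, blob):
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    if fn is None:
        return raw
    # PHP gzinflate is raw DEFLATE (negative wbits); gzuncompress is a zlib stream
    return zlib.decompress(raw, -zlib.MAX_WBITS if fn == "gzinflate" else zlib.MAX_WBITS)

def peel(source, max_layers=10):
    """Return [original, layer1, layer2, ...]; the PHP is never executed."""
    layers = [source]
    for _ in range(max_layers):
        m = WRAPPER.search(layers[-1])
        if m is None:
            break
        try:
            layers.append(decode_layer(m.group("fn"), m.group("blob")).decode("latin-1"))
        except (ValueError, zlib.error):
            break  # corrupt blob, or an encoder this unwrapper does not handle
    return layers

def find_indicators(layers):
    return sorted({n for text in layers for n, pat in INDICATORS.items() if pat.search(text)})

def wrap(php_code, fn):
    """Build one wrapping layer the way an encoder would (only used to construct the sample)."""
    if fn == "gzinflate":
        c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        packed = c.compress(php_code.encode()) + c.flush()
    else:
        packed = zlib.compress(php_code.encode())
    return "eval(%s(base64_decode('%s')));" % (fn, base64.b64encode(packed).decode())

# Constructed stand-in for the uploaded file: decoy notice, two wrapping layers, harmless body.
INNER = 'echo "constructed inner layer"; // c99 v0.0.1 SYN-MOD [SYNSTA]'
SAMPLE = ("<?php\n/* This file is protected by copyright law and provided under license. "
          "Reverse engineering of this file is strictly prohibited. */\n"
          + wrap(wrap(INNER, "gzuncompress"), "gzinflate") + "\n?>")
```

Anything the pattern does not unwrap (other encoders, self-modifying code) belongs in an offline sandbox copy, never on the live server.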