[nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack
David Mintz
david at davidmintz.org
Fri Feb 24 13:07:29 EST 2012
My Dreamhost shared hosting account just had its *.php injected with some
garbage. People were getting stuff about "CHEAP High Quality Christian
Louboutin replica shoes, pumps and boots." Someone also reported to me that
he was redirected to a porn site. I also found a slew of images and all
kinds of... stuff.
I changed my shell password, and I did this:
egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' * | \
    xargs perl -i -p -e 's/<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>//'
which appears to have purged everything of the injected code. (I am pretty
confident that I have never used eval(base64_decode()) for any purpose
myself.) Now I kind of regret not saving a few of the compromised files
for study.
Any other suggestions as to what I should do? Unfortunately I do not know
how this happened; don't know if there is a huge vulnerability in one of
the apps up there that was exploited, or if it was an inside job, or what.
I do know Dreamhost had a well-publicized security compromise recently. The
php injection that happened to me seems to have happened on Feb 21, based
on the file modification times.
You can lecture me about being a fool to use Dreamhost if you like.
Thanks.
--
David Mintz
http://davidmintz.org/
It ain't over:
http://www.healthcare-now.org/
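A defender-side scanner for the same kind of stub, added here as an example; it is not part of the original post and is not what David ran. It walks a directory tree, reports each eval(base64_decode("...")) stub together with its decoded payload so the hidden PHP can be read (not executed) before it is removed, copies every affected file to a quarantine directory first (the "saving a few of the compromised files for study" step), and only then strips the stub in place. Its regex is non-greedy, so a single match cannot run from the file's own <?php tag to an unrelated eval() later on the same line, which the greedy .+ in the one-liner above could. The sample site it builds under a temporary directory, the benign payload text, and the quarantine layout are all constructed for the demo; it assumes Python 3 and only the standard library.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# The injected stub the post describes: a <?php ... ?> block whose only job is
# eval(base64_decode("<base64>")). Non-greedy .*? keeps one match from spanning
# the file's real <?php tag and a later, unrelated eval() on the same line.
INJECTION_RE = re.compile(
    r'<\?php.*?eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>'
)

# Constructed, benign payload used only to build the demo site below.
SAMPLE_PAYLOAD = "echo 'constructed sample payload';"


def decode_payload(b64: str) -> str:
    """Decode the base64 argument so the hidden PHP can be read, never run."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def find_injections(source: str):
    """Return (stub_text, decoded_payload) for every stub in a PHP source string."""
    return [(m.group(0), decode_payload(m.group(1)))
            for m in INJECTION_RE.finditer(source)]


def strip_injections(source: str) -> str:
    """Remove every stub, leaving the surrounding code untouched."""
    return INJECTION_RE.sub("", source)


def scan_tree(root, quarantine):
    """Walk root for *.php; for each infected file, copy the original (with its
    mtime, which is the evidence for dating the incident) under quarantine,
    then write the cleaned version back. Returns {relative_path: [payloads]}."""
    root, quarantine = Path(root), Path(quarantine)
    report = {}
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        hits = find_injections(text)
        if not hits:
            continue
        rel = path.relative_to(root)
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # preserve the compromised copy for study
        path.write_text(strip_injections(text),
                        encoding="utf-8", errors="surrogateescape")
        report[str(rel)] = [payload for _, payload in hits]
    return report


def build_sample_site(root):
    """Write a constructed infected index.php plus one clean file under root."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    stub = '<?php eval(base64_decode("%s"));?>' % b64
    (root / "index.php").write_text(stub + "<?php\necho 'real code';\n")
    (root / "sub" / "clean.php").write_text("<?php\necho 'nothing to see';\n")


def demo():
    """Run the scanner over the constructed site; returns (report, cleaned
    index.php text, whether the quarantine copy was written)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        build_sample_site(site)
        report = scan_tree(site, Path(tmp) / "quarantine")
        cleaned = (site / "index.php").read_text()
        saved = (Path(tmp) / "quarantine" / "index.php").exists()
        return report, cleaned, saved


if __name__ == "__main__":
    rep, cleaned_text, saved_copy = demo()
    for rel_path, payloads in rep.items():
        print(rel_path, "->", payloads)
    print("quarantine copy written:", saved_copy)
```

The decoded payloads are the useful part of the report: reading them shows what the stub actually did (redirects, spam content, a dropper) without ever executing them. Cleaning the files this way removes the symptom only; the entry point, whether a vulnerable application, a stolen credential or the hosting-side compromise mentioned above, still has to be found, or the stubs come back.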