Backdoor shell

02/29/2012 10:30 jadeyisafuckingscammer#1
Background story: my server's account DB got wiped twice (yesterday and 2 days ago). No idea how, ofc billing and SMC ports are blocked, only necessary ports are open. (Maybe the registration page was vulnerable, and they managed to SQLi.) After that, I noticed unusual activities such as PHP pages not working as intended, even after reinstalling the webserver. I noticed that someone created two administrator accounts with these usernames: ntusers, Anyonymous. But that's not everything... after I deleted those admin accounts, I believe that they tried to bruteforce the Administrator account's password. I checked Windows Event Viewer, and there was 2-3 failed logon attempts every second. WTF? After that I installed a firewall and an antivirus, and it found 2 shells (C100 and R57) in C:\XAMPP\webdav\
Anyone else's server got backdoor'd recently? I'm running XAMPP 1.7.3 with Apache 2.2.4 and PHP 5.2.2. Perhaps this version of PHP is vulnerable?
02/29/2012 11:17 LastThief*#2
Nah it was retarded register page
02/29/2012 11:54 ThElitEyeS#3
use sqlsrv, odbc at IIS
Just download IIS php manager
its will be better than using IIS,Apache at same time...
02/29/2012 12:06 jadeyisafuckingscammer#4
Quote:
Originally Posted by ThElitEyeS View Post
use sqlsrv, odbc at IIS
Just download IIS php manager
its will be better than using IIS,Apache at same time...
Just saying, we used a registration page that was made by you, and it's vulnerable.
02/29/2012 12:38 Dr.Abdelfattah#5
my suggest to re-install your root windows, before that take only databases backups
then after the windows installed again, setup plesk panel as the webserv manager (best control panel for windows server) that's like wamp etc etc but those are nothing if you compare them with plesk
2nd just use for now normal php script just register and change pass , and make the normal protection like open only TCP ports of gateway and downloadserver and agentserver , and run your billing on 127.0.0.1 ip and the rest ..

But you are now must do those steps cuz your server completely hacked .. (warring : never open any UDP ports even for gateway etc , )

Quote:
Originally Posted by jadeyisafuckingscammer View Post
Just saying, we used a registration page that was made by you, and it's vulnerable.
if we say yes, the problem with the web server too .

Edit :
did you use ftp on the same machine (for guild/union pic for example) ?
02/29/2012 13:07 Schickl#6
Quote:
Originally Posted by jadeyisafuckingscammer View Post
Just saying, we used a registration page that was made by you, and it's vulnerable.
What did you expect????
oh and even if others say that it's safe you should still check it
making a safe site isn't that hard, you just need to look at everything twice before you use it
02/29/2012 13:08 ThElitEyeS#7
Quote:
Originally Posted by jadeyisafuckingscammer View Post
Just saying, we used a registration page that was made by you, and it's vulnerable.
well prove it and ill fix it.
you the first one who told me this

Quote:
Originally Posted by Schickl View Post
What did you expect????
oh and even if others say that it's safe you should still check it
making a safe site isn't that hard, you just need to look at everything twice before you use it
[Only registered and activated users can see links. Click Here To Register...]
02/29/2012 13:46 ahmed4ever2u#8
OnTopic: i do have the same problem in my server. ( solution ) unknown hope you share it (after you find it) :D
02/29/2012 17:25 Schickl#9
Quote:
Originally Posted by ThElitEyeS View Post
well prove it and ill fix it.
you the first one who told me this


[Only registered and activated users can see links. Click Here To Register...]
I already told you that I'm not going to make an account on your site lol
If someone gives me the code I'll check(and I'm not the only one who could do this, so posting it here wouldn't be bad i guess)
02/29/2012 17:53 ThElitEyeS#10
idc if you register or not.
02/29/2012 18:42 Mykha*#11
why the hell on earth do you have WebDav enabled?! go straight right now and disable it.
if you don't believe you can be backdoor-ed through it. gimme your server ip and i will also check for other vulnerabilities for you. -Mykha
02/29/2012 20:21 Schickl#12
Well I think I found the problem
This query:
Code:
$check = odbc_exec($connect, "SELECT * FROM TB_User WHERE StrUserID = '".$user."'");
if (odbc_num_rows($check) > 0) {
   $error[] = "Account with such username already exists please chose another one";
}
is ALWAYS executed(if "go" is set, but that's nothing to care about)

Now you may think "Oh well I espaced it already"(The $user variable), BUT in mssql the escape char of
Code:
'
is NOT a
Code:
\
.
It is another
Code:
'
!!!!!

This being said it should be obvious how it's been done:
Code:
SELECT * FROM TB_User WHERE StrUserID = '\'; evil query n shit here --';
So what do we have here?
'\'; evil query n shit here --';

' <--indicates start of the string. as set in the query
\'; evil query n shit here -- <-- This is the bad part now. The backslash you can see here is the one addslashes added to the string, but sadly, this doesn't escape the following ' . now the end of the query is marked with ; (because mssql thinks the string already ended) everything after it is a NEW query. So you could enter pretty much everything there
The last part of this string is "--". It marks the left chars of the original query as a comment.


This + MSSQL 2000 allows someone to start a shell


Solution?
You can see
Code:
if (@count($error) > 0) {
[...]
} else {
[...]
}
after this query
Just put the query in the else part and change it, so it looks like this:
Code:
$check = odbc_exec($connect, "SELECT * FROM TB_User WHERE StrUserID = '".$user."'");
if (odbc_num_rows($check) > 0) {
   echo "Account with such username already exists please chose another one";
   echo "</Body></HTML>"; //finish the HTML file so there it's valid
   odbc_close($connect);   //close the connection
   die();    //Stop the script right now
}
This should prevent SQL Injection
I strongly suggest everyone who's using this site to change it asap


oh there are two more mistakes i noticed:
- If one of the fields is not set(user, password, etc) PHP will generate an error(not important, but shouldn't happen)
-The connection to the database is never closed
It should be closed, though
You can do this by adding
Code:
<?php @odbc_close($connect); ?>
After "</html>" at the bottom of the file
02/29/2012 20:43 ms​#13
Don't use XAMPP with the default settings! That trick is pretty old since the Webdav-service under XAMPP uses default credentials, which I believe was something like WAMPP:XAMPP. Everyone can connect and upload their shell.
02/29/2012 20:47 jadeyisafuckingscammer#14
Quote:
Originally Posted by Metin2Spieler97 View Post
Don't use XAMPP with the default settings! That trick is pretty old since the Webdav-service under XAMPP uses default credentials, which I believe was something like WAMPP:XAMPP. Everyone can connect and upload their shell.
Disabled webdav now, and got a whole new website by a professional PHP developer. should be fine now.. thanks for all replies
02/29/2012 20:53 Mykha*#15
Quote:
Originally Posted by Metin2Spieler97 View Post
Don't use XAMPP with the default settings! That trick is pretty old since the Webdav-service under XAMPP uses default credentials, which I believe was something like WAMPP:XAMPP. Everyone can connect and upload their shell.
EXACTLY what i pointed it and even tho it was the problem >.<, he got it disabled now. hope everything goes fine. Gl