Help With Safe-host
#1
I need some help. This is the 2nd time this has happened and it's annoying. My server got infected with WordPress and well, I patched WordPress, but now I can't log into my panel. All I get is a blank page. Can someone please post the code so I can log into my panel. My URL is http://brokendesignhosting.info/ehcp/


Also I ran a script to look for backdoor scripts and got this. Don't mind shell.php. Can someone pinpoint something?


./ehcp/webmail2/.htaccess contains RewriteRule - check it manually for malicious redirects.
./ehcp/config/adodb/adodb-time.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/drivers/adodb-mysqli.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/drivers/adodb-mysql.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/drivers/adodb-pdo_mysql.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/adodb-xmlschema.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/session/crypt.inc.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/config/adodb/session/old/crypt.inc.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/config/adodb/adodb-xmlschema03.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/datadict/datadict-firebird.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/adodb-datadict.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/adodb/adodb.inc.php MATCHES REGEX: /system *\(/i
./ehcp/config/adodb/adodb.inc.php MATCHES REGEX: /`.+`/
./ehcp/config/dbutil.php MATCHES REGEX: /passthru *\(/i
./ehcp/webmail2/program/include/rcube_ldap.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail2/program/include/rcube_vcard.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail2/program/include/rcmail.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail2/program/include/rcube_imap.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail2/program/include/rcube_template.php MATCHES REGEX: /shell_exec *\(/i
./ehcp/webmail/contrib/decrypt_headers.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail/src/options_highlight.php MATCHES REGEX: /c99/i
./ehcp/webmail/themes/classic_blue.php MATCHES REGEX: /c99/i
./ehcp/webmail/themes/simple_green2.php MATCHES REGEX: /c99/i
./ehcp/webmail/functions/strings.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail/functions/mime.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail/functions/auth.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail/functions/imap_general.php MATCHES REGEX: /`.+`/
./ehcp/webmail/plugins/fortune/fortune_functions.php MATCHES REGEX: /shell_exec *\(/i
./ehcp/classapp.php MATCHES REGEX: /passthru *\(/i
./ehcp/classapp.php MATCHES REGEX: /shell_exec *\(/i
./ehcp/classapp.php MATCHES REGEX: /system *\(/i
./ehcp/classapp.php MATCHES REGEX: /`.+`/
./ehcp/net2ftp/languages/tc.inc.php MATCHES REGEX: /`.+`/
./ehcp/net2ftp/modules/jupload/jupload.inc.php MATCHES REGEX: /base64_decode *\(/i
./ehcp/net2ftp/includes/filesystem.inc.php MATCHES REGEX: /passthru *\(/i
./ehcp/net2ftp/includes/pclzip.lib.php MATCHES REGEX: /system *\(/i
./ehcp/net2ftp/includes/authorizations.inc.php MATCHES REGEX: /`.+`/
./ehcp/net2ftp/plugins/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php MATCHES REGEX: /shell_exec *\(/i
./ehcp/net2ftp/plugins/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php MATCHES REGEX: /`.+`/
./ehcp/net2ftp/plugins/geshi/geshi/apache.php contains RewriteRule - check it manually for malicious redirects.
./ehcp/net2ftp/plugins/geshi/geshi/apache.php contains AddHandler - make sure it does not make ordinary files like images executable.
./ehcp/net2ftp/plugins/geshi/geshi/vbnet.php contains AddHandler - make sure it does not make ordinary files like images executable.
./shell.php MATCHES REGEX: /edoced_46esab/i
./shell.php MATCHES REGEX: /system *\(/i
./shell.php MATCHES REGEX: /`.+`/
./shell.php MATCHES REGEX: /hacked by /i
./shell.php MATCHES REGEX: /web[\s-]*shell/i
./shell.php MATCHES REGEX: /c99/i
./shell.php MATCHES REGEX: /r57/i
./shell.php MATCHES REGEX: /gooqle/i
./shell.php MATCHES REGEX: /_analist/i
./shell.php MATCHES REGEX: /anaiytics/i
./shell.php contains RewriteRule - check it manually for malicious redirects.
./shell.php contains AddHandler - make sure it does not make ordinary files like images executable.
./ehcp/net2ftp/modules/help/03-administrator.html MATCHES REGEX: /`.+`/
./ehcp/webmail2/program/lib/imap.inc MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail2/program/include/main.inc MATCHES REGEX: /base64_decode *\(/i
./ehcp/webmail2/program/js/jquery-1.3.min.js MATCHES REGEX: /`.+`/
./ehcp/webmail2/program/js/tiny_mce/tiny_mce_src.js MATCHES REGEX: /c99/i
./ehcp/webmail2/program/js/tiny_mce/tiny_mce.js MATCHES REGEX: /c99/i
./ehcp/webmail2/program/js/tiny_mce/themes/advanced/js/color_picker.js MATCHES REGEX: /c99/i
./ehcp/webmail2/program/js/tiny_mce/utils/validate.js MATCHES REGEX: /`.+`/
./ehcp/net2ftp/plugins/fckeditor/fckconfig.js MATCHES REGEX: /c99/i
./ehcp/net2ftp/plugins/tinymce/tiny_mce_src.j
#2
if your server has been hacked using wordpress,
then, most probably, the hacker altered some or many of your files.
replace all your ehcp files with the original ehcp from
www.ehcp.net/ehcp_latest.tgz, put db pass etc. in config.php.
this way, your ehcp will be working.
after that, search your system for other backdoors and malicious code.

the php regex matches that you posted on http://ehcp.net/?q=node/1108 I
think are not so important as long as the related file contains a lot of code
like that.
shell.php is such an example; it seems to be malicious code.

search your php/html files for the safe-host.info text; it is a site that is used by that hacker. especially this code:
<iframe src='http://safe-host.info/' width=0 height=0></iframe>

for other/all people: do not write this code directly here; in ehcp.net use special chars like:
&lt;iframe src='http://safe-host.info/' width=0 height=0>&lt;/iframe>

otherwise, you put the same code here too... so, ehcp also will be redirected, possibly.

also have a look at this, important: http://ehcp.net/?q=node/1106
for everybody: do not forget to upgrade to ehcp 0.29.15.2 at least, and
take care of the applications that you install. they may contain vulnerable code.

Restored from old drupal forum, for user uid:3979 username:dstamatoiu
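The point made in the reply above is that a single regex hit (one base64_decode or one backtick in a large library file) means little, while a file that trips several indicator families at once, or carries the safe-host.info iframe, deserves attention. The following scanner is an added example written for this thread, not the script the original poster ran and not part of ehcp: it scores each file by distinct indicator families instead of alerting on every match, and excludes the "#c99" hex-colour false positive seen on the tiny_mce and theme files. The sample file contents are constructed.

```python
import re
from pathlib import Path

# Each indicator family is counted once per file; library code usually trips
# one family, a dropped web shell trips several at once.
INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "exec_call": re.compile(r"\b(?:system|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
    "backtick_exec": re.compile(r"`[^`\n]+`"),
    "reversed_b64": re.compile(r"edoced_46esab", re.I),
    # CSS/JS hex colours such as '#c99' are not a shell name, so exclude them
    "shell_name": re.compile(r"(?<![#\w])(?:c99|r57)(?!\w)|web[\s-]*shell", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*safe-host\.info[^>]*>", re.I),
}
# eval() fed straight from a decoder is the classic obfuscated backdoor shape
OBFUSCATED_EVAL = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_text(text):
    """Return (sorted indicator families hit, verdict) for one file's contents."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "hidden_iframe" in hits:
        verdict = "injected"
    elif OBFUSCATED_EVAL.search(text) or len(hits) >= 3:
        verdict = "likely_backdoor"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return hits, verdict

def scan_tree(root, suffixes=(".php", ".inc", ".js", ".html")):
    """Walk a real web root; return {relative path: (hits, verdict)} for non-clean files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits, verdict = scan_text(path.read_text(errors="replace"))
            if verdict != "clean":
                findings[str(path.relative_to(root))] = (hits, verdict)
    return findings

# Constructed sample contents standing in for files named in the thread.
SAMPLES = {
    "ehcp/config/adodb/adodb.inc.php": "<?php\n$out = `ls -l`;\nif ($dbg) system('true');\n",
    "ehcp/webmail2/program/js/tiny_mce.js": "el.style.color = '#c99';",
    "index.php": "<html><body><iframe src='http://safe-host.info/' width=0 height=0></iframe></body></html>",
    "shell.php": "<?php eval(base64_decode($_POST['c'])); system($_GET['x']); // c99 web shell\n",
}

def scan_samples():
    """Score the constructed samples the same way scan_tree scores real files."""
    return {name: scan_text(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (hits, verdict) in scan_samples().items():
        print(f"{verdict:16} {name}  {hits}")
```

Run `scan_tree("/var/www/new")` on the real tree; files rated "review" are usually legitimate libraries like the adodb and roundcube hits in the post, while "injected" and "likely_backdoor" files are the ones to diff against the clean ehcp_latest.tgz.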
#3
I did say that shell.php was the script I ran to find the backdoor scripts. I did replace all the files and the control panel is still not showing. I also did find all the links to the iframe and got rid of them. What files does the cp need to log into the panel? I want to see if it's missing.

Restored from old drupal forum, for user uid:1 username:ehcpdeveloper
#4
Thanks for your help. I was up pretty late but I got it working. I copied an old backup of my files from when it was working into the ehcp dir. I got into the cp, did a backup just in case something happened, and then replaced the classapp with the newest one.

Restored from old drupal forum, for user uid:3979 username:dstamatoiu
#5
you cannot find all backdoors using a php shell. php can find backdoors only in its path, not outside. normally, you should use console-based backdoor scanners.

if you were using ehcp 0.29.15:
to fix ehcp, try:
cd /var/www/new
cp ehcp/config.php ./              # keep your db user/pass settings
rm -rvf ehcp                       # removes the whole (possibly altered) ehcp tree
wget www.ehcp.net/ehcp_latest.tgz
tar -zxvf ehcp_latest.tgz          # unpacks a fresh ehcp/ directory
(after this, fill in ehcp/config.php with your correct user/pass settings)

/etc/init.d/ehcp restart

this way, it should be fixed.

if you are using pre-0.29.15 versions, you need to do a normal upgrade: http://www.ehcp.net/?q=node/529

Restored from old drupal forum, for user uid:3979 username:dstamatoiu