• Tag Archives script
  • Hacking the Code

    In my last post I was talking about how to clean up a hacked web server; hopefully your server is clean now and you can get back to what you do best. But what was the hacker trying to do? What does that long string mean? I will tell you how to decode the string the safe way, and understand how it was constructed.

    The example that I am going to use is from a real hacked website. The code that I will display is only partial, but the construct will be complete. Any identifiable URLs will be changed to prevent identification and for your safety.
    Let's start by identifying the code; this is what I found at the very beginning of the page.
    <? /**/eval(base64_decode(aWYoZnVuY3Rpb25<–>KTt9fX0=)); ?>

    Let's start with /**/. It looks innocent, but it's a way to hide the code. What this syntax is usually used for is large blocks of comments: instead of using // on each line, you start the block with /* and end it with */. But what I noticed is that in Bluefish and Notepad++, when these are highlighted, the whole line appears to be a comment; my guess is that to other code scanners it will look like one long comment on that line and they will skip it. But this is just my conclusion and testing. A very clever way to use comments.

    I almost forgot: the first thing to notice is the use of short tags (<?). On my personal server I have short tags disabled; I had learned that they should be disabled for security purposes, and I don't know if this holds true today. But the reason they use them is that it helps hide the code as a comment; adding php to the tag (<?php) makes it show up as PHP code, not a comment. Now it's starting to unravel…

    eval – Evaluate a string as PHP code

    Very simple, right? They need something to run their code, and eval does the trick; you can even add HTML to the string. Just another piece of the pie.

    base64_decode – it decodes base64 code. Now what is base64? It was originally for email, to send binary data in messages, with other uses like binary data in URLs and other variables, but the newest use is hiding PHP code in a long string. The string here was 2692 characters long. So what did that string have in it?
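
    One way to look inside such a string without ever running it, as an added example that is not part of the original post: the Python sketch below finds the eval(base64_decode(...)) construct (with or without quotes, and with the /**/ prefix), decodes it as text only, and repeats for nested layers. The function name decode_layers and the sample payload are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# eval(base64_decode(<blob>)) with optional quotes around the blob, as on the page.
WRAPPER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"]?)([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_layers(php_source, max_depth=10):
    """Return the decoded text of each nested eval(base64_decode(...)) layer.

    Nothing is executed: each blob is only base64-decoded and kept as text.
    """
    layers = []
    text = php_source
    for _ in range(max_depth):  # bound the loop in case of deep nesting
        match = WRAPPER.search(text)
        if match is None:
            break
        blob = re.sub(r"\s+", "", match.group(2))
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break  # truncated or not valid base64: stop rather than guess
        text = raw.decode("utf-8", errors="replace")
        layers.append(text)
    return layers


# Constructed sample (not the payload from the hacked site): a harmless PHP
# snippet wrapped twice in the same construct, outer layer unquoted.
INNER = "if(function_exists('ob_start')){echo 'constructed sample';}"
LAYER1 = "eval(base64_decode('%s'));" % base64.b64encode(INNER.encode()).decode()
SAMPLE = "<? /**/eval(base64_decode(%s)); ?>" % base64.b64encode(LAYER1.encode()).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(SAMPLE), start=1):
        print("layer %d: %s" % (depth, layer))
```

    Run it against a copy of the infected file taken off the web server, and read the last layer to see what the injected code was meant to do.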



  • twitter script for linux

    Well, let me give you an interesting script I found on Tech Republic…

    It's how to tweet from the command line using cURL. It's very simple and to the point, just like a script should be.
    tweet.sh
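    #!/bin/sh
    # Join all arguments into one status string
    tweet="$*"
    user="username"
    pass="sekret"
    # ${#tweet} is the length of the text itself; echo | wc -c also counted the trailing newline
    if [ "${#tweet}" -gt 140 ]; then
        echo "FATAL: The tweet is longer than 140 characters!"
        exit 1
    fi
    # -k dropped so the server certificate is verified; -f makes curl return non-zero on HTTP errors
    curl -f -u "${user}:${pass}" -d status="${tweet}" https://twitter.com/statuses/update.xml >/dev/null 2>&1
    if [ "$?" = "0" ]; then
        echo "Successful tweet!"
    fi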

    To use it, just type this:
    $ ~/bin/tweet "social server rules"
    The only other thing to worry about is that you have to escape “?”, “!” -> “\?”, “\!”


  • easy LFS chroot script

    In chapter 6.4 of the stable release of LFS you need to chroot into your build environment. I have to keep rebuilding the chroot, and I keep going back to my PDF and retyping all the commands, so I created a script that rebuilds the environment just by calling it. Then, to make it one better, cp it into /usr/bin and make it executable.
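    #!/bin/bash
    # Stop if LFS is unset, otherwise the mounts below would target the host's own /dev, /proc and /sys
    : "${LFS:?LFS is not set}"
    # Mount the virtual kernel file systems inside the build tree
    mount -v --bind /dev "$LFS/dev"
    mount -vt devpts devpts "$LFS/dev/pts"
    mount -vt tmpfs shm "$LFS/dev/shm"
    mount -vt proc proc "$LFS/proc"
    mount -vt sysfs sysfs "$LFS/sys"
    # Enter the chroot with a clean environment (one command, continued with backslashes)
    chroot "$LFS" /tools/bin/env -i \
        HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \
        PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin \
        /tools/bin/bash --login +h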

    Just copy and paste the above code into a new file called lfsroot; then, if you want to make it into a command, copy it into /usr/bin and you are ready to go. The script will mount the file systems and then enter the chroot environment.
    This has saved me plenty of time by not typing or copying and pasting commands. My next script will be one that will tar and cd into the directory of source packages… look for it soon.