from Hacker News

One of my Drupal sites was hacked

by woutersf on 4/30/14, 8:53 AM with 97 comments

I'm just curious, what did he/she install (listed the php files in the github repo). It would be nice to know what those php files do. Any help demystifying/decoding the php files is much appreciated.
  • by patio11 on 4/30/14, 10:13 AM

    This is fairly straightforward ratware. Is there anything in particular you wish to know about how it operates?

    browser.php is an amusing one for reversing obfuscation tricks, if anyone wants practice.

    You should treat the server as compromised and rebuild from metal, by the way. I know that is annoying as heck but they clearly got code execution and you can therefore assume they had root if they wanted it and that any attempts to detect whether they did are useless because their rootkit makes the box lie to you about its current state.

  • by wernerb on 4/30/14, 9:15 AM

    Well you can decode the code where you have no idea at http://www.unphp.net.

    Here is what main.php does: http://www.unphp.net/decode/3aaa2bc88be0e162fc3ca8786a2f8f82...

    Found the following URL somewhere: 78.138.127.174/2701dfbvcxff.php

    Use http://ip-lookup.net/index.php to get to some abuse email addresses and inform them that the IP is involved in hacking.

    Anyway this was just my quick glance, good luck!

  • by crypt1d on 4/30/14, 9:48 AM

    So I took index.php with preg_replace :)

    I took the first function and decoded the first bytes of hex, which gave the infamous eval(gzinflate(base64_decode( function. Then I used http://www.whitefirdesign.com/tools/deobfuscate-php-hack-cod... to decode the rest and got a group of variables with hex data that were being grouped together like this: eval($xwq2ay . $xq9mar . $xb4jym . $xm0hy3); (full version available here - http://pastebin.com/7V951cRK)

    Decoding this hex gave me another set of preg_replace functions, which were doing the same thing pretty much. And then again the same, except two preg_replace were being called. Eventually I got something like this http://pastebin.com/JP1eukca

    The hex stored in $a and $b are just a clever way of masking gzinflate(base64_decode( so I took the rest of the data, put it into the decoder and finally got to some proper code - http://pastebin.com/A0G290cE

  • by joshvm on 4/30/14, 11:53 AM

    Simple python script to deobfuscate the hex and replace the junk variables:

        import re

        with open('test.php') as f:
            unhex = f.read()

        # Replace "\xNN" escapes with the characters they stand for; a lambda
        # decodes each match individually
        unhex = re.sub(r'\\x([a-f0-9]{2})',
                       lambda m: chr(int(m.group(1), 16)), unhex)

        # Resolve ${"GLOBALS"}["foo"]="bar"; so that ${${"GLOBALS"}["foo"]} reads as $bar,
        # then drop the alias definition itself
        for key, name in re.findall(r'\$\{"GLOBALS"\}\["([a-z0-9]+)"\]="([a-z0-9]+)";', unhex):
            unhex = unhex.replace('${${"GLOBALS"}["%s"]}' % key, '$' + name)
            unhex = unhex.replace('${"GLOBALS"}["%s"]="%s";' % (key, name), '')

        # Inline $bar="foo"; so every later use of $bar reads as foo
        # (\b stops $x from also matching $xy)
        for var, value in re.findall(r'(\$[a-z0-9]+)="([a-z0-9]+)";', unhex):
            unhex = unhex.replace('%s="%s";' % (var, value), '')
            unhex = re.sub(re.escape(var) + r'\b', value, unhex)

        # Chuck in newlines
        unhex = unhex.replace(";", ";\n ")

        with open('out.php', 'w') as f:
            f.write(unhex)
    
    The files all seemed to be one liners, so this works. More work to replace everything else though. Blergh.

    Edited to include variable replacement. I think there are some catches with things like ${sgasklgna} but it largely works. Just needs prettifying.
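    A Python 3 script that peels the nested eval(gzinflate(base64_decode())) layers crypt1d describes and then resolves the \x escapes and ${"GLOBALS"} aliases joshvm's script targets, as one added example (not code from the thread or the repo). The obfuscated sample is constructed inside the block with wrap(), all function names are the example's own, and the XERATUTA marker is taken from the thread.

```python
import base64
import re
import zlib

def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE stream, no zlib/gzip header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inverse of gzdeflate()."""
    return zlib.decompress(data, -15)

def unescape_hex(php: str) -> str:
    """Turn "\\x58\\x45..." escapes inside PHP strings back into plain characters."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), php)

def strip_globals_aliases(php: str) -> str:
    """Resolve ${"GLOBALS"}["k"]="name"; so ${${"GLOBALS"}["k"]} reads as $name."""
    alias_re = re.compile(r'\$\{"GLOBALS"\}\["(\w+)"\]="(\w+)";')
    for key, name in alias_re.findall(php):
        php = php.replace('${${"GLOBALS"}["%s"]}' % key, '$' + name)
    return alias_re.sub('', php)

# One eval(gzinflate(base64_decode("..."))) layer; only the payload is captured.
LAYER = re.compile(r'eval\(gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)\);?')

def peel(php: str, max_layers: int = 20):
    """Strip nested layers until none is left; returns (plain PHP, layers removed)."""
    layers = 0
    while layers < max_layers and (m := LAYER.search(unescape_hex(php))):
        php = gzinflate(base64.b64decode(m.group(1))).decode("latin-1")
        layers += 1
    return strip_globals_aliases(unescape_hex(php)), layers

def wrap(php: str) -> str:
    """Constructed-sample helper: wrap PHP in one obfuscation layer."""
    b64 = base64.b64encode(gzdeflate(php.encode("latin-1"))).decode()
    return 'eval(gzinflate(base64_decode("%s")));' % b64

# Constructed sample: three layers around a body using GLOBALS aliases and \x escapes.
INNER = ('${"GLOBALS"}["x1"]="tag";${"GLOBALS"}["x2"]="out";'
         '${${"GLOBALS"}["x1"]}="\\x58\\x45\\x52\\x41\\x54\\x55\\x54\\x41";'
         '${${"GLOBALS"}["x2"]}=strtolower(${${"GLOBALS"}["x1"]});echo ${${"GLOBALS"}["x2"]};')
SAMPLE = wrap(wrap(wrap(INNER)))
```

    Running peel(SAMPLE) yields the readable body and the number of layers removed; for a real dropper, feed it the file contents instead of SAMPLE and chuck in newlines at each ";" as joshvm's script does.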

  • by rschmitty on 4/30/14, 9:56 AM

    Rather than trying to undo the damage (will you ever be 100% sure you caught everything?) why not create a new site (edit: as in a new VM/box/image from scratch) and import your data fresh.

    If I was hacked and files were placed on my server, including a 'web shell' I would be very afraid I don't catch everything and it just gets re-hacked.

    Unless this is just a pure curiosity adventure in deobfuscation... then nevermind :)

  • by msantos on 4/30/14, 4:01 PM

    Looks like OP is another victim of Asprox Botnet.

    Create a full snapshot of the machine for forensic analysis later. Then follow @patio11's advice and rebuild from the metal up.

    That's the only sure way you have a "clean" machine; then sieve through the snapshot and try and find the hacker's entry point.

  • by michaelmior on 4/30/14, 12:22 PM

    Fun way to start off the morning. Here's a pull request that deobfuscates the code to the point where it's pretty readable: https://github.com/wouters-frederik/help_me_clear_this_up/pu....

    Aside from decoding the escaped characters, there's a bunch of simple regex replacements to remove all the random variable usage and then a pass through PHP_Beautifier to fix the formatting.

  • by Theodores on 4/30/14, 10:50 AM

    I have been there too. When it happened to one of our clients I Googled the site URL and found some script kiddie had boasted of his antics on Twitter. A bit more Googling and I had his mum's house (he lived there, presumably there was a basement). I was wanting to take matters further, as in get the police to arrest the guy and get him prosecuted for criminal damage. However, my 'superiors' told me to just restore the backup and leave it at that.

    I have to say that I was impressed by the way the hack worked, in this incident and others, I felt that I was up against a far superior adversary.

  • by ibrad on 4/30/14, 9:34 AM

    I had dealt with a similar hack recently and documented it [1]. The difference is mine was in Wordpress. There was a simple file called post.php that evaled anything that was sent in the post var. Have you found out how your server was hacked in the first place? Check your Apache logs for errors; hackers are usually careless when it comes to errors or warnings.

    [1]: http://idiallo.com/blog/2013/11/fixing-3-year-old-hack

  • by johnnyfaehell on 4/30/14, 9:19 AM

    I'm at work, otherwise I would be wasting a good few hours deobfuscating that code. So far I've decoded two files which for the most part seem the same, but the line counts are different.

    Edit: So far php_display seems to allow the attacker the ability to download a file. In common.php at least.

    Edit: https://github.com/icambridge/help_me_clear_this_up/blob/mas... is what I've deobfuscated.

  • by juanrossi on 4/30/14, 12:38 PM

    I used to work for a web hosting company and we saw this kind of attack ALL the time.

    Most of the cases were because of old CMS versions, but in some others the computer uploading the files was infected and the FTP credentials were stolen (change your user/password and analyze FTP logs).

    I would also check the database and do a clean install of the CMS.

    The server could be compromised but I don't think this is the case.

  • by mercer on 4/30/14, 7:12 PM

    At the risk of not adding much of substance to this conversation, I do feel compelled to point out how happy (giddy, even!) it makes me to see so many people jump right on this and investigate, and in part just for the hell of it.

    It's infectious!

    I'm here because I share many of the interests of the people here, and I'm convinced that a big reason why I started 'hacking' more and more over the past years, in part just for the hell of it, is because of the enthusiasm I find in comment sections for links like these.

    Some links show me tricks I didn't know or tools/libraries/frameworks I haven't used before. Some make me curious to try different programming languages. Some articles go way over my head but make me strive harder to get better at whatever it is the article is about. And some, like this one, make me want to code or tinker just for fun.

    I just wanted to say that once, and this seemed like an appropriate moment. Move along.

  • by rawb92 on 4/30/14, 3:06 PM

    I just wanted to chip in here.

    Our website and 2 of our client websites have been compromised like this in the last couple of weeks and they are all across different hosting providers (Zen Hosting and Unlimited Web hosting)

    http://pastebin.com/PkJFTeGs

    Here is a link to the code we found injected into the index page on our FTP and my attempt at decoding it. Interestingly enough it does relay to javaterm.com, as the author's compromised site does as well.

    We are fairly certain it wasn't achieved through our code, as one of the sites is literally 6-7 pages of static html content.

    From what we can tell it only ever affects the index page in the root of a server's FTP. In my case all of the shells were deleted (looking at the FTP logs there were 2-3 uploaded, all with different names).

  • by woutersf on 4/30/14, 9:14 AM

    I have also added some older scripts I found over time in this repo: https://github.com/wouters-frederik/hack_scripts They are not obfuscated as much.
  • by freshyill on 4/30/14, 1:33 PM

    What version of Drupal were you running when the hack happened?
  • by level09 on 4/30/14, 10:03 AM

    Follow your access log and find out how those files got written/requested. In order to solve the problem you need to identify it first. You probably need to check your permissions as well: prevent the apache process from writing to your website root; it should only be able to write to "sites/default/files".
  • by aleem on 4/30/14, 10:33 AM

    The PHP Shell Detector has a large DB of shells that it can help you identify: https://github.com/emposha/PHP-Shell-Detector

    As others have noted, a compromised shell can never be trusted again and you should re-deploy from scratch.

  • by cbg0 on 4/30/14, 9:16 AM

    Use this to deobfuscate: http://www.unphp.net/
  • by mechazawa on 4/30/14, 9:34 AM

    After checking en.php (sorry, didn't have time to check more files) I found two IPs. You could use unphp to deobfuscate the code a bit, but you'll have to do a lot of it by hand, which should not be that hard.

    125.89.44.28 <- Chinese
    62.122.75.2 <- Polish

  • by jetzz on 4/30/14, 9:24 PM

    I understand SQL injections; they access as if a normal db client. XSS attacks can steal cookie data. But how do they hack a php app and get root? Apart from system-command-running-capable functions like eval, how do they do
  • by marlin on 4/30/14, 12:22 PM

    I started on a tool dealing with analysis, https://github.com/martinlindhe/PhpDeobfuscator
  • by MisterBastahrd on 4/30/14, 10:13 AM

    I've seen something like this before. They tend to go after index files and javascript files.
  • by marlin on 4/30/14, 12:42 PM

    The malware has the XERATUTA string: https://github.com/wouters-frederik/help_me_clear_this_up/bl...

    Google reveals several posts about this one.

  • by gcb0 on 4/30/14, 3:11 PM

    OP is probably unaware of other things... Most script kids use rootkits that install modified ps, ls, md5sum, etc., so you can't see the real evil files/daemons.
  • by javaboy on 4/30/14, 9:15 AM

    You can find a decoder for this on the web, see: http://ddecode.com/hexdecoder/?results=513a9e783affb79a578fd...
  • by DonaldDerek on 4/30/14, 11:56 AM

    I'm glad. Because you use Drupal.