Thread: PHP Malware

  1. #1

    PHP Malware

    Hi there,

    today I found an interesting index.php on a client's website.
    The original index.php was renamed to index.php~ and the malicious one tried to send email all day. Fortunately (for the client) the email address was not valid. I guess the site was compromised via an outdated Joomla installation.
    The evil .php file also tried to backdoor the host. There are two backdoor routines - one in Perl and one in C (Base64 encoded ELF file). Due to the invalid email there was no further damage. At least I didn't find any other easter egg so far. I attach the file here.
    Right now I'm waiting for midnight because this is the time when the logs are provided for today (infection was right after midnight), so I might find out, how the infection was done.
    It's fx29shell by Fatalz or FaTaLisTiCz.


    edit: I just found out that the server was infected using RFI (Remote File Inclusion).
    This is the first time I hear about this technique and I find it pretty scary because of its simplicity.

    Password: malware
    Last edited by Darkelf; April 15th, 2010 at 13:06. Reason: Found the way it infected the server

  2. #2
    Kayaker

    Thanks for the change of pace. I haven't looked at it closely yet but from the multitude of google hits it looks somewhat similar to the c99.php shell.

    C99 is something I found out about from the book Detecting Malice by RSnake,

    If you're not familiar with it I recommend finding a copy of the book and browsing around that site (whitehat).

    Remote File Inclusion

    Another interesting thing about a lot of requesting URLs that you will see in your logs, especially if you are running an open source PHP application, is a large chunk of PHP remote file inclusion (RFI) attacks. These attacks are attempting to pull in remote files and execute them on your website. They do this as a way of adding more servers to their networks of compromised machines (or botnets), as well as to gain access to potentially sensitive information on your website. Here’s what one such attack might look like:

    GET /index.php?a= HTTP/1.0

    There is one thing about this URL that stands out beyond the fact that it’s pulling a c99 shell (which is a well known PHP backdoor), and that is the fact that it’s pulling in a remote file at all. This is a bit of anomaly detection because it’s probably not a URL that anyone has ever gone to on your site before. However, it’s also especially likely to be an attack if you don’t have any form of website redirection or any part of your site that allows 3rd party URLs to be inputted as part of the URL structure of your site.

    Note: There is a significant trend towards not doing a first attack with a c99 shell, instead using a small script that just outputs a pre-defined number. If the attacker sees the number in output they will know the attack worked. Every c99 shell invocation usually includes the username and password (specific to the attacker), which in turn gives not only access but control over your machine. They typically control your compromised computer through IRC channels as well as many other previously compromised systems.

    I'll try running it later on my WAMP setup and see what happens. Please post any further info if anyone digs into it deeper.


  3. #3

    I see this shit almost daily. I just checked another one a few minutes ago.
    Another server I maintain unrelated to this place was infected with same type of exploit. The funny thing was they put the scripts in the image folder.
    They didn't use anything intelligent when naming the file so it was pretty obvious when I saw it was being called in the log files.
    I hardened PHP to stop it.

    Beware when hardening PHP, there seems to be a fine line between not enough and too much.

    Learn Or Die.

  4. #4
    Hi guys,

    I guess the reason why I didn't come across this yet, is my client's site being really unimportant. He is running a small real-estate company. I think it was a script-kiddie making some automated scan and exploit. What nags me is, that I'm unable to find anything suspicious in the logs. At the time when infection happened, I see only a chain of calls from a proxy (Brazil-based), but none of the calls looks unusual. Nothing like the call Kayaker posted - nothing that points away from the server. So I'm still clueless how this guy managed to come in. Well, I'm fairly sure it was this RFI thingy and that's quite an itch where I can't scratch. If I find something, I will let you know and if someone wants to see the log, please tell me (I will only remove the sitename).


    Thank you very much for the link. I will try to get a copy of this book. It looks like an interesting read.

    Best regards
    Last edited by Darkelf; April 15th, 2010 at 20:06. Reason: removed some ambiguities. Sorry.

  5. #5
    dELTA
    If the hackers gained control of the server, they may very well have cleaned out the sensitive parts of the log files before you got to them.

    Also, if the payload was injected by means of a POST request, you won't necessarily see anything special in the web logs to begin with.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  6. #6
    you won't necessarily see anything special in the web logs to begin with
    I suppose it depends on your level of logging.

    I don't think they are that technical to remove log entries.

    Learn Or Die.

  7. #7
    Hi dELTA,

    the server in question is a shared-host where the logfile of a day is provided when the day is over. Usually a few minutes after midnight. I noticed the infection the same day it happened, so they were not able to clean the logs. The other logs were also untouched. I'm sure that the calls from Brazil are the ones in charge. Among these, there is also a single POST request (the ONLY one in the whole logfile). I'm not very skilled when it comes to webhacking, but I'm trying to dig a bit deeper, now that I'm affected.

    Best regards
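
Added example, not part of the original thread: a small Python scan of an access log for the two leads discussed above, a query parameter whose value is a remote URL (the RFI pattern in the quoted book passage) and POST requests to PHP scripts, whose bodies never appear in the access log. It assumes Apache combined log format; the sample lines, hosts, paths and the `url_params_ok` allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+')
# Parameter value that starts with a remote URL scheme
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)

def scan(lines, url_params_ok=()):
    """Return (line_no, client, rule, detail) leads for manual review.

    url_params_ok: paths that legitimately take a URL parameter (e.g. a
    redirector); a hypothetical allowlist to cut false positives.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        try:
            parts = urlsplit(target)
        except ValueError:
            findings.append((n, client, "unparsable-target", target))
            continue
        if parts.path not in url_params_ok:
            for key, value in parse_qsl(parts.query, keep_blank_values=True):
                # parse_qsl decodes once; unquote again for double encoding
                if REMOTE_RE.match(unquote(value)):
                    findings.append((n, client, "remote-url-param",
                                     f"{parts.path}?{key}="))
        # The access log has no request body, so a POST to a script is only
        # a lead: correlate by client and time with files changed on disk.
        if method == "POST" and parts.path.lower().endswith(".php"):
            findings.append((n, client, "post-to-script", parts.path))
    return findings

# Constructed sample lines (documentation addresses, made-up paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Apr/2010:00:01:12 +0200] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/Apr/2010:00:03:40 +0200] "GET /index.php?a=http://files.example.test/probe.txt? HTTP/1.0" 200 312',
    '198.51.100.7 - - [15/Apr/2010:00:03:55 +0200] "GET /index.php?a=http%253A%252F%252Ffiles.example.test%252Fprobe.txt HTTP/1.0" 200 312',
    '198.51.100.7 - - [15/Apr/2010:00:04:02 +0200] "POST /images/x.php HTTP/1.0" 200 48',
    '192.0.2.10 - - [15/Apr/2010:00:05:00 +0200] "GET /redirect.php?to=http://www.example.test/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for lead in scan(SAMPLE_LOG, url_params_ok=("/redirect.php",)):
        print(lead)
```
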

  8. #8
    Kayaker
    That's actually very cool. I was going to attach a snapshot of what it looks like on my Windows system but it doesn't come out very well. If interested google for 'Fx29Sh' and look for a black GUI/green text showing a victim's directory listing.

    Actually, here's an example image

    and another version of the script (sans backdoor)

    I extracted the base64 encoded 'backdoor' functions and have attached them for interest. 'Backc' and 'Shdb' are ELF files, 'Back' is a Perl script. The small php script I used to decode them, basically ripped from the main file, is included. Even the icon images are base64 encoded and rendered inline.

  9. #9
    I was doing the same as Kayaker yesterday,

    as for logs, no big surprise that it doesn't show anything interesting, look at that.

    array("wget WIPELOGS PT1","wget"),
    array("gcc WIPELOGS PT2","gcc zap2.c -o zap2"),
    array("Run WIPELOGS PT3","./zap2"),
    It is not only looking/acting like c99 shell but also r57 and w4ck1ng shells.