

One of my Drupal sites was hacked - woutersf
https://github.com/wouters-frederik/help_me_clear_this_up
I'm just curious, what did he/she install (listed the php files in the github repo).
It would be nice to know what those php files do. Any help demystifying/decoding the php files is much appreciated.
======
patio11
This is fairly straightforward ratware. Is there anything in particular you
wish to know about how it operates?

browser.php is an amusing one for reversing obfuscation tricks, if anyone
wants practice.

You should treat the server as compromised and rebuild from metal, by the way.
I know that is annoying as heck but they clearly got code execution and you
can therefore assume they had root if they wanted it and that any attempts to
detect whether they did are useless because their rootkit makes the box lie to
you about its current state.

~~~
porker
> You should treat the server as compromised and rebuild from metal, by the
> way. I know that is annoying as heck but they clearly got code execution and
> you can therefore assume they had root if they wanted it and that any
> attempts to detect whether they did are useless because their rootkit makes
> the box lie to you about its current state.

Is privilege escalation that easy/common? Thinking esp of the number of shared
hosting providers out there, if a user account is compromised they don't
assume the entire server is compromised.

Now ok, www-data isn't any old user account, but the same principle applies?

~~~
peterwwillis
Shared hosting providers stay in business with the principle that somehow they
provide a relatively secure platform for their users, so a few of them do
harden their systems enough to prevent _most_ priv escalation. But one buffer
overflow and a lack of mandatory access control later and you've got gold.
Priv escalation exploits have been so common in Linux in the past decade that
I would consider local access the same as root access [without MAC like grsec
or selinux enabled].

~~~
porker
I am definitely going to reinvestigate putting every user's data in their own
container. When I last looked the options were FreeBSD Jails (not appealing)
or Solaris Zones (interesting but a whole new OS); now with LXC maybe that can
assist? There must be a way to harden things further...

~~~
jafaku
Why not Docker? (lxc)

~~~
peterwwillis
Docker is not designed to isolate the root user from the rest of your system,
and containers/capabilities are not MAC-based security. Docker strips 16
capabilities when it runs a container, leaving 23 additional capabilities to
be abused by root, and whatever other vulnerabilities are left that
capabilities don't cover. To prevent this you need guest isolation via
virtualization.

[https://wiki.ubuntu.com/LxcSecurity](https://wiki.ubuntu.com/LxcSecurity)
[http://www.infoq.com/news/2013/09/docker-container-security](http://www.infoq.com/news/2013/09/docker-container-security)
[http://s3hh.wordpress.com/2013/07/19/creating-and-using-cont...](http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/)

------
wernerb
Well you can decode the code where you have no idea at
[http://www.unphp.net](http://www.unphp.net).

Here is what main.php does:
[http://www.unphp.net/decode/3aaa2bc88be0e162fc3ca8786a2f8f82...](http://www.unphp.net/decode/3aaa2bc88be0e162fc3ca8786a2f8f82/)

Found the following url somewhere: 78.138.127.174/2701dfbvcxff.php

Use [http://ip-lookup.net/index.php](http://ip-lookup.net/index.php) to get to
some abuse email addresses and inform them that the ip is involved in hacking.

Anyway this was just my quick glance, good luck!

------
crypt1d
So I took index.php with preg_replace :)

I took the first function and decoded the first bytes of hex, which gave the
infamous eval(gzinflate(base64_decode( function. Then I used
[http://www.whitefirdesign.com/tools/deobfuscate-php-hack-cod...](http://www.whitefirdesign.com/tools/deobfuscate-php-hack-code.html) to
decode the rest and got a group of variables with hex data that were being grouped
together like this eval($xwq2ay . $xq9mar . $xb4jym . $xm0hy3); (full version
available here - [http://pastebin.com/7V951cRK](http://pastebin.com/7V951cRK))

Decoding this hex gave me another set of preg_replace functions, which were
doing the same thing pretty much. And then again the same, except two
preg_replace were being called. Eventually I got something like this
[http://pastebin.com/JP1eukca](http://pastebin.com/JP1eukca)

The hex stored in $a and $b are just a clever way of masking
gzinflate(base64_decode( so I took the rest of the data, put it into the
decoder and finally got to some proper code -
[http://pastebin.com/A0G290cE](http://pastebin.com/A0G290cE)
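
The eval(gzinflate(base64_decode('...'))) layering crypt1d peeled by hand can be unwrapped statically. The Python below is an added example, not code from the thread: it swaps each PHP decoder for its Python equivalent (generalized beyond the thread's gzinflate/base64 chain to str_rot13 and gzuncompress) and never executes anything; the input it tests against is a constructed benign payload wrapped the same way.

```python
import base64
import codecs
import re
import zlib

# One eval() layer: a chain of decoder calls around a single quoted string literal,
# e.g. eval(gzinflate(base64_decode('...')));
LAYER_RE = re.compile(
    r"""eval\(\s*((?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)"""
    r"""(['"])(.*?)\2\s*\)+\s*;?""",
    re.DOTALL,
)

def apply_decoders(chain, data):
    """Apply the PHP decoder chain innermost first (right to left in the source)."""
    names = re.findall(r"[a-z0-9_]+", chain)
    for name in reversed(names):
        if name == "base64_decode":
            data = base64.b64decode(data)
        elif name == "gzinflate":          # raw DEFLATE, no zlib header
            data = zlib.decompress(data, -zlib.MAX_WBITS)
        elif name == "gzuncompress":       # zlib-wrapped DEFLATE
            data = zlib.decompress(data)
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    return data

def unwrap(code, max_layers=50):
    """Peel eval() layers statically. Returns (innermost code, layers removed).
    Nothing is executed: each PHP decoder is replaced by its Python equivalent."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(code)
        if not m:
            break
        code = apply_decoders(m.group(1), m.group(3).encode("latin-1")).decode("latin-1")
        layers += 1
    return code, layers

def wrap_sample(payload, times=3):
    """Constructed test input: wrap a harmless payload the way the dropper does."""
    for _ in range(times):
        comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        deflated = comp.compress(payload.encode("latin-1")) + comp.flush()
        b64 = base64.b64encode(deflated).decode("ascii")
        payload = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % b64
    return payload

if __name__ == "__main__":
    code, n = unwrap(wrap_sample("<?php echo 'constructed benign payload'; ?>"))
    print("%d layers removed -> %s" % (n, code))
```

Layers built with string concatenation, as in the eval($a . $b . ...) form crypt1d found, still need the pieces joined by hand first; the unwrapper only handles a literal inside the decoder chain.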

~~~
crypt1d
So since you nerd sniped me already, I took all three functions from
index.php and decoded them, here is the output:
[http://pastebin.com/8vq5S94A](http://pastebin.com/8vq5S94A)

The code uses a curl to [removed]

The HTML source code of the link shows another obfuscated JavaScript code:
[http://pastebin.com/1WLYMp0E](http://pastebin.com/1WLYMp0E)

EDIT: I removed the curl link as it might be some unpatched exploit

~~~
crypt1d
Finally, the javascript decodes to something like this
[http://pastebin.com/13HrVgBr](http://pastebin.com/13HrVgBr)

~~~
userbinator
The next level below that:

[http://pastebin.com/zYgcjtK1](http://pastebin.com/zYgcjtK1)

And Googling the URL there gets us to something familiar, which someone else
has written up before:

[http://tweetypage.com/wordpress-hacked/](http://tweetypage.com/wordpress-hacked/)

The "IE9 Bugfix" and "IE 4 compatible" comments made me chuckle a little.

However, it looks like the page is somehow referer or IP-sensitive, since
Google's cache of it goes to something intended to show popups while curling
from my machine gets a fake Adobe Flash page with a nice binary to download -
only 13.5KB (I only _wish_ the real plugin was so small!) but packed and
obfuscated. Nevertheless it's a pretty dismal obfuscation as I can see some
strings like "qemu" and "vbox" which suggest it has VM detection. Google
doesn't know its SHA-1 so there's no other public analysis of this one yet.

I don't have time right now but looks like this rabbit hole gets deeper and
deeper...

------
joshvm
Simple python script to deobfuscate the hex and replace the junk variables:

    import re

    with open('test.php') as a:
        line = a.readlines()

    # Replace hex values with ASCII, regex to find the \x values and a lambda to replace each match individually
    def decoder(char):
        # char is a '\xNN' escape; decode the two hex digits (latin-1 keeps every byte value)
        return bytes.fromhex(char[2:]).decode("latin-1")

    unhex = re.sub(r"\\x[a-fA-F0-9]{2}", lambda m: decoder(m.group()), line[0])

    # Replace ${"GLOBALS"}["foo"]="bar": every later ${${"GLOBALS"}["foo"]} is really $bar
    for match in re.findall(r'\$\{"GLOBALS"\}\["[a-z0-9]+"\]="[a-z0-9]+"', unhex):
        variable = re.findall(r'"(.*?)"', match)
        pattern = r'\$\{\$\{"GLOBALS"\}\["' + variable[1] + r'"\]\}'
        unhex = re.sub(pattern, '$' + variable[2], unhex)
        unhex = unhex.replace(match + ";", '')

    # Replace $bar = "foo" (word boundary so that $x does not also rewrite $xy)
    for match in re.findall(r'\$[a-z0-9]+="[a-z0-9]+"', unhex):
        replace = re.findall(r'"(.*?)"', match)[0]
        pattern = re.findall(r'\$[a-z0-9]+', match)[0]
        unhex = unhex.replace(match + ";", '')
        unhex = re.sub(re.escape(pattern) + r'\b', replace, unhex)

    # Chuck in newlines
    unhex = unhex.replace(";", ";\n ")

    with open('out.php', 'w') as b:
        b.write(unhex)

The files all seemed to be one liners, so this works. More work to replace
everything else though. Blergh.

Edited to include variable replacement. I think there are some catches with
things like ${sgasklgna} but it largely works. Just needs prettifying.

~~~
michaelmior
Note that to decode escaped characters you can just use

    
    
        str.decode('string-escape')

~~~
joshvm
Thanks for that, I wasn't aware there was a built-in to handle strings where
there's mixed ascii/hex content.

------
rschmitty
Rather than trying to undo the damage (will you ever be 100% sure you caught
everything?) why not create a new site (edit: as in a new VM/box/image from
scratch) and import your data fresh.

If I was hacked and files were placed on my server, including a 'web shell' I
would be very afraid I don't catch everything and it just gets re-hacked.

Unless this is just a pure curiosity adventure in deobfuscation... then
nevermind :)

~~~
mixedbit
One problem is that a truly full cleanup of a hacked website should in theory
include manual cleanup of all clients' caches (not really practical).
Otherwise, malicious index.html (for example with JavaScript that sends
cookies to an attacker) could remain cached by the clients forever.

~~~
sgentle
That's a really interesting point, I'd never thought of that. Worse still, you
could do some trickery with app cache manifests to prevent cache cleans/page
refreshes from fixing it, maybe even forever.

I spent a bit of time messing around with that approach, and came up with
this:
[https://github.com/sgentle/hackcache](https://github.com/sgentle/hackcache)

------
msantos
Looks like OP is another victim of Asprox Botnet.

Create a full snapshot of the machine for forensic analysis later. Then follow
@patio11's advice and rebuild from the metal up.

That's the only sure way you have a "clean" machine, then sieve through the
snapshot and try and find the hacker's entry point.

~~~
msantos
An easy starting point is checking for a large number of XSS-alike requests in
your httpd logs.

... a dirty example (I apologise in advance)

    
    
        grep --color=auto -i -s -P "(\/cgi-bin\/|\.exe|phpmyadmin|awstats|acunetix|(%22|%27|'|\")(%20| |\+)*and[^\w]|sqlmap|xss|BENCHMARK|eval[^\w]|phpinfo|[^\w]ord[^\w]|md5[^\w]|substr|information_schema|prompt|iframe|base64|waitfor|script[^\w]|[^\w]sleep[^\w]|hex[^\w]|unhex|chr[^\w]|char[^\w]|concat[^\w]|concat_ws|windows.*?win\.ini|union.*?select|etc.*?shadow|etc.*?passwd|\.\.\/|%(25)*2E%(25)*2E%(25)*2F|\.\.%(25)*2F|\/\.\/|%(25)*2F%(25)*2E%(25)*2F|%(25)*2F\.%(25)*2F|\\|%(25)*5C|%(25)*45%(25)*45|%[01][0-9ABCDEF])" access_log
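
A comparable check in Python, added here and not part of msantos' comment: it percent-decodes the request path before matching (the grep above has to spell out encoded variants such as %(25)*2E by hand), tags each hit by indicator class and counts hits per source address. The access_log lines are constructed, with addresses from the documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log line (the constructed sample below uses this layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Indicator classes, matched against the percent-decoded request path
INDICATORS = {
    "sqli": re.compile(r"union\s+select|information_schema|benchmark\(|waitfor|sleep\(|concat\(", re.I),
    "traversal": re.compile(r"\.\./|/etc/passwd|/etc/shadow", re.I),
    "xss": re.compile(r"<script|javascript:|onerror=|prompt\(|<iframe", re.I),
    "shell": re.compile(r"eval\(|base64_decode|phpinfo|system\(|passthru\(", re.I),
}

def decode_path(path):
    """Undo up to two rounds of percent-encoding, so %252e%252e%252f (double-encoded ../) is seen as ../."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan(lines):
    """Return (ip, decoded path, [indicator classes]) for each request that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m.group("path"))
        tags = [name for name, rx in INDICATORS.items() if rx.search(path)]
        if tags:
            hits.append((m.group("ip"), path, tags))
    return hits

def top_sources(hits, threshold=3):
    """Source IPs with at least `threshold` flagged requests, most active first."""
    counts = Counter(ip for ip, _, _ in hits)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed access_log sample: four probes from one address, one normal page view
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2013:03:14:07 +0000] "GET /index.php?id=1%27%20union%20select%201,2,3-- HTTP/1.1" 200 512 "-" "sqlmap/1.0"',
    '192.0.2.10 - - [10/Nov/2013:03:14:08 +0000] "GET /?q=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 220 "-" "-"',
    '192.0.2.10 - - [10/Nov/2013:03:14:09 +0000] "GET /search?q=%3Cscript%3Eprompt(1)%3C/script%3E HTTP/1.1" 200 1280 "-" "-"',
    '192.0.2.10 - - [10/Nov/2013:03:14:10 +0000] "POST /sites/default/files/en.php?c=eval(base64_decode(Zm9v)) HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.7 - - [10/Nov/2013:03:15:00 +0000] "GET /node/12 HTTP/1.1" 200 8044 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, tags, path)
    print("noisy sources:", top_sources(scan(SAMPLE_LOG)))
```

Feed it `open("access_log")` instead of SAMPLE_LOG on a real box; the per-IP count is what separates a scanner's burst from the odd false positive on a legitimate search term.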

------
michaelmior
Fun way to start off the morning. Here's a pull request that deobfuscates the
code to the point where it's pretty readable [https://github.com/wouters-frederik/help_me_clear_this_up/pu...](https://github.com/wouters-frederik/help_me_clear_this_up/pull/4).

Aside from decoding the escaped characters, there's a bunch of simple regex
replacements to remove all the random variable usage and then a pass through
PHP_Beautifier to fix the formatting.

------
Theodores
I have been there too. When it happened to one of our clients I Googled the
site URL and found some script kiddie had boasted of his antics on Twitter. A
bit more Googling and I had his mum's house (he lived there, presumably there
was a basement). I was wanting to take matters further, as in get the police
to arrest the guy and get him prosecuted for criminal damage. However, my
'superiors' told me to just restore the backup and leave it at that.

I have to say that I was impressed by the way the hack worked, in this
incident and others, I felt that I was up against a far superior adversary.

------
ibrad
I had dealt with a similar hack recently and documented it [1]. The difference
is mine was in Wordpress. There was a simple file called post.php that evaled
anything that was sent in the post var. Have you found out how your server was
hacked in the first place? Check your Apache logs for errors; hackers are
usually careless when it comes to errors or warnings.

[1]: [http://idiallo.com/blog/2013/11/fixing-3-year-old-hack](http://idiallo.com/blog/2013/11/fixing-3-year-old-hack)

------
johnnyfaehell
I'm at work, otherwise I would be wasting a good few hours deobfuscating that
code. So far I've decoded two files which for the most part seem the same but
the line counts are different.

Edit: So far php_display seems to allow the attacker the ability to download a
file. In common.php at least.

Edit :
[https://github.com/icambridge/help_me_clear_this_up/blob/mas...](https://github.com/icambridge/help_me_clear_this_up/blob/master/common.php)
what I've deobfuscated.

------
juanrossi
I used to work for a web hosting company and we saw this kind of attack ALL
the time.

Most of the cases were because of old CMS versions, but in some others the
computer uploading the files was infected and the FTP credentials were stolen
(change your user/password and analyze FTP logs).

I would also check the database and do a clean install of the CMS.

The server could be compromised but I don't think this is the case.

~~~
themodelplumber
Best answer I've seen so far. The takeaway from the guys on the front lines is
usually that a full server compromise is rare and that FTP creds were stolen
from a client via malware. The result is a simple drive-by that is relatively
easy to clean up.

------
mercer
At the risk of not adding much of substance to this conversation, I do feel
compelled to point out how happy (giddy, even!) it makes me to see so many
people jump right on this and investigate, and in part just for the hell of
it.

It's infectious!

I'm here because I share many of the interests of the people here, and I'm
convinced that a big reason why I started 'hacking' more and more over the
past years, in part just for the hell of it, is because of the enthusiasm I
find in comment sections for links like these.

Some links show me tricks I didn't know or tools/libraries/frameworks I
haven't used before. Some make me curious to try different programming
languages. Some articles go way over my head but make me strive harder to get
better at whatever it is the article is about. And some, like this one, make
me want to code or tinker just for fun.

I just wanted to say that once, and this seemed like an appropriate moment.
Move along.

------
rawb92
I just wanted to chip in here.

Our website and 2 of our client websites have been compromised like this in
the last couple of weeks and they are all across different hosting providers
(Zen Hosting and Unlimited Web hosting).

[http://pastebin.com/PkJFTeGs](http://pastebin.com/PkJFTeGs)

Here is a link to the code we found injected into the index page on our FTP
and my attempt at decoding it. Interestingly enough it does relay to
javaterm.com as the author's compromised site does as well.

We are fairly certain it wasn't achieved through our code as one of the sites
is literally 6-7 pages of static html content.

From what we can tell it only ever affects the index page in the root of a
server's FTP. In my case all of the shells were deleted (looking at the FTP
logs there were 2-3 uploaded, all with different names).

------
woutersf
I have also added some older scripts I found over time in this repo:
[https://github.com/wouters-frederik/hack_scripts](https://github.com/wouters-frederik/hack_scripts) They are not obfuscated as much.

~~~
slang800
Do your sites get "hacked" frequently, or are you just really interested in
finding and dissecting viruses installed into servers?

~~~
woutersf
haha no, the 1-5.php I found a long time ago (7 yrs or something like that). I
just kept it because I thought it was cool you couldn't mail them (gmail thinks
they are viruses). The drupal 7.22 hack was for a client who against my advice
wanted to choose his own hosting server (from a friend). So I'm not really
bothered they got hacked. It's just cool dissecting this stuff.

------
freshyill
What version of Drupal were you running when the hack happened?

------
level09
Follow your access log and find out how those files got written/requested. In
order to solve the problem you need to identify it first. You probably need to
check your permissions as well: prevent the apache process from writing to your
website root, it should only be able to write to "sites/default/files".
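
To check the rule level09 states (the Apache user may write only under sites/default/files), here is an added Python audit that is not from the thread. It judges writability from mode bits against an assumed web server uid/gid passed in as parameters, walks a constructed Drupal-like tree, and reports everything outside the allowed upload directory that the web server could write, including the docroot itself (reported as ".").

```python
import os
import shutil
import stat
import tempfile

def writable_by(st, uid, gid):
    """Could a process with this uid/gid write the file, judging by mode bits alone?"""
    m = st.st_mode
    if st.st_uid == uid and m & stat.S_IWUSR:
        return True
    if st.st_gid == gid and m & stat.S_IWGRP:
        return True
    return bool(m & stat.S_IWOTH)

def audit(docroot, uid, gid, allow=("sites/default/files",)):
    """Relative paths (docroot itself is '.') the web server uid/gid could write
    and that are not inside an allowed upload directory, sorted."""
    findings = []
    if writable_by(os.lstat(docroot), uid, gid):
        findings.append(".")
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if any(rel == a or rel.startswith(a + os.sep) for a in allow):
                continue
            if writable_by(os.lstat(full), uid, gid):
                findings.append(rel)
    return sorted(findings)

def build_sample_docroot():
    """Constructed tree: index.php left world-writable (the defect to catch),
    sites/default/files writable (allowed), everything else 0755/0644."""
    root = tempfile.mkdtemp()
    for d in ("includes", "sites", "sites/default", "sites/default/files"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(os.path.join(root, "sites/default/files"), 0o777)
    for rel, mode in (("index.php", 0o666), ("includes/bootstrap.inc", 0o644),
                      ("sites/default/files/upload.txt", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("constructed\n")
        os.chmod(path, mode)
    return root

def demo():
    root = build_sample_docroot()
    try:
        # Assumed Apache identity: a uid/gid that owns nothing in the tree, as www-data should not
        www_uid, www_gid = os.getuid() + 1000, os.getgid() + 1000
        return audit(root, www_uid, www_gid)   # expect ['index.php']
    finally:
        shutil.rmtree(root)
```

On a real host, pass the docroot and the numeric uid/gid of the Apache user (for example from `id www-data`) to audit() instead of calling demo().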

~~~
woutersf
Thanks for your comment. I will advise my client to take proper hosting
instead. "Getting hacked" was only one of the many troubles we had (and I
advised other hosting in the past already).

------
aleem
The PHP Shell Detector has a large DB of shells that it can help you identify:
[https://github.com/emposha/PHP-Shell-Detector](https://github.com/emposha/PHP-Shell-Detector)

As others have noted, a compromised shell can never be trusted again and you
should re-deploy from scratch.

------
cbg0
Use this to deobfuscate: [http://www.unphp.net/](http://www.unphp.net/)

------
mechazawa
After checking en.php (sorry, didn't have time to check more files) I found two
IPs. You could use unphp to deobfuscate the code a bit but you'll have to do
a lot of it by hand, which should not be that hard.

125.89.44.28 <- Chinese 62.122.75.2 <- Polish

------
jetzz
I understand SQL injections: they access the database as if they were a normal
DB client. XSS attacks can steal cookie data. But how do they hack a PHP app and
get root? Apart from functions capable of running system commands, like eval,
how do they do it?

------
marlin
I started on a tool dealing with analysis,
[https://github.com/martinlindhe/PhpDeobfuscator](https://github.com/martinlindhe/PhpDeobfuscator)

------
MisterBastahrd
I've seen something like this before. They tend to go after index files and
javascript files.

------
marlin
the malware has XERATUTA string, [https://github.com/wouters-frederik/help_me_clear_this_up/bl...](https://github.com/wouters-frederik/help_me_clear_this_up/blob/master/Y8QRtVMn.php#L5)

Google reveals several posts about this one

------
gcb0
OP is probably unaware of other things... Most script kids use rootkits that
install modified ps, ls, md5sum, etc... So you can't see the real evil
files/daemons

------
javaboy
You can find a decoder for this on the web, see:
[http://ddecode.com/hexdecoder/?results=513a9e783affb79a578fd...](http://ddecode.com/hexdecoder/?results=513a9e783affb79a578fd48d10b8a570)

------
DonaldDerek
I'm glad. Because you use Drupal.

