Hacked

I’ve been helping a friend of mine with his website, writing some HTML, JavaScript, CSS, PHP and such. Anyway, today I went in to upload some files to the site and noticed there were a bunch of new php files scattered throughout the site. Knowing that my friend doesn’t know PHP, I downloaded a few to see what they were and found they had code in them that was written in such a way as to conceal what the code was doing.

I’ll give an example, not from the actual script:

$var1="941eb";$var2="3*v&";$var3="(thr";$var4="$ j7";$var5="&08a93ez";

// each term picks a single character out of one of the strings above; joined together they spell "1337atr 4evr"
echo $var1[2]. $var2[0]. $var2[0]. $var4[3]. $var5[3]. $var3[1]. $var3[3]. $var4[1]. $var1[1]. $var5[6]. $var2[2]. $var3[3];

If you’re familiar with PHP or programming in general you can see that this is essentially a cipher. In the code I downloaded I was able to decipher some of it (I didn’t care to spend that much time on it) and found that it said ‘create_function lambda_1’, so it was creating a function and then appeared to be passing some arguments to that function, which would’ve been run on the server.

The php files were scattered throughout the site and most of them had filenames that were the same as files that already existed on the server, but with the .php extension and something like ‘_infoold’ or ‘_ver1’ appended before the extension. I’m thinking the idea would’ve been to hide the files so they would be easily overlooked: because they had the same names as other files existing on the server, you’d just pass over them and not notice them. I noticed because I created an FTP application for my friend to use with his website, and this application gives icons to certain file types, so the extra php icons stood out immediately.

Does anyone know what someone might have been trying to do? There isn’t anything particularly relevant on my friend’s site worth hacking, I don’t think, and none of the files on the server appeared to have been modified. Anyone have some experience with this?

sounds like a worm?

That is an awesome way to hide code. I like it.

If you have a copy of the files I’d be very interested to take a look at them.

I’ll double check, but I’m pretty sure I deleted all the files. Since I didn’t know what they did I didn’t want to leave them lying around ya know. It seemed as though it might have been auto-generated, the code was all over the place with multiple line breaks in the middle of statements and numerous statements on single lines with no white space between. I’m thinking someone wrote the code and then passed it through an application to turn it into the cipher.

Edit:
Yeah I deleted all the files, but I did notice that the .htaccess file in the root directory was modified to include the following line:
RewriteRule ^(.*)$ concentrated-frivolous.php?$1 [L]

The file in that line, concentrated-frivolous.php, was one of the strange php files I found and deleted. There were two things different about that particular file compared to the others. First, it was the only one that didn’t copy the name of another existing file on the server, and second, it didn’t contain that much cipher; instead it had some code in it combined with one long encrypted string.
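A defender-side triage script for the three things described in this post and the first one (string-index concatenation feeding create_function, rogue .php files named after files that already exist, and a catch-all RewriteRule in .htaccess), added here as an example. It is not code from the thread or from the friend’s site: the web root it scans is a constructed in-memory stand-in that reuses the thread’s own obfuscated line, and every other file in it is made up to exercise one check.

```python
import os
import re
from typing import Dict, List

# Constructed stand-in for the web root (path -> contents). The real files were
# deleted, so the cipher line is the thread's own example and the rest is invented.
SITE: Dict[str, str] = {
    "index.php": "<?php include 'header.php'; ?>",
    "contact.php": "<?php mail($to, $subject, $body); ?>",
    "logo.png": "<binary image data>",
    "contact_infoold.php": r'''<?php
$var1="941eb";$var2="3*v&";$var3="(thr";$var4="$ j7";$var5="&08a93ez";
$f=$var1[2]. $var2[0]. $var2[0]. $var4[3]. $var5[3]. $var3[1]. $var3[3]. $var4[1]. $var1[1]. $var5[6]. $var2[2]. $var3[3];
$g=create_function('', $f);
''',
    # a long opaque literal, standing in for the "one long encrypted string"
    "logo_ver1.php": "<?php $blob=\"" + "Qm9n" * 40 + "\"; ?>",
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ concentrated-frivolous.php?$1 [L]\n",
    "style.css": "body { margin: 0 }",
}

INDEX_TERM = re.compile(r"\$(\w+)\[(\d+)\]")                       # one $var[n] pick
INDEX_CHAIN = re.compile(r"(?:\$\w+\[\d+\]\s*\.\s*){4,}\$\w+\[\d+\]")  # 5+ picks joined with '.'
STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')         # $var="literal";
DYNAMIC_CODE = re.compile(r"\b(create_function|eval)\s*\(")
LONG_LITERAL = re.compile(r"""(["'])[^"'\s]{120,}\1""")
CATCH_ALL = re.compile(r"^\s*RewriteRule\s+\^\(\.\*\)\$\s+(\S+)", re.M)
MIMIC_STEM = re.compile(r"^(.+)_[A-Za-z0-9]+$")                    # "<stem>_<tag>"


def resolve_index_chain(content: str, chain: str) -> str:
    """Rebuild the string an index chain produces, using only the literal
    assignments found in the same file. No PHP is ever executed."""
    strings = dict(STRING_ASSIGN.findall(content))
    return "".join(strings[name][int(i)] for name, i in INDEX_TERM.findall(chain))


def scan_php(content: str) -> List[str]:
    findings: List[str] = []
    for chain in INDEX_CHAIN.findall(content):
        try:
            findings.append(f"string-index cipher builds {resolve_index_chain(content, chain)!r}")
        except (KeyError, IndexError):
            findings.append("string-index cipher (could not resolve statically)")
    for m in DYNAMIC_CODE.finditer(content):
        findings.append(f"runtime code execution via {m.group(1)}()")
    if LONG_LITERAL.search(content):
        findings.append("long opaque string literal (possible encoded payload)")
    return findings


def scan_htaccess(content: str) -> List[str]:
    # ^(.*)$ routed to one script means every URL on the site hits that script first
    return [
        f"catch-all RewriteRule routes every request through {m.group(1).split('?')[0]}"
        for m in CATCH_ALL.finditer(content)
    ]


def mimic_names(paths: List[str]) -> Dict[str, List[str]]:
    """Map each .php file named <existing stem>_<tag>.php to the file(s) it shadows."""
    by_stem: Dict[str, List[str]] = {}
    for p in paths:
        by_stem.setdefault(os.path.splitext(p)[0], []).append(p)
    hits: Dict[str, List[str]] = {}
    for p in paths:
        stem, ext = os.path.splitext(p)
        m = MIMIC_STEM.match(stem)
        if ext == ".php" and m and m.group(1) in by_stem:
            hits[p] = sorted(by_stem[m.group(1)])
    return hits


def triage(site: Dict[str, str]) -> Dict[str, List[str]]:
    """Return path -> findings for every file that tripped at least one check."""
    report: Dict[str, List[str]] = {}
    for path, names in mimic_names(list(site)).items():
        report.setdefault(path, []).append(f"name shadows existing file(s) {', '.join(names)}")
    for path, content in site.items():
        if os.path.basename(path) == ".htaccess":
            found = scan_htaccess(content)
        elif path.endswith(".php"):
            found = scan_php(content)
        else:
            continue
        if found:
            report.setdefault(path, []).extend(found)
    return report


if __name__ == "__main__":
    for path, findings in sorted(triage(SITE).items()):
        print(path)
        for f in findings:
            print("   -", f)
```

The name check will also flag perfectly legitimate pairs such as admin.php next to admin_login.php, so treat it as a prompt to look, not a verdict; the cipher resolver only handles chains of plain `$var[n]` picks over double-quoted literals in the same file, which is enough for the style shown in the thread and falls back to a generic finding otherwise. On a real tree you would read the files from disk into the same dict and keep copies of anything flagged before deleting it, since the files themselves are the evidence of what was attempted.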

Yeah it really does look like a worm,

as for info on how to solve it… I don’t really know… at all… It even took me a while to realise "$var1="941eb";$var2="3*v&";$var3="(thr";$var4="$ j7";$var5="&08a93ez";" was a variable and was replicating itself.

I certainly don’t know if it was a worm or not. He has a PayPal donation button set up on his site, so I wonder if maybe someone was trying to hijack that or something, though the button code itself was not modified.

Mentioning a worm did get me thinking about something else though. I’m getting ready to set up a blog on his site and, rather than use WordPress, I’m going to write my own blogging system to tie into the administration site I wrote for him so he doesn’t need multiple logins and multiple admin pages to worry about. Mentioning worm got me thinking about uploading images for the blog: if he deletes a blog it can’t delete the images associated with the blog because other blog posts might be using the same images, and deleting them with the blog would break those links, but not deleting them would eat up his limited storage space in the long run. I think I’ll add a script that he can run that will search through all his blogs to determine what images are still in use and then delete all the unused images.

P.S. The admin site I wrote for him wasn’t hacked so I think the custom password salting/hashing I wrote works well enough :smiley:
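One way to write the clean-up script described above, added here as an example rather than anything from the thread or the friend’s admin site. It assumes the post bodies have already been loaded from his database as HTML strings; the posts and upload names below are constructed sample data. It also goes a step beyond the post: it will only ever delete file types the blog is expected to hold, and anything else sitting in the upload folder (a stray .php file, for instance) is reported for a human to look at instead.

```python
import os
import re
from typing import Dict, List, Set
from urllib.parse import unquote

# Constructed sample data: post bodies keyed by post id, and the names currently
# sitting in the uploads folder. Invented for this example.
POSTS: Dict[int, str] = {
    1: '<p>Trip report</p><img src="/uploads/cat.jpg"><img src="/uploads/dog.png">',
    2: "<p>Follow-up</p><img src='/uploads/cat.jpg' alt='same cat again'>",
    3: '<a href="/uploads/menu%202024.pdf">menu</a>',
}
UPLOADS: Set[str] = {
    "cat.jpg", "dog.png", "menu 2024.pdf", "old-banner.gif", "draft.png",
    "contact_infoold.php",  # the kind of thing that should never be in here
}

# Only these may ever be deleted automatically; everything else is reported, not touched.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf"}

# src= / href= values pointing into the uploads folder, absolute or relative,
# with any query string or fragment cut off.
UPLOAD_REF = re.compile(
    r"""(?:src|href)\s*=\s*["']?(?:https?://[^/"'\s]+)?/?uploads/([^"'\s>?#]+)""", re.I
)


def referenced_uploads(posts: Dict[int, str]) -> Set[str]:
    """Every upload name that at least one post still points at (URL-decoded)."""
    return {unquote(name) for body in posts.values() for name in UPLOAD_REF.findall(body)}


def classify_uploads(posts: Dict[int, str], uploads: Set[str]) -> Dict[str, List[str]]:
    """Split the folder into files safe to delete and files a person should inspect."""
    in_use = referenced_uploads(posts)
    result: Dict[str, List[str]] = {"unused": [], "unexpected": []}
    for name in sorted(uploads):
        if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
            result["unexpected"].append(name)
        elif name not in in_use:
            result["unused"].append(name)
    return result


def prune(uploads_dir: str, posts: Dict[int, str], dry_run: bool = True) -> List[str]:
    """Delete (or, with dry_run, only list) unreferenced files of allowed types."""
    report = classify_uploads(posts, set(os.listdir(uploads_dir)))
    for name in report["unexpected"]:
        print(f"left alone, not a type this folder should hold: {name}")
    for name in report["unused"]:
        if dry_run:
            print(f"would delete {name}")
        else:
            os.remove(os.path.join(uploads_dir, name))
    return report["unused"]


if __name__ == "__main__":
    print(classify_uploads(POSTS, UPLOADS))
```

Feed it every post, drafts included, or an image used only by an unpublished post will be collected; and keep dry_run on until the list looks right, because the script deletes whatever the reference scan failed to see.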