Script kiddies have awesome tools

Written by Toomas Römer on November 4, 2008 – 7:05 pm

About 10 years ago a friend of mine showed me an exploit. It was written in C and it tried to spawn a shell at a remote host. It seemed pretty cool. I did not understand the code but the mere idea that almost anybody equipped with a script like that could deface a webpage seemed scary.

You did have to compile the C file, have the right devel packages installed and use the correct flags, and then you had to figure out how to use it. A 14-year-old could do it.

Today I spent many hours grepping logs and checking the filesystem for new/changed files to figure out how an old WordPress instance was hacked and what the hacker had done there.

Going through the changed files I stumbled upon a PHP file which had some code prepended. The script had a very long line that started like this:

PHP:
  eval(gzinflate(base64_decode('FJ3HcqPsFkUf...

OK, let's check what the script does. Let's assign the long string to a variable, base64-decode it and inflate the compression.

PHP:
  // $script holds the long base64 string from inside the quotes
  $script = base64_decode($script);
  $script = gzinflate($script);
  echo $script;

The output was not what I expected.

PHP:
  eval(gzinflate(base64_decode('FJ3HjqPcGkUf57...

The strings looked similar and I was already looking for an error in my code. Nope, the code is correct; there is just a slight change in the string. It seems it was compressed and encoded a couple of times. Wow, it means I can have many evals inside evals. Fun!

PHP:
  // $string holds the whole prepended eval(gzinflate(base64_decode('...'))); line
  $i = 0;
  // iterate as long as the first 28 characters are the
  // eval(gzinflate(base64_decode part (checked before decoding, so the
  // final plain-text script is not fed through base64_decode/gzinflate)
  while (substr($string, 0, 28) == "eval(gzinflate(base64_decode") {
    // remove the first 30 chars, the eval(gzinflate(base64_decode(' part
    $string = substr($string, 30);
    // remove the last )));
    $string = substr($string, 0, strlen($string)-4);

    $string = base64_decode($string);
    $string = gzinflate($string);
    echo "Iteration:" . $i++ . "\n";
  }
  // $string now holds the decoded script
  echo $string;

After 11 iterations I got the code. It kind of reminded me of a challenge that was posted to a mailing list, where the question was what the output of the program was. That time it was more difficult: base64-encoded Perl, that outputted base64-encoded bytecode, that outputted a Java source file with a byte array that was the bytecode for the class file of the solution.
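A reusable version of that loop, as an added example in Python rather than the post's PHP (it is not the author's code): it peels the layers by matching the wrapper with a regular expression and decompressing with raw deflate, which is what PHP's gzinflate() expects, without ever evaluating anything. Because the real blob is not reproduced here, the block constructs its own 11-deep sample with `build_sample`; `wrap_layer`, `peel_layers` and `find_signature_lines` are names chosen for this example.

```python
import base64
import re
import zlib

# The marker the post loops on: the first 28 characters of each layer.
SIGNATURE = "eval(gzinflate(base64_decode"

# One wrapper layer, eval(gzinflate(base64_decode('<base64>'))); with an
# optional leading "<?php", since the line was prepended to an existing file.
LAYER_RE = re.compile(
    r"^\s*(?:<\?php\s*)?eval\(gzinflate\(base64_decode\(['\"]([A-Za-z0-9+/=]+)['\"]\)\)\);?"
)


def wrap_layer(php_code: str) -> str:
    """Add one obfuscation layer. gzinflate() wants raw deflate data with no
    zlib header, which is what wbits=-15 produces."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(php_code.encode("utf-8")) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")


def build_sample(inner: str, layers: int) -> str:
    """Constructed test input: `inner` wrapped `layers` times, mimicking the
    11-deep sample from the post (the real payload is not reproduced)."""
    s = inner
    for _ in range(layers):
        s = wrap_layer(s)
    return s


def peel_layers(script: str, max_depth: int = 64):
    """Strip nested layers statically. Returns (decoded_code, depth).
    Stops when the text no longer starts with a wrapper, or at max_depth
    as a guard against pathological input."""
    depth = 0
    current = script
    while depth < max_depth:
        m = LAYER_RE.match(current)
        if not m:
            break
        blob = base64.b64decode(m.group(1))
        current = zlib.decompress(blob, -15).decode("utf-8", errors="replace")
        depth += 1
    return current, depth


def find_signature_lines(text: str):
    """Detection helper: (1-based line number, first 60 chars) for every line
    carrying the wrapper signature, for triaging files from a web root."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if SIGNATURE in line:
            hits.append((n, line.strip()[:60]))
    return hits


if __name__ == "__main__":
    inner = "<?php echo 'decoded payload'; ?>"
    sample = build_sample(inner, 11)
    code, depth = peel_layers(sample)
    print("layers peeled:", depth)
    print(code)
```

Run it on a real file by reading the prepended line into `peel_layers`; the decoded text is returned, never executed, so the analysis can be done on any machine with Python and no PHP interpreter.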

Anyway, the 11 iterations gave me this (the screenshot is from my home computer).
Wow!

Let's see the functionality it has to offer:

  • Full blown file manager
  • Quick menu for
    • Finding all suid files
    • Finding all sgid files
    • Finding all htaccess files
    • Finding all writeable folders
  • Interface for the UNIX tool find
  • Input field for executing commands as webserver user
  • Tools for installing a backdoor
    • Perl/C flavoured programs that are downloaded from a Singapore server
    • Compiled/interpreted, depending on what is available
  • Processes viewer
  • FTP brute force cracker using users from /etc/passwd
  • System info (CPU, Memory, installed binaries, passwd file, configuration files)
  • SQL dump utility
  • Interface for executing PHP code
  • Self removal
  • Adding a password for the script
  • Fancy design!

I’m just amazed. This is way too easy. So this is how it works:

  • Let's scan the internet for WordPress installations (automated)
  • Look for vulnerable versions (automated)
  • Exploit (in this case themes were filled with hidden links; semi-automated)
  • PROFIT! (automated)

How to avoid being hacked:

  • Keep an eye on your WordPress installations
  • Subscribe to WordPress release emails/RSS and upgrade when needed
  • Monitor for changed files (for example fcheck)
  • Run Apache in chroot to minimize the available software for the Apache user
  • Any other ideas?
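For the "monitor for changed files" item, here is an added example (not from the post and not fcheck's code) of the minimal baseline-and-compare approach such tools implement: SHA-256 every file under the web root, keep the map somewhere the web server user cannot write, and diff against it later. The scenario in `demo()` is constructed: a wrapper line prepended to index.php and a new script dropped into the uploads directory, the two kinds of change the post found; `build_baseline`, `compare` and `demo` are names chosen for this example.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of posix-style relative path -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report what appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    # Store this outside the document root: an attacker who can write into
    # the web root could otherwise "fix" the baseline along with the files.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def _write(root: str, rel: str, content: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake web root, then simulate the
    compromise from the post and diff. Returns the compare() report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php require 'wp-blog-header.php'; ?>\n")
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>\n")
        _write(root, "wp-content/uploads/photo.jpg", "constructed, not a real jpeg\n")
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Simulated compromise: a wrapper prepended to an existing file (the
        # base64 is a placeholder) and a new script in the writable uploads dir.
        _write(root, "index.php",
               "<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); ?>\n"
               "<?php require 'wp-blog-header.php'; ?>\n")
        _write(root, "wp-content/uploads/dropper.php", "<?php /* constructed dropper */ ?>\n")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is taken right after a clean install or upgrade and re-taken after every legitimate change, so that a scheduled run of `compare` reports only what the site owner did not do; a new `.php` under an upload directory is exactly the finding worth paging on.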

PS. The script is 2500 lines of code, supports Windows and Linux and looks great :)


Posted in Featured, report | 28 Comments »

28 Comments to “Script kiddies have awesome tools”

  1. Nikem Says:

    Run Apache in virtual machine/OpenVZ and to mount needed external filesystems with data read-only?

  2. Darek Says:

    Yep, Your wordpress files should be read-only :D
    I know this code, i had this too

  3. Tim Says:

    Hehe, small world. We recently found 2 scripts similar to this at an organization I do some work for. Very cool stuff. This one included spam zips that were dropped on the system. If you decode those, they also tend to lead to some pretty interesting discoveries; obfuscated javascript and more goodies.

  4. Toomas Römer Says:

    @Nikem – seems overkill. Having the upload dir as no-php seems a good idea.

    @Darek – yeah, and owned by somebody other than the apache user, but as the upload dir is usually writable, once a bug in the software is used to write there the site gets hijacked.

    @Tim – At least most of the languages used for such cases are interpreted; I don’t want to find a binary lying around :)

  5. Jon Says:

    What, no download for the source?

  6. Martin Smith Says:

    If you run Wordpress, you might also want to run the Wordpress SVN, then you can update to the latest version with a simple ’svn up’

  7. jasonWheelie Says:

    Wow, don't you just love exploits! LOL

    Jiff
    http://www.anolite.echoz.com

  8. Matt Simmons Says:

    I had this installed into a PHP Nuke installation a while back. I was impressed as well.

    I’ve got to admit, I took a somewhat less thorough methodology in learning what the exploit did…I just tracked down the url from the apache logs and went there.

  9. matt Says:

    i’ve seen some stuff very similar to this… some source code would be pretty interesting to review. ;)

  10. Bill Says:

    I got an idea!

    rm -Rf /dev/internet/*.php

  11. sn1ffle Says:

    you're like 9 years behind everything.

  12. Peter Says:

    My blog was hacked a few months ago and it had an obfuscated script using four different types of encoding including base64, hex, substitution and math equations! The end result was a script that redirected to somewhere in Asia via five other redirects on hacked blogs. The final site was down and the trail ended there.

    Pointless and annoying, but sort of interesting too.

  13. biz Says:

    Simple:

    DON'T USE CHMOD -R 777 ON ANYTHING ;)

  14. Mic Says:

    It’s called c99madshell.php

    This guy does a full break down of the code.
    http://www.derekfountain.org/security_c99madshell.php

  15. Trevor Says:

    On how to avoid being hacked:
    Do not use SQL without sanitizing your data, adding slashes.

    ALWAYS patch 3rd party code.

    AVOID THESE SUBSTRINGS IN YOUR PHP WHENEVER POSSIBLE unless you ABSOLUTELY know the risks of what you’re doing:
    include($
    include_once($
    require($
    require_once($
    file_get_contents($
    file($
    copy($
    fget($

    ESPECIALLY if the trailing $ is the start of $_GET, $_POST, or $_REQUEST

  16. erikh Says:

    Trevor, I hate to be the bad guy here, but you, and the coding practices you insist on here, are what everyone else finds laughable about the PHP community.

    Add slashes? Sure! Just add more slashes in your exploit! Seriously though, use a database with client-side binding at the database engine’s client API (and ensure your database layer uses it), or use a well-tested, battle-hardened database layer that has a zillion cases of their “slashes” not working that are in regression tests and break when those routines are messed with.

    Patch 3rd party code to do what? Or did you mean upgrade it?

    And lastly:

    Evaluating the result of untrusted input (which typically *includes* your database… how did it get in there?) in a context where it will be *executed* is just moronic, nay, juvenile. Use some form of hard taint checking at least, but better to not do it at all (and it’s almost never needed). This is where PHP fails it as a language: it should distinguish between these methods at an API level, not a configuration one.

    -Erik

  17. Hak Says:

    Trevor,
    You should be using the database’s native escape function, not simple strip slashes. erikh has a point…

  18. Toomas Römer Says:

    Once you have to support multiple platforms the slashes part in PHP is quite scary. You have to have lots of detection code in place of the settings. Only then apply the correct strategy.

  19. Toomas Römer Says:

    @Jon There is a link in the reddit thread, http://www.reddit.com/r/programming/comments/7bcsj/script_kiddies_have_awesome_tools/

  20. Bert Heymans Says:

    Thanks for the Wordpress security awareness!

  21. Flux Says:

    Not sure if it would have helped in this case, but run your web applications behind an application firewall like ModSecurity (http://www.modsecurity.org).

    If you do use an app firewall, make sure that is actually blocking bad stuff and not just logging that it happened.

  22. Toomas Römer Says:

    @Flux Cool product, seems to be a firewall for HTTP :) Had not heard about it before.

  23. Mitty Stone Says:

    Shell creator site
    http://madnet.name/files/1/10.html

  24. Tagz | "Script kiddies have awesome tools | dow.ngra.de" | Comments Says:

    [...] [upmod] [downmod] Script kiddies have awesome tools | dow.ngra.de (dow.ngra.de) 3 points posted 6 months, 1 week ago by SixSixSix tags imported programming [...]

  25. BEWERK | web dingetjes Says:

    [...] Script kiddies have awesome tools | dow.ngra.de. Categories: Besturings systemen, IT – Tags: [...]

  26. B Says:

    Yeah I recently found a similar thing on a compromised site. It called itself “Locus7s Modified c100 Shell”. It had the expected stuff like a file manager and self removal stuff but it also had some hardcore features for privilege escalation and kernel attacks. I was surprised at how advanced some of it was.

  27. Dennis Yusupoff Says:

    I got my website compromised even after installing mod_security. Moreover, php.ini has a lot of hardening options:
    [code]
    disable_functions = exec,system,shell_exec,passthru,phpinfo,proc_open,popen,shows_source
    allow_url_include=0
    allow_url_fopen=0
    enable_dl=0
    [/code]

    and in apache conf set “php_admin_value open_basedir /usr/local/www/site:/usr/local/php”!

    Thank god, ClamAV knows about this script:
    [code]
    /usr/local/www/forum.site/httpdocs/c99.php: PHP.Rst-1 FOUND
    /usr/local/www/forum.site/httpdocs/cache/drfgtt.php: PHP.Rst-1 FOUND
    /usr/local/www/forum.site/httpdocs/xs_mod/images/index.php: PHP.Rst-1 FOUND
    /usr/local/www/site/httpdocs/shop/images/other/prodaves/owertime.php: PHP.Rst-1 FOUND
    /usr/local/www/site/httpdocs/shop/smarty/internals/lool.php: PHP.Rst-1 FOUND
    /usr/local/www/site/httpdocs/shop/smarty/plugins/conf.phpmodifier.uppers.php: PHP.Rst-1 FOUND
    /usr/local/www/site/httpdocs/reviews/rc_models/Protech_Razor/thumbnails/c99.php: PHP.Rst-1 FOUND
    /usr/local/www/site/httpdocs/reviews/rc_models/Reflex_XTR/c99.php: PHP.Rst-1 FOUND
    /usr/local/www/site/httpdocs/SHIP/mod.php: PHP.Rst-1 FOUND
    [/code]

  28. read this Says:

    Damn script kids, they got my WP infected with the “eval(gzinflate(base64_decode(‘FJ3HcqPsFkUf” crap, and I never knew what the hell was behind it. I always kept deleting and reinstalling WP until I got the idea to change ALL my passwords and do a clean install. That took care of them.
    Since then I always upgrade.
