dow.ngra.deno buzzwords allowed

About 10 years ago a friend of mine showed me an exploit. It was written in C and it tried to spawn a shell at a remote host. It seemed pretty cool. I did not understand the code but the mere idea that almost anybody equipped with a script like that could deface a webpage seemed scary.

You did have to compile the c file, have the right devel packages installed and use the correct flags. And then you had to figure out how to use it. A 14yr old could do it.

Today I spent many hours grepping logs, checking the filesystem for new/changed files to figure out how an old WordPress instance was hacked and what had the hacker done there.

Going through the changed files I stumbled upon a php file which had some code prepended. The script had a very long line that started like this:
[PHP]
eval(gzinflate(base64_decode(‘FJ3HcqPsFkUf……..
[/PHP]

Ok, lets check what does the script do. Lets assign the long string to a variable and base64 decode it and inflate the compression.
[PHP]
$script = base64_decode($script);
$script = gzinflate($script);
echo $script;
[/PHP]

The output was not what I expected.
[PHP]
eval(gzinflate(base64_decode(‘FJ3HjqPcGkUf57……..
[/PHP]

The strings looked similar and I was already looking for an error in my code. Nope, code is correct. There is a slight change in the string. It seems it was compressed and encoded couple of times. Wow, it means I can have many evals inside evals. Fun!
[PHP]
do {
// extract the first 28 characters
// the eval(gzinflate(base64_decode part
$start = substr($string, 0, 28);
// remove the first 30 chars, the eval(gzinflate(base64_decode(‘ part
$string = substr($string, 30);
// remove the last )));
$string = substr($string, 0, strlen($string)-4);

$string = base64_decode($string);
$string = gzinflate($string);
echo “Iteration:”.$i++.”\n”;
// iterate as long as we get a eval(gzinflat start
} while ($start == “eval(gzinflate(base64_decode”);
[/PHP]

After 11 iterations I got the code. Kind of reminded me a challenge that was posted to a mailing list and the question was what was the output of the program. That time it was more difficult: base64 encoded perl, that outputted base64 encoded bytecode, that outputted Java source file with a byte array that was byte code for the class file of the solution.

Anyways the 11 iterations gave me this (shot is made from my home computer).

Lets see the functionality that it has to offer:

• Full blown file manager
• Quick menu for
• Finding all suid files
• Finding all sgid files
• Finding all htaccess files
• Finding all writeable folders
• …
• Interface for the UNIX tool find
• Input field for executing commands as webserver user
• Tools for installing a backdoor
• Perl/C flavoured programs that are downloaded from a Singapore server
• Compiled/Interpreted – depending what is available
• Processes viewer
• FTP brute force cracker using users from /etc/passwd
• System info (CPU, Memory, installed binaries, passwd file, configuration files)
• SQL dump utility
• Interface for executing PHP code
• Self removal
• Adding a password for the script
• Fancy design!

I’m just amazed. This is way too eazy. So this is how it works:

• Lets scan the internet for WordPress installation (automated)
• Look for vulnerable versions (automated)
• Exploit (in this case themes were filled with hidden links – semi automated)
• PROFIT! (automated)

How to avoid being hacked:

• Keep an eye on your WordPress installations
• Subscribe to WordPress release emails/RSS and upgrade when needed
• Monitor for changed files (for example fcheck)
• Run Apache in chroot to minimize the available software for the Apache user
• Any other ideas?

PS. The script is 2500 lines of code, supports Windows and Linux and looks great :)