How to Dissect a Website Attack -page 2

(Cont.)

Having discovered that my website had an infected .htaccess file, I replaced it with a clean .htaccess file and felt I was safe to focus on updating my version of Joomla as well as all add-on web applications. Unfortunately, I soon discovered that the infected .htaccess file was suddenly back, and not only that, all of my websites on my web hosting account also had infected .htaccess files. Ouch!

Quickly, I was brought back to reality. My belief that I had removed the website infection was just wishful thinking. It was now time to ask ‘the oracle’ for help, so I decided to do some Google searches using a few of the key words found in the infected file, like “.htaccess file infected with mod_rewrite.c” and “.htaccess file infected with phonesthouguploader.” The Google searches revealed a couple of entries on the Joomla forum that were posted by people experiencing the same problem. I also discovered a helpful Joomla wiki page with a security checklist for the event of a hacked Joomla website. Once again a technology forum came to the rescue. In this situation, the forum posts gave me the idea to look for specific files and file types, and the directories the malicious files might be hiding in. The forum suggested that I needed to look for a hidden “.php” file (in Linux, hidden files start with a ‘.’) in my web host’s root ‘tmp’ folder or the Joomla website’s ‘images’ folder.

The Malicious PHP File

In the website’s Joomla ‘images’ directory, two interesting files were found, a text file and a hidden PHP file:

  • images/stories/error_log
  • images/banners/.cache_m66q99.php

The error_log text file was noticed by a student (Eddie), and I found the .cache_m66q99.php file, which I believe is the culprit. As you can see below, the error_log file points to the PHP file; it also alerts to the possibility of another malicious file, story.php, a known malicious script, which was not found on the site.

The images/stories/error_log text file

Here are screenshots showing portions of the malicious .cache_m66q99.php file. Apart from the very suspicious file name, the top of the file seemed normal enough (see below). However, most PHP files in a Joomla website have the following two lines of code near the top of the file, just below the comments:

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

The two lines above ensure that the file cannot be executed directly: _JEXEC is defined only by Joomla’s own entry point (index.php), so a request that hits the file straight over HTTP finds it undefined and the script dies before doing anything else. These lines will probably be missing from a malicious script uploaded to your web host, although their absence is a lead rather than proof, since some legitimate standalone files lack the guard and an attacker can paste it in just as easily. Notice that the defined( '_JEXEC' ) or die( 'Restricted access' ); line is missing from the top portion of the file below (see lines 14 and 15).

The top portion of the .cache_m66q99.php file with a missing line between lines 14 and 15

A few lines further down I found a preg_replace() function call. preg_replace() is a normal PHP function, but it turns up constantly in backdoors because its /e modifier makes PHP evaluate the replacement string as code, so an attacker can hide an eval behind an innocuous-looking call (see image below). On a side note, searching online I found a script that you can download, configure a few settings for, and then upload and run on your web server. The script examines the contents of all files in a directory of your choice and outputs a report flagging which files contain possibly malicious code (http://25yearsofprogramming.com/php/findmaliciouscode.htm). Treat such a report as a reading list rather than a verdict: the same patterns appear in legitimate libraries, and anything the scanner does not know about is simply not reported.

Suspicious preg_replace function

When I scrolled to the bottom of the PHP file, I noticed one long line of code that clearly was not normal, looking instead like an embedded exploit (see image below).

At the bottom of the file there is a long line of obfuscated code, in a preg_replace function, indicative of an embedded exploit

Here is the bottom portion of the exploit
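Putting the hunt and the triage markers together, here is an added example in shell that is not part of the original post and not the scanner linked above. It builds a throwaway mock of a Joomla docroot with constructed sample files, lists every PHP file hiding under images/ and tmp/ (the two places the forum pointed at, hidden dot-files included), and then flags each hit for the markers seen in the screenshots: a missing _JEXEC guard, preg_replace() with the /e modifier, eval-style decode-and-run calls, upload handling, and an over-long line. The directory layout, file names and file contents are constructed for the demonstration, and the patterns are heuristics for deciding what to read by hand rather than a definitive detector.

```shell
#!/bin/sh
# Added example, not code from the original post: hunt for PHP files in
# static-content directories of a Joomla docroot and triage each hit.
# Everything under make_fixture is a constructed sample, not a real site.

# Build a throwaway mock docroot: one legitimate extension file plus two
# planted suspects. Prints the directory path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/images/stories" "$root/images/banners" "$root/tmp" \
             "$root/components/com_demo"
    # Legitimate-looking extension file: carries the Joomla guard.
    cat > "$root/components/com_demo/demo.php" <<'EOF'
<?php
// no direct access
defined('_JEXEC') or die('Restricted access');
echo 'hello';
EOF
    # Hidden dot-file in images/banners, modelled on the kind of backdoor
    # described above: no guard, preg_replace with /e, one packed long line.
    cat > "$root/images/banners/.cache_demo.php" <<'EOF'
<?php
preg_replace("/.*/e", "eval(base64_decode('...'))", "x");
EOF
    printf '<?php $x = "%s";\n' "$(printf '%0600d' 0 | tr 0 A)" \
        >> "$root/images/banners/.cache_demo.php"
    # Plain uploader dropped in tmp/.
    cat > "$root/tmp/upload.php" <<'EOF'
<?php
if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }
EOF
    printf '%s\n' "$root"
}

# List PHP files under directories that should hold only static content.
# find's -name '*.php' also matches dot-files such as .cache_m66q99.php,
# so the "hidden" trick does not help the attacker here.
find_misplaced_php() {
    docroot=$1
    for d in images tmp; do
        [ -d "$docroot/$d" ] || continue
        find "$docroot/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
    done | sort
}

# Triage one PHP file and print the markers it trips, or "clean":
#   noguard  - no defined('_JEXEC') guard anywhere in the file
#   preg_e   - preg_replace() whose pattern carries the /e modifier, which
#              makes PHP evaluate the replacement string as code
#   eval     - eval/assert or the usual decode-and-run helpers
#   upload   - $_FILES or move_uploaded_file(): a file dropper
#   longline - any line over 500 characters, typical of packed payloads
# These are heuristics for prioritising what to read by hand.
triage_php() {
    f=$1
    hits=""
    grep -q '_JEXEC' "$f" || hits="$hits noguard"
    pat_e="preg_replace[[:space:]]*\([[:space:]]*[\"'][^\"']*[^a-zA-Z0-9[:space:]\\\\][a-zA-Z]*e[a-zA-Z]*[\"']"
    grep -Eq "$pat_e" "$f" && hits="$hits preg_e"
    grep -Eq '(^|[^a-zA-Z0-9_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' "$f" \
        && hits="$hits eval"
    grep -Eq '\$_FILES|move_uploaded_file[[:space:]]*\(' "$f" && hits="$hits upload"
    awk 'length($0) > 500 { found = 1 } END { exit !found }' "$f" && hits="$hits longline"
    if [ -n "$hits" ]; then printf '%s\n' "${hits# }"; else printf 'clean\n'; fi
}

# Demo over the constructed tree; on a real site pass the docroot instead.
site=$(make_fixture)
find_misplaced_php "$site" | while read -r hit; do
    printf '%s: %s\n' "$hit" "$(triage_php "$hit")"
done
rm -rf "$site"
```

On a live host, run find_misplaced_php against the real docroot and, if the .htaccess keeps coming back as it did here, narrow the list with find's -mtime -7 to see what changed in the last week; a legitimate images/ tree should contain no PHP at all, so every hit is worth opening.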

Now that we know there is an exploit in the file, we can learn more about what it is doing.


Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
