
Hacked, what does this piece of code do?

WARNING: This is a possible exploit. Do not run directly on your server if you're not sure what to do with this.

http://pastehtml.com/view/1b1m2r6.txt

I believe this was uploaded via an insecure upload script. How do I decode and uncompress this code? Running it in the browser might execute it as a shell script, open up a port or something.

I can do a base64 decode online but I couldn't really decompress it.

HyderA asked Sep 14 '10 11:09

2 Answers

So there's a string. It's gzipped and base64 encoded, and the code decodes the base64 and then uncompresses it.

When that's done, I end up with this:

<? eval(base64_decode('...')); ?> 

Another layer of base64, which is 720440 bytes long.

Now, base64 decoding that, we have 506961 bytes of exploit code.

I'm still examining the code, and will update this answer when I have more understanding. The code is huge.

Still reading through the code, and the (very well-done) exploit allows these tools to be exposed to the hacker:

  • TCP backdoor setup
  • unauthorised shell access
  • reading of all htpasswd, htaccess, password and configuration files
  • log wiping
  • MySQL access (read, write)
  • append code to all files matching a name pattern (mass exploit)
  • RFI/LFI scanner
  • UDP flooding
  • kernel information

This is probably a professional PHP-based server-wide exploit toolkit, and seeing as it's got a nice HTML interface and the whole lot, it could be easily used by a pro hacker, or even a script kiddie.

This exploit is called c99shell (thanks Yi Jiang) and it turns out to have been quite popular, being talked about and running for a few years already. There are many results on Google for this exploit.

Delan Azabani answered Oct 03 '22 04:10
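As an added example (not code from the question or either answer), a small Python triage script that statically peels the eval/base64/gz layers the answer above describes, without ever executing the PHP, and then lists the dangerous calls and sensitive paths the decoded source references. The two-layer payload it builds is constructed here as a stand-in for the pasted file; the function names, regexes and indicator list are my own choices.

```python
import base64, gzip, re, zlib

# One obfuscation layer as the answers describe it: eval() around base64_decode(),
# optionally inside a PHP decompression call. Matched and decoded, never executed.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(?:(?P<wrap>gzinflate|gzuncompress|gzdecode)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"](?P<blob>[A-Za-z0-9+/=\s]*)['\"]\s*\)\s*\)?\s*\)")

# PHP decompression function -> equivalent Python call.
UNWRAP = {
    None: lambda b: b,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),    # zlib container
    "gzdecode": lambda b: gzip.decompress(b),        # gzip container
}

# Calls and paths worth flagging once the PHP is in the clear (analyst's own list).
CALL_RE = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|fsockopen|mysql_connect)\s*\(")
PATHS = ("/etc/passwd", ".htpasswd", ".htaccess")


def unwrap(src, max_layers=20):
    """Peel eval/base64/gz layers statically; returns (source, wrapper per layer)."""
    layers = []
    for _ in range(max_layers):
        m = LAYER_RE.search(src)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("blob")))
        src = UNWRAP[m.group("wrap")](raw).decode("latin-1")  # lossless bytes -> str
        layers.append(m.group("wrap"))  # None means plain base64, no compression
    return src, layers


def indicators(src):
    """Sorted dangerous function calls and sensitive paths referenced in src."""
    found = set(CALL_RE.findall(src))
    found.update(p for p in PATHS if p in src)
    return sorted(found)


def build_sample():
    """Constructed two-layer stand-in for the pasted payload (not the real one)."""
    inner = ("<?php $fp = fopen('/etc/passwd', 'r');\n"
             "if (!$fp) {echo \"Can't get /etc/passwd for password-list.\";}\n"
             "$s = fsockopen($_GET['h'], (int)$_GET['p']); ?>")
    b64 = lambda b: base64.b64encode(b).decode()
    layer1 = "<? eval(base64_decode('%s')); ?>" % b64(inner.encode())
    outer = "<?php eval(gzuncompress(base64_decode('%s'))); ?>" % b64(zlib.compress(layer1.encode()))
    return inner, outer
```

Point `unwrap()` at the contents of a suspicious file to get the cleartext and the order of wrappers; a non-empty `indicators()` result is the cue to treat the host as compromised rather than just cleaning the file.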


Looking at Delan's decoded source, it appears to be a full-fledged backdoor providing a web interface that can be used to control the server in various ways. Telling fragments from the source:

echo '<center>Are you sure you want to install an IP:Port proxy on this website/server?<br /> 

or

<b>Mass Code Injection:</b><br><br> Use this to add PHP to the end of every .php page in the directory specified. 

or

echo "<br><b>UDP Flood</b><br>Completed with $pakits (" . round(($pakits*65)/1024, 2) . " MB) packets averaging " . round($pakits/$exec_time, 2) . " packets per second \n";

or

if (!$fp) {echo "Can't get /etc/passwd for password-list.";} 

I'd advise you to scrub that server and reinstall everything from scratch.

Michael Borgwardt answered Oct 03 '22 05:10