Technical Articles, Software Reviews, and Howtos.

When looking into possibly compromised sites I find the use of phpshells to be a growing trend in attacks especially as a secondary attack. While I’m sure the phpshell can be used as a main attack against sloppy configurations, vulnerable and neglected applications,  the phpshell is a great tool in deeping your hold on a server especially when used on shared hosting since you can pop the shell on other sites that you’ve not directly attacked. It’s also a great tool to help pull data from databases since you can read db config files and can even be used to take root of the server when used to get netcat shells that overcome the statelessness of the shell.

To find and combat against the phpshell I’ve I’ve been using the following oneliner:

find . -size -200k -type f -print0 | xargs -0 grep -iE "r57|c99|g00nshell|phpjackal" | uniq -c | sort -u | cut -d":" -f1 | awk '{ print $2 }' | uniq

This isn’t a a perfect solution, can take a while on servers with many sites, and will pop up a few false positives, it has helped me in preventing sites from spamming and obeying their bot leaders 30 minutes after you’ve “fixed” the problem.

I had a client who needed me to verify if a site he was hosting had indeed been hacked. The site had several obfuscated lines of JavaScript throughout most if not all of the pages of the site.

I was able to confirm the site was compromised without running the code on a VM or chancing with noscript on my machine by replacing all document.write() calls with alert().

Just as expected there was a nice iframe. Using wget I then confirmed that the iframe redirected to another iframe which redirected to a payload. The same network delivering the payload had also uploaded the modified files via ftp a few days earlier.

Since I found no cracking attempts on the sites ftp account I’m thinking the client’s client machine is part of the happy botnet.

This is the first time I’ve ran into an encrypted iframe and thought it was interesting.

First open up your up a file in your text editor of choice. In this example I’m going to call the file ad.php and just include it in the page I wish for it to show up in.

Second I’ll define my ads:

<?php
$ad[1] = "We got the goods here";
$ad[2] = "Give us your money";
$ad[3] = "blah blah blah";


Now that you’ve got an array defined for your ads we will use rand() to call them up randomly:


$random = rand(1, sizeof($ad));
echo $ad[$random];
?>

That’s it. Hope this is helpful.