One of my Drupal sites was hacked

This is fairly straightforward ratware. Is there anything in particular you wish to know about how it operates?

browser.php is an amusing one for reversing obfuscation tricks, if anyone wants practice.

You should treat the server as compromised and rebuild from metal, by the way. I know that is annoying as heck but they clearly got code execution and you can therefore assume they had root if they wanted it and that any attempts to detect whether they did are useless because their rootkit makes the box lie to you about its current state.

Well you can decode the code where you have no idea at http://www.unphp.net.

Here is what main.php does: http://www.unphp.net/decode/3aaa2bc88be0e162fc3ca8786a2f8f82...

Found the following url somewhere: 78.138.127.174/2701dfbvcxff.php

Use http://ip-lookup.net/index.php to get to some abuse email addresses and inform them that the ip is involved in hacking.

Anyway this was just my quick glance, good luck!

So I took index.php with preg_replace :)

I took the first function and decoded the first bytes of hex, which gave the infamous eval(gzinflate(base64_decode( function. Then I used http://www.whitefirdesign.com/tools/deobfuscate-php-hack-cod... to decode rest and got a group of variables with hex data that were being grouped together like this eval($xwq2ay . $xq9mar . $xb4jym . $xm0hy3); (full version available here - http://pastebin.com/7V951cRK

Decoding this hex gave me another set of preg_replace functions, which were doing the same thing pretty much. And then again the same, except two preg_replace were being called. Eventually I got something like this http://pastebin.com/JP1eukca

The hex stored in $a and $b are just a clever way of masking gzinflate(base64_decode( so I took the rest of the data, put it into the decoder and finally got to some proper code - http://pastebin.com/A0G290cE

Simple python script to deobfuscate the hex and replace the junk variables:

    import re

    a = open('test.php')
    line = a.readlines()
    
    # Replace hex values with ASCII, regex to find the \x values and a lambda to replace each match individually
    def decoder(char):
        return char[2:].decode("hex")

    unhex =  re.sub("\\\\x[a-f0-9][a-f0-9]", lambda m: decoder(m.group()), line[0])

    # Replace ${"GLOBALS"}["foo"] = "bar"
    for match in re.findall('\${"GLOBALS"}["[a-z0-9]+"]="[a-z0-9]+"', unhex):
        variable = re.findall(r'"(.*?)"', match)
       pattern = '\${\${"GLOBALS"}\["'+variable[1]+'"\]}'
        unhex = re.sub(pattern, variable[2], unhex)
        unhex = unhex.replace(match+";", '')

    # Replace $bar = "foo"
    for match in re.findall('\$[a-z0-9]+="[a-z0-9]+"', unhex):
        replace = re.findall(r'"(.*?)"', match)[0]
        pattern = re.findall(r'\$[a-z]+', match)[0]
        unhex = unhex.replace(pattern, replace)
    
    # Chuck in newlines
    unhex = unhex.replace(";", ";\n ")

    b = open('out.php', 'w')
    b.writelines(unhex)

The files all seemed to be one liners, so this works. More work to replace everything else though. Blergh.

Edited to include variable replacement. I think there are some catches with things like ${sgasklgna} but it largely works. Just needs prettifying.

    str.decode('string-escape')

Rather than trying to undo the damage (will you ever be 100% sure you caught everything?) why not create a new site (edit: as in a new VM/box/image from scratch) and import your data fresh.

If I was hacked and files were placed on my server, including a 'web shell' I would be very afraid I don't catch everything and it just gets re-hacked.

Unless this is just a pure curiosity adventure in deobfuscation... then nevermind :)

Looks like OP is another victim of Asprox Botnet.

Create a full snapshot of the machine for forensic analysis later. Then follow @patio11 advice and rebuild from the metal up.

That's the only sure way you have a "clean" machine, then sieve through‎ the snapshot and try and find the hacker's entry point.

    grep --color=auto -i -s -P "(\/cgi-bin\/|\.exe|phpmyadmin|awstats|acunetix|(%22|%27|'|\")(%20| |\+)*and[^\w]|sqlmap|xss|BENCHMARK|eval[^\w]|phpinfo|[^\w]ord[^\w]|md5[^\w]|substr|information_schema|prompt|iframe|base64|waitfor|script[^\w]|[^\w]sleep[^\w]|hex[^\w]|unhex|chr[^\w]|char[^\w]|concat[^\w]|concat_ws|windows.*?win\.ini|union.*?select|etc.*?shadow|etc.*?passwd|\.\.\/|%(25)*2E%(25)*2E%(25)*2F|\.\.%(25)*2F|\/\.\/|%(25)*2F%(25)*2E%(25)*2F|%(25)*2F\.%(25)*2F|\\|%(25)*5C|%(25)*45%(25)*45|%[01][0-9ABCDEF])" access_log

Fun way to start off the morning. He's a pull request that deobfuscates the code to the point where it's pretty readable https://github.com/wouters-frederik/help_me_clear_this_up/pu....

Aside from decoding the escaped characters, there's a bunch of simple regex replacements to remove all the random variable usage and then a pass through PHP_Beautifier to fix the formatting.

I have been there too. When it happened to one of our clients I Googled the site URL and found some script kiddie had boasted of his antics on Twitter. A bit more Googling and I had his mum's house (he lived there, presumably there was a basement). I was wanting to take matters further, as in get the police to arrest the guy and get him prosecuted for criminal damage. However, my 'superiors' told me to just restore the backup and leave it at that.

I have to say that I was impressed by the way the hack worked, in this incident and others, I felt that I was up against a far superior adversary.

I had dealt with a similar hack recently and documented it [1]. The difference is mine was in Wordpress. There was a simple file called post.php that evaled anything that was sent in the post var. Have you found out how your server was hacked in the first place ? Check your Apache logs for errors hackers are usually careless when it comes to errors or warnings.

[1]: http://idiallo.com/blog/2013/11/fixing-3-year-old-hack

I'm at work otherwise I would be wasting a good few hours deobfuscating that code. So far I've decoded two files which for the most part seem the same but the line counts are different

Edit: So far php_display seems to allow the attacker the ability to download a file. In common.php at at least.

Edit : https://github.com/icambridge/help_me_clear_this_up/blob/mas... what I've deobfuscated.

I used to work for a web hosting company and we saw this kind of attacks ALL the time.

Most of the cases was because of old CMS versions, but in same others the computer uploading the files was infected and the FTP credentials were stolen (Change your user/password and analyze ftp logs).

I would also check the database and do a clean install of the CMS.

The server could be compromised but I don't think this is the case.

At the risk of not adding much of substance to this conversation, I do feel compelled to point out how happy (giddy, even!) it makes me to see so many people jump right on this and investigate, and in part just for the hell of it.

It's infectious!

I'm here because I share many of the interests of the people here, and I'm convinced that a big reason why I started 'hacking' more and more over the past years, in part just for the hell of it, is because of the enthusiasm I find in comment sections for links like these.

Some links show me tricks I didn't know or tools/libraries/frameworks I haven't used before. Some make me curious to try different programming languages. Some articles go way over my head but make me strive harder to get better at whatever it is the article is about. And some, like this one, make me want to code or tinker just for fun.

I just wanted to say that once, and this seemed like an appropriate moment. Move along.

I just wanted to chip in here.

Our website and 2 of our client websites have been compromised like this in the last couple of weeks and they are all across different hosting providers (Zen Hosting and Unlimited Web hosting)

http://pastebin.com/PkJFTeGs

Here is a link to the code we found injected into the index page on our FTP and my attempt at decoding it.. interestingly enough it does relay to javaterm.com as the authors comprimsed site does as well..

We are fairly certain it wasn't achieved through our code as one of the sites is literally 6-7 pages of static html content.

From what we can tell it only ever effects the index page in the root of a servers FTP. In my case all of the shells were deleted(Looking from the FTP logs there were 2-3 uploaded all with different names)

I have also added somme older scripts I found over time in this repo: https://github.com/wouters-frederik/hack_scripts They are not obfuscated as much.

What version of Drupal were you running when the hack happened?

Follow your access log and find out how those files got written/requested. in order to solve the problem you need to identify it first. you probably need to check your permissions as well, prevent apache process from writing to your website root, it should only be able to write to "sites/default/files".

The PHP Shell Detector has a large DB of shells that it can help you identify: https://github.com/emposha/PHP-Shell-Detector

As others have noted, a compromised shell can never be trusted again and you should re-deploy from scratch.

Use this to deobfuscate: http://www.unphp.net/

After checking en.php (Sorry didn't have time to check more files) I found two ip's. You could use unphp to deobfuscate the code a bit but You'll have to do a lot of it by hand which should not be that hard.

125.89.44.28 <- Chinese 62.122.75.2 <- Polish