Looking for Malicious PHP Files

I’ve been digging through some PHP files that are trying very hard to hide what they are doing. Basically, the PHP code is compressed and then base64 encoded. The blob of random-looking text is then stuffed into a PHP file which calls

eval(gzinflate(base64_decode("BLOB OF TEXT")));

to decode it and execute it on the web server. While it obscures what the code is doing (briefly), it fairly screams that something is not right with this file.

First, to find any PHP files on your server which use this, run:

egrep -r "eval\(gzinflate\(base64_de" . --include=*.php

That will find the offending files. To see what they did, I copied everything inside the “eval()” statement. Then I dumped it into a text file on my laptop that looked something like this.

<?php
// Same wrapper as the infected file, minus eval(): decode and decompress only,
// then print the recovered source instead of running it.
$x = gzinflate(base64_decode("BLOB OF TEXT"));

print $x;
?>

Instead of displaying it in a browser, I called it from the command line.

> php foobar.txt

The code gets base64 decoded, decompressed and displayed in my console window. Because I removed “eval()” from the code, I could see what the attacker was doing without worrying about executing bad code on my system or viewing it in my browser.
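The same decode-without-execute idea, as an added Python example that is not part of the original post: it finds the eval(gzinflate(base64_decode(...))) wrapper the post describes, inflates the blob (PHP's gzinflate() is a raw DEFLATE stream, so zlib needs negative wbits) and goes one step further than the post by peeling nested layers, since these wrappers are often stacked several deep. The sample file is constructed inline by wrapping a harmless payload twice; no real malware is included. Note that the regular expression, like the egrep in the post, only matches this exact wrapper; variants using other quote styles are handled, but other decode chains (gzuncompress, str_rot13 and so on) would need their own patterns.

```python
import base64
import re
import zlib

# Matches the wrapper the post describes. Quote style and whitespace vary
# between samples, so allow either quote and optional spaces.
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"""
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() reads a raw DEFLATE stream with no zlib/gzip header,
    which zlib exposes through a negative wbits value."""
    return zlib.decompress(data, wbits=-zlib.MAX_WBITS)


def find_wrapped(source: str) -> bool:
    """Equivalent of the post's egrep check for a file already read into memory."""
    return WRAPPER.search(source) is not None


def unwrap_once(source: str):
    """Return (decoded_text, True) if source contains one wrapper, else (source, False).
    This only decodes; nothing from the blob is ever executed."""
    m = WRAPPER.search(source)
    if not m:
        return source, False
    blob = re.sub(r"\s+", "", m.group(2))  # blobs are often line-wrapped
    inner = gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")
    return inner, True


def unwrap_all(source: str, max_layers: int = 20):
    """Peel nested wrappers until none remain. Returns (plaintext, layers_peeled).
    max_layers guards against a blob that decodes to itself forever."""
    layers = 0
    while layers < max_layers:
        source, found = unwrap_once(source)
        if not found:
            break
        layers += 1
    return source, layers


# --- constructed sample (not a real infected file): a harmless payload wrapped twice ---
def wrap(php: str) -> str:
    """Build the wrapper the same way the obfuscator would: raw deflate, then base64."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    raw = comp.compress(php.encode()) + comp.flush()
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()


SAMPLE_PAYLOAD = '<?php echo "hello from the inner layer"; ?>'
SAMPLE_FILE = "<?php\n" + wrap(wrap(SAMPLE_PAYLOAD)) + "\n?>"

if __name__ == "__main__":
    text, n = unwrap_all(SAMPLE_FILE)
    print("peeled %d layer(s):\n%s" % (n, text))
```

To use it on a real file, read the file into a string and call unwrap_all() on it; if the peeled text still contains a different decode chain, the output is the next thing to look at rather than something to run.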


Filed under:Security

Metasploit Breaks into SkyNet!

Metasploit has successfully broken into Skynet thanks to Comodo, RSA, MySQL and Stuxnet! Here is the output from msfconsole after updating today. Rock on guys.

(0 08:43:03 515) -> ./msfconsole 

#    # ###### #####   ##    ####  #####  #       ####  # #####
##  ## #        #    #  #  #      #    # #      #    # #   #
# ## # #####    #   #    #  ####  #    # #      #    # #   #
#    # #        #   ######      # #####  #      #    # #   #
#    # #        #   #    # #    # #      #      #    # #   #
#    # ######   #   #    #  ####  #      ######  ####  #   #


       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 673 exploits - 353 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12202 updated today (2011.04.01)

[*] Calculating new Comodo SSL CA key...
Factoring..........

-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----

[*] Scanning RSA tokens for usable seed.....4d416f70-5f16-0410-b530-b9f4589650da!

[*] Logging into vault.rsa.com as 'rivest'......Successful

[+] Compromised 'vault.rsa.com' via ACE backdoor...

[*] Launching SQL injection attack against MySQL.com....Done

[*] Extracting passwords hashes....Done
[+] 54,024 passwords obtained

[*] Replaying SHA1 hashes against Sun.com.......Done

[*] Attaching to Stuxnet through Oracle Command Center....!#$


#

$@#$$puTTY

!@$@vaul
t.rsa.com 
# #@puTTY#$

@#

..@#$@34 m


sf>.. uid=0(root) gid=0(ro
ot) groups=
0(root) @#$@#4

2 3ms

f>bash-4.1# 



ERROR
NOCARRIER
[*] Welcome to SkyNet v5.23.0-BETA
[*] Launching autonomous agent...
[*] Scanning 158.95.29.10.0/22...
[*] Injecting agent code into memory...
[*]         15 Nodes Online
[*]      3,156 Nodes Online
[*]     17,024 Nodes Online
[*]  1,423,813 Nodes Online
[*]  SkyNet has been loaded
[*]  Entering command shell
msf sky-net> 


Filed under:Security

Desktop Blog Editors

I’ve been grumbling to myself about writing blog posts using the web interface in WordPress for quite some time, but I’ve never really done much about it.  Today I spent some time chatting with David Pratt, a colleague of mine, about our blogs.  David runs the Data Management Wonk blog and I liked how his blog posts look when they are done.  He sent me a link to David Risley’s site which discusses 8 different Desktop Blog Editors.  After reading through it I decided to start testing out different applications.

Today’s posting is from Windows Live Writer.  There are some things I like about this app.  It’s fairly easy to use and it tries to be helpful in formatting and such.  However, it only supports FTP for uploading images to my site.  If only it would do SCP…  It also does a funky import of the background and some of the formatting from the site.  It’s almost kinda cool, but the text is about 4 inches higher up than it will be when it goes live.  I’d be better off without the background images by far.

So as far as the first app goes, I give it a B-.  It’s ok.  It’s easier and smoother to use than the WYSIWYG in WordPress, but the lack of alternative means to upload images and videos is a bummer.


Filed under:Consulting

Data Ownership, Governance and Controls

A friend of mine asked a question on Facebook that went something like this.

Who owns your company’s data?

The politically correct answer is that the business owns the data and IT manages it for them. That’s nice in theory, but is it really true? Does your company have a data governance group (run by the business) that actually sets data policy? Do you have data stewards that actively work to define usage and improve quality? I hear this exists in large companies, but have you ever seen this in small-to-mid sized companies that you have worked in? How effective was it? Please chime in on this. I’m writing an article on data ownership and I would love to include your feedback.

I read through this a few times and decided to reply back with something that was a lot longer than I expected.  I believe he was mostly interested in the idea of managing data and how governance programs could help the business improve how data is used.  I get what he was asking, but I started thinking that even if you have a governance program, what about the data that gets outside of central control?  So here were my initial thoughts on his question and the problems we face in managing data.

Legally, the company owns the data.  

However, maintaining control over where it goes is a completely different issue.  Maintaining access controls on file shares and databases is a chore, particularly if you are keeping track of things manually.

Governance programs help make sure everyone who needs access has it and those who don’t need access don’t.  IT rarely knows who has a real need to view \\fileserver\sharename, but the business group generally does.  They can tell IT who has transferred out and needs their access removed.  (If they remember to mention it)  Or tell you who is missing access rights.  A good governance program makes sure that a periodic (monthly, quarterly, yearly?) review is done to make sure that these controls are correct.

Trying to do these reviews by manually checking shares, dumping the data into a spreadsheet and getting feedback is a painful process.  This is where tools can be really valuable.  The price can range from REALLY expensive to fairly cheap.  It depends on how far you want to go and how much additional work you are willing to do.  Once you get the data into a document for the business to review, getting their feedback hasn’t been too difficult in my experience.  Cleaning up permissions isn’t too bad either.

Then we open Pandora’s Box.  While the company may have an excellent governance program, there’s all that data that gets saved on desktops, laptops, USB drives, iPods and emails.  All of which steps outside of central control and can wander very far in a short period of time.  That’s a scary mess and it’s far too easy for someone to walk out the door with your most important intellectual property.  Technology tools are starting to get better at controlling access to removable media devices and such, but trying to control what goes out over the network is sketchy.  Data leakage prevention (DLP) software hasn’t impressed me too much yet.  But I haven’t seen all the apps out there, so maybe something actually works as well as advertised.

Either way, as we keep coming up with new and interesting ways to share information, the controls to keep proprietary data confidential fall behind.  Governance programs continually get re-adjusted and vendors promise to solve our woes.  The hamster wheel of pain continues to spin and we race along trying to keep control of our data.

Do small to medium sized businesses really do governance programs? My experience so far is that it only occurs if there is some kind of compliance reason to cause it. Those that are in highly regulated industries, such as small banks, would probably have no choice but to do so. Is it a good idea to do in and of itself? I think so. It doesn’t necessarily have to be a huge process to be effective. In fact, in a smaller company, a large process would be completely ineffective. I do think it would need to be done regularly and have good communication between IT and the business. And I think it needs to be documented somehow. Otherwise, people end up wondering exactly how it is supposed to work.

Pandora’s Box really worries me though. Having the “secret sauce” for your business leave via email, Dropbox, USB drive or DVD is pretty freaky stuff. An iPod set to be a storage device can leave with a whole lot of information and give a competitor a good leg up on you. Or it can get us front page news coverage that we’d rather not have. Neither one is somewhere we want to be. There are controls to help, but there are still holes that are easy to use.


Filed under:Security

Reconnoiter Updated

I spent some time today and fixed some seriously messed up regular expressions in Reconnoiter.  Basically, Google made a bunch of changes to their search results and added AJAX all over the place.  To deal with this, I changed the submitted user agent to Lynx and then updated the regex accordingly.  Changes with regex were made to usernameGen.py and username_gen.rb (a metasploit module).

I also fixed an issue in username_gen.rb with the regex returning a null value to the list of names.  The change was a quick check for null values that deletes any it finds.  No fuss and no crashes so far.  It probably needs more testing to be sure, but all told it wasn’t a bad evening’s work.

Download is available at http://sourceforge.net/projects/reconnoiter/.


Filed under:Security