
Update on priemIframe hacks

2011/01/24

From all the feedback I receive, it seems like the attack is focused on German websites. I drew a flow explaining how the circle of death & destruction works:

Roland Bollmann from www.robodurden.com wrote a PHP script to clean up hacked servers. Thanks for the submission:

```php
<?php
// hacked.php version 1.01 2011/01/24
// upload this script somewhere onto your server
// call "find -name php" to get the path to php (like /usr/lib/cgi-bin/php)
// and then call "/usr/lib/cgi-bin/php /home/www/web6/hacked.php path=/"
// to scan and repair the entire server ;-)
//
// www.robodurden.com usage at your own risk :-)
//
// Note: when reached over HTTP every option below can be set from the query
// string, so run it with test=1 first and delete it again once you are done.

$hC = array(
    'filereg'   => '/^.+index\.[^.]+$/i',                      // which files to scan (matched against the full path)
    'hackmatch' => '<iframe.+?priemIframe\.php.+?<\/iframe>',  // the injected tag to strip
    'path'      => '.',                                        // directory tree to walk
    'test'      => 0                                           // 1 = report only, do not write files
);

// REQUEST_METHOD is only set by a web server, so this works for both the cli
// and the cgi binary (PHP_SELF is also set when running from the console).
$sHtml = isset($_SERVER['REQUEST_METHOD']) ? '<br/>' : '';

if ($sHtml)
{
    print "run from http$sHtml\n";
    foreach ($hC AS $name => $var)
    {
        if (isset($_GET[$name]))    $hC[$name] = $_GET[$name];
    }
}
else
{
    print "run from console. usage: hacked.php [option1=value1] [option2=value2] ..\n";
    for ($i = 1; $i < count($argv); $i++)
    {
        // split on the first '=' only, so a value may itself contain '='
        list($name, $var) = array_pad(explode('=', $argv[$i], 2), 2, '');
        if (isset($hC[$name]))
        {
            $hC[$name] = $var;
        }
        else    die("unknown command '$name'. possible commands:
'filereg'    = '/^.+index\.[^.]+\$/i'
'hackmatch'    = '<iframe.+?priemIframe\.php.+?<\/iframe>'
'path'        = '.'
'test'        = 0
");
    }
}

foreach ($hC AS $name => $var)
{
    if ($sHtml)    print "$name = ".htmlspecialchars($var)."$sHtml\n";
    else    print "$name = $var $sHtml\n";
}

// walk the tree and keep only the files whose path matches 'filereg'
$Directory = new RecursiveDirectoryIterator($hC['path']);
$Iterator = new RecursiveIteratorIterator($Directory);
$Regex = new RegexIterator($Iterator, $hC['filereg'], RecursiveRegexIterator::GET_MATCH);

$iTotal = 0;      // files that matched 'filereg'
$iTotalHits = 0;  // injected iframes removed (or only counted, in test mode)
foreach ($Regex AS $a)
{
    foreach ($a AS $sPath)
    {
        $iTotal++;
        if ($hC['test'])    print "$sPath$sHtml\n";

        if (Load($sPath, $s))
        {
            // cut out one injected iframe per pass until none is left
            $iHits = 0;
            while (preg_match('/^(.*)'.$hC['hackmatch'].'(.*)$/s', $s, $aM))
            {
                $iHits++;
                $s = $aM[1].$aM[2];
            }
            if ($iHits)
            {
                print "$sPath hits: $iHits$sHtml\n";
                if (!$hC['test'])    Save($sPath, $s);

                $iTotalHits += $iHits;
            }
        }
    }
}

print "total matches: $iTotal$sHtml\ntotal hits: $iTotalHits$sHtml\n";

function Load($sPath, &$sData)
{
    // silence the warning for unreadable files, then restore the previous level
    $iOld = error_reporting(E_ERROR | E_PARSE);
    $sData = file_get_contents($sPath);
    error_reporting($iOld);

    if ($sData === FALSE)
    {
        return 0;
    }
    return 1;
}

function Save($sPath, $sData)
{
    global $sHtml;    // defined at top level, not otherwise visible inside this function

    $hfile = fopen($sPath, "w");
    if (!$hfile)
    {
        print("the file $sPath could not be opened for writing :-($sHtml\n");
        return 0;
    }
    fwrite($hfile, $sData);
    fclose($hfile);
    return 1;
}

?>
```

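The same detection and clean-up, as an added example in Python rather than code from the post or from Roland's script: it reports file and line for every injected iframe, rewrites a file only when asked and keeps a .bak copy first. It assumes the injected tag may also appear in upper case or as a self-closing tag, which the script's regex does not cover; the sample page and the example.invalid host are constructed.

```python
import re
import tempfile
from pathlib import Path

# The injected tag discussed above. Unlike the PHP script's pattern this one is
# case-insensitive and also accepts a self-closing <iframe .../> (an assumption).
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*priemIframe\.php[^>]*?(?:/>|>.*?</iframe\s*>)',
    re.IGNORECASE | re.DOTALL)

def find_injections(html):
    """Return (line number, matched tag) for every injected iframe in html."""
    return [(html.count('\n', 0, m.start()) + 1, m.group(0))
            for m in IFRAME_RE.finditer(html)]

def clean(html):
    """Strip every injected iframe; return (cleaned html, number removed)."""
    return IFRAME_RE.subn('', html)

def scan_tree(root, fix=False, filereg=r'^.+index\.[^.]+$'):
    """Report hits in files whose path matches filereg (same default as the PHP
    script); rewrite only when fix=True, keeping a .bak copy of each file first."""
    name_re = re.compile(filereg, re.IGNORECASE)
    report = {}
    for path in Path(root).rglob('*'):
        if not path.is_file() or not name_re.search(str(path)):
            continue
        raw = path.read_bytes()
        text = raw.decode('utf-8', errors='surrogateescape')  # keep odd bytes intact
        hits = find_injections(text)
        if not hits:
            continue
        report[path.name] = hits
        if fix:
            path.with_name(path.name + '.bak').write_bytes(raw)
            path.write_bytes(clean(text)[0].encode('utf-8', errors='surrogateescape'))
    return report

# Constructed sample page: one lower-case injection and one upper-case, self-closing one.
SAMPLE = ('<html><body>\n<p>Willkommen</p>\n'
          '<iframe src="http://example.invalid/priemIframe.php" width="1" height="1"></iframe>\n'
          '<p>Ende</p>\n<IFRAME SRC="/x/PRIEMIFRAME.PHP" style="display:none" />\n</body></html>\n')

def demo():  # dry scan, then fixing scan, over a throwaway directory
    with tempfile.TemporaryDirectory() as d:
        for name in ('index.html', 'notes.txt'):  # notes.txt does not match filereg
            (Path(d) / name).write_text(SAMPLE)
        dry, fixed = scan_tree(d), scan_tree(d, fix=True)
        after = (Path(d) / 'index.html').read_text()
        return dry, fixed, after, (Path(d) / 'index.html.bak').exists()
```

demo() runs both passes against a throwaway directory; for a real server, point scan_tree() at the web root without fix=True first and review the report before rewriting anything.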

I just got feedback from the German abuse department of the server provider 1&1: they will check for these links in their access filters. So the world is a little bit safer now. 🙂