* * * * *
Funny, I didn't think the IRS had offices in Russia …
Ah, the Ides of April, otherwise known as Tax Day [1], on which millions of
Americans madly rush to get their tax returns postmarked by 11:59 pm.
And wouldn't you know it, one of the sites we host got hacked and a PHP [2]
script installed that would redirect an unsuspecting person to a phishing
site [3], which claims to be the IRS (Internal Revenue Service) [4] where you
can fill in a form to get your government refund.
Lovely.
I could have deleted the PHP redirection script, but there was a chance the
crackers would just re-upload the script before I got a chance to find how
they got in. The easiest thing to do, therefore, was to change ownership of
the script to root (the script was owned by the apache user, which leads me
to believe that an errant PHP script was to blame) and change the permissions
so no one could read the file (in hindsight, it might have been interesting to
change the script so it didn't redirect, but instead told the user they had
fallen for a phishing attempt; maybe next time).
That way, the script was disabled, but the crackers wouldn't be able to
overwrite it. My feeling was that the crackers in question were giving out a
particular link in some spam so they can't just change the location of the
script, so they would just have to give up on this server.
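The steps above (find the scripts the web server's own account dropped into the
webroot, then disable them in place rather than deleting them) as a small POSIX
shell script. This is an added example, not the commands used on the server in
the post; it assumes the web server runs as a user named `apache`, that the
site's legitimate files are owned by some other account, that you run it as
root, and it uses a made-up webroot path and warning text.

```shell
#!/bin/sh
# Added example (not from the original post). Neutralise suspected web-shell
# or redirect scripts in place. Deleting them invites a re-upload through
# whatever hole was used; leaving the file but handing it to a privileged
# owner with no permission bits means the web-server account can neither
# execute nor overwrite it, and the URL the spammers handed out goes dead.

# find_suspect_php DIR USER DAYS
#   List PHP files under DIR owned by USER (the web-server account, e.g.
#   "apache") modified in the last DAYS days. On a site whose code is only
#   ever changed over SSH/FTP by a human account, a PHP file owned by the
#   server user was written by the server itself: a red flag.
find_suspect_php() {
    dir=$1; user=$2; days=$3
    find "$dir" -type f -name '*.php' -user "$user" -mtime "-$days"
}

# neutralise_file FILE OWNER
#   What the post did: chown to OWNER (root) and strip every permission bit.
#   The web server now gets a permission error instead of running the script.
neutralise_file() {
    f=$1; owner=$2
    chown "$owner" "$f"
    chmod 000 "$f"
}

# replace_with_warning FILE OWNER
#   The post's "maybe next time" variant: keep the URL alive but make it
#   tell visitors they followed a phishing link. Left world-readable but
#   owned by OWNER, so the server can serve it and still cannot overwrite it.
#   Assumes you run as OWNER or as root (the chmod must succeed first).
replace_with_warning() {
    f=$1; owner=$2
    chmod 644 "$f"
    cat > "$f" <<'EOF'
<?php
// Hypothetical warning page (added example).
header('HTTP/1.1 200 OK');
echo 'The link that sent you here came from a phishing e-mail. ';
echo 'The IRS does not ask for refund details this way; close this page.';
EOF
    chown "$owner" "$f"
}

# triage_webroot DIR USER DAYS OWNER
#   List every suspect and neutralise it, printing what was done.
triage_webroot() {
    dir=$1; user=$2; days=$3; owner=$4
    find_suspect_php "$dir" "$user" "$days" | while IFS= read -r f; do
        echo "neutralising: $f"
        neutralise_file "$f" "$owner"
    done
}

# Example invocation on a real box (hypothetical path, run as root):
#   triage_webroot /var/www/example.invalid/htdocs apache 7 root
```

Run the find step on its own first and read the list: a legitimate upload
directory that the application writes to will also show up as owned by the
server user, and you do not want to lock that.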
I then spent some time figuring out how the PHP script got in there in the
first place. It seems that the site in question has a rather popular PHP
application that is not only sizeable (around 60,000 lines of code) but one
that hasn't been updated in quite a while. Worse, the administration portion
of this application was not protected by a password.
Yeah.
The perpetrators in question not only uploaded the redirection PHP script,
but another PHP script that allows them to upload other files, list and kill
processes, run backdoors and other crackish stuff. That particular script is
from a Russian cracking site (because there were links to said site all over
that PHP script). And the redirection PHP script would redirect people to a
Russian site. And they didn't even bother to try to hide the URL (Uniform
Resource Locator). Sigh.
[1] http://en.wikipedia.org/wiki/Tax_Day
[2] http://www.php.net/
[3] http://en.wikipedia.org/wiki/Phishing
[4] http://www.irs.gov/