Wednesday, April 15, 2009
Funny, I didn't think the IRS had offices in Russia …
Ah, the Ides of April, otherwise known as Tax Day, when millions of Americans madly rush to get their tax returns postmarked by 11:59 pm.
And wouldn't you know it, one of the sites we host got hacked, and a PHP script was installed that redirects an unsuspecting visitor to a phishing site claiming to be the IRS, where you can fill in a form to get your government refund.
Lovely.
I could have deleted the PHP redirection script, but there was a chance the crackers would just re-upload the script before I got a chance to find how they got in. The easiest thing to do, therefore, was to change ownership of the script to root (the script was owned by the apache user, which leads me to believe that an errant PHP script was to blame) and change the permissions so no one could read the file (in hindsight, it might have been interesting to change the script so it didn't redirect, but instead told the user they had fallen for a phishing attempt; maybe next time).
That way, the script was disabled, but the crackers wouldn't be able to overwrite it. My feeling was that the crackers in question were giving out a particular link in some spam so they can't just change the location of the script, so they would just have to give up on this server.
I then spent some time figuring out how the PHP script got in there in the first place. It seems that the site in question has a rather popular PHP application that is not only sizeable (around 60,000 lines of code) but one that hasn't been updated in quite a while. Worse, the administration portion of this application was not protected by a password.
Yeah.
The perpetrators in question not only uploaded the redirection PHP script, but another PHP script that allows them to upload other files, list and kill processes, run backdoors and other crackish stuff. That particular script is from a Russian cracking site (there were links to said site all over that PHP script). And the redirection PHP script would redirect people to a Russian site. They didn't even bother to try to hide the URL. Sigh.
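The two steps described above, as an added shell example that is not from the original post: quarantining a planted script in place (owned by a user the web server cannot write as, mode 000, so a re-upload to the same path by the apache user fails and the file is kept for later analysis), and then sweeping the document root for other PHP files owned by the web server user and for directories that user could have written into. The owner name, document root and the sample redirect script are assumptions; on a real server the default owner of root is what the post used.

```sh
#!/bin/sh
# Added example, not code from the original post. Paths, user names and
# the sample script used in any test are assumptions.

# Neutralize a planted script without deleting it. Keeping the path
# occupied and owned by an account the web server cannot write as means a
# re-upload to the same name by the apache user fails, and the content is
# preserved for the incident notes. $2 (new owner) defaults to root.
quarantine_script() {
    f="$1"
    owner="${2:-root}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # Record a checksum of the untouched file before changing anything.
    cksum "$f" > "$f.cksum"
    chown "$owner" "$f"
    chmod 000 "$f"
    echo "quarantined $f (owner=$owner, mode=000)"
}

# List PHP files under the document root owned by the web server user.
# Where site content is deployed by a human account, files the web
# server itself created are the first thing to look at (the post found a
# second uploaded script this way: the redirect was owned by apache).
find_webuser_php() {
    docroot="$1"
    webuser="$2"
    find "$docroot" -type f -name '*.php' -user "$webuser"
}

# List directories the web server user could write into, i.e. the places
# a script running as that user could have dropped new files. Group-
# writable directories are deliberately ignored here to keep it simple.
find_webuser_writable_dirs() {
    docroot="$1"
    webuser="$2"
    find "$docroot" -type d \( -user "$webuser" -perm -u+w -o -perm -o+w \)
}

# Typical use on the affected host (assumed paths):
#   quarantine_script /var/www/site/refund.php
#   find_webuser_php /var/www/site apache
#   find_webuser_writable_dirs /var/www/site apache
```

Leaving the quarantined file in place is what stops the attacker's advertised link from being revived: the spam already points at that exact path, so as long as the path exists and the web server user cannot replace it, the link is dead. The two `find` sweeps are the follow-up, since a file-upload shell of the kind the post describes usually leaves more than one artifact.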