I realize that this is most probably not of interest to most of our readers, but since this is part of our current life, I decided to drop a short post about it anyway.
Yesterday morning, while uploading the Jugo Verde movie to our server, I noticed a few folders that really didn’t belong. The funny thing was that they were being created right then. A quick glance at their contents and I realized there was a cyber break-in in progress! Looking at the timestamps of all the files on the server, I quickly located the suspect file. I copied it to my local hard drive before deleting it from the web server. I would have time to look at it later; for now the most important thing was to find the vulnerability in the system.
That wasn’t really very difficult, since I had recently been working on a new script and I knew it wasn’t properly secured. Whoever broke in used one of the forms in that script to inject a malformed SQL command, which allowed him to create a Trojan horse file giving access to the file system. The Trojan horse was the script I mentioned before, so after securing my new script with additional measures, it was time to look at the file.
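The kind of hole described above is a form field whose contents end up inside the SQL text. As an added illustration (not the author's script, and the table, column names and inputs are assumptions made up for the demo), here is a lookup built by string concatenation next to the parameter-bound version, using Python's sqlite3 against a constructed one-row in-memory table. The concatenated query can be made true for every row by a value that closes the quote; the bound query treats the same value as plain data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table: one user, in-memory, nothing real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Form input is pasted into the SQL text, so quotes in the input change the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameter binding: the driver sends the input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Classic quote-closing input, used here only to show the two lookups diverge.
TAUTOLOGY = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "alice", TAUTOLOGY))  # ['alice']
    print("safe:      ", lookup_safe(db, "alice", TAUTOLOGY))        # []
```

The same rule applies whatever the database: build the statement once with placeholders and pass the form values separately. Escaping by hand is the approach that tends to miss a case.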
The script looks like gibberish at first: just a one-liner with a couple of commands and a string of random-looking characters. But once I started to reverse engineer the decryption methods used in it, it started to reveal its potential. And for the geekier among you: it’s a thing of beauty!
It actually took 42 loops of encoding and decoding using three different algorithms before I could see any code. And even then, parts of it were still masked. The script itself is an exploit, which gives full access to the machine’s file system and variables. It even had the author’s signature and web address, which I obviously visited right away. Clearly the script’s author wasn’t the one trying to hack into our system, and his website was shut down a couple of years ago. I may still drop him a line or send an email, just to discuss such poetic code…
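Peeling dozens of nested layers by hand is tedious, so an analyst normally automates it: try each known decoder on the blob, keep a result only when it is itself recognisable as another layer or as the final script, and stop when nothing applies. The helper below is an added example and not the author's script; the three algorithms it knows (base64, zlib, rot13) and the `<?php` marker for the fully decoded text are assumptions chosen for the demo, not what the found file actually used. The sample it unwraps is constructed in the block by wrapping a harmless string in eight layers.

```python
"""Peel nested encoding layers off an obfuscated script (analysis helper, demo)."""
import base64
import codecs
import zlib

ZLIB_MAGIC = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
FINAL_MARKER = "<?php"  # assumption: the fully decoded script is PHP source


def looks_like_zlib(data: bytes) -> bool:
    return data[:2] in ZLIB_MAGIC


def looks_like_base64(data: bytes) -> bool:
    return bool(data) and frozenset(data) <= B64_ALPHABET and len(data) % 4 == 0


def is_final(data: bytes) -> bool:
    try:
        return FINAL_MARKER in data.decode("utf-8")
    except UnicodeDecodeError:
        return False


def plausible(data: bytes) -> bool:
    """A decode step is kept only if its output is a known layer or the final script."""
    return is_final(data) or looks_like_zlib(data) or looks_like_base64(data)


def try_zlib(data: bytes):
    if not looks_like_zlib(data):
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def try_base64(data: bytes):
    if not looks_like_base64(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def try_rot13(data: bytes):
    # rot13 is its own inverse and only makes sense on ASCII text; because it
    # maps letters to letters it is tried last, after the stricter decoders.
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return codecs.encode(text, "rot_13").encode("ascii")


DECODERS = (("zlib", try_zlib), ("base64", try_base64), ("rot13", try_rot13))


def unwrap(data: bytes, max_layers: int = 100):
    """Return (layers_peeled, final_bytes); stops at the first unrecognised layer."""
    layers = []
    for _ in range(max_layers):
        if is_final(data):
            break
        for name, decode in DECODERS:
            out = decode(data)
            if out is not None and plausible(out):
                layers.append(name)
                data = out
                break
        else:
            break  # no decoder produced a plausible next state
    return layers, data


# --- constructed sample: a harmless string wrapped in eight layers ---------
ENCODERS = {
    "base64": base64.b64encode,
    "zlib": zlib.compress,
    "rot13": lambda b: codecs.encode(b.decode("ascii"), "rot_13").encode("ascii"),
}


def wrap(payload: bytes, layers) -> bytes:
    for layer in layers:
        payload = ENCODERS[layer](payload)
    return payload


SAMPLE_LAYERS = ["base64", "rot13", "zlib", "base64", "rot13", "base64", "zlib", "base64"]
SAMPLE_PLAINTEXT = b"<?php echo 'constructed harmless sample'; ?>"
SAMPLE = wrap(SAMPLE_PLAINTEXT, SAMPLE_LAYERS)

if __name__ == "__main__":
    peeled, final = unwrap(SAMPLE)
    print(f"peeled {len(peeled)} layers: {peeled}")
    print(final.decode())
```

The plausibility check is what keeps the loop from going astray: rot13 of base64 text still looks like base64 and decodes to garbage, so the base64 attempt is rejected and rot13 is chosen instead. A real sample would need its own decoders added to `DECODERS` (string reversal, custom XOR with a key pulled from the script, and so on), and the marker changed to whatever the final stage is expected to contain.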
So, all in all, the attack attempt was not very serious and it didn’t interrupt any of the services. In fact, since the hacker was trying to use our server in a phishing scheme, none of our files were ever at risk. However, once I saw how powerful the script is, I realized that a more malicious person could have done a lot of damage…