PHP Ratel class in Drupal 7 - Ratel is a spam bot, Remove it.

Here is what I found:

  • We have a Drupal 7 website that has a frontend that load very slowly (> 15 seconds per load, sometimes).  A performance problem.
    • It looks like it is trying to call some remote URL/APIs that causes the timeout problem.
  • Our colleague did a research by installing a PHP profiling tool called xhprof to do profiling on the page.
  • It turns out that there is a PHP class called "Ratel" that takes quite a long time to execute.
  • However, even if we are doing a code-scan, we can't even see a file that contains the word "Ratel"
  • Thanks to this article, and this gist, it turns out that there is a SEO spam bot that is executed ONLY when you are login to the site.
    • In other words, you will see this performance problem more likely when you are logging in to Drupal.
    • I recommend you to read the article above.
    • I wonder, this is not just affecting Drupal, but mainly on Wordpress, as mentioned in the article above. 

Here is how to solve:

  • Once I know how this bot works, I quickly located a .jpg file (named a.jpg) that is actually a PHP script.
  • You open this file via text editor, and you will see the code.  
    • There are two reasons (to us) why you can't find this code
      • Since this is an "image uploading attack", your text editor will not scan image.  
        • Which means, if you are doing a grep or code scan and you only search for *.php, *.txt or other "text" files, you will not find anything.
      • This Ratel class is base64_encode(), which means, again, you cannot find it even if it is not .jpg.
  • To quickly fix this, you can either 
    • Trace the source and see which function is calling this file, and remove the malicious code.
    • Or you edit the .jpg file using text editor and simply comment out the code that execute the function (in order to make it not running)
  • Hola! You fix the problem.

Lesson learned:

  • Update your software, when you can
  • If you scan your code again and again and you cannot find anything, chances are the code is hiding from you.  And normally it is via base64_encode() or other functions.  Take a look at that.
  • Normally when you spot a problem, but you cannot find the code that causes it even if you have done a code-scan, chances are very high that your website is exploited/attacked/hacked.  This would be a serious problem and you need to pay serious attention to it.  This is not an easily ignored small incident.
  • Nowadays spammers/hackers are so smart to hide the code from any text file, but other commonly ignored files, like .jpg, .png or others (because they are programmer!).  Take a look at that if you don't have any idea.
  • Do not allow executing any PHP in image directory, there is a config in Apache .htaccess which can do that.  I saw that in iTheme Security, in which there is a config for that.  Not sure if Nginx can do that, but I think so.
  • Install necessary tool to do profiling.  In this case my colleague used xhprof
Hope it helps someone.
    

Comments

Post a Comment

Popular posts from this blog

TCPDF How to show/display Chinese Character?

Thanks to this article (in Simplified Chinese, updated new link), there is a way to embed a TTF that can display Chinese (Traditional and Simplify, and possibly Japanese). Environment:  TCPDF 6.0.020 PHP 5.3.8 Windows 7 The problem: If you follow this post that said: using cid0cs or cid0ct to display Chinese, it can display the character correctly, only to the extend that user installed a correct font package.  However, chances are other users who didn't install that package cannot view that PDF since there are several packages and versions of PDF viewer (mainly Adobe).  And even worse: even if user installed certain CJK font package, the PDF still not displayed correctly (show empty page). And according to the official TCPDF documentation about font : The fonts that could be not embedded are only the standard core fonts and CID-0 fonts . The solution: Again, thanks to the post above (in simplified Chinese), now developer can use a font that: Can disp...
Read more

How to fix fancy box/Easy Fancybox scroll not work in mobile

Hi The Problem: If you are working on EasyFancybox or just normal fancybox JS , and you have this problem: In your iOS device when a popup is opened, if the page is too wide and your pop up cannot show all, when user taps and drag the screen, the background will be dragged instead of the pop-up content. To fix, add this in your CSS: -webkit-overflow-scrolling: touch !important; So which element should you apply it to? In Easy Fancybox, you will see these 2 lines: <div id="fancybox-content"........>         <iframe id="fancybox-frame" name............... Apply to fancybox-content, not fancybox-frame So in your CSS, it should be: #fancybox-content{         overflow: scroll !important;         -webkit-overflow-scrolling: touch !important; } It works for me, and I hope it helps someone also.
Read more

Wordpress Load balancing: 2 web servers 1 MySQL without any Cloud services

Image
This is the exact config that I need to configure a load balancing without other cloud services like Amazon, rackspace or GoGrid, completely customized. I put my question on stackoverflow.com but no luck, so I put it on Quora.com and immediately I got response: My Notes: The load balancer is done by my colleagues so I am not sure what is the config of it.  But one thing to note: Your LB should enable "session stickiness" so that the session will follow visitor.  By the way, I am using Round-robins. Session: Actually I did not use session, but it seems that other plugins (like WPML) will use it.  If I use Apache load balancer, when I go to wp-admin through load balancing IP, I will not able to login, given the username and password is the same.  I will be redirected to login page.  So ask your load balancer providers or check your load balancer config and see how to manage the "Session Stickiness" issue. Shared folder: your wp-content/uploads folder...
Read more