It looks to me as if you have a server wide infection.
The code returns once in a while and sets a cookie with this:
<scr ipt type="text/jav ascript" lan guage="java script"> var yxojmlr=new Date( ); yxojmlr.setT ime(yxojmlr.getTime( )+12*60*60*1000); docu ment.cookie="n\x5fs\x65\x73s_id=17b\x30\x329b7924fcc2c25\x645\x3095398\x38fff\x37a"+"\x3b p\x61\164\x68=/; ex\x70ires\x3d"+yxojmlr.toGMTString( ); </scr ipt >
I looked at your site earlier and did not see this code.
Search through all of your .php files for a string that starts with:
<?php eval(base64_decode(…
It might be in an images folder and might be named gifimg.php, or it might be found elsewhere and named something completely different.
What’s happening is that the hackers are able to send code to this file which runs as a separate child in Apache. That’s why it only shows itself sometimes – because that child is only selected to respond to a browser request when it’s next in line. The other child threads or processes are the normal Apache processes so they act normally.
Scan all the files for the above string and let the forum here know what you find.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
It’s really strange. Sometimes your site returns one malscript, other times it returns your normal webpage and other times it returns a totally different malscript.
I wonder if you have more than one remote control .php file on your site.
Please let the forum know what you find.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Hello Thomas,
Thank you for your help, it’s greatly appreciated. With assistance from our webhost I was able to go into Terminal (Mac) and use the grep command to search for the base64_decode you mentioned. What I found was that it had been spawned in numerous files, both PHP and not PHP, and I believe I’ve found all instances of it.
The only further question I have is, once I’ve changed passwords for user entry to our server, is there any chance of another script being on our site that is incorporating the base64 into pages, and if so what would be the search term to use for that?
Again, thank you
I haven’t seen any other code yet. But to be safe, check all files for any rogue php code. It’s going to be fairly well hidden so you may have to have someone with a good knowledge of php to look at them.
If you need assistance with this, let me know and I can help.
The only thing I would do is to also look at any files with the same modification date as those you found with the malicious php code in them. This is typically another good method to use for finding other malscripted files.
Please keep the forum here up-to-date on what you find so that others may learn from your experience.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Hi,
If you have access to Apache logs, I would also check for suspicious POST requests. This is how hackers activate the malicious process. This may help identify backdoor scripts.
You can check for other commands and detection techniques in the comments to the following post: http://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/
Denis – www.UnmaskParasites.com
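Denis's suggestion above, worked through as an added example (this is not code from the original thread or from UnmaskParasites): a short Python script that parses Apache combined-format access log lines and groups POST requests to PHP files that are not known form handlers, flagging why each one deserves a look. The log lines are constructed for the demo, the allowlist of legitimate handlers and the list of "static" directories are assumptions you would adjust for your own site, and the IP addresses come from the documentation ranges.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
#   ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should never receive a POST to a .php file (assumption; adjust per site).
STATIC_DIRS = ("/images/", "/img/", "/uploads/", "/cache/", "/tmp/")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def suspicious_posts(lines, allowlist):
    """Group POSTs to PHP files that are not in `allowlist` (your known form handlers).

    Returns {path: {"count", "ips", "flags"}}. The flags explain why the path stands out:
    a backdoor such as images/gifimg.php is usually POSTed to directly (no Referer),
    lives in a directory that should hold static files, and is never requested with GET.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    get_paths = {r["path"] for r in records if r["method"] == "GET"}
    findings = {}
    for r in records:
        path = r["path"]
        if r["method"] != "POST" or not path.lower().endswith(".php") or path in allowlist:
            continue
        flags = set()
        if path.startswith(STATIC_DIRS):
            flags.add("php-in-static-dir")
        if r["referer"] in ("", "-"):
            flags.add("no-referer")
        if path not in get_paths:
            flags.add("post-only-path")
        if r["status"] == 200:
            flags.add("accepted")
        entry = findings.setdefault(path, {"count": 0, "ips": set(), "flags": set()})
        entry["count"] += 1
        entry["ips"].add(r["ip"])
        entry["flags"] |= flags
    return findings


# Constructed sample log (not taken from the thread). 192.0.2.0/24, 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2009:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Aug/2009:03:12:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://example.com/index.php" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Aug/2009:03:13:40 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://example.com/contact.php" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2009:03:14:07 +0000] "POST /images/gifimg.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.77 - - [12/Aug/2009:03:31:55 +0000] "POST /images/gifimg.php?x=1 HTTP/1.0" 200 487 "-" "-"',
    '192.0.2.12 - - [12/Aug/2009:03:40:13 +0000] "POST /login.php HTTP/1.1" 200 1200 "http://example.com/login.php" "Mozilla/5.0"',
]
KNOWN_HANDLERS = {"/contact.php", "/login.php"}   # assumption: the site's real POST targets


if __name__ == "__main__":
    for path, info in suspicious_posts(SAMPLE_LOG, KNOWN_HANDLERS).items():
        print(path, info["count"], sorted(info["ips"]), sorted(info["flags"]))
```

On a real server, read the lines from access_log (and the rotated copies) instead of SAMPLE_LOG, and start the allowlist from the forms your site actually has; every remaining path in the output is a file to open and read.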
Thank you for the help. I will try to get access to the Apache logs. Meantime, our site has an email client called Roundcube loaded that has the following lines with base64_decode in them:
roundcube/program/include/main.inc: $pass = des(get_des_key(), base64_decode($cypher), 0, 0, NULL);
roundcube/program/include/rcube_imap.inc: $rest = base64_decode($rest);
roundcube/program/include/rcube_imap.inc: return base64_decode($input);
roundcube/program/include/rcube_ldap.inc: $this->ldap_result = @ldap_read($this->conn, base64_decode($dn), "(objectclass=*)", array_values($this->fieldmap));
roundcube/program/lib/Auth/SASL/CramMD5.php: * this should be already base64_decoded.
roundcube/program/lib/icl_commons.inc: return base64_decode(str_replace(",","/",$data));
roundcube/program/lib/imap.inc: $hash = md5(iil_xor($pass,$opad).pack("H*",md5(iil_xor($pass, $ipad).base64_decode($encChallenge))));
roundcube/program/lib/imap.inc: else if ($mode3) echo base64_decode(substr($line, $from, $len));
roundcube/program/lib/imap.inc: else if ($mode3){ echo base64_decode($line); flush(); }
roundcube/program/lib/Mail/mimeDecode.php: $text = base64_decode($text);
roundcube/program/lib/Mail/mimeDecode.php: return base64_decode($input);
roundcube/program/lib/Net/SMTP.php: $challenge = base64_decode($this->arguments[0]);
roundcube/program/lib/Net/SMTP.php: $challenge = base64_decode($this->arguments[0]);
can base64_decode be used safely, or is this always a trigger for malicious coding?
Thank you again
base64_decode is used safely for many applications.
The key is to look for:
<?php eval(base64_decode('aWYo...
This is only a temporary find. As we speak, hackers have already been obfuscating this by reversing it and then running a script that re-reverses it and also by embedding various characters between the string characters such as:
###e##v#####a###l##(#####b#####a###s#####e###6###4####_####d##e
You get the idea.
So, if you can’t find the eval(base64_decode string, look through your files for other strange looking strings and see if they look legit.
Do you have a back-up from before your site was hacked? Check with your hosting provider to see if they back-up automatically.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
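The search described in the replies above (grep for eval(base64_decode, the variants with junk characters interleaved or the string reversed, and the follow-up check of files sharing a modification date), as an added example that is not code from the original thread or from We Watch Your Website. The script scans every file under a directory, not only *.php, because the poster found the payload in non-PHP files too. The loose signature, the eval(strrev( check, the 60-second modification-time window and the sample tree it builds are all assumptions made for the demo; the demo files are constructed and the base64 strings in them are placeholders, not real payloads.

```python
import os
import re
import tempfile
import time

# The signature from the thread, eval(base64_decode, with any run of non-alphanumeric
# junk allowed between the characters so that "eval ( base64_decode (" and
# "###e##v#####a###l##(#####b#####a###s#####e###6###4####_####d##e..." both match.
_SIGNATURE = "eval(base64_decode"
_JUNK = r"[^A-Za-z0-9]*"
LOOSE_EVAL_B64 = re.compile(_JUNK.join(re.escape(c) for c in _SIGNATURE), re.IGNORECASE)
# eval(strrev( is the usual way a reversed payload gets re-reversed in PHP (assumption).
EVAL_STRREV = re.compile(r"eval\s*\(\s*strrev\s*\(", re.IGNORECASE)


def scan_text(src):
    """Return the reasons a piece of source looks like the backdoor; [] if it looks clean."""
    reasons = []
    if LOOSE_EVAL_B64.search(src):
        reasons.append("eval(base64_decode (junk characters allowed in between)")
    if LOOSE_EVAL_B64.search(src[::-1]):        # the string stored backwards
        reasons.append("reversed eval(base64_decode string")
    if EVAL_STRREV.search(src):
        reasons.append("eval(strrev( wrapper")
    return reasons


def _walk(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.path.relpath(path, root).replace(os.sep, "/")


def scan_tree(root):
    """Scan every file under root; returns {relative_path: [reasons]} for the hits."""
    hits = {}
    for path, rel in _walk(root):
        with open(path, "rb") as fh:
            src = fh.read().decode("latin-1")   # never raises, keeps every byte
        reasons = scan_text(src)
        if reasons:
            hits[rel] = reasons
    return hits


def files_with_same_mtime(root, infected, window=60):
    """Files whose mtime is within `window` seconds of an infected file's mtime.

    A mass-infection script touches everything in one run, so this surfaces files the
    signature scan missed (the modification-date tip from the thread). Plain base64_decode
    in application code, like the Roundcube lines, is not a hit on its own.
    """
    times = [os.path.getmtime(os.path.join(root, rel)) for rel in infected]
    related = set()
    for path, rel in _walk(root):
        if rel in infected:
            continue
        mtime = os.path.getmtime(path)
        if any(abs(mtime - t) <= window for t in times):
            related.add(rel)
    return related


def build_sample_tree():
    """Constructed demo tree: one legitimate base64_decode (Roundcube-style), three
    backdoor variants, and a clean file touched in the same batch as the infection."""
    root = tempfile.mkdtemp(prefix="b64scan_")
    reversed_payload = "eval(base64_decode('Zm9v'))"[::-1]
    files = {
        "program/include/main.inc":
            "<?php\n$pass = des(get_des_key(), base64_decode($cypher), 0, 0, NULL);\n",
        "images/gifimg.php":
            "<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKQ=='));\n",
        "includes/footer.php":
            "<?php /*cache*/ ###e##v#####a###l##(#####b#####a###s#####e###6###4"
            "####_####d##e##c##o##d##e('aWYo');\n",
        "js/helper.php":
            '<?php $s="' + reversed_payload + '"; eval(strrev($s));\n',
        "index.php":
            "<?php include 'includes/footer.php'; echo 'hello';\n",
    }
    batch = time.time() - 3600          # the infection run, an hour ago
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    stamps = {"images/gifimg.php": batch, "includes/footer.php": batch,
              "js/helper.php": batch + 2, "index.php": batch + 5,
              "program/include/main.inc": batch - 90 * 86400}
    for rel, t in stamps.items():
        os.utime(os.path.join(root, rel), (t, t))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for rel, why in sorted(hits.items()):
        print(rel, "->", "; ".join(why))
    print("touched in the same batch:", sorted(files_with_same_mtime(root, set(hits))))
```

Point scan_tree at the document root of the real site instead of the demo tree, then open every hit and every file the mtime check returns; a file touched in the same minute as the backdoor but with no signature is exactly where a differently obfuscated copy tends to sit.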