
My site was hacked and I found the following on it:

<?php
echo eval(base64_decode(str_replace('*','a',str_replace('%','B',str_replace('~','F',str_replace('_','z',str_replace('$','x',str_replace('@','d',str_replace('^','3','SOMEVERYLONGTEXT')))))))));

If I decode the base64 without executing it, I get some script starting with:

$__authentication_pass = "52b1d005abc139cc281a32d8aa7cd1c2";
$color = "#df5";
$__default__action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
@ini_set('error_log', NULL);
.... and many lines below ....

Is this a file manager? Can it be identified somehow (name, author and so on)?

George Stocker
Dims
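A safe way to look at this kind of dropper is to undo its obfuscation layers offline and grep the result for the traits the decoded snippet already shows, without ever handing the text to eval(). The Python below is an added example (not the poster's code and not part of the original question); it assumes the substitution order visible in the nested str_replace() chain above, and the sample blob it decodes is constructed here by re-obfuscating the first lines of the decoded script quoted in the question.

```python
import base64
import re

# Substitution table in the order PHP evaluates the nested str_replace()
# calls from the question (innermost first). Each placeholder is a character
# outside the base64 alphabet, so reversing the obfuscation is a plain swap.
SUBSTITUTIONS = [
    ("^", "3"), ("@", "d"), ("$", "x"), ("_", "z"),
    ("~", "F"), ("%", "B"), ("*", "a"),
]


def undo_substitutions(blob):
    """Apply the dropper's str_replace chain to recover plain base64."""
    for placeholder, original in SUBSTITUTIONS:
        blob = blob.replace(placeholder, original)
    return blob


def decode_payload(blob):
    """Return the decoded PHP source as text. Nothing here is executed."""
    b64 = undo_substitutions(blob)
    # PHP's base64_decode() tolerates missing '=' padding; Python does not.
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


# Indicators taken from the decoded snippet in the question: the shell's
# password hash, the FilesMan default action, the crawler 404 block and
# the error-log suppression.
INDICATORS = {
    "password_hash": re.compile(r'\$__authentication_pass\s*=\s*"[0-9a-f]{32}"'),
    "filesman_action": re.compile(r"__default__action\s*=\s*'FilesMan'"),
    "crawler_404": re.compile(
        r"\$userAgents.*?header\('HTTP/1\.0 404 Not Found'\)", re.S),
    "error_log_off": re.compile(r"@ini_set\('error_log',\s*NULL\)"),
}


def triage(source):
    """Map each indicator name to True/False for the decoded source."""
    return {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}


def extract_password_hash(source):
    """Return the 32-hex login hash if the shell defines one, else None."""
    m = re.search(r'\$__authentication_pass\s*=\s*"([0-9a-f]{32})"', source)
    return m.group(1) if m else None


# Constructed sample input: the decoded lines quoted in the question,
# re-obfuscated the same way the dropper does it.
SAMPLE_SOURCE = '''$__authentication_pass = "52b1d005abc139cc281a32d8aa7cd1c2";
$color = "#df5";
$__default__action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
@ini_set('error_log', NULL);
'''


def obfuscate(source):
    """Inverse of decode_payload; used only to build the constructed sample."""
    b64 = base64.b64encode(source.encode()).decode().rstrip("=")
    for placeholder, original in SUBSTITUTIONS:
        b64 = b64.replace(original, placeholder)
    return b64


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_SOURCE)
    decoded = decode_payload(blob)
    print(decoded)
    print(triage(decoded))
    print("login hash:", extract_password_hash(decoded))
```

Run it against the real blob by passing the long string literal from the infected file to decode_payload(); the printed triage dict tells you at a glance whether the 404-for-crawlers block, the FilesMan action and the error_log suppression are present, and the hash is the value to keep as an indicator when you compare the sample with known web-shell families.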
  • It appears to send a 404 header for the bots supplied in `$userAgents` – Gerben Jacobs Apr 24 '14 at 09:41
  • What you posted doesn't do anything but check whether the client is a web crawler or not. There must be more after this that contains the actual malware. – Barmar Apr 24 '14 at 09:42
  • it appears to stop various bots from crawling your site by displaying a 404 error if it is one of the useragents – mic Apr 24 '14 at 09:42
  • Simple: it sends a 404 to all major bots, effectively ensuring that your site won't be crawled (and thus won't show up in search results) by google, bing, Yahoo etc... Then, it disables error logging, and probably does all sorts of bad stuff you're not posting here – Elias Van Ootegem Apr 24 '14 at 09:43
  • Guys, I didn't post the entire file, since I was thinking posting viruses is illegal. Can post though. – Dims Apr 24 '14 at 09:44
  • @EliasVanOotegem this probably just hides file manager from bots making them (like Webmaster Tools) to identify it. – Dims Apr 24 '14 at 09:46
  • @Dims: No need. We know the code is malicious, explaining what it does and how it does is not what this site is for. Even though this is off topic, you could provide some clues as to what exploit the attacker used, and ask us how to best prevent further damage? – Elias Van Ootegem Apr 24 '14 at 09:46
  • I don't know yet. This is what I am trying to understand. – Dims Apr 24 '14 at 09:47
  • @Dims Post the entire code. No problem – samayo Apr 24 '14 at 09:54
  • is this site made from Wordpress, Joomla etc etc? if so they are regularly attacked with common known methods, it may also be worth looking at plugins for sites that can monitor failed login attempts and other file manipulations. – mic Apr 24 '14 at 09:54
  • SO is not a farm of human VM's. – Ja͢ck Apr 24 '14 at 10:23
  • @Jack hey, I was asked to post code! My request was for general revision, since I am not very fluent with PHP – Dims Apr 24 '14 at 10:47

0 Answers