Recently I analyzed a porn doorway script and found an interesting way to obfuscate an IP address there.
$adr1 = ".............................................................................................................................................................................";
$adr2 = "............................................................................................................................................................................................................................................";
$adr3 = ".................................................................";
$adr4 = "........................";
$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);
In the code above, each byte of the IP address $ard is represented by a string of dots, where the number of dots in the string is the byte value.
This gives us the following IP address: 173 . 236 . 65 . 24, which is used to generate a redirect URL for the doorway visitors:
header("Location: hxxp://$ard/input/?mark=20151119-$s");
In our case, the final redirect URL was hxxp://173 . 236 . 65 . 24/input/?mark=20151119-/azq9mzo3v
This code was found in thousands of .php doorway files created by the attackers. This is the sort of hack that may cause trouble even after you have completely cleaned your site. You can read about such scenarios on our blog. To prevent Googlebot from indexing and re-indexing tons of pages that shouldn't have been there in the first place, it may be a good idea to close spammy directories on your server with robots.txt directives.
If you find something like this on your server, it's only the tip of the iceberg. To stop the hackers, you also need to find and close all security holes (including the backdoors that they uploaded to your site). If you need professional help with malware cleanup and site protection, please check our Website AntiVirus service.
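To find other files that hide an address with the strlen() trick described above, a scanner can resolve the string lengths statically instead of executing the PHP. The following is an added example, not code from the doorway script or from our tools; the function names and the constructed sample are assumptions, and it generalizes slightly to single-quoted strings and any filler character.

```python
import re
import sys
from pathlib import Path

# $name = "literal";  with single or double quotes
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(["'])(.*?)\2\s*;""", re.S)
# Four strlen($var) calls concatenated with a "." string literal between them
STRLEN = r"strlen\(\s*\$(\w+)\s*\)"
SEP = r"""\s*\.\s*["']\.["']\s*\.\s*"""
QUAD_RE = re.compile(SEP.join([STRLEN] * 4))


def decode_strlen_ips(php_source):
    """Return the IPv4 addresses that strlen() concatenations in php_source evaluate to."""
    # PHP strlen() counts bytes, so measure the encoded literal
    lengths = {name: len(value.encode("utf-8"))
               for name, _quote, value in ASSIGN_RE.findall(php_source)}
    found = []
    for match in QUAD_RE.finditer(php_source):
        octets = [lengths.get(var) for var in match.groups()]
        # Report only when all four variables are known literals in byte range
        if all(o is not None and o <= 255 for o in octets):
            found.append(".".join(map(str, octets)))
    return found


def scan_tree(root):
    """Map each .php file under root to the addresses decoded from it."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        ips = decode_strlen_ips(path.read_text(errors="replace"))
        if ips:
            hits[str(path)] = ips
    return hits


# Constructed sample mirroring the snippet on this page (dot counts 173, 236, 65, 24)
SAMPLE = "".join('$adr%d = "%s";\n' % (i, "." * n)
                 for i, n in enumerate((173, 236, 65, 24), start=1))
SAMPLE += '$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, ips in scan_tree(sys.argv[1]).items():
            print(path, ips)
    else:
        print(decode_strlen_ips(SAMPLE))
```

Run it with a web root as the only argument to list every .php file that builds an address this way; with no argument it decodes the constructed sample.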