Site Defacement Code

Screen Shot 2016-03-18 at 10.22.32 AM

My server got hacked last night, though my hosting company immediately quarantined the files so no harm was done. But the resulting files are really kind of beautiful from an aesthetic and code-studies level. Below is the “forensic log file” from my host, a little ASCII text file generated by some programmer with a few lines of code listing the suspect file as zebi.php. It actually missed a few other malicious files: cp.php, xp.php, bassimo.php, and bassimo1.php.

The files themselves are obfuscated PHP, but a few hints are left behind. One of the files includes a credit line for FOPO (Free Online PHP Obfuscator) and lists the date/time for obfuscation as Thursday, February 11th, 2016 at 18:47 UTC. It also lists the IP address as 41.227.238.37. A quick whois lookup shows the location of the hackers is (probably/possibly) in Tunisia, and that they use the service provider Agence Tunisienne Internet.
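The host's scan listed only zebi.php and missed the other files, so here is an added example (not code from the original post or from the hosting company) of a small triage script that flags PHP files by the FOPO credit line described above and pulls the timestamp and IP address out of it. The decoder-chain and long-blob checks, the layout of the sample credit comment, and the sample file contents are assumptions constructed for the demo.

```python
import re
from pathlib import Path

# The FOPO credit line comes from the post; the decoder and blob patterns are
# general packed-PHP heuristics assumed for this example.
FOPO_RE = re.compile(r"FOPO|Free Online PHP Obfuscator", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
STAMP_RE = re.compile(r"\w+, \w+ \d{1,2}\w{2}, \d{4} at \d{2}:\d{2} UTC")
DECODER_RE = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")

def triage(source):
    """Return (reasons, header) for one PHP source string."""
    reasons, header = [], {}
    if FOPO_RE.search(source):
        reasons.append("fopo-credit")
        ip, stamp = IPV4_RE.search(source), STAMP_RE.search(source)
        if ip:
            header["ip"] = ip.group()
        if stamp:
            header["obfuscated_at"] = stamp.group()
    # Two or more decoder calls suggests a wrapped payload, e.g. eval(base64_decode(...))
    if len(DECODER_RE.findall(source)) >= 2:
        reasons.append("decoder-chain")
    if BLOB_RE.search(source):
        reasons.append("encoded-blob")
    return reasons, header

def scan_tree(root):
    """Triage every *.php file under root; return {relative path: (reasons, header)}."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        reasons, header = triage(path.read_text(errors="replace"))
        if reasons:
            findings[str(path.relative_to(root))] = (reasons, header)
    return findings

# Constructed samples (not the real malware): file names come from the post,
# the contents and the credit comment layout are made up for the demo.
SAMPLES = {
    "zebi.php": "<?php /* Obfuscation provided by FOPO - Free Online PHP Obfuscator\n"
                "created on Thursday, February 11th, 2016 at 18:47 UTC from IP 41.227.238.37 */\n"
                "eval(base64_decode('" + "QUJD" * 40 + "'));",
    "cp.php": "<?php eval(gzinflate(base64_decode('" + "QUJD" * 40 + "')));",
    "index.php": "<?php echo 'hello'; ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, *triage(src))
```

Point `scan_tree()` at a copy of the web root rather than the live one, and treat hits as leads for manual review, since legitimate commercial PHP code is sometimes packed the same way.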

What does it do? I believe it defaces a site, something like this:

HackedByZebi_web

Most of the code is PHP, with some HTML, CSS, and a little JavaScript. One notable bit of JavaScript is this one, hosted on w0rms.com, a Turkish hacker site. This script (I think) generates an image of the page it is hacking by passing the URL to a PHP script:

I won’t post the full files here, since they are malware, after all (and readily found online if you want them). But here are a few excerpted screenshots that show a real abstract beauty.

[Six screenshots of excerpts from the malicious files]

Some of the code above was run through PHP Formatter to clean up the indentation and make it easier to read. For a more forensic look at how the code works, try UnPHP for decoding obfuscated code.

Javascript Variable Names from Amazon.com

AmazonHomepage

This month, I’m participating in the Critical Code Studies Working Group. As part of that, this post focuses on a detail of tiny size but vast proliferation: JavaScript variable names. They are created by humans or machines for other humans or machines. Regardless of how they were generated, variable names are chosen by someone (a programmer) or something (minimizing or obfuscation software). They are texts written across the web, hidden just below the surface of the browser and easily accessible, yet they do not form the written text we see on the screen or the semantic markup of HTML.

Specifically, this post focuses on a list of all 175 JavaScript variable names from amazon.com, which can be viewed here: http://bit.ly/1Oe7ic9. At first glance the JavaScript variable names are seemingly random, but on a closer read they fall into a few different categories, which may help us better understand them.
