Site Defacement Code

Screen Shot 2016-03-18 at 10.22.32 AM

My server got hacked last night, though my hosting company immediately quarantined the files so no harm was done. But the resulting files are really kind of beautiful from an aesthetic and code-studies level. Below is the “forensic log file” from my host, a little ASCII text file generated by some programmer with a few lines of code listing the suspect file as zebi.php. It actually missed a few other malicious files: cp.php, xp.php, bassimo.php, and bassimo1.php.

The files themselves are obfuscated PHP, but a few hints are left behind. One of the files includes a credit line for FOPO (Free Online PHP Obfuscator) and lists the date/time for obfuscation as Thursday, February 11th, 2016 at 18:47 UTC. It also lists the IP address as 41.227.238.37. A quick whois lookup shows the location of the hackers is (probably/possibly) in Tunisia, and that they use the service provider Agence Tunisienne Internet.

What does it do? I believe it defaces a site, something like this:

HackedByZebi_web

Most of the code is PHP, with some HTML, CSS, and a little JavaScript. One notable bit of JavaScript is this one, hosted on w0rms.com, a Turkish hacker site. This script (I think) generates an image of the page it is hacking by passing the URL to a PHP script:

I won’t post the full files here, since they are malware, after all (and readily found online if you want them). But here are a few excerpted screenshots that show a real abstract beauty.

Screen Shot 2016-03-18 at 10.20.53 AM

Screen Shot 2016-03-18 at 10.21.04 AM

Screen Shot 2016-03-18 at 10.23.02 AM

Screen Shot 2016-03-18 at 10.23.21 AM

Screen Shot 2016-03-18 at 10.23.36 AM

Screen Shot 2016-03-18 at 10.23.40 AM

Some of the code above was run through PHP Formatter to clean up the indentation and make it easier to read. For a more forensic look at how the code works, try UnPHP for decoding obfuscated code.
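The host's scan listed only zebi.php and missed the other files, so here is a small triage sketch that scores PHP files for the obfuscation markers described above. It is an added example, not code from the original post or from the hosting company. The indicator weights, the threshold, the function names and the sample file contents are all assumptions constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Indicator -> (pattern, weight). The weights and threshold are assumptions for this sketch.
INDICATORS = {
    "obfuscator_credit": (re.compile(rb"Free Online PHP Obfuscator", re.I), 3),
    "eval_call": (re.compile(rb"\beval\s*\(", re.I), 2),
    "decoder_call": (re.compile(rb"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    "hex_escaped_string": (re.compile(rb'"(?:\\x[0-9a-fA-F]{2}){6,}"'), 3),
    "long_base64_literal": (re.compile(rb"[\"'][A-Za-z0-9+/=]{200,}[\"']"), 3),
}

def score_php(source: bytes):
    """Return (score, names of matched indicators) for one PHP source file."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(source)]
    return sum(INDICATORS[h][1] for h in hits), hits

def triage(files: dict, threshold: int = 5):
    """Score {name: bytes}; return (name, score, hits) at or above threshold, highest first."""
    scored = [(name, *score_php(src)) for name, src in files.items()]
    return sorted((r for r in scored if r[1] >= threshold), key=lambda r: -r[1])

def scan_tree(root, threshold: int = 5):
    """Apply the same triage to every *.php file under a directory."""
    return triage({str(p): p.read_bytes() for p in Path(root).rglob("*.php")}, threshold)

# Constructed, harmless samples: the encoded blob only echoes a string.
BLOB = base64.b64encode(b"echo 'constructed sample'; " * 20)
SAMPLES = {
    "zebi.php": rb'<?php $f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"; @eval($f("' + BLOB + rb'")); ?>',
    "cp.php": b"<?php /* constructed credit: Free Online PHP Obfuscator */ eval(base64_decode('" + BLOB + b"')); ?>",
    "index.php": b"<?php $img = base64_decode($row['thumb']); echo $img; ?>",
}

if __name__ == "__main__":
    for name, score, hits in triage(SAMPLES):
        print(f"{name}: score={score} indicators={', '.join(hits)}")
```

A single indicator, such as the lone `base64_decode` call in the constructed index.php, stays below the threshold, which keeps ordinary application code out of the results.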
