Understanding Spam Scripts

Karandras

Hey,

So the company I work for has about 150 domains hosted. Every once in a while one gets compromised with some spam scripts. I've cat'd these files and it's just garble. Is there a way to understand how it's written? I'm curious about how it works. More curious as to how it got there in the first place, but how it's run is a good step as well.

Thanks!
 
Sounds like the files are "minified", which is what they call removing all the whitespace and shortening all the variable names. What you need to do is use a script to "unminify" (sometimes called "beautify") the script, which will make it more readable, although you'll still probably have one-letter variable names.

This site hosts a script that does this for JavaScript; there is probably a version for whatever scripting language you need somewhere.
http://unminify.com/
 
You probably have some buffer overflow or SQL injection vulnerability on the web hosts.

Minifying the scripts is a hassle in and of itself when you have a hard limit or specific amount of characters used to trigger the vulnerability.

Is absolutely everything on every page being input validated so that no unexpected data can be input?
 
Any comments? Have you tried googling for parts of the code? Others may have researched it and posted their findings.
 
https://isc.sans.edu/ periodically posts an example analysis of some server side scripts. There are different ways to obfuscate/minify the files, so it takes some practice/expertise to figure out how to decode them properly.
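
As an added example that is not part of the thread or any poster's code: a static triage in Python for the kind of garbled file described above. It assumes the scripts are PHP (the thread does not say) and runs on a constructed sample; nothing is executed, the text is only measured and one base64 layer is decoded for reading.

```python
import base64, binascii, math, re
from collections import Counter

# Constructed sample (not a real spam script): one long line wrapping an encoded layer.
INNER = b"echo 'constructed placeholder, not real spam code';"
SAMPLE = "<?php $k='x';eval(base64_decode('%s'));?>" % base64.b64encode(INNER).decode()

# PHP functions commonly chained together to hide server-side code.
WRAPPERS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
B64_LITERAL = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]\s*\)", re.I)

def entropy(text):
    """Shannon entropy in bits per character; packed or encoded text scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def triage(text):
    """Return static obfuscation indicators for a script; the script is never run."""
    lines = text.splitlines() or [""]
    return {
        "longest_line": max(len(line) for line in lines),
        "whitespace_ratio": round(sum(ch.isspace() for ch in text) / max(len(text), 1), 3),
        "entropy": round(entropy(text), 2),
        "wrappers": Counter(m.group(1).lower() for m in WRAPPERS.finditer(text)),
    }

def peel_base64(text):
    """Decode base64_decode('...') string literals so the hidden layer can be read."""
    layers = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed literal: leave it for manual review
        layers.append(raw.decode("utf-8", errors="replace"))
    return layers

if __name__ == "__main__":
    print(triage(SAMPLE))
    for layer in peel_base64(SAMPLE):
        print("decoded layer:", layer)
```

Work on a copy of the file taken off the web host. A decoded layer may itself contain further wrappers, so run `triage` on each layer again.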
 