Understanding Spam Scripts

Karandras

[H]ard|Gawd
Joined
Feb 16, 2001
Messages
1,873
Hey,

So the company I work for has about 150 domains hosted. Every once in a while one gets compromised with some spam scripts. I've cat'd these files and it's just garble. Is there a way to understand how it's written? I'm curious about how it works. More curious about how it got there in the first place, but how it's run is a good step as well.

Thanks!
 
Sounds like the files are "minified", which is what they call removing all the whitespace and shortening all the variable names. What you need to do is use a script to "unminify" (sometimes called "beautify") the script, which will make it more readable, although you'll still probably have one-letter variable names.

This site hosts a script that does this for JavaScript; there is probably a version for whatever scripting language you need somewhere.
http://unminify.com/
 
You probably have some buffer overflow or SQL injection vulnerability on the web hosts.

Minifying the scripts is a hassle in and of itself when you have a hard limit or a specific number of characters used to trigger the vulnerability.

Is absolutely everything on every page being input validated so that no unexpected data can be input?
 
Any comments? Have you tried googling for parts of the code? Others may have researched it and posted their findings.
 
https://isc.sans.edu/ periodically posts an example analysis of some server side scripts. There are different ways to obfuscate/minify the files, so it takes some practice/expertise to figure out how to decode them properly.
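To show what "different ways to obfuscate" look like in practice, and what the "unminify" step from the earlier reply has to be preceded by, here is an added example that is not code from anyone in this thread: a small Python analyzer that statically peels the `eval(<decoder>('literal'))` wrappers that typically surround dropped PHP spam scripts. It emulates PHP's `base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13` and `strrev` in Python instead of executing anything, so the payload can be read on an analysis box. The two sample scripts it decodes are constructed inside the file; the decoder table and the `eval(...)` regex are the assumptions it makes about the obfuscator.

```python
"""Statically peel eval(<decoders>('literal')) wrappers off an obfuscated PHP script.

Added example for this thread (not code from any poster). Nothing is executed:
the PHP decoder functions are emulated in Python and the payload is returned
as text for reading, beautifying and indicator extraction.
"""
import base64
import codecs
import re
import zlib

# One wrapper layer: eval( f1( f2( ... 'literal' ... ) ) );   (assumed obfuscator shape)
LAYER_RE = re.compile(
    r"""eval\s*\(\s*((?:[A-Za-z_0-9]+\s*\(\s*)+)(['"])(.*?)\2\s*\)+\s*;?""",
    re.DOTALL,
)

def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")

# PHP decoder name -> Python equivalent working on bytes
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                 # zlib-wrapped
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
}

# Tokens an analyst would flag in any layer (heuristic, not a signature)
SUSPICIOUS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(",
              "mail(", "$_POST", "$_REQUEST", "$_GET")

def peel_layer(src: str):
    """Decode one eval(...) wrapper; returns (inner_source, decoders_applied) or None."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    funcs = re.findall(r"[A-Za-z_0-9]+", m.group(1))
    data = m.group(3).encode("latin-1")
    applied = []
    for name in reversed(funcs):              # innermost call runs first in PHP
        fn = DECODERS.get(name.lower())
        if fn is None:                        # unknown transform: stop, leave it to the analyst
            return None
        data = fn(data)
        applied.append(name)
    return data.decode("latin-1"), applied

def peel(src: str, max_layers: int = 20):
    """Strip wrappers until no recognised eval(...) pattern remains."""
    history = []
    for _ in range(max_layers):
        result = peel_layer(src)
        if result is None:
            break
        src, applied = result
        history.append(applied)
    return src, history

def indicators(src: str):
    """Sorted list of suspicious tokens present in a script body."""
    return sorted(t for t in SUSPICIOUS if t in src)

# --- constructed samples (mirror of the decoders, used only to build test input) ---
def _deflate_raw(b: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(b) + c.flush()

_ENCODERS = {
    "base64_decode": lambda b: base64.b64encode(b),
    "gzinflate": _deflate_raw,
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
}

def _wrap(payload: str, *calls: str) -> str:
    """Wrap payload the way an obfuscator would; calls are listed outermost first."""
    data = payload.encode("latin-1")
    for name in calls:
        data = _ENCODERS[name](data)
    return "eval(" + "".join(f"{n}(" for n in calls) + f"'{data.decode('latin-1')}'" + ")" * (len(calls) + 1) + ";"

PAYLOAD = "echo 'constructed payload'; /* placeholder for the real script body */"
HARDCODED_SAMPLE = "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>"   # base64 of: echo 'hi';
NESTED_SAMPLE = "<?php " + _wrap(_wrap(PAYLOAD, "str_rot13", "base64_decode"),
                                 "gzinflate", "base64_decode") + " ?>"

if __name__ == "__main__":
    inner, layers = peel(NESTED_SAMPLE)
    print("layers peeled:", layers)
    print("indicators in wrapper:", indicators(NESTED_SAMPLE))
    print("decoded:", inner)
```

The peeler stops at the first transform it does not know (for example a hand-rolled XOR loop), which is exactly the point where manual analysis starts; the `indicators()` output on the outer file is the kind of pattern to grep a web root for when the question is how many of the 150 sites carry the same dropper.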
 