  1. #1
    Join Date
    Aug 2004
    Posts
    346

    Website hacked, code added to top of all pages, somebody can decode it???

    My website was hacked and he added some PHP code to all my pages, but it is not easy for me to decode. If somebody knows what this is, please help me; I want to see the decoded PHP code of this:
    http://pastebin.com/GumkwvXP

    Thanks.

  2. #2
    Join Date
    Nov 2005
    Posts
    3,944
    I'd be afraid to run this on a non-sandbox environment but it comes down to this actually being run:

    Code:
    $qrkhbdbmht($ivgafnkywx, $skcnswjmwb, NULL);
    Every variable in it is obfuscated so you'd have to figure out what each variable is.

  3. #3
    Join Date
    Nov 2005
    Posts
    3,944
    I did some more digging, that is a preg_replace with more obfuscation. So there are multiple levels of obfuscation on this code. I suspect it would take a little while to figure out exactly what it is doing. If you are concerned about it, I suggest either you restore all files from a backup or hire a security consultant who can get to the bottom of it.

  4. #4
    Join Date
    Apr 2013
    Posts
    36
    If you can figure out what the data block at the bottom

    "\x20\57\x2a\40\x76\147\x69\151\x62\145\x72\146\x6c\171\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\ x28\50\x31\62\x39\55\x39\62\x29\51\x2c\40\x63\150\x72\50\x28\63\x36\62\x2d\62\x37\60\x29\51\x2c\40\x6c\157\x6a\150\x75\145\x78\171\x6e\167\x28\44\x68\ 165\x6e\172\x62\167\x62\147\x64\160\x2c\44\x6d\165\x79\157\x73\155\x75\167\x62\162\x29\51\x29\73\x20\57\x2a\40\x67\172\x74\151\x75\171\x61\162\x74\144 \x20\52\x2f\40"

    is it may give you an idea

  5. #5
    Join Date
    Aug 2004
    Posts
    346
    That is:
    /* vgiiberfly */ eval(str_replace(chr\ x28(129-92)), chr((362-270)), lojhuexynw($h\ 165nzbwbgdp,$muyosmuwbr))); /* gztiuyartd */

    But I still can't tell what this code is doing...
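Added example, not part of any post in this thread: a static Python decoder for the `\xHH` and `\NNN` escapes in the data block from post #4, so the string can be read without running the PHP. It drops the stray spaces in the quoted block (the source of the `\ x28` and `\ 165` fragments in the decode above), on the assumption that every real character in the block is escaped; the function names are this example's own.

```python
import re

# Data block from post #4, copied with the three stray spaces it carries on
# the page (line-wrap artifacts that split "\x28" and "\165").
DATA_BLOCK = (
    r"\x20\57\x2a\40\x76\147\x69\151\x62\145\x72\146\x6c\171\x20\52\x2f\40"
    r"\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28"
    r"\143\x68\162\ x28\50\x31\62\x39\55\x39\62\x29\51\x2c\40"
    r"\x63\150\x72\50\x28\63\x36\62\x2d\62\x37\60\x29\51\x2c\40"
    r"\x6c\157\x6a\150\x75\145\x78\171\x6e\167\x28\44\x68\ 165\x6e\172\x62"
    r"\167\x62\147\x64\160\x2c\44\x6d\165\x79\157\x73\155\x75\167\x62\162"
    r"\x29\51\x29\73\x20\57\x2a\40\x67\172\x74\151\x75\171\x61\162\x74\144"
    r" \x20\52\x2f\40"
)

# PHP double-quoted strings accept hex (1-2 digits) and octal (1-3 digits) escapes.
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# Constant arithmetic of the form chr((a-b)), as used in this sample.
CHR_CALL = re.compile(r"chr\(\((\d+)-(\d+)\)\)")


def decode_php_escapes(dump: str) -> str:
    """Decode hex and octal string escapes statically; nothing is executed."""
    # Assumption: literal whitespace in the dump is a wrapping artifact,
    # because real spaces in this block are themselves escaped.
    compact = re.sub(r"\s+", "", dump)

    def to_char(match):
        if match.group(1) is not None:
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 8) & 0xFF)  # PHP wraps octal overflow

    return ESCAPE.sub(to_char, compact)


def resolve_chr_constants(php: str) -> str:
    """Replace each chr((a-b)) with the quoted character it evaluates to."""
    return CHR_CALL.sub(
        lambda m: repr(chr((int(m.group(1)) - int(m.group(2))) % 256)), php)


if __name__ == "__main__":
    layer = decode_php_escapes(DATA_BLOCK)
    print(layer)
    print(resolve_chr_constants(layer))
```

With the two `chr()` calls resolved, the statement reads `eval(str_replace('%', '\\', lojhuexynw($hunzbwbgdp,$muyosmuwbr)))`: the output of `lojhuexynw` has `%` swapped for backslashes before it is passed to `eval`.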

  6. #6
    You can try this tool: http://ddecode.com/phpdecoder/

    No matter what the code is doing, you should clean up your site.


    Quote Originally Posted by gurika View Post
    That is:
    /* vgiiberfly */ eval(str_replace(chr\ x28(129-92)), chr((362-270)), lojhuexynw($h\ 165nzbwbgdp,$muyosmuwbr))); /* gztiuyartd */

    But I still can't tell what this code is doing...

  7. #7
    Join Date
    Nov 2013
    Posts
    42
    Why not restore your site from a backup?

  8. #8
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Quote Originally Posted by NT-James View Post
    Why not restore your site from a backup?
    Or just remove the code.
    It certainly can't do any more harm than it already is
    Tom Whiting, WHMCS Guru extraordinaire

  9. #9
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    16,703
    Google this:
    muyosmuwbr
    Several cache results are there. Several things are going on:
    - injecting porn ads
    - changing (or trying to change) PHP settings
    - scanning site users/passwords

  10. #10

    Removing this file would solve the hacking problem. Try to scan all the files and folders on the server to completely remove all vulnerable exploits.

    As for the code, @kpmedia should be right. Pretty sure it scans usernames & passwords throughout the server, since I did have a similar file like this once on one of our client's unmanaged servers.

  11. #11
    Join Date
    Aug 2004
    Posts
    346
    I already removed all of this code from a hundred PHP files, but I need to know what it is doing...

    Thanks.

  12. #12
    Join Date
    Dec 2005
    Location
    Finland
    Posts
    1,471
    Is this a WordPress site, or something else? Can't help you much without knowing something about the technology.

    In any case, you probably have old or unsafe script somewhere.

  13. #13
    Join Date
    Aug 2004
    Posts
    346
    I have WordPress and phpFox...

  14. #14
    Join Date
    Dec 2005
    Location
    Finland
    Posts
    1,471
    Quote Originally Posted by gurika View Post
    I have WordPress and phpFox...
    Well, that's a start.

    Are the scripts updated to the latest versions? What kind of theme are you using on the WordPress site? Do you have plugins that may have known vulnerabilities?

    If you can restore from a recent backup, that's probably your best bet. I guess there's no such backup or you'd have told us about that. You may want to check if your host is automatically backing up your site, but they're not exactly required to do so.

    If you can log in, reinstalling WordPress should remove most instances of code in the system core files. Then you need to check the upload folders, themes, plugins, and config files.

    You could install Wordfence to scan the site for any remnants of the hack. It's not always able to find everything, but it's much better than just randomly poking around.

    That's a start at least. If it seems overwhelming, please hire a professional to do the cleaning.
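Added example, not part of any post in this thread: a small Python check for leftover injected code at the top of PHP files, for use alongside the cleanup steps above. The two heuristics (a dense run of `\xHH`/`\NNN` escapes, and a variable-function call shaped like the one quoted in post #2) and the thresholds are assumptions drawn only from the fragments quoted in the thread; the sample files are constructed.

```python
import re
from pathlib import Path

# Heuristics derived only from the fragments quoted in this thread (assumptions):
# many hex/octal string escapes, and a call shaped like $f($a, $b, NULL),
# both near the top of the file.
ESCAPES = re.compile(rb"\\x[0-9A-Fa-f]{2}|\\[0-7]{2,3}")
VAR_CALL = re.compile(rb"\$\w+\s*\(\s*\$\w+\s*,\s*\$\w+\s*,\s*NULL\s*\)", re.I)
HEAD_BYTES = 8192    # the injected code was added to the top of each page
MIN_ESCAPES = 40     # assumed threshold; calibrate against known-clean files


def score_head(data: bytes) -> dict:
    """Count obfuscation markers in the first HEAD_BYTES of a PHP file."""
    head = data[:HEAD_BYTES]
    return {"escapes": len(ESCAPES.findall(head)),
            "var_call": VAR_CALL.search(head) is not None}


def is_suspicious(data: bytes) -> bool:
    """True when either marker is present in the head of the file."""
    score = score_head(data)
    return score["escapes"] >= MIN_ESCAPES or score["var_call"]


def scan_tree(root) -> list:
    """Return relative paths of *.php files under root whose head looks injected."""
    root = Path(root)
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*.php"))
            if p.is_file() and is_suspicious(p.read_bytes())]


# Constructed samples (not the attacker's code): a clean page, and the same
# page with an escaped blob and the thread's call shape prepended.
CLEAN = b"<?php\necho htmlspecialchars($title);\n"
INJECTED = (b'<?php $skcnswjmwb = "' + rb"\x65\166\x61\154" * 15 + b'"; '
            b"$qrkhbdbmht($ivgafnkywx, $skcnswjmwb, NULL); ?>" + CLEAN)

if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit is a file to inspect by hand or restore from a known-good copy; a clean result does not show the site is clean, since a backdoor elsewhere need not look like these fragments.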

  15. #15
    Join Date
    May 2013
    Posts
    177
    By the way that script itself seems to do absolutely nothing.

  16. #16
    Join Date
    Dec 2005
    Location
    Finland
    Posts
    1,471
    Quote Originally Posted by derp View Post
    By the way that script itself seems to do absolutely nothing.
    That's expected. It's likely that there's some sort of trigger or condition, and the script doesn't run if that's not met. It's intended to stay as hidden as possible. It's also possible that the payload or backdoor is somewhere under the site, and that piece is just calling that code.

  17. #17
    Join Date
    Apr 2013
    Posts
    36
    Yeah I decoded bits of it as well - all it seemed to do was wrap itself up about 121 times I think it was and do nothing else - so unless I missed something buried somewhere between the first ten wraps and the last few - it doesn't do anything.

    I ran it on a scratch domain on my laptop and it produced zero output.

    So I don't know.

  18. #18

    Quote Originally Posted by Cryptonomicon View Post
    it doesn't do anything.
    Oh but maybe it does? Perhaps the intent was to waste a bunch of people's time.

  19. #19
    Join Date
    Apr 2013
    Posts
    36
    Quote Originally Posted by Nullified View Post
    Perhaps the intent was to waste a bunch of people's time.
    Well it sure did that - once I locked onto the damned thing I just couldn't let go
    HostComparator.com
    VPS and Dedicated Server Comparison
    The web hosts your mother wouldn't tell you about.

  20. #20
    Join Date
    Aug 2004
    Posts
    346
    Looks like this hacker is a very good coder or is using some very good tool to encode this code...

  21. #21
    Join Date
    May 2013
    Posts
    177
    No, it simply doesn't do anything and you can discover that in about 5 minutes.

    If you use a PHP formatting tool, you'll see everything is simple string manipulation (without echoing, saving or doing anything to any strings - just manipulating them).

    This is the only questionable code.
    Code:
    $qrkhbdbmht($ivgafnkywx, $skcnswjmwb, NULL);
    But if you dig just a bit deeper, $qrkhbdbmht = preg_replace and the code doesn't actually make use of the return from this function.

    So there, in 3-5 minutes you have discovered that this code performs absolutely nothing at all. No password scanning, nothing at all.

    It might be likely that there are other parts involved, and this part along with the others can do something malicious, but given just this code it is completely harmless.

  22. #22
    Join Date
    Apr 2013
    Posts
    36
    It has an eval in there that executes the string $skcnswjmwb returned from the previous manipulation.

    It returns a version of the same thing with another $muyosmuwbr