For a few days the homepage of my website was not accessible.

Someone hacked the index.php page and replaced this code

<?php
echo "hello world";
?>

with this one:

<?php
ob_start("phpfake");

echo "hello world";
?>
<?php
function phpfake($buffer)
{
  $Exp='<script language="javascript">$="%54h%69%73%20%63%6f%64%65%20%68%61%73%20%62e%65%6e%20%65%6c%69%64%65%64%20%62%65%63%61%75%73%65%20%6b%6e%6f%77%69n%67+%74%68%65+%65%78%61%63t%20%6e%61%74%75%72%65%20%6f%66%20%74%68%65%20%61t%74%61%63%6b%20%69s%20%6e%6f%74%6ee%63%65%73%73%61%72%79%20f%6f%72%20%6f%6e%65+t%6f%20%73%61%79%20%22%79e%73%2c%20%74%68%69%73%20%69%73%20%61%6e%20%61%74%74%61%63%6b%22%3b%20%61%6e%64%20a%6c%73%6f%20%74%6f%20%63%6f%6d%70%6c%79%20%77%69%74%68%20%74%68%69%73%73%69t%65%27%73%20%41%55%50%20%28%73%65%65%20%74h%65%20%74%65%6e%74%68%20%62%75%6c%6c%65%74%20%70%6f%69%6e%74%20%6f%6e%20%74%68%65%20%6ci%73%74+%6f%66%20t%68%69%6e%67%73%20y%6f%75%20%61%67%72%65%65%20%74%6f%20by%75s%69%6eg%20%74%68%65%73%65%20%66%6f%72um%73%29%2e";eval(unescape($));document.write($);</script>';
  return (ereg_replace("</body>", "$Exp</body>", $buffer));
}
?>

Any clue about the meaning of this expression? Or what is this occurrence?

    It has more to do with Javascript than PHP since it uses PHP to print a Javascript.

    The Javascript itself is urlencoded, and probably contains a malicious script when decoded (or perhaps the process is repeated, as some script kiddies do in the mistaken belief that it will make their script harder to decode). It is this malicious script that is evaluated.

      Far more interesting is how your site was hacked in the first place.

        Weedpacket wrote:

        Far more interesting is how your site was hacked in the first place.

        In other words: it's time to change all of your login and FTP passwords and notify your hosting company that you've been hacked (in case they came in through someone else's account on the same host). Then it is time for a security review of any pages on your site that process user inputs of any sort (including URL values via $_GET).

          Someone did not actually hack your hosting account (I was able to decode the script); it is actually your hosting company notifying you of something (see below):

          <?php
          ob_start("phpfake");
          
          echo "hello world";
          ?>
          <?php
          function phpfake($buffer)
          {
            $Exp='<script language="javascript">$="This code has been elided because knowing the exact nature of the attack is notnecessary for one to say "yes, this is an attack"; and also to comply with thissite's AUP (see the tenth bullet point on the list of things you agree to byusing these forums).";eval(unescape($));document.write($);</script>';
            return (ereg_replace("</body>", "$Exp</body>", $buffer));
          }
          ?>
          

          That means it will write:

          This code has been elided because knowing the exact nature of the attack is notnecessary for one to say "yes, this is an attack"; and also to comply with thissite's AUP (see the tenth bullet point on the list of things you agree to byusing these forums).
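          The two things this thread does by hand, recognising the ob_start() callback that splices a script in front of </body> and decoding the percent-encoded payload, can be automated for triage. The following is an added example written for this thread, not code posted by anyone in it or by any project; the regexes are this example's own heuristics, and the sample input is the injected index.php quoted in the first post. It also shows a detail worth knowing when you decode such strings: the browser's unescape() leaves "+" untouched, while PHP's urldecode() (and Python's unquote_plus) turns "+" into a space, so the two views of the same payload differ slightly.

```python
"""Triage helper for an ob_start()/</body> script injection in a PHP file.

Added example, not code from the thread. Given a PHP source file it
  1. flags the tell-tale constructs: an output-buffer callback, a rewrite
     of "</body>", and eval(unescape(...)) inside an embedded <script>; and
  2. decodes the percent-encoded payload the way the browser's unescape()
     would, next to a urldecode()-style view, so you can read what runs.
"""
import re
from urllib.parse import unquote_plus

# Heuristic patterns written for this example (not a published signature set).
OB_START_CALLBACK = re.compile(r'ob_start\s*\(\s*["\'](\w+)["\']\s*\)')
BODY_REWRITE = re.compile(
    r'(?:ereg_replace|preg_replace|str_replace)\s*\(\s*["\']<\/body>', re.I)
SCRIPT_BLOCK = re.compile(r'<script[^>]*>(.*?)</script>', re.S | re.I)
# $="<encoded>";eval(unescape($))  -- the loader shape used in the thread
ENCODED_EVAL = re.compile(
    r'\$\s*=\s*"([^"]*)"\s*;\s*eval\s*\(\s*unescape\s*\(\s*\$\s*\)\s*\)')
_PCT = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape(s: str) -> str:
    """Emulate JavaScript's legacy unescape(): %XX and %uXXXX become the
    code unit they name; everything else, including '+', is left as-is."""
    def repl(m):
        hex4, hex2 = m.groups()
        return chr(int(hex4 or hex2, 16))
    return _PCT.sub(repl, s)


def find_indicators(php_source: str) -> dict:
    """Return the suspicious constructs present in a PHP source string."""
    cb = OB_START_CALLBACK.search(php_source)
    loaders = sum(1 for blk in SCRIPT_BLOCK.finditer(php_source)
                  if ENCODED_EVAL.search(blk.group(1)))
    return {
        "ob_start_callback": cb.group(1) if cb else None,
        "rewrites_body_close": bool(BODY_REWRITE.search(php_source)),
        "eval_unescape_scripts": loaders,
    }


def decode_payloads(php_source: str) -> list:
    """Decode every $="...";eval(unescape($)) payload found in <script> blocks.
    browser_view: what unescape() yields; urldecode_view: '+' read as space."""
    found = []
    for blk in SCRIPT_BLOCK.finditer(php_source):
        for enc in ENCODED_EVAL.findall(blk.group(1)):
            found.append({"browser_view": js_unescape(enc),
                          "urldecode_view": unquote_plus(enc)})
    return found


# Sample input: the injected index.php quoted in the first post of the thread.
SAMPLE = r"""<?php
ob_start("phpfake");

echo "hello world";
?>
<?php
function phpfake($buffer)
{
  $Exp='<script language="javascript">$="%54h%69%73%20%63%6f%64%65%20%68%61%73%20%62e%65%6e%20%65%6c%69%64%65%64%20%62%65%63%61%75%73%65%20%6b%6e%6f%77%69n%67+%74%68%65+%65%78%61%63t%20%6e%61%74%75%72%65%20%6f%66%20%74%68%65%20%61t%74%61%63%6b%20%69s%20%6e%6f%74%6ee%63%65%73%73%61%72%79%20f%6f%72%20%6f%6e%65+t%6f%20%73%61%79%20%22%79e%73%2c%20%74%68%69%73%20%69%73%20%61%6e%20%61%74%74%61%63%6b%22%3b%20%61%6e%64%20a%6c%73%6f%20%74%6f%20%63%6f%6d%70%6c%79%20%77%69%74%68%20%74%68%69%73%73%69t%65%27%73%20%41%55%50%20%28%73%65%65%20%74h%65%20%74%65%6e%74%68%20%62%75%6c%6c%65%74%20%70%6f%69%6e%74%20%6f%6e%20%74%68%65%20%6ci%73%74+%6f%66%20t%68%69%6e%67%73%20y%6f%75%20%61%67%72%65%65%20%74%6f%20by%75s%69%6eg%20%74%68%65%73%65%20%66%6f%72um%73%29%2e";eval(unescape($));document.write($);</script>';
  return (ereg_replace("</body>", "$Exp</body>", $buffer));
}
?>
"""

if __name__ == "__main__":
    print(find_indicators(SAMPLE))
    for p in decode_payloads(SAMPLE):
        print("browser would run:", p["browser_view"])
        print("urldecode view:   ", p["urldecode_view"])
```

          Run it against any PHP file that unexpectedly gained an ob_start() call; a callback name plus a "</body>" rewrite plus an eval(unescape()) loader is the combination to treat as an injection. The decoded text is what the visitor's browser would execute, so read it before deciding the file is harmless.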

            sirlemons wrote:

            Someone did not actually hack your hosting account (I was able to decode the script); it is actually your hosting company notifying you of something (see below):

            <?php
            ob_start("phpfake");
            
            echo "hello world";
            ?>
            <?php
            function phpfake($buffer)
            {
              $Exp='<script language="javascript">$="This code has been elided because knowing the exact nature of the attack is notnecessary for one to say "yes, this is an attack"; and also to comply with thissite's AUP (see the tenth bullet point on the list of things you agree to byusing these forums).";eval(unescape($));document.write($);</script>';
              return (ereg_replace("</body>", "$Exp</body>", $buffer));
            }
            ?>
            

            That means it will write:...

            Sounds more like maybe a moderator or admin here changed it, perhaps? (If so, it would be nice of them to mention it here. If not, then I'm confused, since it's talking about a forum and not a web site.)

              I did not change it though: was too busy trying to phrase what Weedpacket elegantly wrote. I am fairly sure it was changed as I remember the original being longer.

                I don't know who changed my script yet. A hacker? A hosting admin, or maybe a virus exists on the hosting?!

                  alirezaok wrote:

                  I don't know who changed my script yet. A hacker? A hosting admin, or maybe a virus exists on the hosting?!

                  I believe it would have been either an admin or a moderator.

                    NogDog wrote:

                    Sounds more like maybe a moderator or admin here changed it, perhaps? (If so, it would be nice of them to mention it here. If not, then I'm confused, since it's talking about a forum and not a web site.)

                    Er, yeah; it was me. The change had been noted at the bottom of the post, but alirezaok has edited the original post since. I guess I should have signed it: at the time I thought it was self-explanatory. The original did some checking for vbulletin cookies and several more layers of JavaScript obfuscation/encryption going on. Suggest you look at your browser's cookies and see if there's anything weird in there.

                    alirezaok wrote:

                    I don't know who changed my script yet.

                    I don't think the script you posted included the perpetrator's name and contact details.

                    A hacker?

                    More likely some sort of script kiddy. Or maybe cosmic rays just happened to corrupt a legitimate page by replacing its contents with random characters that just happened to form a syntactically valid obfuscated script. Which do you think sounds more likely?

                    A hosting admin, or maybe a virus exists on the hosting?!

                    As already suggested: talk to your hosting company.
