Hi, A quick Google search was inconclusive but seemed to point towards a possible automated hack attempt. Earlier today we received the PHP code below in the form of a support ticket which someone/something created in our system. Should we be concerned? Can somebody please shed a little light? Thanks... WebDev
That decodes to Then the base_64 text in the base64_decode function in the decoded text is So I would suggest checking the file "templates_c/mxm.php" to make sure there was not a PHP backdoor implanted.
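One way to triage a ticket like this without running it, added here as an example and not code from the thread: statically peel nested base64_decode() literals, then check whether any .php path named in the decoded layers exists under the web root. The sample payload, the path templates_c/example.php and all function names are constructed for illustration; the ticket's actual code is not shown on the page.

```python
import base64
import binascii
import re
from pathlib import Path

# base64_decode('...') or base64_decode("...") with a literal string argument.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# Path-like strings ending in .php inside decoded text.
PHP_PATH = re.compile(r"[\w./-]+\.php\b")


def peel_layers(text, max_depth=10):
    """Statically decode nested base64_decode() literals; never executes PHP."""
    layers, queue = [], [(text, 0)]
    while queue:
        current, depth = queue.pop(0)
        if depth >= max_depth:
            continue  # stop on pathological nesting
        for match in B64_CALL.finditer(current):
            try:
                raw = base64.b64decode(match.group(2))
            except (binascii.Error, ValueError):
                continue  # literal was not valid base64
            decoded = raw.decode("utf-8", errors="replace")
            layers.append(decoded)
            queue.append((decoded, depth + 1))
    return layers


def referenced_php_files(layers):
    """Collect .php paths named in the decoded layers, in first-seen order."""
    hits = [p for layer in layers for p in PHP_PATH.findall(layer)]
    return list(dict.fromkeys(hits))


def check_webroot(webroot, paths):
    """Map each referenced path to whether it exists as a file under webroot."""
    return {p: (Path(webroot) / p.lstrip("/")).is_file() for p in paths}


def build_sample():
    """Constructed, harmless ticket body with two encoding layers."""
    inner = "echo 'constructed-marker'; /* names templates_c/example.php */"
    mid = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(mid.encode()).decode()


if __name__ == "__main__":
    layers = peel_layers(build_sample())
    print(layers, check_webroot(".", referenced_php_files(layers)))
```

A path that is absent at scan time only shows the file is not there now, so the web server access logs for the ticket's timestamp are still worth reviewing.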
Hi, Thanks for your response. I've looked in templates_c/mxm.php and I cannot even find that file, however? WebDev
Yea was a "hack" attempt. https://www.google.com/webhp?complete=0#hl=en&safe=off&complete=0&site=webhp&source=hp&q=Abu+6aLaL Mainly just trying to hijack index pages on sites. What software are you using? You can Google 'software' version whatever exploits and see if there's anything that needs to be patched.
Was this likely to be an attack aimed specifically at our site, or is it an automated attack which targets random sites for exploits? WebDev
These types of "attacks" are generally just "hackers" who look to get their name on as many sites as possible, mainly just an index page hack with their name on it for bragging rights (Google his handle Abu 6aLaL and you can see his YouTube video of sites he "hacked"). They generally find exploits on certain site s0ft-w4r3 (didn't post in my last response, word filter I guess), and Google what sites are using that along with version, why I asked. The echo 'Abu 6aLaL / '; is probably a test to see if the exploit is there, if so the file upload code then would kick in and he could upload a shell to root the server possibly. Then he'd probably go on to change your index page to his lame "I h4x dis site lololol". And if he successfully roots the server he then could change every site on that server too. I may be wrong about the code but that's my first glance assumption. So to quickly answer you, no you weren't directly targeted most likely, just probably because they saw a posted exploit for certain s0ft-w4r3 you use and they found your site in Google.