krisw Posted November 18, 2010

Hi,

I am the administrator for my company's website. It was developed by a third party, and I don't have a clue about PHP to be honest. When editing the homepage yesterday, I found the following script:

```php
<?php
function l($s){return strtolower($s);}
function a(){return func_get_args();}

// Returns 0 for no match, otherwise the 1-based index of the matching group in $w.
function b($p,$u,$x){
    // Each group is a(hostname fragments, User-Agent fragments).
    $w=a(
        a(a('ask.com'),a('ask jeeves/teoma','ask.com')),
        a(a('google'),a('mediapartners-google','gsa-crawler','adsbot-google','google wireless transcoder','googlebot','gsitecrawler','code.google.com','feedfetcher-google')),
        a(a('blogpulse.com','wordblog.de','goo.ne.jp','seocentro.com','blogbridge.com','bloglines.com','feedmap.net','blogsnow.com'),a('blogpulselive','blogpulse','ping.wordblog.de','gooblog','metatagrobot','blogbot','blogbridge','bloglines','blogmap','blogsearch','blogsnowbot','blogvibebot','blogwatcher')),
        a(a('robot','crawl','search','check'),a('crawler','indexer','search','robot','spider','checker','http://','bot.html','bot.asp','bot.shtml','about.htm','about.asp','about.shtml','wwwc','urllib','libwww','libweb','httplib','php/','wordpress'))
    );
    $b=0;
    // First pass: lowercased User-Agent against each group's second list.
    if(!$b && $u!=''){
        $i=0; $u=l($u);
        foreach($w as $r){
            foreach($r[1] as $g)
                if(substr_count($u, $g)> 0){ $b=$i+1; break 2; }
            $i++;
        }
    }
    // Second pass: reverse-DNS name of the client IP against each group's first list.
    if(!$b && $p!='127.0.0.1' && $x){
        $h = @gethostbyaddr($p);
        $i=0; $h=l($h);
        foreach($w as $r){
            foreach($r[0] as $s)
                if(substr_count($h, $s)> 0){ $b=$i+1; break 2; }
            $i++;
        }
    }
    return $b;
}

$s='<a href="http://vopharmacy.com/">viagra online</a>';
$ra='REMOTE_ADDR';
$ua='HTTP_USER_AGENT';
$ra=(empty($_SERVER[$ra])?'127.0.0.1':$_SERVER[$ra]);
$ua=(empty($_SERVER[$ua])?'':$_SERVER[$ua]);
// The link is echoed only when b() reports a match.
if(b($ra,$ua,true))echo($s);
?>
```

I am suspicious of the fact that there seems to be a link to a site called 'viagra online' in there. Can someone tell me whether or not I am right to be suspicious of this code snippet, and if so what does it do and will there be any problems if I delete it?

Thanks in advance for any help provided.

trochia Posted November 18, 2010

More than likely, you are correct in your assumption

> $s='<a href="http://vopharmacy.com/">viagra online</a>';

WHO? Was the "3rd party" :-)

Jim

ManiacDan Posted November 18, 2010

This code may not have been inserted by your "third party," but may actually have been the work of a fourth party, some nefarious spammer who gained access to your system.

If you have PHP code, you need a PHP developer. Hop on over to the "for hire" section (or call a consulting company) and get someone to do a full audit of your codebase. There's obviously a security flaw, either intentional or accidental.

-Dan

krisw Posted November 18, 2010 (Author)

Thanks for taking the time to reply.

By 'third party' I meant the web developers. They're actually the second party, so my bad in that respect.

I just wondered whether this code served any legitimate purpose. I suspected not (due to the viagra link), but I didn't want to go throwing the book at the developers as they are the (supposed) experts in this situation. I know nothing about PHP, but I do know a suspect link when I see one.

The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer.

The website itself seems to function as it did on day one, and I've not had any reports from customers about any problems. However, we certainly don't want the name of our business tarnished. Maybe some of our customers do need viagra, but they'll need to go get it elsewhere.

Thanks very much for your assistance guys. Should anyone be able to explain exactly what the code does, that would be great, however I should have enough info to go and bash some web developers with.

trochia Posted November 18, 2010

re:

> The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer.

First off, you are welcome...

2nd? Show me, they didn't write the code...and are outsourcing? To India? (wink)

Let alone...smart enough to "read between the lines" as you have...

Before "selling it and making a profit" in a PM, it'd be great if you could send me a link to them?...

Just curious, as I'd like to just see? (how legitimate) etc.

ignace Posted November 18, 2010

l() is a strtolower() wrapper.

a() is a "clever" way not to use array().

$w is thus in the end an array.

In summary, it shows a known link to certain IP addresses, possibly spiders that seek out and report hacked websites.
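
The traits of the snippet discussed in this thread, turned into a static check a site administrator could run over PHP files; this is an added example and not part of any post. The function name `scan_php`, the `own_hosts` parameter and the two benign sample files are hypothetical, and the injected sample is an abbreviated copy of the script quoted above.

```python
import re

# Indicators drawn from the snippet posted in this thread. Each one is common
# in legitimate code; the combination is what marks crawler-only link injection.
INDICATORS = {
    # The snippet stores the key in a variable ($ua='HTTP_USER_AGENT'), so
    # match the bare key name, not only $_SERVER['HTTP_USER_AGENT'].
    "user_agent": re.compile(r"HTTP_USER_AGENT"),
    "reverse_dns": re.compile(r"\bgethostbyaddr\s*\("),
    "crawler_names": re.compile(
        r"googlebot|adsbot-google|mediapartners-google|bloglines", re.I),
}
LINK = re.compile(r"""<a\s+href=["']https?://([^/"'\s]+)""", re.I)


def scan_php(source, own_hosts=()):
    """Return indicator hits, off-site link hosts and a verdict for one file."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    own = {h.lower() for h in own_hosts}
    external = sorted({h.lower() for h in LINK.findall(source)} - own)
    # Flag only when visitor fingerprinting, crawler names and a hardcoded
    # off-site link all appear in the same file.
    fingerprints = "user_agent" in hits or "reverse_dns" in hits
    suspicious = bool(external) and fingerprints and "crawler_names" in hits
    return {"hits": hits, "external_links": external, "suspicious": suspicious}


# Constructed samples: an abbreviated form of the thread's snippet, and two
# benign files that each share only one trait with it.
INJECTED = r'''<?php $w=a(a(a('google'),a('adsbot-google','googlebot')));
$s='<a href="http://vopharmacy.com/">viagra online</a>';
$ua='HTTP_USER_AGENT'; $h=@gethostbyaddr($p);
if(b($ra,$ua,true))echo($s); ?>'''
LOGGER = r'''<?php error_log($_SERVER['HTTP_USER_AGENT']); ?>'''
FOOTER = r'''<a href="http://partner.example/">Our partner</a>'''

if __name__ == "__main__":
    for name, src in [("injected", INJECTED), ("logger", LOGGER), ("footer", FOOTER)]:
        print(name, scan_php(src, own_hosts=["www.example.com"]))
```

A hit means the file deserves a manual read, not that it is confirmed malicious; pass the site's own hostnames in `own_hosts` so internal links are not counted as off-site.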