any ideas what it's trying to do?
Is it trying to make the site look like a spam site?
Where can I download AVG free?
hi EE,
can anyone tell me what the hell this is?
It appeared across my site, within the actual php code!
how can I stop it happening because it keeps coming back..
ah crap, it's on all my sites. (shared)
go to this site
http://www.tools4noobs.com
put all the values (xx...xx) and decode it, then we can understand what the heck it is...
eval(base64_decode('xx...x
"It appeared across my site, within the actual php code!"
can you please attach an actual page, infected with the code, here... don't copy paste anything...
or give us a url to test it...
yes, it looks like somebody logs in to your server, finds php codes and inserts some codes, hidden iframes, opening some pages...
it is maybe someone, or some malware on the web server...
To the initial question, "hacked?" the answer is almost certainly yes. I assume you have alerted your hosting provider, right? They will want to change all the passwords (so will you) and probably restore the server scripts and databases from the last clean backup.
This is a wretched problem. Going forward, you might want to follow the work of Chris Shiflett (the security expert, not the Foo Fighter) who writes and speaks extensively on the essentials of online security. His site is available to the public at http://shiflett.org
Sorry you got bit, ~Ray
- you are speaking of your site, not your computer.
- your site has been and presumably still is HACKED.
1 - Be sure your own computer has not been polluted. Update your antivirus and launch a complete test. If you have no antivirus or it is not up to date, you are living dangerously: consider downloading and installing Avast or AVG from Grisoft. If this is for non-commercial use, their use and updates are free.
2 - Your web site has been hacked, and you should really consider closing it down and displaying a page "down for maintenance". Not elegant, but you risk contaminating all your visitors...
3 - Then clean-up your site. Plan for 2-5 hours.
I made a check-list of actions you may want to accomplish to be almost sure that your site is cleaned up and will be protected against new attacks. Not a totally secure protection, but secure enough for "friendly botnets" to let you quiet while turning to more promising targets.
Have a look at http://www.experts-exchang
4 - Anticipate your friendly visitors will come back... you need to clean your code: in each user input (eg, forms), be sure to clean and escape all data
You do not need to reinstall windows, always an adventurous adventure.
If you reinstall, either you do that with reformatting your disk (plan for a minimum of a complete day, and 2-4 hours of your time if you take into account your applications), or you do that "over" the existing windows. In that case, be aware that you need to clean up viruses first, otherwise there are high "chances" that the process will break somewhere.
Installing AVG is 20 minutes. Then plan for a complete thorough analysis of your machine, 2-6 hours. You do not need to be there, and if you are there working on the computer everything will be slowed down --> install avg, update to be sure to have the last version for all files, then launch the complete scan and ignore your computer for 6 hours. Then restart your computer.
I would think that would be enough and you do not need to reinstall... except if there are too many viruses detected and cleaning them deletes some important files (but then you do not really have a choice).
>>You do not need to reinstall windows
Last time I encountered this, I tried various antivirus software and none managed to remove it completely.
>>my computer has a virus
Yes, and it is your computer the one that is infecting your own sites. You need to change your FTP passwords (From a Clean computer) and reinstall windows. While windows is being reinstalled, clean your website(s). Be sure to check the cgi-bin folder of your site as well. There might be a backdoor/replicator installed. If it helps, look at the last modification time on your files to figure out which files are infected.
it's something on the server, probably got there from my machine but I've reinstalled windows xp and the code references are automatically being placed in the markup periodically so something is on the server checking whether or not the code is there or something is just simply logging into when it likes.. I'm waiting for my hostage to sort it out... :(
I've put a down splash page for all sites.. but what about all the urls, do I have to put any header redirects to the splash page?? obviously right now in google I have indexed pages that don't exist for the moment?
Thanks,
if your pages are not accessible for one or two days, search engine will probably be tolerant.
note however that they might have ALREADY banned your page if they have been hacked: you will need to check that with webmasters tools (WMT) in each of GYM (Google, Yahoo, Microsoft)
Since your own machine seems clean, I would try the following:
a - download all files from the remote site to my own machine
b - run an anti-virus scan on the corresponding directory - AVG will detect most trojan and hacker scripts [I found that the hard way: I had placed some of them on my machine to study them, and had to fight with AVG which really wanted to quarantine or delete them]
c - take a note of all the files that AVG finds suspect or infected: you will have to delete or heal them on your own machine, then delete them on the remote or replace them with healed copies
d - now go thru all the files, looking for strange names or sizes or dates [NOTE: if your sites are registered with webmasters tools from GYM, you probably have for each of them a special file, usually empty or very small, which it would be wise not to delete]
e - make a general update: deleting on the remote files that you have deleted on the local, upload healed files, etc.
f - then check all files and access rights
I've looked at the cached version of my indexed pages in google and it looks like google hasn't come around in recent times since this happened so hopefully all is good.. what happens if google comes? Is that it, I'll get kicked out of google or are there 'mitigating circumstances' that gets taken into consideration?
If the search engine does not find the page when coming on "usual search", it will simply ignore the problem. However, if this is a "deep search" like a "google dance" where all pages are updated and all their links explored, most unavailable pages might be dropped.
So don't worry, you should be back online in one day and all will be fine.
Note that you really will need to check with webmasters tools from each of GYM if your site has not been banned by the corresponding search engine. If it has been, you can resubmit your pages after your clean-up.
>>What else can I do?
Did you read my TWO posts above?
>>I'm waiting for the hostage company to sort it
You can also STOP waiting on your webhost and do something about it. I'm sure you are not the only client who needs help. Again, look through your files for "odd-named" executable files, starting in the cgi-bin folder. It will also help you pinpoint the problematic files if you sort them by date. For example, if you have not FTP anything in the last 48 hours and you find a file whose last update was 5 hours ago, chances are, that file has been infected.
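The two checks suggested in this thread (decode the `eval(base64_decode(...))` blob to read it, and look for recently modified files), as an added example that is not part of any post above: it scans a downloaded copy of the site, decodes each payload to text without executing it, and flags files by modification time. The file names, the 48-hour window and the sample payload are constructed for illustration.

```python
import base64, os, re, tempfile, time
from pathlib import Path

# eval(base64_decode('...')) with either quote style; group 1 is the blob.
INJECT_RE = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]', re.I)

def scan_tree(root, recent_hours=48, now=None):
    """Report files that carry the injected pattern or were modified recently.
    Returns (relative path, hours since modification, decoded payloads).
    Payloads are decoded to text for reading only; nothing is executed.
    """
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        age_h = round((now - path.stat().st_mtime) / 3600, 1)
        payloads = []
        for m in INJECT_RE.finditer(path.read_bytes()):
            try:
                text = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:  # malformed base64
                text = "<undecodable>"
            payloads.append(text)
        if payloads or age_h <= recent_hours:
            findings.append((path.relative_to(root).as_posix(), age_h, payloads))
    return findings

def demo():
    """Build a constructed sample site in a temp dir and scan it."""
    now = time.time()
    root = Path(tempfile.mkdtemp())
    blob = base64.b64encode(b"echo '<iframe src=http://example.invalid/></iframe>';")
    samples = {  # path: (content, age in hours), all constructed
        "index.php": (b"<?php echo 'hello'; ?>", 720),           # clean, old
        "contact.php": (b"<?php eval(base64_decode('" + blob + b"')); ?>", 720),
        "cgi-bin/up.php": (b"<?php /* no marker */ ?>", 5),      # recent only
    }
    for name, (content, age_h) in samples.items():
        f = root / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)
        os.utime(f, (now - age_h * 3600, now - age_h * 3600))
    return scan_tree(root, recent_hours=48, now=now)

if __name__ == "__main__":
    for rel, age_h, payloads in demo():
        print(f"{rel}: modified {age_h}h ago, payloads={payloads}")
```

In the sample, `contact.php` has an old timestamp and is reported only because of its content, while `cgi-bin/up.php` is reported only because of its date, so the two checks are worth running together.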
by: HainKurt Posted on 2009-10-25 at 02:05:02 ID: 25656048
thank you, I guess I got a virus :) when I try to open it...