weird php code on customer site

dedicados Member
edited March 2014 in Help

Hello, I found this code on a customer site, what is it?

-removed-

It was before
<!DOCTYPE html>

Comments

  • WordPress on his site by any chance?

    It's definitely a breach of security. The variables are randomised to avoid detection. That code will get decrypted and most likely will inject links into the site for SEO purposes.

  • Derek Member
    edited March 2014

    What software was he running, version(s)?

    http://pastebin.com/weaq0XmZ
    looks somewhat obfuscated and malicious.

  • It is a simple web page with PHP, no WordPress, just a web site.

  • Yup, and you could check the website's source code to see if there is some random text there. Mostly it has links to viagra medicines etc. Also just remove it and see if there is any effect on the website. I am also guessing it's WordPress, and this type of encryption isn't common in plugins or themes.

  • If your customer doesn't have WordPress or another CMS, check if he has a mail PHP function on his page (contact us) or a file upload page; most of the hacks I have found on MX were due to those kinds of pages (basic security or none on the file upload script).

  • 90% it's some malicious script uploaded by a hacker to your client's site.

  • Well, let me take a look at the whole site.

  • edited March 2014

    http://pastebin.com/6vDMAYWK

    Here's the partially decoded PHP file. The long string was Base64. It was encoded about 7 or 8 times.

  • ehab Member

    Anything encrypted / encoded / obfuscated like that wants to hide something.
    My advice: contact the site owner and give them time to clarify, or remove the file until the client responds.

  • According to the decrypted code daxterfellowes posted, it is indeed SEO related, and it's cloaking based on user-agent. You won't see anything on the public side of the site unless you use a UA like 'googlebot'.

  • @ricardo said:
    According to the decrypted code daxterfellowes posted, it is indeed SEO related, and it's cloaking based on user-agent. You won't see anything on the public side of the site unless you use a UA like 'googlebot'.

    Why would SEO need anything to do with listing temporary directories? Also, known IPs that correlate to Spain and Ukraine? I'm not buying SEO.

  • Maybe it can be code from ATTRACTA software?

    Also I found this file named "N2W3Y0qaFA" with many IPs in it:


    Some are listed in the file you decoded.

  • dnwk Member
    edited March 2014

    Does SEO hurt IP reputation?

  • @dedicados said:
    Maybe it can be code from ATTRACTA software?

    Also I found this file named "N2W3Y0qaFA" with many IPs in it:

    Googling those IPs makes it look like those IPs are used in French website attacks.

    Thanked by 1 daxterfellowes
  • @Floris said:

    These were my findings.

    Here's a more readable version with some comments: https://gist.github.com/gMagicScott/8107042

    It does appear to be a PHP injection attack.

  • Thanks Floris, I found http://ninjafirewall.com/malware/index.php?threat=2013-09-03.01

    TARGET OSCommerce v2.3

    I never use it, but for the moment I'm going to block those IPs on all the servers.

  • @dedicados said:
    Thanks Floris, I found http://ninjafirewall.com/malware/index.php?threat=2013-09-03.01

    TARGET OSCommerce v2.3

    I never use it, but for the moment I'm going to block those IPs on all the servers.

    It was used on WordPress and other CMSes as well; as it's basic PHP it can attack anything, basically.

  • Well, that site is only HTML/PHP; my question is how that code got there...

    thanks to all, you are awesome guys.

  • daxterfellowes said: Why would SEO need anything to do with listing temporary directories? Also, known IPs that correlate to Spain and Ukraine? I'm not buying SEO.

    The code performs a remote fetch and it cloaks on two search engine user agents. Invariably it's to affect search engine rankings.

    Wouldn't worry about the IPs. Could be a botnet, could be a guy in a bedroom, just the conduit to perform a means to an end, much like the infected site.
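    A triage helper for the two things this thread turns on, as an added example that is not code from the thread or from any of its posters: it peels nested Base64 layers the way daxterfellowes did (the sample was wrapped 7 or 8 times) and flags the behaviours ricardo describes (eval of decoded code, a remote fetch, cloaking on search engine user agents). The embedded payload, the indicator names and the cloaking/fetch patterns are constructed assumptions for illustration, not the real file.

```python
# Added example (not code from the thread): peel nested base64 layers, as in the
# 7-8 times encoded sample, and flag eval / remote fetch / user-agent cloaking.
import base64
import binascii
import re

# Indicator patterns (names are assumptions; behaviours are the ones the thread describes).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fsockopen)\s*\(", re.I),
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT.{0,200}?(googlebot|bingbot|yandex)", re.I | re.S),
}

# Constructed inner payload: shows cloaked remote content only to Googlebot. Not the real sample.
INNER = ("if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) "
         "{ echo file_get_contents('http://example.invalid/links.txt'); }")

def build_sample(inner: str, layers: int) -> str:
    """Wrap `inner` in `layers` nested eval(base64_decode(...)) calls (constructed sample)."""
    payload = inner
    for _ in range(layers):
        enc = base64.b64encode(payload.encode()).decode()
        payload = f'eval(base64_decode("{enc}"));'
    return "<?php " + payload + " ?>"

def peel_base64(blob: str, max_layers: int = 16) -> list:
    """Return [original, layer1, layer2, ...], decoding the longest base64 run each time."""
    layers = [blob]
    while len(layers) <= max_layers:
        runs = re.findall(r"[A-Za-z0-9+/=]{40,}", layers[-1])
        if not runs:
            break
        try:
            decoded = base64.b64decode(max(runs, key=len), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # not valid base64 or not text: stop peeling
        layers.append(decoded)
    return layers

def scan(source: str) -> dict:
    """Peel the file and report how deep it went and which indicators appeared at any layer."""
    layers = peel_base64(source)
    found = {name for text in layers for name, rx in INDICATORS.items() if rx.search(text)}
    return {"layers_peeled": len(layers) - 1, "indicators": sorted(found), "innermost": layers[-1]}

SAMPLE = build_sample(INNER, 8)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

    Point it at a suspect file's contents and the innermost layer is what actually runs on the site; a clean page peels zero layers and raises no indicators.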
