Home/ Questions/Q 495953
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T05:38:25+00:00

Most of the sites we were serving were down, parsing errors in the index.php

  • 0

Most of the sites we were serving were down, parsing errors in the index.php file. Looking at the file, our previous versions of the said file were prepended with:

<?php @register_shutdown_function("__sfd1260709780__");function __sfd1260709780__() { global $__sdv1260709780__; if (!empty($__sdv1260709780__)) return; $__sdv1260709780__=1; echo <<<DOC__DOC

<!-- [7a61f37a57877a02feb836559e68fd46 --><!-- 0879070621 --><a href="javascript:document.getElementById('block25').style.display='block';" title="more"> </a><div id="block25" style="display:none"><ul><li><a href="http://florijani.com/verzija15beta/?qsa=5">took 100mg intagra</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=49">where can you buy silagra cheap</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=25">where can i get real generic viagra</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=27">silagra suppliers in india</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=9">silagra online sales</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=45">cheap uk vigora</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=40">discount generic intagra online</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=19">discount viagra 10 pack generic</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=43">how to buy viagra online</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=34">generic vigora overnight</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=24">generic viagra information</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=22">generic viagra perception</a></li></ul></div><!-- 7a61f37a57877a02feb836559e68fd46] -->

DOC__DOC;

} ?>

<?php @register_shutdown_function("__sfd1260623256__");function __sfd1260623256__() { global $__sdv1260623256__; if (!empty($__sdv1260623256__)) return; $__sdv1260623256__=1; echo <<<DOC__DOC



DOC__DOC;

} ?>

<?php @register_shutdown_function("__sfd1260513491__");function __sfd1260513491__() { global $__sdv1260513491__; if (!empty($__sdv1260513491__)) return; $__sdv1260513491__=1; echo <<<DOC__DOC



DOC__DOC;

} ?>

And appended with,

<?php error_reporting(0); echo "\n"; @__sfd1260513491__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1260623256__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1260709780__(); ?>

Has anyone of you encountered this?

(I have also been seeing in the script lots of recommendation for viagra doses.)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Looks like someone has root access to your PHP folder. They traversed it with a bot which replaces the existing content to kill the PHP serving function and replace it with an echo’ed HTML page for a viagra add.

    Probably want to look for user accounts you havent seen before and restore your scripts from source. Look for admin accounts that are infrequently used and may still have default passwords.

    Otherwise the bot is most likely on the internal network with access to the root folder.

    • 0