My client is reporting that code looking like this has been automatically added to the end of all PHP files (just before the closing body tag):

<b1><!--J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=--></b1>

He tried manually deleting that line, but of course it reappears. Googling returns very little.

Can anyone help point us in the right direction? Anything particular to look for?

+1  A: 

That looks like an encrypted base64-encoded string.

J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=

Decoding doesn't seem to provide any useful information. I would assume the host is compromised.

One of my clients had a similar problem on one of his websites: it turns out there was an upload form that didn't have proper file validation; a Perl script was uploaded and executed via the web server and gave the attacker almost root access to the server by creating a daemon.

Alix Axel
It is possible that something like that is what happened. I believe they have a few custom forms on the site. Where would you suggest checking to see evidence of this, and potentially remove it? Will there be a tell-tale file, or is this all going to be happening in memory?
shanebonham
I lost my giant comment so I'm gonna be brief. You might have better luck posting this at ServerFault and asking your sysadmin / host provider what happened. In my case all the log files (all the files starting with "log*", actually) disappeared, so I made a diff between the files and the backup and some additional files came up; among those was the rootkit.
Alix Axel
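As an added example (not code from the question or either answer), here is a short Python script that does what the answer and comment above describe: it decodes the quoted base64 string and measures how much of the result is printable, scans a web root for the planted `<b1><!--...--></b1>` marker, and hashes a live tree against a backup to list added, missing and changed files, which is how the rootkit was found in the comment above. The temporary directory tree, its file names and the placement of the payload are constructed for the demo; only the base64 string is the one quoted on this page.

```python
import base64
import hashlib
import re
import string
import tempfile
from pathlib import Path

# The base64 payload quoted in the question (the only value here taken from the page).
INJECTED = ("J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+w"
            "zm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=")

# Shape of the planted tag: <b1><!--base64--></b1>
MARKER_RE = re.compile(rb"<b1><!--([A-Za-z0-9+/=]+)--></b1>")


def decode_payload(b64: str) -> bytes:
    """Strict base64 decode of the planted string."""
    return base64.b64decode(b64)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII. Plain text (HTML, PHP, JS)
    scores close to 1.0; ciphertext or compressed data scores far lower,
    which is why 'just decoding it' shows nothing readable."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


def find_injected(root: Path, suffixes=(".php", ".html", ".htm")) -> dict:
    """Map relative path -> base64 payload for every file under root carrying the marker."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            m = MARKER_RE.search(path.read_bytes())
            if m:
                hits[path.relative_to(root).as_posix()] = m.group(1).decode()
    return hits


def sha256_tree(root: Path) -> dict:
    """Relative path -> SHA-256 of content for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_against_backup(live: Path, backup: Path) -> dict:
    """Files only in live (dropped by the attacker), only in backup (e.g. deleted logs),
    or present in both with different content (modified)."""
    live_h, bak_h = sha256_tree(live), sha256_tree(backup)
    return {
        "added": sorted(set(live_h) - set(bak_h)),
        "missing": sorted(set(bak_h) - set(live_h)),
        "changed": sorted(p for p in live_h.keys() & bak_h.keys() if live_h[p] != bak_h[p]),
    }


def demo() -> dict:
    """Construct a clean backup and a 'live' copy with the incident simulated,
    then run both checks. Everything in here is made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<html><body><?php echo 'hi'; ?></body></html>\n")
            (root / "inc" / "config.php").write_text("<?php $db = 'x'; ?>\n")
            (root / "access.log").write_text("127.0.0.1 - - GET / 200\n")
        # Simulated incident: marker planted before </body>, an extra file dropped, log removed.
        idx = live / "index.php"
        idx.write_text(idx.read_text().replace("</body>", f"<b1><!--{INJECTED}--></b1></body>"))
        (live / "inc" / "x.pl").write_text("#!/usr/bin/perl\n")
        (live / "access.log").unlink()
        return {"injected": find_injected(live), "diff": diff_against_backup(live, backup)}


if __name__ == "__main__":
    data = decode_payload(INJECTED)
    print(f"payload: {len(data)} bytes, printable ratio {printable_ratio(data):.2f}")
    print(demo())
```

On a real site point `find_injected` at the web root and `diff_against_backup` at the live tree and the last known-good backup; files in `added` and `changed` are the ones to inspect first, and an empty `missing` list is worth checking too, since vanished logs are themselves a sign of tampering.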
A: 

Change the FTP password. Maybe it was stolen from Total Commander or another FTP client by some trojan.

There was a similar problem with a bunch of iframes added to the code before the closing tag. A password change is the only thing that helps.

dusoft
Changing the password didn't help me a bit. I also had to remove the rootkit.
Alix Axel
Client *did* change the FTP password, but that did not help.
shanebonham