Forum and the Website are hacked...?

bebe
Posts: 3
Joined: 2009-07-29, 09:01

Forum and the Website are hacked...?

Post by bebe »

For some reason, my forum and website have been hacked, or someone changed them and added some PHP code and JavaScript to all my web pages. So my forum is down, and the fatal error message is "Fatal error: Cannot redeclare pxbr() (previously declared in /homepages/.../htdocs/forum/index.php(1) : eval()'d code:1) in /homepages/.../htdocs/forum/config.php(1) : eval()'d code on line 1".

I don't know how my website got this problem. So in the last few days I just edited the infected files and removed the JavaScript and PHP code. But after about one day, all my files are changed to include the JavaScript and PHP code again and again. The forum gets the fatal error again and again every day...

Here is the infected PHP code in all my PHP files: "<?php eval(base64_decode(/JGE6MDtldmFsKGJhc......2U2NF9kZWNvZGUoJF9QT1NUWydlJ10pKTs=')); ?>"

Here is the infected JavaScript code in all the HTML files: "<script src=http://www.abcdefg.com/autosuggest/boll ... isweek.php ></script>"

Can you tell me how to fix these problems? Thanks.

fixcomp
Posts: 1
Joined: 2009-10-21, 12:56

Re: Forum and the Website are hacked...?

Post by fixcomp »

How to remove the infection from a website?

This is caused by a trojan on your (or another user's) computer.

The trojan spreads by downloading itself to your computer through a malicious PDF or Flash file. You may not even notice it has happened if it's in an iframe or script tag like the one that was added to your site. The trojan then scans for FTP accounts (i.e. stored passwords from FTP clients) and sometimes watches the network traffic.

You (and all other users with FTP access) need to scan your computer for viruses and spyware. Typically we don't recommend particular scanning software, however due to the very low detection rate of this latest trojan, you might want to try the trial of NOD32. Their heuristics will pick it up.

Once your computer is clean, all passwords should be changed. If your web host supports SFTP connections, you should use it.

You can use this script to clean the files:

Code:

    <?php

    $eval = 'eval(base64_decode(';
    $script = '<script src=http://abcdefgh.com/autosuggest/bollywoodthisweek.php ></script>';
    // the $script variable will need to be changed, as it varies from site to site.

    function clean(&$file, $extension)
    {
        global $eval, $script;

        if($extension == 'php')
        {
            if(strpos($file[0], $eval) !== false)
            {
                $file[0] = "<?php\n";
                return true;
            }
        }
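        else
        {
            // Strip the injected tag from every line that carries it, not only the first match
            $changed = false;
            for($i = 0; $i < sizeof($file); $i++)
            {
                if(strpos($file[$i], $script) !== false)
                {
                    $file[$i] = str_replace($script, '', $file[$i]);
                    $changed = true;
                }
            }
            return $changed;
        }

        return false;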
    }

    function traverseDirTree($base)
    {
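        // Skip directories that cannot be opened instead of passing false to readdir()
        $subdirectories = @opendir($base);
        if($subdirectories === false)
            return;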
        while(($subdirectory = readdir($subdirectories)) !== FALSE)
        {
            $path = $base . $subdirectory;
            if((basename($path) == '.') || (basename($path) == '..') || (basename($path) == 'error_log'))
                continue;

            if(is_file($path))
            {
                // PATHINFO_EXTENSION yields '' for files without an extension (no undefined index)
                $extension = strtolower(pathinfo($path, PATHINFO_EXTENSION));

                if($extension == 'php' || $extension == 'htm' || $extension == 'html' || $extension == 'js')
                {
                    $file = file($path);
                    // file() returns false on read failure and an empty array for an empty file
                    if(!empty($file) && clean($file, $extension))
                    {
                        $fp = @fopen($path, 'wb');
                        if($fp)
                        {
                            foreach($file as $line)
                            {
                                fwrite($fp, $line);
                            }
                            fclose($fp);
                            echo 'Cleaned ' . $path . '<br />';
                        }
                        else
                        {
                            echo 'Failed to clean ' . $path . '<br />';
                        }
                    }
                }
            }

            if(is_dir($path))
            {
                traverseDirTree($path . '/');
            }
        }
    }

    traverseDirTree('./');

    ?>

However, there is a problem with it. It could potentially time out in the middle of a file write. So you will need to increase PHP's timeout limit (max_execution_time) to a large value. A half-hour (1800) should be more than enough. Be sure to make a backup first.

If you can set the timeout value, then just place this script in the website root and run it.

This script currently doesn't check custom error pages, like .shtml files so you will need to fix those manually.

Be sure to heed the previous warnings before running it.

Also, be sure to post the warnings, since a lot of shared hosts won't let you change the timeout. If they know that it will time out, they can move the script into each subdirectory so that it runs on a smaller set of files. Also, the $script variable will need to be changed, as it varies from site to site.

Source: PhpBB.com Tech Support ...

How your machine gets infected by Gumblar, or a “Gumblaroid” (Gumblar-type exploit) such as Martuz
http://blog.unmaskparasites.com/2009/05 ... ed-script/
http://blog.unmaskparasites.com/2009/05 ... r-exploit/
http://www.pcauthority.com.au/forums/ya ... mblar.aspx

http://www.danielansari.com/wordpress/2 ... uz-trojan/


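A read-only audit that can be run before the cleaning script in the answer above, added here as an example and not part of the original posts or of the phpBB support script: it lists files whose first line contains `eval(base64_decode(` and files that load a `<script src=...>` from a host outside an allowlist, including the `.shtml` files the cleaner skips. `$root`, `$allowedHosts`, the function names and the regular expression are assumptions to adapt to the site.

```php
<?php
// Read-only audit: reports files carrying the two injections described in this thread.
// Assumptions (not from the original posts): $root, $allowedHosts, the regex below.
$root = isset($argv[1]) ? $argv[1] : './';
$allowedHosts = array('www.example.com'); // placeholder: hosts your pages legitimately load scripts from

function auditFile($path, array $allowedHosts)
{
    $findings = array();
    $lines = @file($path);
    if ($lines === false || count($lines) === 0) {
        return $findings; // unreadable or empty file: nothing to report
    }
    // PHP injection: eval(base64_decode( prepended to the first line of the file
    if (strpos($lines[0], 'eval(base64_decode(') !== false) {
        $findings[] = 'line 1: eval(base64_decode( on first line';
    }
    // Script injection: <script src=...> (quoted or unquoted) from a host not on the allowlist
    foreach ($lines as $n => $line) {
        if (preg_match_all('~<script[^>]*\ssrc\s*=\s*["\']?(https?:)?//([^/"\'\s>]+)~i', $line, $m)) {
            foreach ($m[2] as $host) {
                if (!in_array(strtolower($host), $allowedHosts, true)) {
                    $findings[] = 'line ' . ($n + 1) . ': external script from ' . $host;
                }
            }
        }
    }
    return $findings;
}

function auditTree($root, array $allowedHosts)
{
    $report = array();
    $extensions = array('php', 'htm', 'html', 'js', 'shtml'); // shtml is skipped by the cleaner
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($it as $file) {
        $ext = strtolower(pathinfo($file->getPathname(), PATHINFO_EXTENSION));
        if (!$file->isFile() || !in_array($ext, $extensions, true)) continue;
        $findings = auditFile($file->getPathname(), $allowedHosts);
        if ($findings) $report[$file->getPathname()] = $findings;
    }
    return $report;
}

foreach (auditTree($root, $allowedHosts) as $path => $findings) {
    echo $path, "\n  ", implode("\n  ", $findings), "\n";
}
```

Because it never writes to a file, a PHP timeout in the middle of a run leaves the site unchanged, and the hosts it reports give the exact value to use for `$script` in the cleaner.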