Need Help about hacking

[kerrghann]

I use this piece of PHP code to find base64 and other uglies that might have been injected or placed on my server.

Note: This will not look through your hooks, this looks through all the PHP files on your server.

It'll most likely bring up a large list, so I recommend skimming through the list and finding anything that mentions base64_decode()

Then open up that file and find the base64 string in it and decode it yourself with an online decoder or using the php base64_decode($string)

Place this in your forum root and then navigate to it ( http://www.yourforumhere.com/base64-check.php
best of luck:

base64-check.php

PHP Code:

<html><head><title>Find String</title></head><body>
<?php
find_files('.');
function find_files($seed)
{
if(! is_dir($seed)) return false;
$files = array();
$dirs = array($seed);
while(NULL !== ($dir = array_pop($dirs)))
{
if($dh = opendir($dir))
{
while( false !== ($file = readdir($dh)))
{
if($file == '.' || $file == '..') continue;
$path = $dir . '/' . $file;
if(is_dir($path)) { $dirs[] = $path; }
else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }}
}
closedir($dh);
}}} function check_files($this_file)
{
$str_to_find[]='base64_decode';
$str_to_find[]='edoced_46esab';
$str_to_find[]='preg_replace';
$str_to_find[]='HTTP_REFERER';
$str_to_find[]='HTTP_USER_AGENT';
$str_to_find[]='assert('; $str_to_find[]='create_function('; $str_to_find[]='$_REQUEST['; if(!($content = file_get_contents($this_file)))
{ echo("<p>Could not check $this_file You should check the contents manually!</p>\n"); }
else
{
while(list(,$value)=each($str_to_find))
{
if (stripos($content, $value) !== false)
{
echo("<p>$this_file -> contains $value</p>\n");
}
}
}
unset($content);
}?>
</body></html>