shanebonham

Reputation: 2279

Odd code added just before close body tag

My client is reporting that code looking like this has been automatically added to the end of all PHP files (just before the close body tag):

<b1><!--J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=--></b1>

He tried manually deleting that line, but of course it reappears. Googling returns very little:

Can anyone help point us in the right direction? Anything particular to look for?

Upvotes: 5

Views: 224

Answers (2)

dusoft

Reputation: 11479

Change the FTP password. Maybe it was stolen from Total Commander or another FTP client by some trojan.

There was a similar problem with a bunch of iframes added to the code before the closing tag. A password change is the only thing that helps.

Upvotes: 0

Alix Axel

Reputation: 154513

That looks like an encrypted Base64-encoded string.

J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=

Decoding doesn't seem to provide any useful information. I would assume the host is compromised.

One of my clients had a similar problem on one of his websites: it turns out there was an upload form that didn't have proper file validation; a Perl script was uploaded and executed via the web server and gave the attacker almost root access to the server by creating a daemon.

Upvotes: 1
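
For the "anything particular to look for?" part of the question, here is an added example (not code from the thread) that walks a web root, lists every file carrying a block shaped like the one quoted above, and orders the results by modification time so the earliest change can be compared against FTP and web-server logs. The names `INJECT_RE`, `find_injection`, `scan_tree` and `strip_injection` are hypothetical, and the pattern assumes the tag name and payload can vary between files, so it matches any short tag wrapping a Base64 comment directly before `</body>` rather than only `<b1>`.

```python
import base64, binascii, os, re, sys, time

# <tag><!--BASE64--></tag> sitting directly before </body>, as in the quoted sample.
# Assumption: tag name and payload may differ per file, so neither is hard-coded.
INJECT_RE = re.compile(
    rb"<(\w{1,8})>\s*<!--([A-Za-z0-9+/]{40,}={0,2})-->\s*</\1>\s*(?=</body>)",
    re.IGNORECASE)

# Sample page: injected line copied from the question, surrounding HTML constructed.
SAMPLE = (b"<html><body><p>hi</p>\n<b1><!--"
          b"J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA="
          b"--></b1>\n</body></html>")

def find_injection(data):
    """Return [(tag, decoded_length)] for each injected block found in data (bytes)."""
    hits = []
    for m in INJECT_RE.finditer(data):
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except binascii.Error:
            continue  # comment body is not Base64 after all: skip it
        hits.append((m.group(1).decode(), len(raw)))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Walk root and return [(mtime, path, hits)] for affected files, oldest first."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = find_injection(fh.read())
            except OSError:
                continue  # unreadable file: leave it for manual review
            if hits:
                found.append((os.path.getmtime(path), path, hits))
    return sorted(found)

def strip_injection(data):
    """Return data with the injected block removed; the cause must be fixed first."""
    return INJECT_RE.sub(b"", data)

if __name__ == "__main__":
    for mtime, path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(stamp, path, hits)
```

Run it with the web root as the only argument; as the question notes, removing the block does not last while the way in is still open.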