Interesting.
Thanks.
It was a footer.php in a webpress theme.
I was wondering if it was a portal someone was using to get onto my server.
I changted ftp passwords and begun using sftp, but phishing code is
still leaking onto my sites. My wordpress copies are up to date and
DreamHost has no real answers as to how someone is uploading and
expanding *.tar.gz files.
Thanks,
john
Rodrigo Silva dos Santos wrote:
Hello John.
This code generates the following html:
?> </div>
<div id="footer"><a href=*MailScanner has detected a possible fraud
attempt from "web-hosting-click.com" claiming to be*
"http://web-hosting-click.com/"; title="Web hosting">Web hosting</a>
<!-- 27 queries. 0.561 seconds. -->
</div>
<?php wp_footer(); ?>
</body>
</html> <?
Appears that is nothing dangerous, only "unauthorized advertising".
Em 02-10-2012 14:27, John Taylor-Johnston escreveu:
Without anyone infecting their machines, can someone tell me what
this is? I found a phishing site on my DreamHost server. DreamHost
has been very helpful.
We found a file containing this code.
What is it? What does it contain?
<?php
eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9Imh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPldlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/'));?>
--
John Taylor-Johnston
Département de Langues modernes
Cégep de Sherbrooke, Sherbrooke, Québec
http://cegepsherbrooke.qc.ca/~languesmodernes/
http://cegepsherbrooke.qc.ca/~languesmodernes/wiki/
