Dreamhost Hacked?
3/06/12

Today I noticed that every PHP file in every Dreamhost site I administer has this garbled PHP script prepended to it:

http://pastebin.com/jBwB7yHU

Which, if you decode it, looks like this: http://pastebin.com/Fb6fx9x4

As it turns out, it's not just me...

Update: Here's a possible fix by Dan Hill.

Update 7-Mar-12: The Ruby script in Dan Hill's post isn't very effective, but his example of closing down world-writable directories is still worth running. The -perm -o=w test selects every directory that anyone else on the shared host can write to, and chmod 770 strips all "other" permissions from each one (run this from your home directory):
find . -type d -perm -o=w -print -exec chmod 770 {} \;

In one of his comments, however, there's a simple and effective one-liner that walks every .php file recursively and strips the injected code (run this from your home directory; it is written here with find -exec rather than a for loop over backquoted find output, so paths containing spaces are not split apart):
find . -name "*.php" -exec perl -p -i.bak -e 's/<\?php \/\*\*\/ eval\(base64_decode\(\"[^\"]+"\)\);\?>//' {} +

Because perl -i.bak keeps a backup of every file it processes, this leaves a .php.bak copy beside every .php file, not only the infected ones. Those copies still contain the injected code and sit in your web root, where a file that PHP does not handle is typically served as a plain download, so once you've checked the cleaned files, remove them:
find . -type f -iname "*.php.bak" -print -exec rm -f {} \;
Tags: elsewhere, fyi



Entry ID: 000505