It seems I've been hacked?
Craig18
New
When I tried logging into my Yahoo e-mail, I got the following message...
<?PHP
ini_set('display_errors', 0);
$data = yahoo_reg_login_setup();
if ( $data === FALSE )
{
exit();
}
else if ( ! isset( $data ) )
{
error_log( "yahoo_reg_login_setup didn't set the DISPLAY_FORM field" );
header( "Location: http://login.yahoo.com/");
exit();
}
$tstname = @$data;
$src = @$data;
$partner = @$data;
$intl = @$data;
// This is a hack put in place so that persistancy files are
// picked from the regular html directory.
// yinst packaging didn't allow for the multiple links to be created
// with one single command.
if($tstname == "tst_pst") {
$tstname = "";
}
// Adding support for pkg using PHP
if((@$data != null) && (@$data != "" ))
{
$data = "/home/y/share/htdocs/idaho/php/${intl}_shrkwp";
$res=include("/home/y/share/pear/Yahoo/reg/logic/shrkwp.inc");
}
// Adding support for .partner via PHP
// If both .src and .partner are present, and .src=ym, then .src takes
// precedence, else .partner takes precedence. - Aanchal, Bug #368481
// Please note that if in future, a more complicated pprecednce has to
// be added, the priorityMap array from propTemplate.inc.ros and
// header.inc.ros should be used.
// Disabling the src=ym precedence over the partner user as ym is not
// converted in intls like ca and cf and users end up seeing the older
// login_verify page for ym. It is better if we show them the partner
// branding. - bug # 652617
//else if(($src != null) && ($src != "") && ($src == "ym"))
//{
//$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
//$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data}");
//}
else if(($partner != null) && ($partner != ""))
{
$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}/login/${data}");
}
else if(($src != null) && ($src != ""))
{
$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data}");
}
else
{
$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}/login/${data}");
}
// This check is put in place to avoid showing a blank login page
// when some test is set in common_login.conf and that test package is not
// installed on the machine.
// Ideally this should not happen. - Aanchal, Feb 3, 2005
// Bug # 305858
if($res != '1')
{
if(!is_dir($data)){
// reset abs_path only if it didn't exist before
// a temp fix for ym logout issue
// Bug 1146959
$data = "/home/y/share/htdocs/idaho/php/${intl}";
}
include("/home/y/share/htdocs/idaho/php/${intl}/login/${data}");
}
?>
I logged in again successfully. I logged out and got this message...
<?PHP
ini_set('display_errors', 0);
$data = yahoo_reg_login_setup();
if ( $data === FALSE )
{
exit();
}
else if ( ! isset( $data ) )
{
error_log( "yahoo_reg_login_setup didn't set the DISPLAY_FORM field" );
header( "Location: http://login.yahoo.com/");
exit();
}
$tstname = @$data;
$src = @$data;
$partner = @$data;
$intl = @$data;
// This is a hack put in place so that persistancy files are
// picked from the regular html directory.
// yinst packaging didn't allow for the multiple links to be created
// with one single command.
if($tstname == "tst_pst") {
$tstname = "";
}
// Adding support for pkg using PHP
if((@$data != null) && (@$data != "" ))
{
$data = "/home/y/share/htdocs/idaho/php/${intl}_shrkwp";
$res=include("/home/y/share/pear/Yahoo/reg/logic/shrkwp.inc");
}
// Adding support for .partner via PHP
// If both .src and .partner are present, and .src=ym, then .src takes
// precedence, else .partner takes precedence. - Aanchal, Bug #368481
// Please note that if in future, a more complicated pprecednce has to
// be added, the priorityMap array from propTemplate.inc.ros and
// header.inc.ros should be used.
// Disabling the src=ym precedence over the partner user as ym is not
// converted in intls like ca and cf and users end up seeing the older
// login_verify page for ym. It is better if we show them the partner
// branding. - bug # 652617
//else if(($src != null) && ($src != "") && ($src == "ym"))
//{
//$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
//$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data}");
//}
else if(($partner != null) && ($partner != ""))
{
$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}/login/${data}");
}
else if(($src != null) && ($src != ""))
{
$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data}");
}
else
{
$data = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}/login/${data}");
}
// This check is put in place to avoid showing a blank login page
// when some test is set in common_login.conf and that test package is not
// installed on the machine.
// Ideally this should not happen. - Aanchal, Feb 3, 2005
// Bug # 305858
if($res != '1')
{
if(!is_dir($data)){
// reset abs_path only if it didn't exist before
// a temp fix for ym logout issue
// Bug 1146959
$data = "/home/y/share/htdocs/idaho/php/${intl}";
}
include("/home/y/share/htdocs/idaho/php/${intl}/login/${data}");
}
?>
I was using Comodo but I'm currently using ZoneAlarm and two intrusion attempts have been blocked.
Comments
It's a PHP error.
I'm not the most aware when it comes to computers. I seem to become paranoid about things I don't really understand.
Logfile of HijackThis v1.99.1
Scan saved at 05:04:09, on 03/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199[1].zip\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182709046911
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182710875686
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks again.
I really need to improve my knowledge (Maybe taking a course will help).
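As an added example (not something posted in this thread): a small Python triage of the "Running processes" section of a HijackThis log like the one above. It separates Microsoft binaries in their expected System32 location (snmp.exe included) from Program Files software, from anything running out of a Temp directory, and from paths that need a manual look. The System32 allowlist, the 8.3 short-name expansions and the sample log lines are assumptions constructed for this example.

```python
import ntpath
import re

# Microsoft binaries that legitimately live in %SystemRoot%\System32 (assumed
# allowlist built from the names in the log above; extend it for your own baseline).
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "ctfmon.exe", "wuauclt.exe", "snmp.exe", "inetinfo.exe",
}

# 8.3 short names seen in the log, expanded to the long paths they alias on a
# default Windows XP install (assumed mapping).
SHORT_NAMES = {
    "c:\\progra~1": "c:\\program files",
    "c:\\docume~1": "c:\\documents and settings",
}

PATH_LINE = re.compile(r"^[a-zA-Z]:\\")

# Constructed sample in the HijackThis layout, mirroring entries from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\snmp.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
"""


def normalize(path):
    """Lower-case the path and expand the short-name prefixes above."""
    p = path.strip().lower()
    for short, long in SHORT_NAMES.items():
        if p.startswith(short):
            p = long + p[len(short):]
    return p


def running_processes(log):
    """Return the paths listed under 'Running processes:'; the list ends at the first non-path line."""
    lines = [l.strip() for l in log.splitlines()]
    if "Running processes:" not in lines:
        return []
    start = lines.index("Running processes:") + 1
    procs = []
    for line in lines[start:]:
        if not PATH_LINE.match(line):
            break
        procs.append(line)
    return procs


def triage(path):
    """Classify one path: temp-dir, known-system, program-files or review."""
    p = normalize(path)
    directory, name = ntpath.split(p)
    if "\\temp\\" in p:
        return "temp-dir"          # user-writable location; verify what put it there
    if directory == "c:\\windows\\system32" and name in KNOWN_SYSTEM32:
        return "known-system"
    if directory.startswith("c:\\program files\\"):
        return "program-files"
    return "review"                # e.g. third-party binaries under System32: match them to O23 entries


def triage_log(log):
    return {path: triage(path) for path in running_processes(log)}
```

Lines classed "review" are not verdicts: vsmon.exe under System32\ZoneLabs is legitimate here, and the O23 service entry with its vendor name is how you confirm that.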
C:\WINDOWS\System32\snmp.exe
that's not a real process name. Post your HJT log in the spyware forum.
snmp.exe (Snmp Agent) - Details
The process called snmp.exe is used by Windows applications when communicating with network devices using SNMP (Simple Network Management Protocol). SNMP is used to perform remote administration of network hardware such as Routers and Hubs. Snmp.exe is required for your system to remain stable, you should not terminate this process.
snmp.exe is flagged as a system process and does not appear to be a security risk. However, removing Snmp Agent may adversely impact your system.
The Process Server database currently registers snmp.exe to Microsoft.
This is part of Microsoft Windows.
I may be a hardware noob, but I'm not bad with viruses/processes. Read above.