please advise - is this a hack?

deltuna · 07-03-2007, 03:08 AM

when i try and access yahoo mail from my laptop this is what comes up. i'm really worried..please help

<?PHP
ini_set('display_errors', 0);
$data = yahoo_reg_login_setup();

if ( $data === FALSE )
{
exit();
}
else if ( ! isset( $data['DISPLAY_FORM'] ) )
{
error_log( "yahoo_reg_login_setup didn't set the DISPLAY_FORM field" );
header( "Location: http://login.yahoo.com/");
exit();
}

$tstname = @$data['.testname'];
$src = @$data['.src'];
$partner = @$data['.partner'];
$intl = @$data['.intl'];

// This is a hack put in place so that persistancy files are
// picked from the regular html directory.
// yinst packaging didn't allow for the multiple links to be created
// with one single command.
if($tstname == "tst_pst") {
$tstname = "";
}

// Adding support for pkg using PHP
if((@$data['pkg'] != null) && (@$data['pkg'] != "" ))
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}_shrkwp";
$res=include("/home/y/share/pear/Yahoo/reg/logic/shrkwp.inc");
}

// Adding support for .partner via PHP
// If both .src and .partner are present, and .src=ym, then .src takes
// precedence, else .partner takes precedence. - Aanchal, Bug #368481
// Please note that if in future, a more complicated pprecednce has to
// be added, the priorityMap array from propTemplate.inc.ros and
// header.inc.ros should be used.
// Disabling the src=ym precedence over the partner user as ym is not
// converted in intls like ca and cf and users end up seeing the older
// login_verify page for ym. It is better if we show them the partner
// branding. - bug # 652617
//else if(($src != null) && ($src != "") && ($src == "ym"))
//{
//$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
//$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}");
//}
else if(($partner != null) && ($partner != ""))
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}/login/${data['DISPLAY_FORM']}");
}
else if(($src != null) && ($src != ""))
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}");
}
else
{
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}";
$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}/login/${data['DISPLAY_FORM']}");
}

// This check is put in place to avoid showing a blank login page
// when some test is set in common_login.conf and that test package is not
// installed on the machine.
// Ideally this should not happen. - Aanchal, Feb 3, 2005
// Bug # 305858
if($res != '1')
{
if(!is_dir($data['.abs_path'])){
// reset abs_path only if it didn't exist before
// a temp fix for ym logout issue
// Bug 1146959
$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}";
}
include("/home/y/share/htdocs/idaho/php/${intl}/login/${data['DISPLAY_FORM']}");
}
?>

**Go The Power** · 07-03-2007, 03:14 AM

Hello and welcome to TSF.

Are you on a network and what web browser are you using?

chauffeur2 · 07-03-2007, 03:19 AM

Hello Deltuna,

Going by the look of your post, you have been infected with something rather sinister.

Please go here; read the instructions carefully and follow each step; then, post your Logs in our HJT Support Forum here.
(Please click on the coloured links)

The analysts are usually very busy in the Security Team, so please be patient, and one of them will be along as soon as they can to assist you.

Good Luck with it!

Kind Regards,

deltuna · 07-03-2007, 03:48 AM

hi there, i have posted my log in hjt section.

go to the power -- i am on laptop at home network and this is the only pc. i am on a wireless connection using windows vista.

**Go The Power** · 07-03-2007, 04:02 AM

Hello
My advice would be to wait for an expert Analyst to check your logs for infections.

Good luck.

**Ben** · 07-03-2007, 01:21 PM

This doesn't look like an infection to me, Its just where the browser isn't rendering the php code properly

What browser are you using?

**Ben** · 07-03-2007, 02:30 PM

Also, should this thread be in Computer Security News?

deltuna · 07-04-2007, 07:10 AM

hi i'm using AOL browser

**Ben** · 07-04-2007, 07:14 AM

Try using Interent Explorer and see if you still have the same problem

07-03-2007, 03:08 AM	#1 (permalink)
deltuna Registered User Join Date: Mar 2006 Location: lake district uk Posts: 81 OS: xp	please advise - is this a hack? when i try and access yahoo mail from my laptop this is what comes up. i'm really worried..please help <?PHP ini_set('display_errors', 0); $data = yahoo_reg_login_setup(); if ( $data === FALSE ) { exit(); } else if ( ! isset( $data['DISPLAY_FORM'] ) ) { error_log( "yahoo_reg_login_setup didn't set the DISPLAY_FORM field" ); header( "Location: http://login.yahoo.com/"); exit(); } $tstname = @$data['.testname']; $src = @$data['.src']; $partner = @$data['.partner']; $intl = @$data['.intl']; // This is a hack put in place so that persistancy files are // picked from the regular html directory. // yinst packaging didn't allow for the multiple links to be created // with one single command. if($tstname == "tst_pst") { $tstname = ""; } // Adding support for pkg using PHP if((@$data['pkg'] != null) && (@$data['pkg'] != "" )) { $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}_shrkwp"; $res=include("/home/y/share/pear/Yahoo/reg/logic/shrkwp.inc"); } // Adding support for .partner via PHP // If both .src and .partner are present, and .src=ym, then .src takes // precedence, else .partner takes precedence. - Aanchal, Bug #368481 // Please note that if in future, a more complicated pprecednce has to // be added, the priorityMap array from propTemplate.inc.ros and // header.inc.ros should be used. // Disabling the src=ym precedence over the partner user as ym is not // converted in intls like ca and cf and users end up seeing the older // login_verify page for ym. It is better if we show them the partner // branding. - bug # 652617 //else if(($src != null) && ($src != "") && ($src == "ym")) //{ //$data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}"; //$res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}"); //} else if(($partner != null) && ($partner != "")) { $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}"; $res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${partner}/login/${data['DISPLAY_FORM']}"); } else if(($src != null) && ($src != "")) { $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}"; $res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}_${src}/login/${data['DISPLAY_FORM']}"); } else { $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${tstname}/${intl}"; $res=include("/home/y/share/htdocs/idaho/php/${tstname}/${intl}/login/${data['DISPLAY_FORM']}"); } // This check is put in place to avoid showing a blank login page // when some test is set in common_login.conf and that test package is not // installed on the machine. // Ideally this should not happen. - Aanchal, Feb 3, 2005 // Bug # 305858 if($res != '1') { if(!is_dir($data['.abs_path'])){ // reset abs_path only if it didn't exist before // a temp fix for ym logout issue // Bug 1146959 $data['.abs_path'] = "/home/y/share/htdocs/idaho/php/${intl}"; } include("/home/y/share/htdocs/idaho/php/${intl}/login/${data['DISPLAY_FORM']}"); } ?>

07-03-2007, 03:14 AM	#2 (permalink)
Go The Power Moderator, Microsoft Support Join Date: Mar 2007 Location: South Australia Posts: 10,981 OS: Windows XP Home SP2 Blog Entries: 1	Re: please advise - is this a hack? Hello and welcome to TSF. Are you on a network and what web browser are you using? __________________

07-03-2007, 03:19 AM	#3 (permalink)
chauffeur2 Manager Emeritus Join Date: Feb 2006 Location: Adelaide, South Australia Posts: 10,180 OS: Xp Sp3 with all updates + Vista™ Ultimate SP1. My System	Re: please advise - is this a hack? Hello Deltuna, Going by the look of your post, you have been infected with something rather sinister. Please go here; read the instructions carefully and follow each step; then, post your Logs in our HJT Support Forum here. (Please click on the coloured links) The analysts are usually very busy in the Security Team, so please be patient, and one of them will be along as soon as they can to assist you. Good Luck with it! Kind Regards, __________________ Dave T. Submit New Articles If it works, Don't fix it! Especially if Bill Gates had anything to do with it!!

07-03-2007, 03:48 AM	#4 (permalink)
deltuna Registered User Join Date: Mar 2006 Location: lake district uk Posts: 81 OS: xp	Re: please advise - is this a hack? hi there, i have posted my log in hjt section. go to the power -- i am on laptop at home network and this is the only pc. i am on a wireless connection using windows vista.

07-03-2007, 04:02 AM	#5 (permalink)
Go The Power Moderator, Microsoft Support Join Date: Mar 2007 Location: South Australia Posts: 10,981 OS: Windows XP Home SP2 Blog Entries: 1	Re: please advise - is this a hack? Hello My advice would be to wait for an expert Analyst to check your logs for infections. Good luck. __________________

07-03-2007, 01:21 PM	#6 (permalink)
Ben TSF Enthusiast Join Date: Mar 2007 Location: United Kingdom Posts: 1,343 OS: Windows XP Home SP2 My System	Re: please advise - is this a hack? This doesn't look like an infection to me, Its just where the browser isn't rendering the php code properly What browser are you using? __________________ \|3e\|\\| If I stop replying to a thread, send me a PM with the thread link HijackThis • AVG Anti-Virus • AVG Anti-Spyware • SpywareBlaster • CWShredder • HOSTS File PC Safety and Security - What Do I Need? • So How Did I Get Infected In The First Place?

07-03-2007, 02:30 PM	#7 (permalink)
Ben TSF Enthusiast Join Date: Mar 2007 Location: United Kingdom Posts: 1,343 OS: Windows XP Home SP2 My System	Re: please advise - is this a hack? Also, should this thread be in Computer Security News? __________________ \|3e\|\\| If I stop replying to a thread, send me a PM with the thread link HijackThis • AVG Anti-Virus • AVG Anti-Spyware • SpywareBlaster • CWShredder • HOSTS File PC Safety and Security - What Do I Need? • So How Did I Get Infected In The First Place?

07-04-2007, 07:10 AM	#8 (permalink)
deltuna Registered User Join Date: Mar 2006 Location: lake district uk Posts: 81 OS: xp	Re: please advise - is this a hack? hi i'm using AOL browser

07-04-2007, 07:14 AM	#9 (permalink)
Ben TSF Enthusiast Join Date: Mar 2007 Location: United Kingdom Posts: 1,343 OS: Windows XP Home SP2 My System	Re: please advise - is this a hack? Try using Interent Explorer and see if you still have the same problem __________________ \|3e\|\\| If I stop replying to a thread, send me a PM with the thread link HijackThis • AVG Anti-Virus • AVG Anti-Spyware • SpywareBlaster • CWShredder • HOSTS File PC Safety and Security - What Do I Need? • So How Did I Get Infected In The First Place?