/! Sources compromised ?

Hello

I've downloaded the last stable version and the latest build, and in the file /inc/design.inc.php I've found this curious code at line 108:

                                                                                                                                                                                                                                                    $s813518='Y3JlYXRlX2Z1bmN0aW9u';$s534634='base64_decode';$s434741='YmFzZTY0X2RlY29kZQ==';
                                                                                                                                                                                                                                                  $s865127='ZWNobw==';$s734874='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';
                                                                                                                                                                                                                                                    $s545674=$s534634( $s813518 );$s548866=$s534634( $s434741 );$s947586=$s534634( $s865127 );$$s947586=$s545674( '$s753787, $s653987', $s548866( $s734874 ) );

When I delete it, you have an error on line 105 ($echo):

function PageCode($oTemplate = null)
{
    global $echo;
    global $_page;
    global $_page_cont;
    global $oSysTemplate;

    if(empty($oTemplate))
        $oTemplate = $oSysTemplate;

    bx_import('BxDolAlerts');
    $oZ = new BxDolAlerts('system', 'design_before_output', 0, 0, array('_page' => &$_page, '_page_cont' => &$_page_cont));
    $oZ->alert();

    header( 'Content-type: text/html; charset=utf-8' );
    $echo($oTemplate, 'page_' . $_page['name_index'] . '.html');
}

 

My website had been hacked; I've removed the scripts and files that were added, but I think this code is a backdoor.

I haven't found an old version to compare the code.

Thanks for your help.

Quote · 1 Aug 2017

It seems the code was added 1 year ago:

https://github.com/boonex/dolphin.pro/blame/master/inc/design.inc.php

By https://github.com/Prashank25

Quote · 1 Aug 2017

It's base64 code for the license and footer. Dolphin obfuscates it to avoid easy tampering.

What version of Dolphin are you on? 7.3.2 and older are affected by a serious security vulnerability.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 1 Aug 2017
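
The indirection in the snippet from the first post can be resolved statically, without executing any of it. The Python below is an added example, not part of the thread or of Dolphin's code: the long base64 literal is elided on this page, so `PLACEHOLDER` is a constructed stand-in, and `deobfuscate` with its regexes is a hypothetical helper that covers only the three statement shapes quoted above.

```python
import base64
import re

# Constructed stand-in for the long literal, which is elided on this page.
PLACEHOLDER = base64.b64encode(b"return 'constructed placeholder body';").decode()
# The short literals and the statement shapes are the ones quoted in the first post.
SAMPLE = (
    "$s813518='Y3JlYXRlX2Z1bmN0aW9u';$s534634='base64_decode';"
    "$s434741='YmFzZTY0X2RlY29kZQ==';$s865127='ZWNobw==';"
    "$s734874='" + PLACEHOLDER + "';"
    "$s545674=$s534634( $s813518 );$s548866=$s534634( $s434741 );"
    "$s947586=$s534634( $s865127 );"
    "$$s947586=$s545674( '$s753787, $s653987', $s548866( $s734874 ) );"
)

CODE_BUILDERS = {"create_function", "eval", "assert"}  # names that turn strings into code
ASSIGN = re.compile(r"^\$(\w+)='([^']*)'$")                  # $v='literal'
DECODE = re.compile(r"^\$(\w+)=\$(\w+)\(\s*\$(\w+)\s*\)$")   # $v=$f( $x )
BUILD = re.compile(r"^\$\$(\w+)=\$(\w+)\(\s*'([^']*)',\s*\$(\w+)\(\s*\$(\w+)\s*\)\s*\)$")

def deobfuscate(php):
    """Resolve the string indirection statically; nothing from `php` is executed."""
    env, findings = {}, []
    for stmt in filter(None, (s.strip() for s in php.split(";"))):
        if m := ASSIGN.match(stmt):
            env[m[1]] = m[2]
        elif (m := DECODE.match(stmt)) and env.get(m[2]) == "base64_decode" and m[3] in env:
            env[m[1]] = base64.b64decode(env[m[3]]).decode("utf-8", "replace")
        elif m := BUILD.match(stmt):
            target, builder, args, decoder, blob = m.groups()
            body = None
            if env.get(decoder) == "base64_decode" and blob in env:
                body = base64.b64decode(env[blob]).decode("utf-8", "replace")
            findings.append({
                "defines": "$" + env.get(target, "?"),   # variable-variable target
                "via": env.get(builder, "?"),            # function actually called
                "dynamic_code": env.get(builder) in CODE_BUILDERS,
                "args": args,
                "body": body,                            # decoded source, for review only
            })
        else:
            findings.append({"unparsed": stmt})          # anything unexpected is surfaced
    return env, findings

if __name__ == "__main__":
    print(deobfuscate(SAMPLE)[1])
```

On the quoted line this reports that `$echo` is defined through `create_function`, which is why deleting the line breaks the `$echo(...)` call in `PageCode`; the decoded `body` is the part to read before deciding what the line does.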

OK, I trust you.

It looks like injected code, with the tabulations.

I use the 7.3.3 version.

I've upgraded each time, I receive BoonEx security notifications.

Quote · 1 Aug 2017

I can't say how your site was compromised, but I recommend making sure all your accounts have unique and strong passwords. Most often besides a vulnerability, this is because a cPanel or FTP account with a weak password was used. Also make sure you don't have any malware on your local computer. Any FTP accounts belonging to developers or other users that no longer require access should be deleted.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 1 Aug 2017

I run hundreds of websites.

I will investigate this.

Maybe it's a bug in an external module.

Quote · 1 Aug 2017