
<b1> tags - WHICH one of you hacked my blog?

Discussion in 'Black Hat SEO' started by Web-Hobo777, Feb 28, 2011.

  1. Web-Hobo777

    I found some strange <b1> tags in my blog. Google gives only 2 relevant results.

    Please help me - I feel like I have to trash my whole blog. I'm feeling really really sad cause I don't have a clue what to do.

    This is the code between the body tags.

    Code:
    <body><b1><!--Iw_9c9aZeNlyUEOwyAMBMAXhX2TC6sYCWyEnfD9quppDgP1SURuScc5B2/Ud4ej4yrbcqMYkxoNq+Bf+DmaF104izruqWtEQqJwOf8TBoIdndoJTGXZauLyrvKog=--></b1>
    
    website content
    
    <b1><!--Iw_9c9aeNolyUEOwyAMBMAXhXThU2MBDbCJny/qnqaw0BsEB4rh+Gcg7f9SG/znftVF/PwpAxIVCuO+Bhr16kUYkzr2Ia1EAIBx2fvulUz9FMcZsFV5oyvywVKq4=--></b1></body>
    
    Is there anything I could do? I don't want to lose my posts / settings / theme changes. I've worked so hard I could cry.
     
    Last edited: Feb 28, 2011
  2. Jared255

    Restore your blog with a backup?
     
  3. Web-Hobo777

    I don't have any. All of my backups contain these strange codes.

    I never realised this until I started editing some files today :(
     
  4. dragonlube

    how dare you blame me
     
  5. Web-Hobo777

    because it's always someone behind the bushes...
     
    Last edited: Feb 28, 2011
  6. srb888

    If you're using WordPress, then edit your post and look for "Revisions" under "Edit Posts". If the posts are re-edited then there should be revisions mentioned there. Try to Restore one and look for the above codes in the HTML. If the code is clean then Update that post. You will get back your earlier clean coded post. If this succeeds then do the same for all the posts. Try it. Once you get all the posts back, then do a backup and change your password details, and ask your Hosting support to help you further.
     
  7. ronegraT

    It seems there are more people that have had this problem

    Code:
    http://www.phpfreaks.com/forums/php-coding-help/strange-ltb1gt-html-tag/
    
    But to me the code seems harmless if used in HTML since <!-- is a comment function -->

    I did find Exploit Scanner for WordPress, maybe something to think about

    Code:
    http://wordpress.org/extend/plugins/exploit-scanner/
    
     
    Last edited: Feb 28, 2011
  8. srb888

    It cannot be harmless just because it is commented out. The one who got the code modified has the control of the blog, and the hacker can anytime use the blog if (s)he is not blocked immediately.

    BTW, who is your host and are you using any specific pirated/free theme? If that theme is the culprit then it can be much easier to find out how it works if someone can get a hand on that unedited and fresh downloaded theme.

    Or there can be holes in your site -- folders or files using 777 chmod permissions, or something similar.

    Immediately ask your Hosting Support to look into the code and also ask them to do server-wide checks...
     
    Last edited: Feb 28, 2011
  9. Web-Hobo777

    Thanks for trying to help me! I really appreciate any help!!!

    The code is between the <body> tags in the files header.php and footer.php of the theme.

    The theme I'm using is a common free theme and I've downloaded it from the original WordPress site.

    It's a shared hosting environment and I didn't find any 777 directory. Only a 750 folder called cache. Other files and folders are set to 644 and 755 (folders).

    Some days ago I couldn't upload to the server because the owner/group parameters of the files and folders were screwed. Some were set to 0/0 while others remained intact.

    I would like to, but what should I look for?

    Is there any way to block the attacker?

    I've already changed the administrator password, but if he has access to the database and FTP this was kind of a useless action I guess?!
     
    Last edited: Feb 28, 2011
  10. srb888

    If it's a free theme then can you give the name here? Also check for plugins and any other addons.

    Best way is to ask your Hosting tech support to find the culprit codes. They can find it very fast. Ask them to give you some sort of details about it and also how to stop any intrusion on your blog. As seen on other forums, that sort of code still shows up again in future even after they have changed passwords etc.

    I could have checked the code in sandboxie/xampp (localhost) but it is not possible to do it at this moment.
     
    Last edited: Feb 28, 2011
  11. ronegraT

    You are absolutely right, I didn't think of someone having access to the site :(

    Have you looked for any "unknown" or suspicious files? Check every folder to see if you find anything that you haven't placed there.

    In the link I posted they found a file named "data", but that's in 2009 so it could have changed
     
  12. srb888

    By the way the code is embedded in Header and Footer, I would like you to check all the theme files (unmodified and freshly downloaded) as the first suspect.
     
  13. moozig23

    First of all: Download the theme to your computer, and see if those tags are there in the first place.
    If not: delete them, change all your passwords (to WordPress, to cPanel, to FTP, etc.), and hope for the best.
    Check for appearance of the tags daily, and the moment they appear, analyze your server access logs VERY carefully.
     
  14. chris456

    Next time search in Google for something like this (vulnerability scanner):
    Code:
    "acunetix web vulnerability scanner hotfile"
     
  15. krluk

    Can you please check your RSS feeds and come back with the way they look?
    If it is what happened to me some time ago, your RSS feeds are messy, or just some backlinks to other sites. (RSS is missing, and just a URL for another website shows.)
    Also can you check your page source (home page and a few other posts as well) and see if there are some backlinks which should not be there?
    If it is this, the only thing is to clear the database, fresh install. Will give further details after confirmation if it is this or not.
     
  16. Web-Hobo777

    The name of the theme is bluesansation and it was downloaded from the wordpress.org themes library. I redownloaded it from there and the codes are not in the theme itself. I can't find any suspicious files as there are hundreds of files in the WordPress folder that I don't know.

    @srb88, I could send you the real code for testing purposes. The code I published here isn't exactly the same I found in the files. BHW changed some chars

    @krluk, RSS feed and main page seem to be free of suspicious links.

    Do you think I'm safe after I've changed the database password, admin account login and FTP passwords? What else could I do?

    PS: Acunetix is running. What a mighty tool - I'm impressed!
     
    Last edited: Feb 28, 2011
  17. chris456

    Yes, I had a similar problem, but not with WordPress. I got some malicious JavaScript code at the bottom of every index.html and index.php, so I had to delete all of the script (I don't remember the name of the script, but it wasn't updated for years), so I installed WordPress (I use WordPress on 30 pages, but I liked that script and wanted to try it).
    I discovered Acunetix after I had that problem; from that moment I use it to control my websites.
     
  18. srb888

    I will also download that theme and check.

    In the meantime, you can upload those 2 php files (header and footer) in zipped format to, for example, rapidshare and give its link here so that others may also check it. If possible, also upload the HTML of one of the posts along with those to see the 'malicious' text. Try to give a simple password to the zip file as sometimes the malicious codes present in the zipped files cannot get activated on their own if the zip file is password protected (but I may be wrong in this assumption).

    First, just take care of running the downloaded files through a good antivirus and anti-malware anti-adware software before opening them or even zipping them for the upload purpose.

    If you have other websites (other than this 'infected' site) present on the hosting account, then are any posts on those other sites showing the same 'malicious' codes?

    If there are other websites present then are you using the same theme on those sites? If those sites are still showing (and if the theme there is different), then this could be a serious matter because then there would be other files like plugins, text files, etc. with infection. Anyway, this code too must be originating from an infected file (such as a php or txt) other than the theme's files.

    So IMO, your hosting support can check the matter much better and faster. Those guys are well experienced in these things and they encounter such intrusions on a regular basis. So asking them to look over can produce better and faster results, and they can inoculate the server or part of the server more professionally. Ask them what needs to be done.

    I am at present extremely busy completing a task for my client and hence cannot do a test run as I haven't installed the necessary software to handle such a risky task. So asking your host to help is the best option IMO. :)

    You're not safe even if you do all those things, IMO. As mentioned on other forums, the code re-emerges after a few days, so getting to the bottom of the issue and cleaning the source as well as the posts can be the only option.

    As also stated earlier, your own hosting support team can really help you find the suspect files, and they can also look at other sites residing along with your site on the shared server.
     
  19. krluk

    Check page source for suspicious backlinks also.
    My problem was the same. But there were the backlinks as well. I investigated this a lot back in 2009, and this I can pass to you (I don't remember all details....):
    You are hacked through another website, hosted on the same server as yours. Looks like through Joomla sites, not updated. The virus was created for Joomla sites; once one on the server is infected, it spreads to all Joomla sites on that server. After they released the thing, they noticed that it goes on WP too, so they adapted it to WP as well.
    First this thing sleeps in your website, hidden. When it sleeps, there are no backlinks. If I'm not wrong, Acunetix does not pick this one up.
    When it is active, it creates an iframe, with backlinks to other sites, but it is not visible to regular visitors, only for SE.
    If you clean all the code, files, etc., after some time the code appears again.
    It's useless to change pass, user, etc., they don't need that.
    I have cleaned that site more than 10 times. Each time it was back on.
    My personal opinion is that it is related to the database prefix, as I have cleaned, even deleted the database and WP installation files, .htaccess, but the virus was back. Finally I reinstalled again with a different database prefix, and never got it back.
    Try to install a file monitor; it will mail you each time your files are modified, and you have a point to start from if the code reappears.
     
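The daily tag check and the file monitor suggested in the posts above, together with the permission check, sketched as an added example (not code from the thread or from any plugin named in it). The function names, the dropped `data` file and the payload string are constructed for the demo; a real run would point `scan_tree` and `snapshot` at the WordPress directory.

```python
import hashlib, re, stat, tempfile
from pathlib import Path

# Shape seen in the thread: an encoded blob inside an HTML comment, wrapped in
# a made-up <b1> element (not a real HTML tag).
B1_RE = re.compile(r"<b1>\s*<!--([A-Za-z0-9+/_=-]{16,})-->\s*</b1>", re.I)

def _files(root):
    return [(str(p.relative_to(root)), p) for p in Path(root).rglob("*") if p.is_file()]

def scan_tree(root):
    """Return {relative path: [reasons]} for files that need a closer look."""
    findings = {}
    for rel, p in _files(root):
        reasons = []
        if p.stat().st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        hits = B1_RE.findall(p.read_text(encoding="utf-8", errors="replace"))
        if hits:
            reasons.append(f"{len(hits)} <b1> payload(s)")
        if reasons:
            findings[rel] = reasons
    return findings

def snapshot(root):
    """Map each relative path to the SHA-256 of its contents (the baseline)."""
    return {rel: hashlib.sha256(p.read_bytes()).hexdigest() for rel, p in _files(root)}

def diff_snapshots(old, new):
    """Return (added, changed, removed) paths between two snapshots."""
    both = set(old) & set(new)
    return (sorted(set(new) - set(old)),
            sorted(p for p in both if old[p] != new[p]),
            sorted(set(old) - set(new)))

def demo():
    """Constructed theme dir: clean baseline, then a simulated re-infection."""
    with tempfile.TemporaryDirectory() as root:
        header, dropped = Path(root, "header.php"), Path(root, "data")
        header.write_text("<body>\n<?php wp_head(); ?>\n")
        header.chmod(0o644)
        baseline = snapshot(root)
        # Constructed payload, not the one posted in the thread.
        header.write_text("<body><b1><!--Q09OU1RSVUNURURfU0FNUExF--></b1>\n")
        dropped.write_text("constructed dropped file\n")
        dropped.chmod(0o666)
        return scan_tree(root), diff_snapshots(baseline, snapshot(root))
```

Store the baseline from a known-clean state somewhere the web server account cannot write; the modification time of any changed or added file is the window to look at in the server access logs.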
  20. krluk

    Can you PM the URL? I will have a look.

    Just remembered now, there are also 3 different entries in the database; you delete them also and they reappear.
    I don't recall the name for them....
     
    Last edited: Feb 28, 2011