Something happened to my website, what exactly?

Discussion in 'Black Hat SEO' started by Quazpolter, Jan 23, 2012.

  1. Quazpolter

    Quazpolter Junior Member

    Joined:
    Dec 29, 2011
    Messages:
    114
    Likes Received:
    24
    <HTML>
    <HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD>
    <BODY>
    <H1>Not Found</H1>
    The requested document was not found on this server.
    <P>
    <HR>
    <ADDRESS>
    Web Server at j-query.org
    </ADDRESS>
    </BODY>
    </HTML>



    i can read the blog posts fine but this is at the top of the page source, what happened? it was fine a few hours ago, I changed nothing.
     
  2. Quazpolter

    Quazpolter Junior Member

    Joined:
    Dec 29, 2011
    Messages:
    114
    Likes Received:
    24
    i found this

    wpmu DOT org/beware-fake-jquery-calls-in-wordpress-plugins-from-the-repo/

    it says that j-query.org is fake

    Did I download a theme with malicious code in it and get hacked?
     
  3. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    1,001
    You didn't get hacked, but you did install a rogue plugin or theme and it is injecting that (now non-existent) fake jquery library.

    Disable your plugins one by one till you find the culprit code. Check your theme too. Once you find out what is responsible either find a suitable alternative, or remove the malicious curl function from the php.
     
  4. Seo Lover

    Seo Lover Jr. Executive VIP Jr. VIP

    Joined:
    Jan 30, 2011
    Messages:
    6,048
    Likes Received:
    4,322
    Gender:
    Male
    Occupation:
    Hanging Around Interawebs !
    Location:
    <-----------------Sin City
    Thats a theme issue or might be plugin issue
    Whatever you have newly installed delete it
    through FTP and your site will be up again
     
  5. Quazpolter

    Quazpolter Junior Member

    Joined:
    Dec 29, 2011
    Messages:
    114
    Likes Received:
    24
    It seems it is the theme, how do I go about finding the malicious code and removing it? Anything to look out for? What file would it be in?

    Sorry, I'm a complete noob.

    exploit scanner found this

    wp-content/themes/thesis_182/lib/scripts/jscolor/jscolor.js:78
    Often used to execute malicious code eval('prop='+m[3])
    wp-content/plugins/pretty-link/includes/jquery/js/jquery-1.3.2.min.js:12
    Often used to execute malicious code .src,async:false,dataType:"script"})}else{o.globalEval(F.text||F.textContent||F.innerHTML||"")}if(F.pa
    wp-content/plugins/pretty-link/includes/jquery/js/jquery-1.3.2.min.js:19
    Often used to execute malicious code )}if(typeof I==="string"){if(H=="script"){o.globalEval(I)}if(H=="json"){I=l["eval"]("("+I+")")}}return
    wp-content/plugins/pretty-link/includes/jquery/js/jquery-ui-1.7.1.custom.min.js:122
    Often used to execute malicious code s=inlineSettings||{};try{inlineSettings[attrName]=eval(attrValue)}catch(err){inlineSettings[attrName]=
    wp-content/plugins/pretty-link/includes/version-2-kvasir/js/json/json2.js:444
    Often used to execute malicious code j = eval('(' + text + ')');
    wp-content/plugins/exitsplash/files/lightbox/jquery.lightbox.min.js:17
    Often used to execute malicious code eval(function(p,a,c,k,e,r){e=function(c){return(c<a?
    wp-content/plugins/exitsplash/files/jquery-1.5.2.min.js:16
    Often used to execute malicious code x({url:b.src,async:!1,dataType:"script"}):d.globalEval(b.text||b.textContent||b.innerHTML||""),b.parentNode&&b.parentNode.removeChild(b)}functi [line truncated]
    wp-content/plugins/exitsplash/colorpicker/js/jquery.js:552
    Often used to execute malicious code jQuery.globalEval( elem.text || elem.textContent || elem.innerHTM
    wp-content/plugins/exitsplash/colorpicker/js/jquery.js:3721
    Often used to execute malicious code jQuery.globalEval( data );

    Eval( was highlited. Both are "nulled" things that I downloaded
     
    Last edited: Jan 23, 2012
  6. anonapersons

    anonapersons Newbie

    Joined:
    Dec 18, 2011
    Messages:
    26
    Likes Received:
    2
    can you still login to admin panel?
     
  7. Quazpolter

    Quazpolter Junior Member

    Joined:
    Dec 29, 2011
    Messages:
    114
    Likes Received:
    24
    yes, trying to find a file that contains j-query, but what if it is encrypted?
     
  8. Quazpolter

    Quazpolter Junior Member

    Joined:
    Dec 29, 2011
    Messages:
    114
    Likes Received:
    24
    found it and deleted it
     
  9. ezines

    ezines Power Member

    Joined:
    Jan 3, 2011
    Messages:
    719
    Likes Received:
    220
    Occupation:
    Online/Offline
    Location:
    Somewhere On Earth
    Last edited: Feb 2, 2012