Fuck!! My websites where hacked - anyone here that can read code ?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • fedfest
    Confirmed User
    • May 2002
    • 1334

    #1

    Fuck!! My websites where hacked - anyone here that can read code ?

    Got a mail from a surfer saying that his virus blocker whent nuts on my front page, so I check it out and sure enough, burried in the html of the index file theres a string of java code that does not belong

    Checked all sites and found it on 2 other pages too, so looks like some fucker haced into the server and placed the code.. Talking with host about that now.

    What i really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that i can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so i have no clue what to make of it.. Any script wizzes that can help ?

    RewardThem Now Paying Up To 70% Revshare !
    Top Converting CCbill affiliate program that will keep your members rebilling.
    No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !
  • EdgeXXX
    Confirmed User
    • Oct 2005
    • 5816

    #2
    Yeah, gimme a few minutes and I'll help you out
    .
    .
    .
    .

    I have a sig

    Comment

    • fedfest
      Confirmed User
      • May 2002
      • 1334

      #3
      Originally posted by EdgeXXX
      Yeah, gimme a few minutes and I'll help you out
      Awesome.. Really want to nail those fuckers if theres any chance of doing so
      RewardThem Now Paying Up To 70% Revshare !
      Top Converting CCbill affiliate program that will keep your members rebilling.
      No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

      Comment

      • frank7799
        Confirmed User
        • Jul 2003
        • 1974

        #4
        Originally posted by fedfest
        Got a mail from a surfer saying that his virus blocker whent nuts on my front page, so I check it out and sure enough, burried in the html of the index file theres a string of java code that does not belong

        Checked all sites and found it on 2 other pages too, so looks like some fucker haced into the server and placed the code.. Talking with host about that now.

        What i really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that i can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so i have no clue what to make of it.. Any script wizzes that can help ?

        Did it start like that?

        e = '0x00' + '22';str1 = (...)

        I got the same one. It´s a trojan which has to be uploaded through ftp. If it´s the same source code (javascript), you should change your ftp logins at once. Don´t use the same login and pw combination for ftp and for sponsor sites.

        Comment

        • High Plains Drifter
          Confirmed User
          • Jun 2005
          • 2341

          #5
          Do a search, there was a lot of threads about this last month. If its the same exploit, the CMS you're using has a vulverability. And its javascript, not java ;)

          Comment

          • EdgeXXX
            Confirmed User
            • Oct 2005
            • 5816

            #6
            Ok, is the hacked version of the page still online (if so, what is the URL)?
            .
            .
            .
            .

            I have a sig

            Comment

            • V_RocKs
              Damn Right I Kiss Ass!
              • Nov 2003
              • 32448

              #7
              Tripping balls.

              Comment

              • aico
                Moo Moo Cow
                • Mar 2004
                • 14748

                #8
                was it the same as this?: http://www.gofuckyourself.com/showthread.php?t=624482

                Comment

                • frank7799
                  Confirmed User
                  • Jul 2003
                  • 1974

                  #9
                  Change your FTP password, remove the script at the bottom of the page that runs the iframe:

                  [code=trojan stuff on your pages]
                  <script language="JavaScript">
                  e = '0x00' + '22';str1 = "%99%C1%CA%
                  blah blah blah
                  </script>
                  [/code]

                  You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

                  Login, Get File, Put File, Get File, Put File, Logout

                  usually no failed password attempts.

                  Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

                  The script forces the installation of an "start.exe" which connects to a site hosted at "inhoster.com". I don´t think it´s worth to contact them if you have a look at their site.

                  The site called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IP´s from the sites and from the hosting company are pretty much the same.

                  Comment

                  • fedfest
                    Confirmed User
                    • May 2002
                    • 1334

                    #10
                    Originally posted by m4yadult
                    Did it start like that?

                    e = '0x00' + '22';str1 = (...)

                    I got the same one. It´s a trojan which has to be uploaded through ftp. If it´s the same source code (javascript), you should change your ftp logins at once. Don´t use the same login and pw combination for ftp and for sponsor sites.
                    Yes.. Started excactly like that

                    Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most nessesary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now offcause :o(
                    RewardThem Now Paying Up To 70% Revshare !
                    Top Converting CCbill affiliate program that will keep your members rebilling.
                    No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                    Comment

                    • fedfest
                      Confirmed User
                      • May 2002
                      • 1334

                      #11
                      Originally posted by m4yadult
                      Did it start like that?

                      e = '0x00' + '22';str1 = (...)

                      I got the same one. It´s a trojan which has to be uploaded through ftp. If it´s the same source code (javascript), you should change your ftp logins at once. Don´t use the same login and pw combination for ftp and for sponsor sites.
                      Yes.. Started excactly like that

                      Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most nessesary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now offcause :o(
                      RewardThem Now Paying Up To 70% Revshare !
                      Top Converting CCbill affiliate program that will keep your members rebilling.
                      No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                      Comment

                      • fedfest
                        Confirmed User
                        • May 2002
                        • 1334

                        #12
                        Originally posted by EdgeXXX
                        Ok, is the hacked version of the page still online (if so, what is the URL)?
                        No, changed it back to the original.. But code is here http://www.3xvid.com/fuckers.html
                        Hope you can make anything out of it that can help trace who put it there
                        RewardThem Now Paying Up To 70% Revshare !
                        Top Converting CCbill affiliate program that will keep your members rebilling.
                        No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                        Comment

                        • L0rdJuni0r
                          Confirmed User
                          • Oct 2004
                          • 5883

                          #13
                          That sucks man. i hope u get it fixed soon...
                          Affordable video and picture editing.
                          junior[at]jampackproductions[DOT]com
                          ICQ: 605429331

                          Comment

                          • pornguy
                            Too lazy to set a custom title
                            • Mar 2003
                            • 62910

                            #14
                            Also ask Smokey the bear about it. He has helped a few people with issues similar.
                            PornGuy skype me pornguy_epic

                            AmateurDough The Hottes Shemales online!
                            TChicks.com | Angeles Cid | Mariana Cordoba | MAILERS WELCOME!

                            Comment

                            • fedfest
                              Confirmed User
                              • May 2002
                              • 1334

                              #15
                              Originally posted by aico
                              Doesn't look like the same.. but thanks
                              RewardThem Now Paying Up To 70% Revshare !
                              Top Converting CCbill affiliate program that will keep your members rebilling.
                              No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                              Comment

                              • fedfest
                                Confirmed User
                                • May 2002
                                • 1334

                                #16
                                Originally posted by pornguy
                                Also ask Smokey the bear about it. He has helped a few people with issues similar.
                                Yeah, he does seem to be a wizz with stuff like that.. Don't understand a damn bit about it myself *lol*
                                RewardThem Now Paying Up To 70% Revshare !
                                Top Converting CCbill affiliate program that will keep your members rebilling.
                                No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                                Comment

                                • frank7799
                                  Confirmed User
                                  • Jul 2003
                                  • 1974

                                  #17
                                  Originally posted by fedfest
                                  Yes.. Started excactly like that

                                  Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most nessesary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now offcause :o(
                                  I´m pretty sure it wasn´t hacked. I went through the logfiles with the tech of my hosting company and no attacks could be found. So it must have been someone knowing user / pw combination.

                                  Comment

                                  • FLAiR
                                    Confirmed User
                                    • Jun 2006
                                    • 250

                                    #18
                                    get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) ill find you the command in a sec

                                    Comment

                                    • fedfest
                                      Confirmed User
                                      • May 2002
                                      • 1334

                                      #19
                                      Originally posted by m4yadult
                                      Change your FTP password, remove the script at the bottom of the page that runs the iframe:

                                      [code=trojan stuff on your pages]
                                      <script language="JavaScript">
                                      e = '0x00' + '22';str1 = "%99%C1%CA%
                                      blah blah blah
                                      </script>
                                      [/code]

                                      You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

                                      Login, Get File, Put File, Get File, Put File, Logout

                                      usually no failed password attempts.

                                      Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

                                      The script forces the installation of an "start.exe" which connects to a site hosted at "inhoster.com". I don´t think it´s worth to contact them if you have a look at their site.

                                      The site called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IP´s from the sites and from the hosting company are pretty much the same.
                                      Thanks a lot.. some very good advices in your posts, I really apritiate that

                                      2 quick questions.
                                      1)whats a keylogger
                                      2) this "start.exe" file.. does it pull that file from my server, as i cant seem to find such file ?
                                      RewardThem Now Paying Up To 70% Revshare !
                                      Top Converting CCbill affiliate program that will keep your members rebilling.
                                      No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                                      Comment

                                      • The Duck
                                        Adult Content Provider
                                        • May 2005
                                        • 18243

                                        #20
                                        That sucks man, sorry to hear that.
                                        Skype Horusmaia
                                        ICQ 41555245
                                        Email [email protected]

                                        Comment

                                        • FLAiR
                                          Confirmed User
                                          • Jun 2006
                                          • 250

                                          #21
                                          oh and guys that script isent the trojan it self.. that just runs the file in your tmp folder.. like i sed get it secured and it will stop the script running the trojan.

                                          Comment

                                          • frank7799
                                            Confirmed User
                                            • Jul 2003
                                            • 1974

                                            #22
                                            You won´t find the "start.exe" on your box. It is installed on the PC of the visitor who visits your website. That´s what the sript is doing.

                                            A keyloggeris a spyware program which monitors and reports nearly every movement on you PC (for example login onfo and passwords). So you should have a look at your machine as well.

                                            Comment

                                            • frank7799
                                              Confirmed User
                                              • Jul 2003
                                              • 1974

                                              #23
                                              Originally posted by FLAiR
                                              get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) ill find you the command in a sec
                                              I´m not familiar with server administration. Can I do it myself via telnet or SSH or is it a better choice to ask tech support of my hosting company?

                                              Comment

                                              • mortenb
                                                Confirmed User
                                                • Jul 2004
                                                • 2203

                                                #24
                                                Originally posted by fedfest
                                                No, changed it back to the original.. But code is here http://www.3xvid.com/fuckers.html
                                                Hope you can make anything out of it that can help trace who put it there
                                                The encoded javascript translates into this:

                                                Comment

                                                • frank7799
                                                  Confirmed User
                                                  • Jul 2003
                                                  • 1974

                                                  #25
                                                  Originally posted by fedfest
                                                  Thanks a lot.. some very good advices in your posts, I really apritiate that
                                                  No problem, but I have to admit that I got this information from a very helpful guy on another board and it worked fine for me, so I thought I could repost it here.

                                                  Comment

                                                  • Ferrishyn
                                                    Registered User
                                                    • Nov 2005
                                                    • 28

                                                    #26
                                                    Beat me to it.

                                                    Here's the name of the virus if you didn't get that figured out yet
                                                    HTML.HelpControl!exploit

                                                    Comment

                                                    • Harrison Richard
                                                      Confirmed User
                                                      • Oct 2005
                                                      • 199

                                                      #27
                                                      What CMS do you use?
                                                      i sale executive summaries of threads

                                                      Comment

                                                      • fedfest
                                                        Confirmed User
                                                        • May 2002
                                                        • 1334

                                                        #28
                                                        Originally posted by m4yadult
                                                        No problem, but I have to admit that I got this information from a very helpful guy on another board and it worked fine for me, so I thought I could repost it here.
                                                        Well a big thanks to you both then, and to everyone else here who have been most helpfull with this
                                                        RewardThem Now Paying Up To 70% Revshare !
                                                        Top Converting CCbill affiliate program that will keep your members rebilling.
                                                        No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                                                        Comment

                                                        • fedfest
                                                          Confirmed User
                                                          • May 2002
                                                          • 1334

                                                          #29
                                                          Originally posted by mortenb
                                                          The encoded javascript translates into this:
                                                          Can i asume from this that the ovner of that site is behind this ? going to http://www.dnv-counter.com/trf/ ..that seems to be only a blank page with a counter though, so what doo they get out of that ?
                                                          Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.
                                                          RewardThem Now Paying Up To 70% Revshare !
                                                          Top Converting CCbill affiliate program that will keep your members rebilling.
                                                          No Traffic Leaks, No Popups, No Bullshit.. You get Credited For EVERYTHING !

                                                          Comment

                                                          • mortenb
                                                            Confirmed User
                                                            • Jul 2004
                                                            • 2203

                                                            #30
                                                            Originally posted by fedfest
                                                            Can i asume from this that the ovner of that site is behind this ? going to http://www.dnv-counter.com/trf/ ..that seems to be only a blank page with a counter though, so what doo they get out of that ?
                                                            Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.
                                                            If you look at the source of that page, you will see that it loads yet another iframe with some more javascript code..

                                                            Comment

                                                            • czarina
                                                              Webmaster Extraordinaire
                                                              • Jul 2002
                                                              • 10751

                                                              #31
                                                              check all the index pages of all the websites hosted in that server.
                                                              It happened to me about a month ago, I was so pissed!

                                                              Comment

                                                              Working...