Fuck!! My websites where hacked - anyone here that can read code ?

[fedfest]

Got a mail from a surfer saying that his virus blocker whent nuts on my front page, so I check it out and sure enough, burried in the html of the index file theres a string of java code that does not belong

Checked all sites and found it on 2 other pages too, so looks like some fucker haced into the server and placed the code.. Talking with host about that now.

What i really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that i can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so i have no clue what to make of it.. Any script wizzes that can help ?

[EdgeXXX]

Yeah, gimme a few minutes and I'll help you out

[fedfest]

Quote:

Originally Posted by EdgeXXX

Yeah, gimme a few minutes and I'll help you out

Awesome.. Really want to nail those fuckers if theres any chance of doing so

[frank7799]

Quote:

Originally Posted by fedfest

Got a mail from a surfer saying that his virus blocker whent nuts on my front page, so I check it out and sure enough, burried in the html of the index file theres a string of java code that does not belong

Checked all sites and found it on 2 other pages too, so looks like some fucker haced into the server and placed the code.. Talking with host about that now.

What i really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that i can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so i have no clue what to make of it.. Any script wizzes that can help ?

Did it start like that?

e = '0x00' + '22';str1 = (...)

I got the same one. It´s a trojan which has to be uploaded through ftp. If it´s the same source code (javascript), you should change your ftp logins at once. Don´t use the same login and pw combination for ftp and for sponsor sites.

[High Plains Drifter]

Do a search, there was a lot of threads about this last month. If its the same exploit, the CMS you're using has a vulverability. And its javascript, not java ;)

[EdgeXXX]

Ok, is the hacked version of the page still online (if so, what is the URL)?

[V_RocKs]

Tripping balls.

[aico]

was it the same as this?: http://www.gofuckyourself.com/showthread.php?t=624482

[frank7799]

Change your FTP password, remove the script at the bottom of the page that runs the iframe:

[code=trojan stuff on your pages]
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%
blah blah blah
</script>
[/code]

You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

Login, Get File, Put File, Get File, Put File, Logout

usually no failed password attempts.

Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

The script forces the installation of an "start.exe" which connects to a site hosted at "inhoster.com". I don´t think it´s worth to contact them if you have a look at their site.

The site called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IP´s from the sites and from the hosting company are pretty much the same.

[fedfest]

Quote:

Originally Posted by m4yadult

Did it start like that?

e = '0x00' + '22';str1 = (...)

I got the same one. It´s a trojan which has to be uploaded through ftp. If it´s the same source code (javascript), you should change your ftp logins at once. Don´t use the same login and pw combination for ftp and for sponsor sites.

Yes.. Started excactly like that

Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most nessesary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now offcause :o(

[fedfest]

Quote:

Originally Posted by m4yadult

Did it start like that?

e = '0x00' + '22';str1 = (...)

I got the same one. It´s a trojan which has to be uploaded through ftp. If it´s the same source code (javascript), you should change your ftp logins at once. Don´t use the same login and pw combination for ftp and for sponsor sites.

Yes.. Started excactly like that

Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most nessesary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now offcause :o(

[fedfest]

Quote:

Originally Posted by EdgeXXX

Ok, is the hacked version of the page still online (if so, what is the URL)?

No, changed it back to the original.. But code is here http://www.3xvid.com/fuckers.html
Hope you can make anything out of it that can help trace who put it there

[L0rdJuni0r]

That sucks man. i hope u get it fixed soon...

[pornguy]

Also ask Smokey the bear about it. He has helped a few people with issues similar.

[fedfest]

Quote:

Originally Posted by aico

was it the same as this?: http://www.gofuckyourself.com/showthread.php?t=624482

Doesn't look like the same.. but thanks

[fedfest]

Quote:

Originally Posted by pornguy

Also ask Smokey the bear about it. He has helped a few people with issues similar.

Yeah, he does seem to be a wizz with stuff like that.. Don't understand a damn bit about it myself *lol*

[frank7799]

Quote:

Originally Posted by fedfest

Yes.. Started excactly like that

Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most nessesary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now offcause :o(

I´m pretty sure it wasn´t hacked. I went through the logfiles with the tech of my hosting company and no attacks could be found. So it must have been someone knowing user / pw combination.

[FLAiR]

get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) ill find you the command in a sec

[fedfest]

Quote:

Originally Posted by m4yadult

Change your FTP password, remove the script at the bottom of the page that runs the iframe:

[code=trojan stuff on your pages]
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%
blah blah blah
</script>
[/code]

You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

Login, Get File, Put File, Get File, Put File, Logout

usually no failed password attempts.

Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

The script forces the installation of an "start.exe" which connects to a site hosted at "inhoster.com". I don´t think it´s worth to contact them if you have a look at their site.

The site called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IP´s from the sites and from the hosting company are pretty much the same.

Thanks a lot.. some very good advices in your posts, I really apritiate that

2 quick questions.
1)whats a keylogger
2) this "start.exe" file.. does it pull that file from my server, as i cant seem to find such file ?

[The Duck]

That sucks man, sorry to hear that.

[FLAiR]

oh and guys that script isent the trojan it self.. that just runs the file in your tmp folder.. like i sed get it secured and it will stop the script running the trojan.

[frank7799]

You won´t find the "start.exe" on your box. It is installed on the PC of the visitor who visits your website. That´s what the sript is doing.

A keyloggeris a spyware program which monitors and reports nearly every movement on you PC (for example login onfo and passwords). So you should have a look at your machine as well.

[frank7799]

Quote:

Originally Posted by FLAiR

get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) ill find you the command in a sec

I´m not familiar with server administration. Can I do it myself via telnet or SSH or is it a better choice to ask tech support of my hosting company?

[mortenb]

Quote:

Originally Posted by fedfest

No, changed it back to the original.. But code is here http://www.3xvid.com/fuckers.html
Hope you can make anything out of it that can help trace who put it there

The encoded javascript translates into this:

[frank7799]

Quote:

Originally Posted by fedfest

Thanks a lot.. some very good advices in your posts, I really apritiate that

No problem, but I have to admit that I got this information from a very helpful guy on another board and it worked fine for me, so I thought I could repost it here.

[Ferrishyn]

Beat me to it.

Here's the name of the virus if you didn't get that figured out yet
HTML.HelpControl!exploit

[Harrison Richard]

What CMS do you use?

[fedfest]

Quote:

Originally Posted by m4yadult

No problem, but I have to admit that I got this information from a very helpful guy on another board and it worked fine for me, so I thought I could repost it here.

Well a big thanks to you both then, and to everyone else here who have been most helpfull with this

[fedfest]

Quote:

Originally Posted by mortenb

The encoded javascript translates into this:

Can i asume from this that the ovner of that site is behind this ? going to http://www.dnv-counter.com/trf/ ..that seems to be only a blank page with a counter though, so what doo they get out of that ?
Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.

[mortenb]

Quote:

Originally Posted by fedfest

Can i asume from this that the ovner of that site is behind this ? going to http://www.dnv-counter.com/trf/ ..that seems to be only a blank page with a counter though, so what doo they get out of that ?
Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.

If you look at the source of that page, you will see that it loads yet another iframe with some more javascript code..

[czarina]

check all the index pages of all the websites hosted in that server.
It happened to me about a month ago, I was so pissed!