Damn you Hackers!!! Go to Hell!!!

So today, I noticed another hack that’s been installed on my machine. I have to say ever since my move to, my site has been hacked over and over again. This is number #3. The reason why I posted about this one is because it is actually pretty interesting, and finding what was done was like a mystery. So let me tell you a quick story.

So this evening I was trying to figure out how to get my project 365 page to post automatically to my website. This is when I first noticed a slowdown and an issue when using the debugger from Facebook. At first I thought it was the WordPress plugin, but it occasionally works. I got everything ready and posted my first auto post, and strange things started to happen.

As I stated, everything looked normal at first until I clicked on the links provided by Facebook. When I click on the Facebook link to my website, it goes to some spam site. At first I thought it was the .htaccess hack that I received a while back, but that is not the case. Then I thought maybe it was a DNS hack. That was also not the case. Finally, I found the following in all my .php files on my web server.

It uses the eval command, nested with base64_decode, on the following block of code.


It is quite clever. It is encoded and people may easily overlook it, but when you decode the text this is what you get:

if (!$qazplm){
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"") or stristr($referer,"") or stristr($referer,"") or stristr($referer,"") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"") or stristr($referer,"") or stristr($referer,"")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){

Tricky huh?

So well… solution? Remove all code in all .php files, and with a little help from “grep” I was able to locate all the bad code.

grep -H -r 'eval(base64_decode' ./

So, Go To Hell You Punk Hackers!!! I hope you guys get busted and become someone’s bitch in prison.
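A broader version of the grep search from the post, as an added example that is not part of the original post: it also catches case and whitespace variants of the `eval(base64_decode(` call and prints each decoded payload for review without running it. The function names and the list of file extensions are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find PHP files carrying an
# eval(base64_decode(...)) injection and print the decoded payload for review.
# Function names and the file-extension list are assumptions.

# Tolerates case changes and spaces, e.g. "EVAL ( base64_decode (".
INJECT_RE='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('

# Print the path of every PHP-like file under $1 that matches the pattern.
find_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -q -i -E "$INJECT_RE" {} \; -print
}

# Print the decoded payload(s) found in file $1. The text is only decoded, never run.
decode_payloads() {
    grep -o -i -E "${INJECT_RE}[[:space:]]*[\"'][A-Za-z0-9+/=]+[\"']" "$1" |
        sed -E "s/^[^\"']*[\"']//; s/[\"']\$//" |
        while IFS= read -r b64; do
            printf '%s' "$b64" | base64 -d 2>/dev/null || printf '(not valid base64)'
            printf '\n'
        done
}

# One line per flagged file, followed by its decoded payload, indented.
report() {
    find_injected "$1" | while IFS= read -r f; do
        printf 'FLAGGED %s\n' "$f"
        decode_payloads "$f" | sed 's/^/    /'
    done
}

# Usage: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```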

  • Rebecca

    Wow that’s scary! Are you going to change to a different host? I hope my website never gets hacked!

  • I am on such a good deal with GoDaddy right now, it is very hard for me to change. I will ride this out until the end of my current contract and move host. Meanwhile, I got to put my degree to some use, right?

  • Kim

    Thank you SO much for posting this. The same thing has been happening to my website; only on Facebook. I am technically challenged so I need to forward your advice to someone with some knowledge. I do appreciate you posting it though.

  • My advice is to change your password ASAP to your blog account and then start looking for the bad scripts. Your hosting service may have a way to see what files have been changed. If it is only on Facebook, it is probably exactly the same problem that I had.

