Site Hacked - Links Added

[gazza]

Hi

Just wondering if anyone has had their site hacked over the weekend?? Received a disk usage exceeded message yesterday and just checked my site (not logged in to it for a few months). All of my HTML files have had dodgy links added to them on 27th March!!

Called support who asked me to send emails to support and abuse which I have done. But would like to delete the links asap.

Cheers
gaz

[eUK-Nick]

Hello Gareth,

Martin has already replied to your email. He has suggested a few steps in it.

[brighter]

This happened to me too. On March 17th.

I noticed both a line that contained a load of links and a different line starting eval(base64_decode...

Note: Decoding the code leads to another base 64 decode which generates a remote procedure call to the phpAdsNew program installed on ppc100 dot info. This is obviously a malicious ad server.

Be sure to remove both lines from your files.

I'm contemplating writing a script to automatically remove the links from the infected files, but this largely depends on whether I can knock one up quicker than it would take me to manually delete the lines. I'll post the script here if I do end up writing one.

[DavidAllen]

What server are you guys on - as often this type of think can affect a lot of accounts on the same server and others on that same server might be unaware that they are also affected.

[brighter]

Btw, if anyone want to search their files for this infection, you can search for a number of things.

1. The eval(base64... statement.

Code:

find . -name "*" -exec grep "eval(base64_decode(" -l {} \;

2. The id of the divider surrounding the links, though this is likely to be changed periodically by the attacker.

Code:

find . -name "*" -exec grep "myDiv412" -l {} \;

3. dc.write statements responsible for hiding the dodgy links.

Code:

find . -name "*" -exec grep "dc\.write(" -l {} \;

4. Some of the text in the block of dodgy links, though when I tried this it didn't return all infected files because the links varied.

Code:

find . -name "*" -exec grep "mind in love saying" -l {} \;

Note: These commands will search recursively from the current directory in all files. It could take some time. You could change the command to search the public_html directory in all html files by changing the command to the following (using example 1):

Code:

find public_html -name "*.html" -exec grep "eval(base64_decode(" -l {} \;

[brighter]

firefly

I spoke to someone via chat. They say that no other accounts are infected, but I doubt they could know that for certain in the time it took them to check.

[brighter]

Ok. I've got a basic script. It's not perfect. It looks at all html files and replaces all lines that match the matchstring with nothing. It creates backup files with a .bak extension whether a file is altered or not.

Code:

find . -name "*.html" -exec sed -e '/^matchstring*/d' -i.bak {} \;

So, replace matchstring with the malicious line you want removed.

BACKUP ALL FILES FIRST!! just in case something goes wrong.

Edit: And if you want to check other files, just change the *.html to *.whatever, or just use * alone to search all files.

[jc8654]

I had this a while ago. It was only the one account on the VPS which seemed a bit odd. I had a backup copy so just wiped it and reuploaded as it is only a CSS and HTML site.

[eUKhost.com]

Firefly was reserved for customers who needed SSH access and no "security settings". We have 2 servers reserved for such customers as some customers using CMS like Joomla or Mambo need mod_security and php disabled_functions disabled on the server.

We have basic security for this 2 servers but they are not as secure as other servers.