
Help, site hacked!


  • Help, site hacked!

    Someone was able to log in to my site as "Admin", I could see it in the cp logs. It says they were working with template.php and plugins.

    They have somehow been able to insert adsense ads into posts using a combo of javascript and iframes. I thought the code would be in the postbit template, but I cannot find anything. I also tried disabling all of my plugins, etc., but it didn't help. I can't seem to find what they have done anywhere.

    When I look at the source code of the ads in the posts I see this. (note: the ads only display to users who are not logged in):

    <div class="content"> <div id="post_message_86480"> <blockquote class="postcontent restore "> <!-- google_ad_section_start -->Hi, This is my first post. Thanks<br /> <br /> Love &amp; best wishes,<br /> Lalita.<!-- google_ad_section_end --> <br /><br /><Script Language='Javascript'>document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22% 74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%67%6F%6F%67%6C%65%5F%61%64%5F%63%6C%69% 65%6E%74%20%3D%20%22%63%61%2D%70%75%62%2D%39%31%30%39%36%36%34%32%30%34%35%35%38%33%39%38% 22%3B%67%6F%6F%67%6C%65%5F%61%64%5F%73%6C%6F%74%20%3D%20%22%34%33%35%32%34%37%37%30%36%31% 22%3B%67%6F%6F%67%6C%65%5F%61%64%5F%77%69%64%74%68%20%3D%20%37%32%38%3B%67%6F%6F%67%6C%65% 5F%61%64%5F%68%65%69%67%68%74%20%3D%20%39%30%3B%3C%2F%73%63%72%69%70%74%3E%0A%3C%73%63%72% 69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63% 3D%22%68%74%74%70%3A%2F%2F%70%61%67%65%61%64%32%2E%67%6F%6F%67%6C%65%73%79%6E%64%69%63%61% 74%69%6F%6E%2E%63%6F%6D%2F%70%61%67%65%61%64%2F%73%68%6F%77%5F%61%64%73%2E%6A%73%22%3E%3C% 2F%73%63%72%69%70%74%3E'));</Script> </blockquote> </div> </div> </div> <div class="after_content">

  • #2
    I just searched my database and 8 results for the obfuscated javascript showed up in the table "externalcache". Not sure what that table is used for or how it got in there. Any ideas?
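
Added example, not part of any post in this thread: a Python triage helper that finds `document.write(unescape(...))` injections like the one quoted in the first post, whether in page source or in database rows such as the `externalcache` hits, then decodes them and pulls out the AdSense publisher ID, slot and script URL. The sample row, its IDs and the `ads.example.invalid` host are constructed placeholders, and the helper assumes a fully %XX-encoded payload as seen on this page.

```python
import re
from urllib.parse import unquote

# document.write(unescape('...')) in any letter case or spacing.
UNESCAPE_CALL = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL)
AD_CLIENT = re.compile(r"google_ad_client\s*=\s*[\"']([^\"']+)[\"']")
AD_SLOT = re.compile(r"google_ad_slot\s*=\s*[\"']([^\"']+)[\"']")
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def decode_injections(html):
    """Return one finding per document.write(unescape(...)) call found in html."""
    findings = []
    for match in UNESCAPE_CALL.finditer(html):
        # Assumption: payload is fully %XX-encoded, so any whitespace inside it
        # comes from line wrapping and can be dropped. %uXXXX is not handled.
        encoded = re.sub(r"\s+", "", match.group(2))
        decoded = unquote(encoded, encoding="latin-1")
        client, slot = AD_CLIENT.search(decoded), AD_SLOT.search(decoded)
        findings.append({
            "offset": match.start(),
            "decoded": decoded,
            "ad_client": client.group(1) if client else None,
            "ad_slot": slot.group(1) if slot else None,
            "script_srcs": SCRIPT_SRC.findall(decoded),
        })
    return findings


# Constructed sample (placeholder IDs and host), encoded the same way.
SAMPLE_PLAIN = (
    '<script type="text/javascript">google_ad_client = "ca-pub-0000000000000000";'
    'google_ad_slot = "0000000000";</script>\n'
    '<script type="text/javascript" src="http://ads.example.invalid/show_ads.js"></script>')
_enc = "".join("%{:02X}".format(b) for b in SAMPLE_PLAIN.encode("latin-1"))
SAMPLE_ROW = ("<blockquote>Hi, this is my first post.<br />"
              "<Script Language='Javascript'>document.write(unescape('"
              + _enc[:40] + " " + _enc[40:] + "'));</Script></blockquote>")

if __name__ == "__main__":
    for f in decode_injections(SAMPLE_ROW):
        print(f["offset"], f["ad_client"], f["ad_slot"], f["script_srcs"])
```

Run it over each suspicious row or template body; the decoded publisher ID is the value to include in a report to Google.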


    • #3
      I don't know if you could do this, but you should report the adsense code to Google, that's gotta be something against their rules, you could probably get their account banned.


      • #4
        Thanks, I just notified Google about it.

        I notice that the code they inserted is appearing only to non-logged in users, between the <blockquote> tags. Not sure if that helps.


        • #5
          I finally found it. There were 3 entries in the "Plugin Manager" called:

          Admin Linker Group Message
          Admin Linker Posts and PMs
          Admin Linker Visitor

          These all pointed to new files that were created on my ftp.

          I can't tell how they created them, but all of the files in ftp that they created say owner is 99.
          The owner of everything else is my ftp username.
          Last edited by mrdon; Fri 14 Jun '13, 10:55am.


          • #6
            If you have access to the logs around the time this happened originally, you need to check the logs for injections etc. from that date, to try and track how they were able to get in.

            As they added code to the plugins & created files on the server, this tells me you most likely have insecure scripts on the server & that they were able to exec code from tmp most likely, as well as sql injections, so it can range from an insecure hack you have installed to an outdated version of vb.

            Do you have a server admin that is taking care of your server? It needs to be secured.
            Gentoo Geek

