Hijack! And Bit(hing About it!

Filed Under (Journal) by Casey on 18-08-2010


My site has been hijacked not once but twice! Some of you might have noticed that a few weeks ago, when I wasn’t updating my blog, your visit would have been redirected to another site.

This site is about how your site or your computer is being infected by a virus blah blah blah…

That is what it means by being hijacked. They hijack my visitors…

These hi-wankers seem to be able to embed a piece of code into my site, and it is everywhere at the top of all my PHP files.

While it seems harmless, it is nevertheless frustrating and annoying.

The code looks something like this…

The encoded code is long, but when one decodes it, one will be able to see that this script will direct visitors accessing these PHP files or the site to a site encoded in the code. Most of these sites are either anti-spam or anti-virus sites. Ironic isn’t it?

I believe it is these twats that hack and hijack sites with vulnerable site security such as mine.

Once hijacked… the only thing to do next was for me to clean up the codes as soon as possible.

I first had to scour the internet to find a way to clean this code up. If not, I needed to clean each file up one by one! And that would mean… a long, tedious, frustrating exercise.

Luckily for me, my webhost provider gave me a script file to assist me. But it was not able to help me clean up these files 100%. Some files I had to clean up manually myself.

There does not seem to be a clear-cut solution for cleaning up the mess 100%, but this script, which my webhost provider forwarded to me, helped me a bit.

So… Allow me to share this solution with you if any of you site owners out there have also been hijacked in the same manner. This is my solution to help you, not 100%, but at least to save you some time.

  1. Create a fix.php file using an HTML editor (or whatever site editor one uses)
  2. Copy and paste the code below into this fix.php file.
  3. Upload this file to the root folder on your webhost server
  4. Then run the file by going to your browser and typing in http://yousite.com/fix.php

fix.php

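<?php
// Remove fix.php from the server once it has run.
// Let the script run as long as it needs to on large sites.
set_time_limit(0);

// Start from the folder fix.php was uploaded to.
$dir = "./";

// Strip the injected eval(base64_decode("aWY...")) header from every .php file.
// -print0 / -0 keep file names that contain spaces in one piece.
$rmcode = `find $dir -name "*.php" -type f -print0 | xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1`;
echo "Malware removed.<br />\n";
// Delete the blank lines left at the top of each file.
$emptyline = `find $dir -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d' 2>&1`;
echo "Empty lines removed.<br />\n";
?>
<br />
Completed.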

It should look something like this:

Simple eh… next check the date of all your PHP files. If it shows today’s date, that means this file has successfully cleaned up your other PHP files.


(ignore the .htaccess file in the above example)

Continue to check other php files in your subfolders. You will notice that some dates are different from the date on which you just fixed the files. You will also be able to know the time and date your site was hacked and hijacked.

If you notice some date discrepancy on your PHP files within a folder, you will then need to check these files individually to see if the script has cleaned them or if the files were not infected originally.
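To see which files the script missed without opening each one, here is a read-only scan, added as an example and not part of the original post or the webhost's script. Only the marker string comes from fix.php above; the function names, the looser second pattern and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): read-only scan, nothing is modified.
# MARKER is the literal prefix that fix.php's sed pattern targets.
MARKER='eval(base64_decode("aWY'
# LOOSE is an assumption: any eval(base64_decode( call, whatever quoting or spacing.
LOOSE='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('

# Print "STATUS<TAB>mtime<TAB>path" for each suspicious *.php file under $1.
#   INJECTED = contains the exact marker, so fix.php has not cleaned this file
#   REVIEW   = some other eval/base64_decode call; inspect it by hand
# The mtime column uses `date -r FILE` (GNU/BusyBox date).
scan_injected() {
  find "$1" -type f -name '*.php' -exec grep -lE -- "$LOOSE" {} + |
  while IFS= read -r f; do
    if grep -qF -- "$MARKER" "$f"; then status=INJECTED; else status=REVIEW; fi
    printf '%s\t%s\t%s\n' "$status" "$(date -r "$f" '+%Y-%m-%d %H:%M')" "$f"
  done | sort
}

# Count the files reported with status $2 (INJECTED or REVIEW) under $1.
count_status() {
  scan_injected "$1" | grep -c "^$2" || true
}

# Build a small constructed site tree under $1; the payloads are inert placeholders.
make_sample() {
  mkdir -p "$1/lib"
  printf '%s\n' '<?php echo "clean"; ?>' > "$1/clean.php"
  printf '%s\n' '<?php /**/ eval(base64_decode("aWYPLACEHOLDER")); ?><?php echo 1; ?>' > "$1/index.php"
  printf '%s\n' '<?php /**/ eval(base64_decode("aWYPLACEHOLDER")); ?>' > "$1/lib/my page.php"
  printf '%s\n' "<?php eval( base64_decode('PLACEHOLDER') ); ?>" > "$1/lib/variant.php"
}

# Demo on the constructed tree; on a real site call: scan_injected /path/to/docroot
demo=$(mktemp -d) && make_sample "$demo" && scan_injected "$demo"
rm -rf "$demo"
```

Files listed as REVIEW may be legitimate plugin code, so check them by hand before deleting anything.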

Next, just do a simple exercise by reinstalling your site to a lower version and then upgrading back up again. That would ensure that the core PHP files are clean. (Always back up your database before doing this)

If your webhosting provider uses SimpleScript or you use SimpleScript to upload your WordPress, Joomla or any other PHP content management system, then this exercise is much easier. With just a few clicks… Voilà!! Down and up in a matter of minutes.

Come to think of it… I think one should do this simple exercise first of downgrading and upgrading the core files before one should execute the fix.php files.

Anyway… whichever way one wants to do it… It should help ease the frustration of trying to clean the files one by one.

Man… this site is meant to be about forex… and not an internet solution site… :)

Oh well, just in case some of you forex traders out there are also site and blog owners and coincidentally got your site hijacked, this will help you.

So how do you stop your site from getting hijacked in the future?!

It seems that I can’t find a clear-cut solution on the internet. The only solution presented in my Google search is to change my password regularly and update my WordPress as and when there is an update.

Shitty isn’t it?

I guess that is the only way until some smart genius comes up with a solution to stop these a$$holes from hijacking sites.

Life goes on…
