And we got hacked again. Fuckers. A bunch of weird scripts and, sadly, a Wells Fargo phishing site appeared around 24th April. And apparently we were sending those “you have won $xx” emails. If you are visiting wondering why we are spamming you, sorry about that. I am now looking for a host that allows a daily scan for changes and sends an email notifying me of any such changes. I have never bothered to learn PHP, but it's starting to seem like I should. If you are visiting because you don't know shit either, and your host has said it's your problem to find and fix, there are some good resources on the net, but here's what I found. One thing that seems to show up in all of these spams is the following statement, or something similar, which was in a file called “mailer.php”:
$email = base64_decode("bmdlbnRvdC55dWsuY2F5YW5rQGdtYWlsLmNvbQ==");
When decoded, this says send an email with the phished details to a specific Gmail address. I've sent the address to Google and Wells Fargo – whether they do anything with that, who knows.
Again, to be clear, I don't know PHP at all, but some basic searches revealed that the following files installed on my account were bad (all in the root of the public html folder):
mailer.php – had the above-mentioned “forward your details to criminals with tiny penises” script.
wp-inc.php – contained a set of hacking tools, encoded, starting with the following statement: eval(gzinflate(str_rot13(base64_decode(“7X14ats6rujnnrXOf0M1OSN712R5J……………..
redirect.php – contained some code and a weird redirect to a site that hosted a Wells Fargo phishing site.
data.php – contained what appears to be some backdoor script.
2x.php – which Windows declared to contain a backdoor virus and a file to completely distrust. I had a look inside and it seemed to be designed to gather passwords and other files starting with a “.”.
In addition there was a folder called “z” which contained a script called “C2.php” which claimed to be a cPanel and FTP hacking script. Also in this folder were a set of zero-byte files with names that looked like either email addresses to spam or password types to try.
A file called z.zip which contained a complete copy of a Wells Fargo phishing site and a group of PHP scripts.
Nothing to do but delete them, change the passwords and try again. Would be nice if the hosts could scan for eval(base64 additions, or even just provide a method of reporting anything changed with .php at the end or starting with a “.”
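The daily scan the post wishes a host would provide is something you can run yourself from a cron job on the account. What follows is an added example written for this post, not the author's script and not any host's tooling. It keeps a SHA-256 baseline of the web root, reports every added, modified or removed file, singles out the files the post says to watch (anything ending in .php, or any path component starting with “.”), and greps every file for the two obfuscation patterns the post quotes: eval() wrapped around gzinflate/str_rot13/base64_decode, and base64_decode() of a long literal. The web root path, the baseline file name and the sample site it builds in a temp directory are all constructed for the demo; the base64 literal in the samples is a harmless placeholder, not the address from the real mailer.php.

```python
#!/usr/bin/env python3
"""Daily change-and-indicator scan for a PHP web root (added example, not the post's code).

Assumes a cron job can run on the account and that the web root and baseline
file paths are yours to choose; run directly, it works only on a constructed
temp-directory site.
"""
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Indicators for the obfuscation quoted in the post.
SUSPICIOUS = {
    "eval-of-decoder": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "base64-literal": re.compile(
        r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{20,}['\"]\s*\)", re.I),
}


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root (dotfiles included)."""
    return {str(p.relative_to(root)).replace("\\", "/"): file_sha256(p)
            for p in root.rglob("*") if p.is_file()}


def is_watched(rel: str) -> bool:
    """The post's rule: anything ending in .php, or any path component starting with '.'."""
    return rel.endswith(".php") or any(part.startswith(".") for part in rel.split("/"))


def scan_indicators(root: Path, rel_paths) -> dict:
    """{rel_path: [indicator names]} for files matching any SUSPICIOUS pattern."""
    hits = {}
    for rel in rel_paths:
        try:
            text = (root / rel).read_text(errors="replace")
        except OSError:
            continue
        names = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if names:
            hits[rel] = names
    return hits


def daily_check(root: Path, baseline: Path) -> dict:
    """Diff the tree against the stored baseline, flag watched and suspicious
    files, then store the current snapshot as tomorrow's baseline."""
    current = snapshot(root)
    previous = json.loads(baseline.read_text()) if baseline.exists() else {}
    added = sorted(k for k in current if k not in previous)
    removed = sorted(k for k in previous if k not in current)
    modified = sorted(k for k in current if k in previous and previous[k] != current[k])
    report = {
        "added": added, "removed": removed, "modified": modified,
        "watched_changes": [k for k in added + modified if is_watched(k)],
        # every file is checked for indicators, not only changed ones, so a
        # backdoor that predates the first baseline is still reported
        "indicators": scan_indicators(root, sorted(current)),
    }
    baseline.write_text(json.dumps(current, indent=1, sort_keys=True))
    return report


def format_report(report: dict) -> str:
    """Plain-text body suitable for piping into mail(1) from cron."""
    lines = [f"{key:16} {rel}" for key in ("added", "modified", "removed", "watched_changes")
             for rel in report[key]]
    lines += [f"{'INDICATOR':16} {rel}: {', '.join(names)}"
              for rel, names in report["indicators"].items()]
    return "\n".join(lines) if lines else "no changes, no indicators"


def demo() -> tuple:
    """Constructed scenario: a clean site on day 1, then a drop like the post's on day 2."""
    tmp = Path(tempfile.mkdtemp())
    try:
        root, baseline = tmp / "public_html", tmp / "baseline.json"
        root.mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "style.css").write_text("body { color: #000; }\n")
        first = daily_check(root, baseline)  # establishes the baseline
        # constructed samples modelled on the post's file list; the base64
        # literal is a harmless placeholder, not the real address
        (root / "mailer.php").write_text(
            '<?php\n$email = base64_decode("QUFBQUFBQUFBQUFBQUFBQUFB");\n')
        (root / "wp-inc.php").write_text(
            '<?php eval(gzinflate(str_rot13(base64_decode("QUFBQUFBQUFBQUFBQUFBQUFB"))));\n')
        (root / "z").mkdir()
        (root / "z" / ".passwords").write_text("")
        second = daily_check(root, baseline)
        return first, second
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    day1, day2 = demo()
    print("--- day 1 ---\n" + format_report(day1))
    print("--- day 2 ---\n" + format_report(day2))
```

On a real account you would point `daily_check` at the web root, keep the baseline file outside the web root so an intruder cannot quietly rewrite it, and have cron pipe `format_report` into mail. The regexes are deliberately narrow; they catch the two patterns the post quotes and will miss anything the attacker obfuscates differently, which is why the change report, not the indicator list, is the part to read every day.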
