The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hi,
My forum got hacked 5 times, with one today, and I wonder if someone knows how to block the kind of hack below. Many experts said that changing the FTP password will not resolve this problem, but that knowing where in my forum this injection came from will. I think, and can confirm, that it came from an injection. Could someone please tell me where it comes from? The hacker put his code below, in order to redirect my forum to malware programs:

Code:
```html
<script type="text/javascript">
a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A', 'yle=', 'V', ' le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde', '00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver', 'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U', 'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b = bb = Array();
z = Array();
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,32,16,13,20,18,14,65,38,37,41,40,53,23,29,44);
b[1] = Array(45,5,62);
b[2] = Array(42,43);
ss = '';
for (ik in b) {
  z[ik] = '';
  for (i = 0; i < b[ik].length; ++i) {
    z[ik] += '' + a[b[ik][i]];
  }
}
document[z[1]](z[0]);
</script>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=microsoft-excel-2003-buy">microsoft excel 2003 buy</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=corel-draw-12-mac">corel draw 12 mac</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=purchase-corel-draw-x4">purchase corel draw x4</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=download-microsoft-office-2008-for-mac">download microsoft office 2008 for mac</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=buy-norton-360-license">buy norton 360 license</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=buy-windows-xp-sp3-oem">buy windows xp sp3 oem</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=buy-adobe-premiere-cs4">buy adobe premiere cs4</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=master-collection-cs4-system-requirements">master collection cs4 system requirements</a>
<script type="text/javascript">
document[z[1]](z[2]);
</script>
```
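Added example, not part of the original posts: a static decode of the script above that rebuilds its strings from the lookup table and index arrays without executing it, showing that it calls `document.writeln` to wrap the links in an off-screen, clipped `<div>`. The names `SAMPLE`, `parseTable`, `decode` and `hidesContent` are assumptions made for this example.

```javascript
// Constructed sample: declarations copied from the script in the first post, kept as inert text.
const SAMPLE = String.raw`a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A',
'yle=', 'V', ' le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde',
'00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver',
'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U',
'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,
32,16,13,20,18,14,65,38,37,41,40,53,23,29,44); b[1] = Array(45,5,62); b[2] = Array(42,43);`;

// Read the single-quoted string table `a` as text; nothing from the script is evaluated.
function parseTable(src) {
  const m = /\ba\s*=\s*Array\(([\s\S]*?)\);/.exec(src);
  if (!m) throw new Error('string table not found');
  const table = [];
  for (const lit of m[1].matchAll(/'((?:\\.|[^'\\])*)'/g)) {
    table.push(lit[1].replace(/\\(.)/g, '$1')); // undo escapes such as \"
  }
  return table;
}

// Rebuild each b[n] index list into the string the script would assemble in z[n].
function decode(src) {
  const table = parseTable(src);
  const out = [];
  for (const m of src.matchAll(/\bb\[(\d+)\]\s*=\s*Array\(([\d,\s]+)\)/g)) {
    const idx = m[2].split(',').map(Number);
    if (idx.some((i) => table[i] === undefined)) {
      throw new Error('index outside string table in b[' + m[1] + ']');
    }
    out[Number(m[1])] = idx.map((i) => table[i]).join('');
  }
  return out;
}

// Flag markup that hides what it wraps: negative offsets or clipped overflow.
function hidesContent(html) {
  return /(top|left)\s*:\s*-\d+/i.test(html) || /overflow\s*:\s*hidden/i.test(html);
}

// z[1] is the document method name; z[0] and z[2] are the markup passed to it.
decode(SAMPLE).forEach((s, n) => console.log(`z[${n}] = ${s}  hidden=${hidesContent(s)}`));
```

Unused entries in the table (`'c4v4'`, `'rxkQ'`, `'ZHA'` and similar) are padding that no index list references.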
#2
And where does he put this?
In a post? Injected into your templates?
#3
It's fine now. I've found 2 injector files in "Wordpress and vBulletin"; it was a malware program that entered via the Wordpress "Uploads" folder, named wp-pass.php and tooper.php.
These 2 files contain some PHP code for redirecting people to malware links, to steal credential information etc., then they go to the vBulletin files. So the problem was found to be from "Wordpress bug security v2.2".

Regards.