Free hacker warning script

At present, there is a massive hacking attack going on that is affecting thousands of sites. Fortunately, no Article Friendly sites have been vandalized, but other free article scripts have been hacked and continue to be hacked because forum mods do not know what's happening and are giving incorrect advice, or are trying to minimize the danger to users' sites. For the hack detect pro script, please GO HERE!

Please note that if you have ANY other sites in your hosting account along with the Article Dashboard article directory script, they WILL be hacked too! Most affected have been Article Dashboard (see the Secunia security alert Right Here), Joomla, WordPress and other free scripts, but many other sites, including sites that are simple HTML, have been hacked and a poisoned iframe added to all their index pages, even if they are empty! The affected pages are any that are used as the first page for a site or folder, such as index, default, home etc., with any extension that page may use (.asp, .php, .htm, .html etc.)...

How it's done

This is a sophisticated operation, and the infection cycle is involved, but basically the hacker(s) set up innocent-looking sites (or use previously hacked sites whose owner is usually unaware of being compromised) and load them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor moves on, unaware that they may now have a keylogger that sends their passwords etc. to the hacker(s).

If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised: the hackers already have the FTP or root passwords to log in. And since they have at least your account FTP password, whatever permissions your folders and files are set to makes no difference.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the visitor's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked, so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands...

Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000, the Russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!

How can I tell if I've been hacked?

All your pages that a visitor would go to first to see your site (home page) will have the infected iframe, along with any login.php pages. This includes any index page in any subfolder, regardless of what the extension is. Be sure to check all index, default and home pages, and any login pages (just to be safe).

You will see errors on your site you didn't see before. This is due to the hackers intentionally causing errors after uploading many scripts to have the information passed on to them. They also upload a file called xhide, which is a process faker by schizoprenic Xnuxer Research 2002, and you will not be able to delete it (your host must), if you even find it...

The code may start like this:

It may also be unencoded and look like this:

The encoded iframe code may appear at the top of your index page, right after the body tag, or after the last closing html tag or ?> tag. If the infected script is using tpl or template files for the header, index and footer, the code may appear there rather than on the actual index page.

If your site has been hacked, it means that either the hackers entered your site through a weak script's known exploit, or your PC is infected and the hackers have your passwords. Both are bad news, but entry through a poorly written script is the better news for you. Check your cPanel access logs to see which script they used to upload pages or whole sites to your hosted account, VPS or dedicated server. If there's nothing there, then it probably means the hacker(s) have everything from your computer....

What do I do if I'm hacked?

If you find any of the hacker's code, remove it from all your site's pages and subfolder pages, or restore a clean backup. This alone will not help you though, as it has been reported over and over again that the hackers simply re-add the iframe code after cleaning.... Once in your site, they are going to keep trying again!

You need to clean your PC (reinstall if necessary) and change all your passwords. You especially need to change your hosting password and FTP passwords, but change every password. If using the Article Dashboard script, or another script that is never updated for your protection, DELETE it completely from your hosting account so the hackers can't get back in.

What should I do then?

You will need to monitor your sites frequently. This can be a hassle, or not possible for you, but it must be done to stop the infections! To help you with this, I'm offering a PHP script that can email you instantly if your site's index page has been altered, thereby minimizing the infections from your site(s). This script can be used to protect any site's script and subfolders where index, home or default pages reside, and can be run at set intervals with a cron job, or run manually by you.
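
The monitoring described above, as an added Python example (not the author's PHP script): it baselines every index, default, home and login page plus .tpl templates, then reports pages that changed, carry a hidden iframe, or have content after the closing html tag. The function names, the page-name pattern and the sample site are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Entry pages named in the article (any extension) plus .tpl template files.
ENTRY = re.compile(r"^(index|default|home|login)\.\w+$|\.tpl$", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"""(width|height)\s*[=:]\s*["']?\s*[01](px)?\b"""
                    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
AFTER_HTML = re.compile(r"</html\s*>\s*\S", re.I)

def entry_pages(root):
    return {str(p.relative_to(root)): p for p in Path(root).rglob("*")
            if p.is_file() and ENTRY.search(p.name)}

def snapshot(root):  # baseline taken while the site is known clean: path -> SHA-256
    return {rel: hashlib.sha256(p.read_bytes()).hexdigest()
            for rel, p in entry_pages(root).items()}

def audit(root, baseline):
    """Return {path: [reasons]} for entry pages that changed or look injected."""
    findings = {}
    for rel, p in entry_pages(root).items():
        data, reasons = p.read_bytes(), []
        text = data.decode("utf-8", "replace")
        if rel not in baseline:
            reasons.append("new entry page")
        elif baseline[rel] != hashlib.sha256(data).hexdigest():
            reasons.append("changed since baseline")  # catches encoded variants too
        if any(HIDDEN.search(tag) for tag in IFRAME.findall(text)):
            reasons.append("hidden iframe")
        if AFTER_HTML.search(text):
            reasons.append("content after </html>")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():  # constructed sample site: baseline it, tamper with one page, audit
    root = Path(tempfile.mkdtemp())
    (root / "blog").mkdir()
    clean = "<html><body>Home</body></html>\n"
    (root / "index.html").write_text(clean)
    (root / "blog" / "index.php").write_text("<?php echo 'blog'; ?>\n")
    (root / "about.html").write_text(clean)  # not an entry page, ignored
    baseline = snapshot(root)
    bad = '<iframe src="http://injected.example/" width="0" height="0"></iframe>'
    (root / "index.html").write_text(clean + bad)  # constructed tampering
    return baseline, audit(root, baseline)

if __name__ == "__main__":
    print(demo()[1])
```

Run `audit` from cron against a saved baseline and mail any non-empty result. Keep the baseline somewhere the FTP account cannot write, since the attack described here logs in with stolen FTP credentials.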