Hacked website, code is encrypted in hex, unable to identify

Question

my web site hacked and i am getting code in index page, but i am unable to find that where is the code in my web site...

%3c%68%74%6d%6c%3e%3c%68%65%61%64%3e%0d%0a%3c%6d%65%74%61%20%63%6f%6e%74%65%6e%74%3d%22%74%65%78%74%2f%68%74%6d%6c%3b%20%63%68%61%72%73%65%74%3d%75%74%66%2d%38%22%3e%0d%0a%3c%74%69%74%6c%65%3e%2e%2f%20%72%45%64%20%58%20%7c%20%33%78%70%31%72%33%20%43%79%62%65%72%20%41%72%6d%79%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%6d%65%74%61%20%6e%61%6d%65%3d%22%61%75%74%68%6f%72%22%20%63%6f%6e%74%65%6e%74%3d%22%72%45%64%20%58%22%20%2f%3e%0d%0a%3c%6d%65%74%61%20%6e%61%6d%65%3d%22%6b%65%79%77%6f%72%64%73%22%20%63%6f%6e%74%65%6e%74%3d%22%72%45%64%20%58%2c%33%78%70%31%72%33%20%43%79%62%65%72%20%41%72%6d%79%2c%5a%6f%6e%65%2d%48%2c%42%61%6e%67%6c%61%64%65%73%68%69%20%48%61%63%6b%65%72%22%20%2f%3e%0d%0a%3c%6d%65%74%61%20%6e%61%6d%65%3d%22%64%65%73%63%72%69%70%74%69%6f%6e%22%20%63%6f%6e%74%65%6e%74%3d%22%5b%20%72%45%64%20%58%20%2e%2e%20%54%68%65%20%52%65%61%6c%20%4f%75%74%72%61%67%65%6f%75%73%20%5d%22%20%2f%3e%0d%0a%3c%6c%69%6e%6b%20%72%65%6c%3d%22%53%48%4f%52%54%43%55%54%20%49%43%4f%4e%22%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%75%73%2e%79%69%6d%67%2e%63%6f%6d%2f%69%2f%6d%65%73%67%2f%65%6d%6f%74%69%63%6f%6e%73%37%2f%36%31%2e%67%69%66%22%3e%0d%0a%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%0d%0a%62%6f%64%79%20%7b%62%61%63%6b%67%72%6f%75%6e%64%2d%69%6d%61%67%65%3a%20%75%72%6c%28%68%74%74%70%3a%2f%2f%6d%65%64%69%61%2e%73%6f%6d%65%77%68%65%72%65%69%6e%62%6c%6f%67%2e%6e%65%74%2f%69%6d%61%67%65%73%2f%6f%6e%64%68%6f%6b%61%72%65%72%5f%72%61%6a%70%75%74%72%61%5f%31%33%33%38%32%35%30%34%33%31%5f%31%2d%62%67%2e%67%69%66%29%3b%0d%0a%62%61%63%6b%67%72%6f%75%6e%64%2d%63%6f%6c%6f%72%3a%20%62%6c%61%63%6b%3b%63%6f%6c%6f%72%3a%20%23%46%46%41%35%30%30%3b%66%6f%6e%74%2d%77%65%69%67%68%74%3a%20%62%6f%6c%64%3b%74%65%78%74%2d%61%6c%69%67%6e%3a%20%63%65%6e%74%65%72%3b%7d%0d%0a%69%6d%67%7b%6f%70%61%63%69%74%79%3a%30%2e%37%35%3b%20%66%69%6c%74%65%72%3a%61%6c%70%68%61%28%6f%70%61%63%69%74%79%3d%37%35%29%3b%7d%0d%0a%2e%72%65%64%78%20%7b%74%65%78%74%2d%73%68%61%64%6f%77%3a%20%30%20%30%20%36%70%78%20%72%65%64%2c%20%30%20%30%20%35%70%78%20%72%65%64%2c%20%30%20%30%20%35%70%78%20%72%65%64%3b%63%6f%6c%6f%72%3a%20%23%46%46%46%7d%0d%0a%3c%2f%73%74%79%6c%65%3e%0d%0a%3c%2f%68%65%61%64%3e%0d%0a%3c%62%6f%64%79%20%6f%6e%63%6f%6e%74%65%78%74%6d%65%6e%75%3d%22%72%65%74%75%72%6e%20%66%61%6c%73%65%22%20%6f%6e%6b%65%79%64%6f%77%6e%3d%22%72%65%74%75%72%6e%20%66%61%6c%73%65%22%20%6f%6e%6d%6f%75%73%65%64%6f%77%6e%3d%22%72%65%74%75%72%6e%20%66%61%6c%73%65%22%3e%0d%0a%3c%64%69%76%20%73%74%79%6c%65%3d%22%66%6f%6e%74%2d%66%61%6d%69%6c%79%3a%20%50%61%6c%61%74%69%6e%6f%20%4c%69%6e%6f%74%79%70%65%3b%66%6f%6e%74%2d%73%69%7a%65%3a%20%34%36%70%78%3b%22%20%63%6c%61%73%73%3d%22%72%65%64%78%22%3e%2e%3a%3a%20%72%45%64%20%58%20%57%61%73%20%48%65%72%65%20%3a%3a%2e%3c%2f%64%69%76%3e%3c%62%72%2f%3e%0d%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%6d%65%64%69%61%2e%73%6f%6d%65%77%68%65%72%65%69%6e%62%6c%6f%67%2e%6e%65%74%2f%69%6d%61%67%65%73%2f%6f%6e%64%68%6f%6b%61%72%65%72%5f%72%61%6a%70%75%74%72%61%5f%31%33%35%33%35%35%32%36%35%31%5f%31%2d%72%65%64%2d%78%2e%6a%70%67%22%3e%3c%62%72%2f%3e%0d%0a%3c%64%69%76%20%73%74%79%6c%65%3d%22%66%6f%6e%74%2d%66%61%6d%69%6c%79%3a%20%42%6f%6f%6b%6d%61%6e%20%4f%6c%64%20%53%74%79%6c%65%3b%63%6f%6c%6f%72%3a%20%23%30%30%30%3b%66%6f%6e%74%2d%73%69%7a%65%3a%20%32%30%70%78%3b%6d%61%72%67%69%6e%3a%30%3b%74%65%78%74%2d%73%68%61%64%6f%77%3a%20%30%20%31%70%78%20%33%70%78%20%23%30%30%46%46%30%30%2c%20%2d%31%70%78%20%30%20%33%70%78%20%23%30%30%46%46%30%30%2c%20%30%20%2d%31%70%78%20%33%70%78%20%23%30%30%46%46%30%30%2c%20%31%70%78%20%30%20%33%70%78%20%23%30%30%46%46%30%30%3b%22%3e%50%72%6f%75%64%20%54%6f%20%62%65%20%61%20%42%61%6e%67%6c%61%64%65%73%68%69%20%48%61%63%6b%65%72%3c%2f%64%69%76%3e%3c%62%72%2f%3e%0d%0a%3c%64%69%76%20%73%74%79%6c%65%3d%22%66%6f%6e%74%2d%66%61%6d%69%6c%79%3a%20%42%65%72%6c%69%6e%20%53%61%6e%73%20%46%42%3b%63%6f%6c%6f%72%3a%20%23%31%35%31%42%35%34%3b%66%6f%6e%74%2d%73%69%7a%65%3a%20%32%30%70%78%3b%74%65%78%74%2d%73%68%61%64%6f%77%3a%20%30%20%30%20%33%70%78%20%23%30%30%46%46%30%30%2c%20%30%20%30%20%33%70%78%20%23%30%30%46%46%30%30%2c%20%30%20%30%20%33%70%78%20%23%66%66%66%2c%20%30%20%30%20%35%70%78%20%23%46%30%30%2c%20%30%20%30%20%35%70%78%20%23%66%66%32%64%39%35%3b%22%3e%44%65%61%72%20%41%44%4d%49%4e%3c%62%72%2f%3e%21%20%53%65%63%75%72%65%20%79%6f%75%72%20%53%49%54%45%20%21%3c%2f%64%69%76%3e%3c%62%72%2f%3e%0d%0a%3c%64%69%76%20%73%74%79%6c%65%3d%22%66%6f%6e%74%2d%73%69%7a%65%3a%20%31%38%70%78%3b%66%6f%6e%74%2d%66%61%6d%69%6c%79%3a%20%43%65%6e%74%75%72%79%20%47%6f%74%68%69%63%3b%63%6f%6c%6f%72%3a%20%23%30%30%30%3b%74%65%78%74%2d%73%68%61%64%6f%77%3a%20%30%20%30%20%33%70%78%20%6c%69%6d%65%2c%20%30%20%30%20%33%70%78%20%6c%69%6d%65%2c%20%30%20%30%20%35%70%78%20%23%66%66%32%64%39%35%2c%20%30%20%30%20%35%70%78%20%23%66%66%32%64%39%35%3b%22%3e%72%65%64%2d%78%40%68%61%63%6b%65%72%6d%61%69%6c%2e%63%6f%6d%3c%2f%64%69%76%3e%0d%0a%3c%62%72%2f%3e%3c%64%69%76%20%73%74%79%6c%65%3d%22%66%6f%6e%74%2d%73%69%7a%65%3a%20%32%30%70%78%3b%22%3e%2e%2e%3a%3a%7c%20%47%72%65%65%74%7a%20%7c%3a%3a%2e%2e%3c%2f%64%69%76%3e%0d%0a%3c%64%69%76%20%73%74%79%6c%65%3d%22%66%6f%6e%74%2d%66%61%6d%69%6c%79%3a%20%42%6f%6f%6b%20%41%6e%74%69%71%75%61%3b%63%6f%6c%6f%72%3a%20%67%72%65%79%3b%66%6f%6e%74%2d%73%69%7a%65%3a%20%32%30%70%78%3b%74%65%78%74%2d%73%68%61%64%6f%77%3a%20%72%65%64%20%31%70%78%20%2d%30%70%78%20%36%70%78%22%3e%2e%3a%3a%20%78%33%6f%2d%31%33%33%37%20%7c%20%47%61%62%62%79%20%7c%20%24%70%21%72%21%74%7e%24%33%33%6b%33%72%20%7c%20%46%72%45%61%4b%79%20%3a%3a%2e%3c%62%72%2f%3e%41%6c%6c%20%4d%65%6d%62%65%72%73%20%6f%66%20%33%78%70%31%72%33%20%43%79%62%65%72%20%41%72%6d%79%3c%2f%64%69%76%3e%3c%62%72%2f%3e%0d%0a%3c%65%6d%62%65%64%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%79%6f%75%74%75%62%65%2e%67%6f%6f%67%6c%65%61%70%69%73%2e%63%6f%6d%2f%76%2f%70%74%5a%31%77%6f%33%4a%73%50%63%26%61%75%74%6f%70%6c%61%79%3d%31%26%6c%6f%6f%70%3d%31%22%20%74%79%70%65%3d%22%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%73%68%6f%63%6b%77%61%76%65%2d%66%6c%61%73%68%22%20%77%6d%6f%64%65%3d%22%74%72%61%6e%73%70%61%72%65%6e%74%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%62%6f%64%79%3e%3c%2f%68%74%6d%6c%3e'

score 4 · Accepted Answer · answered Oct 19 '13 at 13:22

Converting chars to hex is not really encryption. Converted back to ASCII characters it's just a regular html document, letting you know who the hackers are:

<html><head>
<meta content="text/html;charset=utf-8">
<title>./rEdX|3xp1r3CyberArmy</title>
<meta name="author" content="rEdX"/>
<meta name="keywords" content="rEdX, 3xp1r3CyberArmy, Zone-H, Bangladeshi Hacker"/>
<meta name="description" content="[rEdX..TheRealOutrageous]"/>
<link rel="SHORTCUTICON" href="http://us.yimg.com/i/mesg/emoticons7/61.gif">
<style type="text/css">
body{ 
background-image:url(http://media.somewhereinblog.net/images/ondhokarer_rajputra_1338250431_1-bg.gif);
background-color:black;
color:#FFA500;
font-weight:bold;
text-align:center;
}
img{
opacity:0.75;
filter:alpha(opacity=75);
}
.redx{
text-shadow: 0 0 6px red, 0 0 5px red, 0 0 5px red;
color: #FFF
}
</style>
</head>
<body oncontextmenu="returnfalse" onkeydown="returnfalse" onmousedown="returnfalse">
<div style="font-family: Palatino Linotype; font-size:46px;" class="redx">.::rEdXWasHere::.</div><br/>
<img src="http://media.somewhereinblog.net/images/ondhokarer_rajputra_1353552651_1-red-x.jpg"><br/>
<div style="font-family: Bookman Old Style; color:#000; font-size:20px; margin:0; text-shadow: 0 1px 3px #00FF00, -1px 0 3px #00FF00, 0 -1px 3px #00FF00, 1px 0 3px #00FF00;">Proud To be a Bangladeshi Hacker</div><br/>
<div style="font-family: Berlin Sans FB; color:#151B54; font-size:20px; text-shadow: 0 0 3px #00FF00, 0 0 3px #00FF00, 0 0 3px #fff, 0 0 5px #F00, 0 0 5px #ff2d95;">Dear ADMIN<br/>!Secure your SITE!</div><br/>
<div style="font-size:18px; font-family: Century Gothic; color:#000; text-shadow: 0 0 3px lime, 0 0 3px lime, 0 0 5px #ff2d95, 0 0 5px #ff2d95;">red-x@hackermail.com</div>
<br/><div style="font-size:20px;">..::|Greetz|::..</div>
<div style="font-family: Book Antiqua; color:grey; font-size:20px; text-shadow: red 1px -0px 6px">.::x3o-1337|Gabby|$p!r!t~$33k3r|FrEaKy::.<br/>All Members of 3xp1r3 Cyber Army</div><br/>
<embed src="http://youtube.googleapis.com/v/ptZ1wo3JsPc&autoplay=1&loop=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></body></html>

i get it, but match of this coding is not in any of page in my site. how i will find it? — dhakad, Oct 21 '13 at 13:09
Ehhh what? When you browse your sites index page in a browser, the string "%3c%68%74%6d%6c%3e%3c..." is displayed, but when you open the file on the server there's nothing like it in the actual file? — Mathias R. Jessen, Oct 21 '13 at 14:31
yes,,, i search in every php and js file ,, i cant find it.. — dhakad, Oct 21 '13 at 14:47
It's not unusual for php exploits to obfuscate statements in more than one turn. In that case eval() is often used to expand and execute the obfuscated payload. Look for eval( instead, or code that fetches external resources — Mathias R. Jessen, Oct 21 '13 at 15:53
@dhakad Ultimately it doesn't matter where the code is (unless you don't have a known-good backup prior to the compromise and need to scrub your live code to restore to the machine after you rebuild from this compromise…) -- What matters is determining how they got in so you can close that hole during your rebuild... — voretaq7, Oct 21 '13 at 15:59

Hacked website, code is encrypted in hex, unable to identify

1 Answers1