hacked: index.php replaced / changed

New Member Joined: Apr 05, 2006 Posts: 3

Hello,

Our website has been hacked. looks like they replaced the index.php file.

from what i can see they didn't touched the DB.

how is it possible that someone can replace the index.php ?

im the only one with ftp access (no one knows the codes except me)
nuke sentinal 2.4.1. running.
nuke 7.6 cs patched

looking at the sentinal tracked ip's, i dont see any strange stuff.
log files of the (hosted) server no strange things either.

could someone give me a hint where to look at in the log files / tracked ip's ?

greetings

Site Admin Joined: Jun 04, 2004 Posts: 6432

I would check FTP access. But I would also check for modules or other addons that do not use the standard method for accessing the database OR that allow file uploads (e.g. a gallery). If someone could upload a malicious file, they might be able to replace the index file.

Posted: Wed Apr 05, 2006 7:40 am

If you are using vwar, coppermine, or spchat they have holes that allow hackers to change files. Are you using any of these?

Posted: Wed Apr 05, 2006 2:17 pm

hi,

yes, using virtual war (v1.5 R9 BlackBox V2) and attachement mod for the forum.

maybe its better to switch to the standalone version of vwar instead...

Posted: Wed Apr 05, 2006 3:11 pm

looks like someone from brazil Smile

and they used Vwar for it

here is the ip they used
200.163.63.39 - - [03/Apr/2006:23:03:02 +0200]

...i deleted a part of the url they used...

=http://savsak1.sitemynet.com/rst.txt?"

Sells PC To Pay For Divorce Joined: Posts: 5661

well turkey is very fast this time..
ive send out a mail to 3 addresses belonging to the host and provider of that domain..
lol...its gone ....