| Author |
Message |
Serafim
Worker
Joined: Mar 25, 2006
Posts: 109
Location: Delaware Usa
|
 Posted:
Sun Oct 28, 2007 3:13 pm |
|
Well I haven't been on here in a while but I could sure use some help. I run an online auction Called herps4sale.com We are a simple site dedicated to hobbyist reptile keepers. I got this great message on my index page this afternoon
Hacked By kentunk
Indonesia Hacker Community
#sekuritionline #generation-x @ Dal.net
Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 4
Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 5
Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 6
Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 7
Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 8
Warning: mysql_query(): Access denied for user: 'nobody@localhost' (Using password: NO) in /home/herps4sa/public_html/maintenance.php on line 10
Warning: mysql_query(): A link to the server could not be established in /home/herps4sa/public_html/maintenance.php on line 10
Error: SELECT * FROM PHPAUCTIONXL_statssettings
Access denied for user: 'nobody@localhost' (Using password: NO)
I am not sure what happened, I assume someone accessed my config file and figured out where the password is located. I need to see what I can do to protect these files. I cannot remember what Chmod to place on such files. I did not set this site up I paid to have this done. The person that hosts me has yet to get back with me. I am sure she is aware of the issue as the index page was corrected. Anyone interested in helping me fix this please let me know. I am really not sure what would happen if I changed the chmod. Im not sure if it will break the site. But I know alot of damage was done and it cost me alot. Not to mention the embarrassment factor |
_________________
 |
|
  
 |
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Sun Oct 28, 2007 6:40 pm |
|
It is possible they changed your config file. If you have a file backup, you'll need to restore clean files. They also may have changed data in your database.
Really it is best you restore from a clean backup. And figure out how they got in and patch it. You will need to go through your access logs to determine how they got in.
If you haven't yet, secure your site with the latest Patched files and Nuke Sentinel. Or just switch to RavenNuke  |
_________________
- Star Wars Rebellion Network -
Need help? Nuke Patched Core, Coding Services, Webmaster Services |
|
|
|
|
Serafim
|
| Posted:
Sun Oct 28, 2007 6:55 pm |
|
Thanks evaders but the site is not a nuke site its php based but a totally seperate program. I did find where an odd log entry came in. It was a script called kiddies/safe.txt?
I can't find anything about it and cannot understand where it was installed or how. I have a copy of the script I located [ Only registered users can see links on this board! Get registered or login! ]
But again I do not understand what it means The attack originated from 200.160.240.34. Any help would be appreciated |
| |
|
|
|
|
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
|
| Posted:
Mon Oct 29, 2007 3:36 am |
|
[ Only registered users can see links on this board! Get registered or login! ]
We have been seeing alot of these as of late. They are called remote file inclusion attack(I think) What they do is try to include the code in the txt file so it is run on your site. IF the attack originated from 200.160.240.34 then that is the IP where the request came from.
You culd ban that IP but it will not do much good. They can just change the IP. Restoreing the site from Back-Up is the best way to get started. Once the restore is done...finding what was hit is the next step and how to stop it.
Without knowing the site or the setup it is really hard to point you in the right direction. I can tell you that RN (Sentinal Really) stops all of these kinds attacks. Maybe it is time to do a rebuild based on RN. On my own Nuke sites I bet I see 100 attacks like this a day.
Dawg |
Last edited by Dawg on Mon Oct 29, 2007 11:32 am; edited 1 time in total |
|
|
|
|
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
| Posted:
Mon Oct 29, 2007 7:27 am |
|
| Quote: | | the site is not a nuke site its php based but a totally seperate program |
Nuke Sentinel will not help you then. You really need to get the person who set this up to fix it and you need him/her to determine how the attack got in and put security in place to keep it from happening again. |
| |
|
|
|
|
evaders99
|
| Posted:
Mon Oct 29, 2007 10:10 am |
|
Yes the safe.txt is the beginning of a remote file inclusion attack. This script doesn't really show us how you were infected. Access logs would be able to show all activity from 200.160.240.34
Whatever PHP script you are using, you'll need to find the vulnerability and patch it. |
| |
|
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
|
| Posted:
Mon Oct 29, 2007 12:33 pm |
|
Could not protection against cross scripting be made through the .htaccess file and modrewrite? I have included this in my .htaccess:
RewriteEngine on
RewriteCond %{QUERY_STRING} .*http:\/\/.*
Rewriterule ^.* - [F] |
| |
|
|
|
|
Serafim
|
| Posted:
Mon Oct 29, 2007 2:56 pm |
|
Well thanks for all te replies. Today is looking much better. All the site is restored. And security has been added at server level. I am told the attack first happened to another site on our server. My site structure is similar in content so once they knew where to look the rest was history. I am thankful my site did not end up like 12 others that saw far worse damage. I am looking into a better server with more security. Problem here is that my software is very resource intensive. So Most hosting providers cannot handle the load or do not want to bog down the server.
Thanks for all the help |
| |
|
|
|
|
evaders99
|
| Posted:
Mon Oct 29, 2007 6:22 pm |
|
Personally I would recommend a dedicated host. It may be above your budget, but it allows you to handle very database-intensive sites and install your own software for security.
I've been using 1and1's Root Servers
[ Only registered users can see links on this board! Get registered or login! ]
(I don't think Raven offers this kind of hosting. If so, then please feel free to delete the 1and1 link) |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
