Ravens PHP Scripts: Forums
 

 

Plasma
Regular
Regular


Joined: May 17, 2005
Posts: 66

PostPosted: Tue Jun 09, 2009 9:48 am Reply with quote

Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:

Image


after removing that code, the site worked fine.

so my questions are: what is it and what will it do and more importantly, how do I find out who did it?

thx for any ideas.
 
ToolBox
Regular
Regular


Joined: Mar 16, 2005
Posts: 74

PostPosted: Tue Jun 09, 2009 11:42 am Reply with quote

That hacking happens at the system level, not the phpnuke level.
Very recently, those types of hacking are all across the planet.

First off, with such types of hacking it is not possible to change your files directly from the php engine, but it happens in /tmp/ files and SSH hack.

Similar hacking is online casino spam. These online casino spammers are really and deadly critical. If your server or hosting directory has some odd php file names in hidden mode such as cas.t.ph, p.ost.php etc, they are all parasited spammers and your hosting or your email accounts exposed within your site will be reported as abusive spammers.

Primarily, your hosting services are in charge.
Secondly, you may change 644 permission on all index.html file. (if your server account got hacked, this does not work).
Thirdly, put .htaccess.

Now, I would like you to open raw logs of your apache or any types of web-server engine. Find ips that scratched your files. and put C class IPs in your .htaccess.

I wrote under an assumption that you are running *NIX machines. Windows servers are more or less different.
 
ToolBox
PostPosted: Tue Jun 09, 2009 11:44 am Reply with quote

online casino IPs are captured and reported in security sites.
So, find them and add blocking IPs in your web-server engine. That is not related with your nuke.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Jun 09, 2009 7:07 pm Reply with quote

Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in

Plasma
PostPosted: Wed Jun 10, 2009 2:58 pm Reply with quote

evaders99 wrote:
Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in



how do I find this out using the logs?

my index.php file always has 644 permissions. can I change that to 444?
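One way to approach the log question above, as an added example that is not part of the original thread: take the time a tampered file was changed and list the web requests that arrived shortly before it. The Apache "combined" log format, the sample lines, the paths and the 30-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format is assumed; adjust the pattern to your host's format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def requests_before_change(lines, changed_at, window_minutes=30):
    """Time-ordered requests in the window leading up to the file's change time."""
    start = changed_at - timedelta(minutes=window_minutes)
    recs = (parse_line(line) for line in lines)
    hits = [r for r in recs if r and start <= r["time"] <= changed_at]
    return sorted(hits, key=lambda r: r["time"])

def post_sources(hits):
    """Map client IP -> paths it POSTed to successfully (status below 400)."""
    out = {}
    for r in hits:
        if r["method"] == "POST" and r["status"] < 400:
            out.setdefault(r["ip"], []).append(r["path"])
    return out

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2009:02:10:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Jun/2009:03:41:12 -0600] "POST /upload.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.23 - - [09/Jun/2009:03:41:40 -0600] "GET /images/x.php HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.50 - - [09/Jun/2009:03:55:00 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Constructed change time; on a real site read it from the tampered file
# (mtime can be reset by whoever wrote the file, ctime is harder to fake).
CHANGED_AT = datetime(2009, 6, 9, 3, 42, 0, tzinfo=timezone(timedelta(hours=-6)))

if __name__ == "__main__":
    hits = requests_before_change(SAMPLE_LOG, CHANGED_AT)
    for r in hits:
        print(r["time"], r["ip"], r["method"], r["path"], r["status"])
    print(post_sources(hits))
```

If the window holds no matching web request, the change probably arrived by another route such as FTP or the control panel, and those logs are kept by the host.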
 
Plasma
PostPosted: Wed Jun 10, 2009 3:10 pm Reply with quote

okay, found this in one file:

HackeD By ChaLLenGer

anyone know this guy so I can ram my foot down his throat Wink
 
nuken
RavenNuke(tm) Development Team


Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Wed Jun 10, 2009 3:23 pm Reply with quote

I had a similar situation a while back on a server that was not well protected. They uploaded the files through Only registered users can see links on this board! Get registered or login! Before I switched servers, I changed all my control panel and ftp usernames and passwords using random combinations of numbers and letters changing to uppercase and lowercase. I did not get hacked again.

montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Wed Jun 10, 2009 7:19 pm Reply with quote

yeah, sounds like you may need some help from your host too to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills. Sad

Unit1
Worker
Worker


Joined: Oct 26, 2004
Posts: 134
Location: Boston

PostPosted: Wed Jun 10, 2009 8:38 pm Reply with quote

montego wrote:
yeah, sounds like you may need some help from your host too to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills. Sad


I agree

_________________
* 5 Simple rules to be happy: * Free Your Heart from Hatred * Free Your Mind from Worries * Live Simply * Give More * Expect Less. 
Plasma
PostPosted: Sat Jun 20, 2009 9:28 am Reply with quote

server host won't do anything (lunarpages.com)..

also, the hacker has changed the script:

Image


isn't there anything I can do to track who is doing this?


also, it looks like it's some sort of script that does all the index.php files at the same time. he also hacked into an auth.php file
 
nuken
PostPosted: Sat Jun 20, 2009 9:50 am Reply with quote

Do you have a folder in your root file system that is not a part of RavenNuke? One that was put there by the hacker? Compare your directory and see if that is how they are attacking your site.
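The directory comparison suggested above, as an added example that is not part of the original thread: hash every file in the live web root and in a clean unpacked copy of the same release, then report files that were added or changed and directories the release does not contain. The two-directory layout, the `ignore` list and the demo file names are assumptions.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map every file under root (relative path, '/' separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def parent_dirs(paths):
    """All directories that contain (directly or not) any of the given files."""
    dirs = set()
    for path in paths:
        parts = path.split("/")[:-1]
        dirs.update("/".join(parts[:i]) for i in range(1, len(parts) + 1))
    return dirs

def compare_trees(clean_root, live_root, ignore=()):
    """Compare the live web root with a clean unpacked copy of the same release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    added = sorted(p for p in live if p not in clean and p not in ignore)
    modified = sorted(p for p in clean
                      if p in live and live[p] != clean[p] and p not in ignore)
    unknown_dirs = sorted(parent_dirs(added) - parent_dirs(clean))
    return {"added": added, "modified": modified, "unknown_dirs": unknown_dirs}

def demo():
    """Build two small constructed trees and compare them."""
    def write(root, rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel in ("index.php", "modules/News/index.php", "config.php"):
            write(clean, rel, "<?php // original\n")
            write(live, rel, "<?php // original\n")
        write(live, "config.php", "<?php // site settings\n")  # expected local edit
        write(live, "modules/News/index.php", "<?php // original\n// injected line\n")
        write(live, "tmpx/p.php", "<?php // unknown\n")  # not in the release
        return compare_trees(clean, live, ignore=("config.php",))

if __name__ == "__main__":
    print(demo())
```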
 
bdmdesign
Worker
Worker


Joined: May 11, 2009
Posts: 154
Location: Winsen/Luhe; Germany

PostPosted: Tue Oct 13, 2009 3:35 am Reply with quote

Plasma wrote:
Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:

Image


after removing that code, the site worked fine.

so my questions are: what is it and what will it do and more importantly, how do I find out who did it?

thx for any ideas.


Change ALL your Passwords on your Server (root, user, database and the RN) like this:

N%gt638Dmls!hDrg645mlH

or this:

Ngt638DmlshDrg645mlH

DON'T use names or name-and-number combinations!!!!!

Best Regards

Peter
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Tue Oct 13, 2009 2:31 pm Reply with quote

bdmdesign,

Great advice Wink !
 
bdmdesign
PostPosted: Tue Oct 13, 2009 5:07 pm Reply with quote

@ Raven:

Thanks, most people use unsafe passwords like this:

cabonara, cabo1856nara, 45cabonara56


Best Regards

Peter
 
slackervaara
Worker
Worker


Joined: Aug 26, 2007
Posts: 236

PostPosted: Tue Oct 13, 2009 10:20 pm Reply with quote

Read about how hackers with spyware on your PC, can find out your ftp-password and then introduce scripts on your site that modifies index.php: Only registered users can see links on this board! Get registered or login!

I have stopped this possibility by using KeePass Professional to encrypt my usernames and passwords, and I don't use FileZilla any longer, but instead the web hotel's FTP program from the control panel, which is secured.
 
All times are GMT - 6 Hours
 