Under Attack...

Posted: Sat Jan 28, 2006 4:17 pm

Greetings All,
They got me.....several times now. I have not figured out how they got in this last time.....but I am working on it. Anyone that enjoys this sort of thing is welcome to come play!

History....
A couple months ago my index file kept getting over wrote. Nothing bad....just changing the capatol letters in the varibles.

Example....index hacked....

Code:

require_once("mainfile.php");


$_server['php_self'] = "modules.php";


$row = $db->sql_fetchrow($db->sql_query("select main_module from ".$prefix."_main"));


$name = $row['main_module'];


$home = 1;





if ($httpref==1) {


    $referer = $_server["http_referer"];


    $referer = check_html($referer, nohtml);


    if ($referer=="" or eregi("^unknown", $referer) or substr("$referer",0,strlen($nukeurl))==$nukeurl or eregi("^bookmark",$referer)) {


    } else {


   $result = $db->sql_query("insert into ".$prefix."_referer values (null, '$referer')");


    }


    $numrows = $db->sql_numrows($db->sql_query("select * from ".$prefix."_referer"));


    if($numrows>=$httprefmax) {


   $result2 = $db->sql_query("delete from ".$prefix."_referer");


    }

Index Normal.....

Code:

require_once("mainfile.php");


$_SERVER['PHP_SELF'] = "modules.php";


$row = $db->sql_fetchrow($db->sql_query("SELECT main_module from ".$prefix."_main"));


$name = $row['main_module'];


$home = 1;





if ($httpref==1) {


    $referer = $_SERVER["HTTP_REFERER"];


    $referer = check_html($referer, nohtml);


    if ($referer=="" OR eregi("^unknown", $referer) OR substr("$referer",0,strlen($nukeurl))==$nukeurl OR eregi("^bookmark",$referer)) {


    } else {


   $result = $db->sql_query("INSERT INTO ".$prefix."_referer VALUES (NULL, '$referer')");


    }


    $numrows = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_referer"));


    if($numrows>=$httprefmax) {


   $result2 = $db->sql_query("DELETE FROM ".$prefix."_referer");


    }


}

I did not know is this was my ISP....or what the crap was goning on. I fixed it by chmod the file to 444. Done. Problem went away.

Come forward to a couple days ago. It started back up. I chmoded it again wit no effect. Then after a couple times they redirected the site to some remote server and loaded a couple of my members with a trogan.

VerifyByte.trogen to be exact.

I think they did it through a Remote avatar in phpBB. So I got rid of the remote avatars.

Over the last day or so the index has been overwritten at times as fast as I can fix it with a Backup.

I can back this afternoon and they had put a new index in place....some commerce site this time. Now I have had enough. I will get to the bottom of it.

The site has way to many MODs to it. Bringing it up todate is goin gto be one major PAIN in the @ kaching!

.

Like I said....If anyone that enjoys this kind of crap wants to come play....just let me know.....

Dawg

Posted: Sat Jan 28, 2006 4:55 pm

You got some serious updating to do ther man.
Was this attack on a shared server or your local box?

Posted: Sat Jan 28, 2006 5:50 pm

Hosted Box

I am working on the BB for the moment. I hated to do it.....I run an Offshore fishing site and of coarse there WERE a TON of Pics in my forums. That is why I was so far behind....

I am up to 18 now....We are working on it....

Anyone know of a resonable way to allow uploading of Pics and Admin uploading of files to the forums?

I was using Attachment Mod....of coarse the upgrading has killed it....

Dawg

Posted: Sat Jan 28, 2006 9:05 pm

Well, I came through it....We are up to 19 now. Geez that was too fun.

Dawg

Posted: Sun Jan 29, 2006 10:36 am

Updating is always a pain, but in the end its worth it.

Posted: Mon Jan 30, 2006 8:16 am

Well, It was every bit as much of a PAIN in the......as I thought it would be but we seem to have come through it with only a couple of small issues.

phpBB is now current......I am on patched 3.1. Now on to NS.

JOY JOY...FUN FUN!!

Dawg