| Author |
Message |
Unit1
Worker
Joined: Oct 26, 2004
Posts: 134
Location: Boston
|
 Posted:
Wed Jul 12, 2006 5:06 pm |
|
Hello raven I am hopeing that some one can help me My site was hacked today and for the life of me I dont know how they did it I am hopeing that you might have some time to take a look at this for me to see what they did. I can give you any thing that you might need to do do this for me such as any admin controles you might need to look at the site I got the logs from the site just now and I am look through them. any help at all plz the site is www.mgsquad.com The only thing that was not updated was our forum to the new patch  Please if you dont have the time to do this can you point me to some one who could |
| |
|
|
|
Unit1
|
| Posted:
Wed Jul 12, 2006 5:58 pm |
|
Ok with more reading around I have found that they changed my config file on the site but still dont know how they did it ? Any one got any thoughts on how they did this please |
| |
|
|
|
|
Unit1
|
| Posted:
Wed Jul 12, 2006 8:52 pm |
|
looking at the server logs they got into it by way of modules.php?name=SQuery I have deleted this off the server but the program they used I dont know if this is enough to stop them or if they got any other info off the site ? any thoughts on this |
| |
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
| Posted:
Thu Jul 13, 2006 3:53 am |
|
They probably did get in via another site as this is a classic XSS attack.
You will need to remove anything they added to your config.php file (or change it for one you have as a back up).
Make sure that config.php only has READ permissions.
If you know the time of the attack, you should check your error logs or Sentinel logs, that will reveal the site they uses and the crafted url string they used. |
| |
|
|
|
Unit1
|
| Posted:
Thu Jul 13, 2006 6:38 am |
|
Ty Guardian2003 I did what you said to do and I do have the string they used can I pm it to you to see if you can think of any other thing it night have chaged ? When I pasted the url to the program txt they used in my log file my Mcafee stoped a back door virus in the url txt page. I am just trying to find out from some one with more knowledge on such things than me. But it looks like just my config was changed but I would like to see if anyone can tell if it could still be on the site through a back door ?
Thank you for your time |
| |
|
|
|
|
Guardian2003
|
| Posted:
Thu Jul 13, 2006 7:27 am |
|
PM may not allow you to post it so feel free to email me webmasterATcode-authorsDOTcom |
| |
|
|
|
|
Unit1
|
| Posted:
Thu Jul 13, 2006 9:29 am |
|
Ok Thank you I just sent it out to you |
| |
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
| Posted:
Thu Jul 13, 2006 5:31 pm |
|
|
|
|
Guardian2003
|
| Posted:
Thu Jul 13, 2006 5:35 pm |
|
|
|
|
|
Unit1
|
| Posted:
Thu Jul 13, 2006 7:03 pm |
|
And I am on my way to donate Ty for your Time Guardian2003 |
| |
|
|
|
|
montego
|
| Posted:
Thu Jul 13, 2006 7:55 pm |
|
Yes, it definitely looks like SQuery was the culprit based on your logs and some googling... hopefully that is the only thing they go ahold of. I would definitely scour your directories for files that should not be there... |
| |
|
|
|
|
Unit1
|
| Posted:
Fri Jul 14, 2006 1:14 pm |
|
Thanks montego
Looks like I have a lot to do in the next few days  |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
