Ravens PHP Scripts: Forums
 

 

Unit1
Worker


Joined: Oct 26, 2004
Posts: 134
Location: Boston

Posted: Wed Jul 12, 2006 5:06 pm

Hello raven, I am hoping that someone can help me. My site was hacked today and for the life of me I don't know how they did it. I am hoping that you might have some time to take a look at this for me to see what they did. I can give you anything that you might need to do this for me, such as any admin controls you might need to look at the site. I got the logs from the site just now and I am looking through them. Any help at all, please. The site is [link hidden from unregistered users]. The only thing that was not updated was our forum to the new patch. Please, if you don't have the time to do this, can you point me to someone who could?
 
Unit1
Posted: Wed Jul 12, 2006 5:58 pm

OK, with more reading around I have found that they changed my config file on the site, but I still don't know how they did it. Anyone got any thoughts on how they did this, please?
 
Unit1
Posted: Wed Jul 12, 2006 8:52 pm

Looking at the server logs, they got into it by way of modules.php?name=SQuery. I have deleted this off the server, but the program they used, I don't know if this is enough to stop them or if they got any other info off the site. Any thoughts on this?
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Thu Jul 13, 2006 3:53 am

They probably did get in via another site as this is a classic XSS attack.
You will need to remove anything they added to your config.php file (or change it for one you have as a backup).
Make sure that config.php only has READ permissions.
If you know the time of the attack, you should check your error logs or Sentinel logs; that will reveal the site they used and the crafted URL string they used.
 
Unit1
Posted: Thu Jul 13, 2006 6:38 am

Ty Guardian2003, I did what you said to do and I do have the string they used. Can I PM it to you to see if you can think of any other thing it might have changed? When I pasted the URL to the program txt they used in my log file, my McAfee stopped a back door virus in the URL txt page. I am just trying to find out from someone with more knowledge on such things than me. It looks like just my config was changed, but I would like to see if anyone can tell if it could still be on the site through a back door.

Thank you for your time
 
Guardian2003
Posted: Thu Jul 13, 2006 7:27 am

PM may not allow you to post it so feel free to email me webmasterATcode-authorsDOTcom
 
Unit1
Posted: Thu Jul 13, 2006 9:29 am

OK, thank you, I just sent it out to you.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

Posted: Thu Jul 13, 2006 5:31 pm

Guardian2003, wouldn't mind taking a look at it myself if you don't mind passing it along. Thx.

Guardian2003
Posted: Thu Jul 13, 2006 5:35 pm

On its way.
 
Unit1
Posted: Thu Jul 13, 2006 7:03 pm

And I am on my way to donate. Ty for your time, Guardian2003.
 
montego
Posted: Thu Jul 13, 2006 7:55 pm

Yes, it definitely looks like SQuery was the culprit based on your logs and some googling... hopefully that is the only thing they got ahold of. I would definitely scour your directories for files that should not be there...
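
An added example, not part of the thread or any poster's code: one way to do the log check described in the replies above, flagging requests to modules.php?name=SQuery whose query string carries an external URL as a parameter value, so the time, client and remote site can be read off. It assumes Apache combined-format access logs; the sample lines, addresses, hosts and the parameter name example_param are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined-log prefix: client IP, timestamp, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*"')
# A parameter value that is itself an absolute URL; group 1 is the host.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://([^/\s?#]+)', re.IGNORECASE)

def find_url_parameters(lines, module="SQuery"):
    """Return one finding per parameter of a modules.php?name=<module>
    request whose (percent-decoded) value is an absolute URL."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, when, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/modules.php"):
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes
        if not any(k.lower() == "name" and v.lower() == module.lower()
                   for k, v in params):
            continue
        for key, value in params:
            hit = URL_VALUE_RE.match(value.strip())
            if hit:
                findings.append({"time": when, "client": client, "param": key,
                                 "remote_host": hit.group(1).lower(),
                                 "request": target})
    return findings

# Constructed sample lines (documentation addresses and hosts, made-up parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2006:14:01:07 -0600] "GET /modules.php?name=SQuery HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jul/2006:14:22:31 -0600] "GET /modules.php?name=SQuery&example_param=http%3A%2F%2Ffiles.example.net%2Fprog.txt HTTP/1.1" 200 812 "-" "-"',
    '192.0.2.10 - - [12/Jul/2006:14:25:00 -0600] "GET /modules.php?name=Forums&file=viewtopic&t=9 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jul/2006:14:23:02 -0600] "GET /index.php HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for f in find_url_parameters(SAMPLE_LOG):
        print(f"{f['time']}  {f['client']}  {f['param']} -> {f['remote_host']}")
```

The client address and timestamp of each finding give a starting point for listing files created or modified after that time, which narrows the directory search.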
 
Unit1
Posted: Fri Jul 14, 2006 1:14 pm

Thanks montego

Looks like I have a lot to do in the next few days.
 
All times are GMT - 6 Hours