Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
Hurricane
New Member
New Member


Joined: Nov 25, 2005
Posts: 23
Location: Newnan, GA

PostPosted: Sat Jan 20, 2007 2:08 pm Reply with quote

...even though that I keep all my Sentinel up to date, and running on Raven Nuke, this time the hacking bastards got me.
They got in through my guest book from Raven ... how ironic! Wink
Well they replaced my index page with their crap, which was not shown. My site just seemed not to have an index page. So I investigated the thing and found out, that my guestbook files in modules had been replaced with some C90 files and other trojan horse crap. I erased the whole guestbook.
Then today, my account got suspended by my service provider due to somebody reporting my site as a "Phishing site"....gee...
We found out that they replaced on day later, than the initial hacking attack, the files in the db folder. Sure enough, I had linked to Only registered users can see links on this board! Get registered or login!
I was able to ftp the infected files and saved them, in case some of you specialists want to see them, let me know. I erased the infected db files from my server, and uploaded my backup and my site is working fine again.

I just want to know, how those freaks got in, and how we can stop such a stupid attack.
 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sat Jan 20, 2007 2:41 pm Reply with quote

to bad....but im not aware of ravens guestbook being vulnerable.
the c90 often comes as c99 ,so maybe a different one but used to gain access on a server..
but realise that sentinel only protect core stuff,not 3d party stuff.
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sat Jan 20, 2007 4:52 pm Reply with quote

It's unusual that files were created / changed on your site. That indicates that an upload script (e.g. photo gallery, etc.) was in use, or that your FTP or control panel has been compromised. No likely done through the guestbook.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Hurricane
PostPosted: Sat Jan 20, 2007 5:00 pm Reply with quote

I will check the log files and will try to check how they got in.
As far as the photo album, it seemed to be ok and had not been used by those guys.
What is this C90 or C99 file in the first place?
All I know so far, is that the guestbook files were corrupted, as well as the db folder. I did not say that it could have been the guestbook, but currently I have no idea how they managed to get in.
 
hitwalker
PostPosted: Sat Jan 20, 2007 6:03 pm Reply with quote

the C99 is a mean sob.
if you get that on your server you can kiss it goodbye to... Laughing
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Jan 21, 2007 1:08 am Reply with quote

c99shell is a very malacious shell script, it can let the hacker take over your server.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sun Jan 21, 2007 10:38 am Reply with quote

I am readying the security release even as we talk. Do you have register_globals turned off?
 
View user's profile Send private message
Hurricane
PostPosted: Sun Jan 21, 2007 10:42 am Reply with quote

Raven wrote:
I am readying the security release even as we talk. Do you have register_globals turned off?


Help me out...where could I could have done that?
 
Raven
PostPosted: Sun Jan 21, 2007 12:21 pm Reply with quote

If you have access to your php.ini, then set register_globals=off. Otherwise, add the line to your .htaccess file. In addition, at the bottom of your config.php you should have these lines:
Code:
######### DO NOT EDIT BELOW THIS LINE!! ##########

if (file_exists($path_to_user_prefs)&&$use_userprefs) @include($path_to_user_prefs);
$version = $app_version;

MODIFY it to read

Code:
######### DO NOT EDIT BELOW THIS LINE!! ##########

if ($hide_errors) @ini_set('display_errors','off');
function stripAllTags (&$arrayGET, $value) {
   if (is_array ($arrayGET)) @array_walk ($arrayGET, "stripAllTags");
   else $arrayGET = @strip_tags ($arrayGET);
}
if (isset ($_GET)) @array_walk ($_GET, "stripAllTags");
elseif (isset ($HTTP_GET_VARS)) @array_walk ($HTTP_GET_VARS, "stripAllTags");
if (file_exists($path_to_user_prefs)&&$use_userprefs) @include($path_to_user_prefs);
$version = $app_version;


That should get you by until I get the fix pack out.

Would you zip up the log entries pertaining to the compromise and send it to me, please? I want to be sure that what I have done covers what hole they used.

raven
at
phpscripts
dot
com

Thanks.
 
Hurricane
PostPosted: Tue Jan 23, 2007 9:42 pm Reply with quote

Raven wrote:
If you have access to your php.ini, then set register_globals=off. Otherwise, add the line to your .htaccess file. In addition, at the bottom of your config.php you should have these lines:...


I do not have access to this/these file(s).
Raven wrote:

That should get you by until I get the fix pack out.

Would you zip up the log entries pertaining to the compromise and send it to me, please? I want to be sure that what I have done covers what hole they used.

raven
at
phpscripts
dot
com

Thanks.

I've sent you the complete log files of the last couple days around the attack and after. I hope it helps...
 
Raven
PostPosted: Tue Jan 23, 2007 9:57 pm Reply with quote

Just add a file called .htaccess in your guestbook home folder. In it place the following line:

php_flag register_globals off

Thanks for the logs!
 
Hurricane
PostPosted: Tue Jan 23, 2007 10:04 pm Reply with quote

Let me know if I can help you going through this large amount of data from the logs...
I will have to re-install the kisgb after I make a couple changes to my site...
Thank you very much Raven!
 
Raven
PostPosted: Tue Jan 23, 2007 10:08 pm Reply with quote

okay, but I haven't received them [yet]. When did you send them?
 
Hurricane
PostPosted: Tue Jan 23, 2007 10:12 pm Reply with quote

Yesterday evening 11:30 Eastern to the email mentioned earlier. However it is 6MB! Should I make it available for DL, in case it is too big?
 
Raven
PostPosted: Tue Jan 23, 2007 10:19 pm Reply with quote

Strange. Yes, make the zip a d/l and PM to me the name/location of the file. Thanks.
 
Hurricane
PostPosted: Tue Jan 23, 2007 10:39 pm Reply with quote

Done!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©