Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
checksum
Hangin' Around


Joined: Jun 30, 2003
Posts: 39

PostPosted: Tue Jun 12, 2007 5:52 pm Reply with quote

Could any of you guys look at my site and let me know where the problem is?
My site has been hacked since this morning
Only registered users can see links on this board! Get registered or login!


Last edited by checksum on Wed Jun 13, 2007 10:43 pm; edited 1 time in total 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Jun 12, 2007 5:55 pm Reply with quote

Looks like the code was replaced with some nasty Javascript

It could be anywhere, hacked files... hacked database, etc.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
checksum
PostPosted: Tue Jun 12, 2007 6:06 pm Reply with quote

yes I see the javascript, how can I locate it and delete it?
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Tue Jun 12, 2007 6:27 pm Reply with quote

Look for recently changed files.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
checksum
PostPosted: Tue Jun 12, 2007 6:33 pm Reply with quote

That's what I am doing, but it's hard
I see config.php 5/6/2007 but when I look into it I do not see the javascript code

Can I give you access to my ftp in you PM so you can help me locate it?
 
checksum
PostPosted: Tue Jun 12, 2007 7:00 pm Reply with quote

I did a search in the entire database, and I could not find anything javascript.

I could not see any fils or folders modified 6/12/07, it happened this morning
 
kguske
PostPosted: Tue Jun 12, 2007 7:24 pm Reply with quote

It could be in your database - check the messages, news and blocks tables.
 
checksum
PostPosted: Tue Jun 12, 2007 7:54 pm Reply with quote

I downloaded the whole database and did a search, no javascript found
 
kguske
PostPosted: Tue Jun 12, 2007 8:34 pm Reply with quote

OK. I looked at the site. If there aren't any new files (e.g. index.html, index.htm) or changes to your index.php (assuming it's PHP-Nuke), I'd check the includes and themes directory for changes to files there.
 
checksum
PostPosted: Tue Jun 12, 2007 10:20 pm Reply with quote

could he be pulling the javascript from somewhere else, such that when i do a search on the javascript code, i do not find anything?
 
kguske
PostPosted: Tue Jun 12, 2007 10:37 pm Reply with quote

Something in mainfile...haven't found it yet.
 
kguske
PostPosted: Tue Jun 12, 2007 10:51 pm Reply with quote

You need to check with your host. There is a bigger problem. It looks like they are adding a google analytics reference that is interfering with your scripts. I added an info.php file, and all it does is execute phpinfo. Even that has the google analytics stuff. Is this a free host?

Don't forget to remove the info.php after you verify.
 
checksum
PostPosted: Tue Jun 12, 2007 10:55 pm Reply with quote

no, it is a VPS, I have access to the server too. I can give you access to the server also
 
kguske
PostPosted: Tue Jun 12, 2007 10:59 pm Reply with quote

Is it managed? If so, have them check the configuration. Even regular .html files are loading the google-code script.
 
kguske
PostPosted: Tue Jun 12, 2007 11:04 pm Reply with quote

Sorry - it's pointing to google-counter.com Probably to drive up adsense or some other nonsense. Giving me VPS access won't help - I wouldn't know where to start. But it's definitely not your script, though you should have different passwords for cpanel, database and nuke admin. Not sure if that's the case, but you should also update your NukeSentinel - it looks a few versions old.
 
checksum
PostPosted: Tue Jun 12, 2007 11:09 pm Reply with quote

I don't know what you mean by managed, but I do have pretty much control of the server. I have sent them an email, I will see what they say, and if they can identify the root cause.

Thank you for your help
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Wed Jun 13, 2007 6:28 am Reply with quote

checksum, there are typically two levels of service provided by hosting companies for a VPS and dedicated. There is "managed" and "not managed". "managed" is more expensive, but generally speaking, if the plan is a good one, the hosting company will do almost anything you need done at the server level. Let's face it, most of us are not server admins, so we need help from time-to-time. If your plan is not "managed", then there may be a charges for support tickets.

In other words, it boils down to how much help you can expect to get from your hosting company for your VPS or dedicated server.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
kguske
PostPosted: Wed Jun 13, 2007 6:49 am Reply with quote

Looks like it's working now. Please let us know the details.
 
checksum
PostPosted: Wed Jun 13, 2007 5:02 pm Reply with quote

Hi,

Sorry for the delay, was at work.

They fixed it early this morning I pointed them to this thread also.
Here is what they said:


Could you please chech now, that code shouldn't load on your pages anymore.
It was exploit that is using bug in mod_layout apache module. I've disabled it, and your serevr is safe now.
Best regards,
Tom H.
HostForWeb Inc.

Thank you kguske for your help
 
kguske
PostPosted: Wed Jun 13, 2007 8:46 pm Reply with quote

Thanks for following up. Don't forget to remove the info.php file in your Nuke root. Make sure have different cPanel, VPS, and Nuke database user IDs / passwords for extra security...
 
kguske
PostPosted: Thu Jun 14, 2007 5:14 am Reply with quote

One more follow up - can you get some details (i.e. a link) on this exploit from your host? That was a particularly nasty issue, and we couldn't find any details about it based on the response.
 
checksum
PostPosted: Thu Jun 14, 2007 7:05 pm Reply with quote

Ok, will do
 
CodyG
Life Cycles Becoming CPU Cycles


Joined: Jan 02, 2003
Posts: 712
Location: Vancouver Island

PostPosted: Tue Jun 26, 2007 12:04 am Reply with quote

any updates?

_________________
"We want to see if life is ubiquitous." D.Goldin 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©