Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> v2.30.01 RN Security Issues
daftandhungry
New Member
Joined: Dec 30, 2008
Posts: 14
Posted: Fri Mar 20, 2009 3:21 am

Hi all.

Last night my site was hacked.

When I try to access it AVG web shield blocks it saying

Exploit Javascript Obfuscation (type 607).

I tried it from work today and it redirects to lousecn.cn opening multiple pages.

On searching my files there is javascript code added to the end of every file in my root folder.

I will not post the javascript code here for obvious reasons, however if any staff members would like to see it I will gladly pm it to you.

There was a folder that should not have been on my server that I deleted a couple of days ago as well.

Could anyone shed some light on how I would go about finding out their method of getting this code into my files please?

Thanks
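As an added example (not from the thread), a small POSIX sh script that finds pages in a web root with a script tag appended after the closing </html>, the pattern described in the post above, plus a helper that lists recently modified files to line up against the access and FTP logs. The document root path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: find pages that have had a <script>
# block appended after their closing </html>, the tampering described above.
# Assumes POSIX sh, find, grep, sed and tr; /path/to/public_html is a placeholder.

# Return 0 when the file contains </html> and a <script tag appears AFTER the
# last </html>. Files without </html> (plain PHP includes) are skipped so that
# legitimate inline scripts inside them are not flagged.
has_appended_script() {
    grep -iq '</html>' "$1" || return 1
    # Flatten to one line, drop everything up to the LAST </html> (greedy .*),
    # then look for a script tag in whatever is left.
    tr -d '\n\r' < "$1" | sed 's/.*<\/[Hh][Tt][Mm][Ll]>//' | grep -iq '<script'
}

# Print every .php/.html/.htm file under the given root that fails the check.
find_appended_scripts() {
    root="${1:-/path/to/public_html}"
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) -print |
    while IFS= read -r f; do
        if has_appended_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Files changed in the last N days (default 2): compare these timestamps with
# the FTP/access log entries to narrow down when and how the write happened.
recently_modified() {
    find "${1:-/path/to/public_html}" -type f -mtime -"${2:-2}" -print
}
```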
 
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
Posted: Fri Mar 20, 2009 7:23 am

You need to check your server logs.

Are you running any third party modules, or blocks?
 
daftandhungry
Posted: Fri Mar 20, 2009 1:03 pm

Checked server logs last night; they start at 8:28 am the morning after the site was hacked, and I found out it was hacked at 6am that morning.

They were raw access logs so I might be looking in the wrong place.

Error logs pointed a few times to the folder I deleted previously and missing files from a theme I used to use.

3rd party modules and blocks are nuke weather and my footy tipping module, but I found no references to either of them in any logs; then again, I don't know what to look for.
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Fri Mar 20, 2009 5:49 pm

I'd be happy to look at it if it's a new security issue. Send me the site details in a PM.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
evaders99
Posted: Sat Mar 21, 2009 2:52 am

He doesn't have any further logs that show the attack. So there's really nothing I can investigate.
 
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6432
Posted: Sat Mar 21, 2009 3:09 pm

Sounds like file access or an admin attack. Is admin authentication on?

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
daftandhungry
Posted: Sat Mar 21, 2009 4:31 pm

Yes, I am using CGI auth, but I was too slow to get the necessary log files; I didn't have cPanel set up to archive log files daily. There is probably a lot I don't have set up right.

I still have multiple attempts to access the folder that was put onto my server, and as they were filling up my error log I set up a redirection on that folder:

# -------------------------------------------
#redirect on that d*** folder
#-------------------------------------------
RedirectMatch 301 /8851drg(.*) [ Only registered users can see links on this board! Get registered or login! ]
#-------------------------------------------
#end redirect
#-------------------------------------------

and now I get no more error messages on it, but they get a nice message.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sun Mar 22, 2009 8:51 am

If you are on a shared server it is possible that they also got there that way. You may need to check with your host too if it happens again (especially if you find another new file/directory being added).

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
daftandhungry
Posted: Mon Mar 23, 2009 2:19 am

About to contact host as it happened again.
They haven't done anything to the site itself as yet, not like last time; however, there was a new folder in my cgi-bin this morning.

I deleted it before going to work and got home and it was back and my cpanel password had been changed.

Luckily I can change my password through my host's website, so I now have control of cPanel again; we will see what my host has to say.
 
dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1242
Posted: Mon Mar 23, 2009 11:51 am

Just a shot ....

Check your site for any directories and/or file permissions set to 777 (world writable). If so, then chmod to something else such as 644 or 755 depending on access needed, etc. Many years ago I had a chat application installed on my server by a hacker that got in through the 777 permissions in the Gallery - a very well known exploit. I wrote a wrapper script that runs as a cron job every night that searches for keywords associated with this "chat" app and automatically deletes it if found.
 
daftandhungry
Posted: Tue Mar 24, 2009 3:11 am

My host informed me I had 2 folders with 777 permissions, logs and sys in root; however, I never set them to that. It may be the default, I don't know.

The host changed them for me when they found them.

Is there a quick way of checking if any files or folders have 777 permissions without having to go through every file and check them individually?


*edit: just found their file uploads in the FTP logs, but they already had my cPanel password by then, I guess.
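As an added example (not from the thread), the quick check asked for above, in the spirit of dad7732's 777 advice: a POSIX sh script that lists every file or directory under a web root that is world-writable, counts them for a nightly cron report, and can strip the world-write bit. The root path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: the quick 777 check asked for above.
# Lists every file or directory under a root whose mode grants write access to
# "other" (mode ends in 2, 3, 6 or 7, which includes 777), and optionally
# strips that bit. Assumes POSIX sh, find and chmod; the root is a placeholder.

# Print world-writable files and directories under $1.
# -perm -002 matches when the other-write bit is set, whatever the other bits.
find_world_writable() {
    find "${1:-/path/to/public_html}" -perm -002 \( -type f -o -type d \) -print
}

# Number of hits; a nightly cron job can mail a report only when this is non-zero.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the other-write bit (chmod o-w), which turns 777 into 775 and
# 666 into 664 without touching owner/group access. Use 755/644 as dad7732
# suggests if you know nothing on the site needs group write either.
harden_world_writable() {
    find "${1:-/path/to/public_html}" -perm -002 \( -type f -o -type d \) \
        -exec chmod o-w {} +
}
```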
 
kguske
Posted: Tue Mar 24, 2009 4:28 am

777 isn't necessarily bad, depending on the configuration of the server. They would not be 777 by default - only if you changed them, or someone else had that ability through another means.

I would press the host for more details - I've heard that there have been issues with FTP (it happened on a site I support in December - many folders were changed to 777 and htaccess files were written to redirect 404s to a bad uploaded script, and the host was honest enough to tell me about the FTP issue after I spent hours checking logs and folders to find out what happened). If I remember correctly, the host made some changes to prevent the inappropriate FTP access.
 
evaders99
Posted: Tue Mar 24, 2009 7:25 pm

I have a feeling your server's already been compromised. I would ask your host to do a complete reformat/reinstall. Load your site with clean files.

I can find no indication of the original hack.
 
daftandhungry
Posted: Wed Mar 25, 2009 2:37 am

I did find last night that my server ftp was set to allow anonymous access, which I changed as well.

I will definitely take that into consideration, evaders; that may very well be my next port of call. The only downside to that is I don't know how good their response time is to something like that, and I am running a weekly competition where 4 days of the week people need access to the site, so if I can schedule them to do it when footy tipping is closed for the weekend while matches are being played, I will get it done.

They suggested I change passwords weekly; however, I may consider doing it daily, as it doesn't take anywhere near as much effort as searching through logs and files after the fact.

At least through this I am learning a bit more about the security side of running a website. Most people who start one probably think it is just a matter of either installing software or coding one and throwing the files into a folder. Well, I know I did originally, until I started using RN.

My thanks to everyone who replied with suggestions of where to look and to evaders for taking the time to check it out.
 
nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina
Posted: Wed Mar 25, 2009 5:47 am

As far as changing passwords, the best practice that I have found is to not use words that are in the dictionary, use random upper and lower case letters and random numbers in the password. The scripts used to gain access to ftp accounts can break a simple password just through the process of elimination no matter how often you change them. But changing them often does help greatly.

_________________
Tricked Out News 
huntor
Regular
Joined: Jun 13, 2006
Posts: 54
Posted: Mon Jun 01, 2009 11:46 pm

Yeah, not too long ago I had this same issue where an outsider got ahold of one of my clients' FTP passwords. The only reason I caught it was asking what everyone's IPs were that had access to the account, and I found the odd ball IP connecting to the [ Only registered users can see links on this board! Get registered or login! ] Once we figured that out, we banned the IP and changed the FTP password. It's hard to track down someone sometimes when they have access to the website.
 
All times are GMT - 6 Hours