Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Plasma
Regular
Regular



Joined: May 17, 2005
Posts: 66

PostPosted: Tue Jun 09, 2009 9:48 am Reply with quote

Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:

Image


after removing that code, the site worked fine.

so my questions are: what is it and what will it do and more importantly, how do I find out who did it?

thx for any ideas.
 
View user's profile Send private message
ToolBox
Regular
Regular



Joined: Mar 16, 2005
Posts: 74

PostPosted: Tue Jun 09, 2009 11:42 am Reply with quote

That hacking happens in system level not phpnuke level.
Very recently, those types of hackings are full across the planet.

First off, such types of hacking is not possible to change your files directly from php engine but it happens in /tmp/ files and SSH hack.

Similar hacking is online casino spams. This online casino spmmers are really and deadly cirtical. If your server or hosting directory has some odd php file names in hidden mode such as cas.t.ph, p.ost.php etc, they are all parasited spammers and your hosting or your email ccounts exposed within your site will be reported as abusive spmmers.

Primarily, your hosting services are in charge.
Secondly, you may change 644 permission on all index.html file. (if your server account got hacked, this does not work).
Thirdly, put .htaccess.

Now, I would like you to open raw logs of your apache or any types of web-server engine. Find ips that scratched your files. and put C class IPs in your .htaccess.

I wrote under an assumption that you are running *NIX mahines. Windows servers are more or less different.
 
View user's profile Send private message
ToolBox







PostPosted: Tue Jun 09, 2009 11:44 am Reply with quote

online casino IPs are captured and reported in security sites.
So, find them and add blocking IPs in your web-server engine. That is not related with your nuke.
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Jun 09, 2009 7:07 pm Reply with quote

Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
View user's profile Send private message Visit poster's website
Plasma







PostPosted: Wed Jun 10, 2009 2:58 pm Reply with quote

evaders99 wrote:
Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in



how do I find this out using the logs?

my index.php file always has 644 permissions. can I change that to 444?
 
Plasma







PostPosted: Wed Jun 10, 2009 3:10 pm Reply with quote

okay, found this in one file:

HackeD By ChaLLenGer

anyone know this guy so I can ram my foot down his throat Wink
 
nuken
RavenNuke(tm) Development Team



Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Wed Jun 10, 2009 3:23 pm Reply with quote

I had a similar situation a while back on a server that was not well protected. They uploaded the files through [ Only registered users can see links on this board! Get registered or login! ] Before I switched servers, I changed all my control panel and ftp usernames and passwords using random combinations of numbers and letters changing to uppercase and lowercase. I did not get hacked again.

_________________
Tricked Out News 
View user's profile Send private message Send e-mail Visit poster's website
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Wed Jun 10, 2009 7:19 pm Reply with quote

yeah, sounds like you may need some help from your host too to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills. Sad

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
View user's profile Send private message Visit poster's website
Unit1
Worker
Worker



Joined: Oct 26, 2004
Posts: 134
Location: Boston

PostPosted: Wed Jun 10, 2009 8:38 pm Reply with quote

montego wrote:
yeah, sounds like you may need some help from your host too to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills. Sad


I agree

_________________
* 5 Simple rules to be happy: * Free Your Heart from Hatred * Free Your Mind from Worries * Live Simply * Give More * Expect Less. 
View user's profile Send private message
Plasma







PostPosted: Sat Jun 20, 2009 9:28 am Reply with quote

server host won't do anything (lunarpages.com)..

also, the hacker has changed the script:

Image


isn't there anything I can do to track who is doing this?


also, it looks like it's some sort of script that does all the index.php files at the same time. he also hacked into a auth.php file
 
nuken







PostPosted: Sat Jun 20, 2009 9:50 am Reply with quote

Do you have a folder in your root file system that is not a part of RavenNuke? One that was put there by the hacker? Compare your directory and see if that is how they are attacking your site.
 
bdmdesign
Worker
Worker



Joined: May 11, 2009
Posts: 154
Location: Winsen/Luhe; Germany

PostPosted: Tue Oct 13, 2009 3:35 am Reply with quote

Plasma wrote:
Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:

Image


after removing that code, the site worked fine.

so my questions are: what is it and what will it do and more importantly, how do I find out who did it?

thx for any ideas.


Change ALL your Passwords on your Server (root, user, database and the RN) like this:

N%gt638Dmls!hDrg645mlH

or this:

Ngt638DmlshDrg645mlH

DONT use Names and Names Numbers Combinations !!!!!

Best Regards

Peter
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17087

PostPosted: Tue Oct 13, 2009 2:31 pm Reply with quote

bdmdesign,

Great advice Wink !
 
View user's profile Send private message
bdmdesign







PostPosted: Tue Oct 13, 2009 5:07 pm Reply with quote

@ Raven:

thanx, the most People use unsafely Passwords like this:

cabonara, cabo1856nara, 45cabonara56


Best Regards

Peter
 
slackervaara
Worker
Worker



Joined: Aug 26, 2007
Posts: 236

PostPosted: Tue Oct 13, 2009 10:20 pm Reply with quote

Read about how hackers with spyware on your PC, can find out your ftp-password and then introduce scripts on your site that modifies index.php: [ Only registered users can see links on this board! Get registered or login! ]

I have stopped this possibility by using KeePass Professional to encrypt my usernames and passwords and I don't use FileZilla anylonger, but instead the web hotels Ftp-program from the controlpanel that is secured.
 
View user's profile Send private message
sundern
New Member
New Member



Joined: Jun 28, 2021
Posts: 2

PostPosted: Sun Jun 27, 2021 4:48 pm Reply with quote

Plasma wrote:
Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:

Image


after removing that code, the site worked fine.

so my questions are: what is it and what will it do and more importantly, how do I find out who did it?

thx for any ideas.


It's June 28, 2021 - This happened to all my index.php on my server and can't find out what caused this at the filesystem level. As the mystery deepens, I am extremely curious about how this could have happened.

I posted this question on stackoverflow, and my post was closed quickly with no clear answers.

Here is what happened:

This script will redirect URL to a allowandgo site and it is incredibly smart that the hacker encoded the javascript with some bullshit characters with a decode function. How was the payload delivered to all index.php is a mystery. I also want to add that this is only website that has a accurate description of the situation encounter by me. Shockingly this happened in 2009, something hasn't changed since then.

Admin-Edit: script-code removed!

I removed everything with a single command, but curious how it all go down.
 
View user's profile Send private message
neralex
Site Admin



Joined: Aug 22, 2007
Posts: 1678

PostPosted: Mon Jun 28, 2021 7:39 am Reply with quote

sundern wrote:
Shockingly this happened in 2009, something hasn't changed since then.


As it was answered before clearly, this is only possible with access on the server-side. Change all your passwords, check your server-logs and contact your hosting-company.

_________________
Github: RavenNuke 
View user's profile Send private message
sundern







PostPosted: Mon Jun 28, 2021 8:52 am Reply with quote

neralex wrote:
sundern wrote:
Shockingly this happened in 2009, something hasn't changed since then.


As it was answered before clearly, this is only possible with access on the server-side. Change all your passwords, check your server-logs and contact your hosting-company.


I have extensive unix sysadmin background, and there is no need to change the password since my server can only be logged onto with a public key.

in SSH config: PasswordAuthentication no

No one can login to the system with a password., unless someone has stolen my public key.

Next possibility is that I might have installed something on the system which created had a malware that changed all my index.php files with a encoded URL. I don't know what could that be.

How could something that could infect all index.php regardless of whether they are serving the websites ? Even index.php in junk folders were updated with the malware encoded URL.

Thanks for the response though, appreciate it.
 
neralex







PostPosted: Mon Jun 28, 2021 11:17 am Reply with quote

sundern, maleware could it be because normally all files in the web-directory should have CHMOD 644 - typically for all index.php files. Only files and/or folders which needs write-acccess should have CHMOD 775. In this case only members of the affected user-group get the file-access. Maybe some old 3rd-party-addons have outdated and/or unsecure php upload-funtions in public, which are not checking things like the mimetype while uploading the files. But if someone was able to upload an exutable file, which could start a loop through all files of the web-directory, then it needs also a functionality to execute it directly with the webserver-components. Back in the days addons like the coppermine-gallery or other big bug-wholes likes this were able to do this.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©