moneymic313

HACKED** MY SITE REDIRECTS TO THE CHURCH OF SATAN... I NEED TO FIX ASAP!!

Yes, it is back.. But there is no file that I see similar to the dhh.swf that was created before... I am still looking but I don't see any .swf file that is new...

So I just redirected the intro page to point to a different page until I figure this out...

I searched through every folder and I did find a file called r57.php, and when I copied it down to examine it my PC removed a virus called PHP.RSTBackdoor.

Here is Symantec's description of the threat..
"Opens a back door that allows the attacker to have unauthorized remote access to the compromised computer"

But I still haven't found the file that is redirecting them back to that damn site...

The file is located in /images/mainpage/.  Can you post the contents of the file here?  The PHP file that is.

A few more ideas:

First change all of your passwords (mentioned by Daniel0).

If you're connecting from the local coffee house, anyone there has the ability to see your login and password. Check with your host and see if they permit SFTP and how to configure it. If they don't permit it, you might want to switch hosts.

If you're on a shared hosting solution, you can also ask your ISP to switch your server.

[b]and whatever you do, DON'T post the contents of that file here. the last thing we want is to train someone else how to install a root kit.[/b]

[quote author=michaellunsford link=topic=110382.msg446110#msg446110 date=1159893651]
Now the more powerful part of the question, how to prevent this from happening again?

I have been very fortunate to not have had this problem yet, but it lurks ominously in the shadows as a very real possibility. The problem is compounded by the fact that no one wants to publicly post how to test your website because some idiot will inevitably use the information to break someone else's. So, the question persists: how do you ensure your website is relatively hacker resistant?
[/quote]

[url=http://www.developerfusion.co.uk]Developer Fusion[/url] has several nice articles on security..

I don't think that this was your problem but here is an article on [url=http://www.developerfusion.co.uk/show/4656/]Sql Insertion[/url]

Good Luck,
Tom

Yes, but it is not physically there anymore.. I have looked 10 times thinking I am overlooking it, but it is not there...

There is no dhh.swf file viewable in the images/mainpage/  hmm..

I have already removed it once but the first time I saw it plain as day.. Now it is not visible..


I would never post the contents.. but do you think the backdoor file might have been how they were getting in???

I intend to change all passwords...

If you look over the code of the file, it certainly will reveal much of how it works and what it does. How the file got there in the first place is the ten thousand dollar question.

Apparently it spawns some more files... Check this out and make sure you kill everything in the list:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-071322-4217-99&tabid=2

I just found it... It was hidden as a protected operating system file..

So I have deleted the back door php file from the server.. deleted the dhh.swf file from the server and I am going to change my passwords right now..

I guess we can see if this all works.. If not, there has got to be some sort of script recreating this file...

Make sure you use a totally random password - something like: F8hkh8y3ha (even better if there are special characters like !,.-$ etc. in it).

Nothing may be a word in any dictionary, forwards or backwards. Nothing may be related to you (birthday etc.).

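The password advice above, turned into a small checker and generator. This is an added example, not code from the thread or from any poster: it draws candidates from the OS's CSPRNG using the character set the post suggests, rejects anything containing a dictionary word forwards or backwards, and reports the entropy of a uniformly random string of that length. The word list is a tiny constructed stand-in; a real check would load a full dictionary file.

```python
import math
import secrets
import string

# Character set matching the post's suggestion: letters, digits, and a few specials.
ALPHABET = string.ascii_letters + string.digits + "!,.-$"
# Tiny constructed stand-in for a real word list; load a full dictionary in practice.
SAMPLE_DICTIONARY = {"password", "detroit", "hiphop", "secret", "admin", "letmein", "satan"}


def contains_dictionary_word(password: str, words, min_len: int = 4) -> bool:
    """True if any word of min_len+ letters appears forwards or backwards (case-insensitive)."""
    low = password.lower()
    return any(len(w) >= min_len and (w in low or w[::-1] in low) for w in words)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def check_password(password: str, words=SAMPLE_DICTIONARY, min_length: int = 10) -> list:
    """Return a list of problems; an empty list means the password passes every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if contains_dictionary_word(password, words):
        problems.append("contains a dictionary word (forwards or backwards)")
    return problems


def generate_password(length: int = 16, words=SAMPLE_DICTIONARY) -> str:
    """Draw from the OS CSPRNG until a candidate passes check_password."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, words):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw), round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
```

The reversed-word check is what catches "tiorteD2006!", which looks random until you read it backwards; the entropy figure is only meaningful for passwords that came out of the generator, not for ones a person typed.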
And again.. Thank you to all who took the time to assist me with this.. I know it got off the php subject for a minute but thanks again for your help...

Even the most complex password ever conceived can't defend against packet sniffing. Secure FTP (SFTP) is your friend.

But it helps against dictionary attacks, but then there is of course rainbow tables.

For now I just edited the dhh.swf and blanked it out and put it back in its place and it is not redirecting anymore.. Hopefully the code will see that the file is in place and not update or replace it.

This will have to work until I find the source of the issue..

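Leaving a blanked-out dhh.swf in place and waiting to see whether it gets replaced is, in effect, a manual file-integrity check. The script below does the same thing systematically; it is an added example, not code from the thread or any poster. It records a hash baseline of the web root, reports files that were added, removed or rewritten since the baseline, and flags script files sitting under image or upload directories (the r57.php in /images/mainpage/ is exactly that pattern). The demo builds a constructed web root in a temp directory; the media directory names and the baseline location are assumptions to adjust for a real site.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Script extensions that should not appear under a media-only directory.
SCRIPT_EXTENSIONS = {".php", ".php3", ".phtml", ".cgi", ".pl"}
# Directory names treated as media-only (constructed list; adjust for your site).
MEDIA_DIR_NAMES = {"images", "img", "uploads"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            result[rel] = {"sha256": sha256_file(full), "size": full.stat().st_size}
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared, or changed content since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def scripts_in_media_dirs(snap: dict) -> list:
    """Flag script files whose path passes through a media-only directory (e.g. images/)."""
    hits = []
    for rel in snap:
        parents = rel.split("/")[:-1]
        if Path(rel).suffix.lower() in SCRIPT_EXTENSIONS and any(
            d.lower() in MEDIA_DIR_NAMES for d in parents
        ):
            hits.append(rel)
    return sorted(hits)


def save_baseline(snap: dict, path: Path) -> None:
    # Keep the baseline OUTSIDE the web root so it is neither served nor overwritten with the site.
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed web root, record a baseline, then simulate the recreated file."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "httpdocs"
        (webroot / "images" / "mainpage").mkdir(parents=True)
        (webroot / "index.php").write_text("<?php echo 'home'; ?>\n")
        # The blanked-out Flash file the poster left in place as a trap.
        (webroot / "images" / "mainpage" / "dhh.swf").write_bytes(b"")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(snapshot(webroot), baseline_path)

        # Simulate what the thread describes: dhh.swf is rewritten and a script
        # appears inside the image directory (placeholder content, not a real backdoor).
        (webroot / "images" / "mainpage" / "dhh.swf").write_bytes(b"FWS\x08placeholder")
        (webroot / "images" / "mainpage" / "r57.php").write_text("<?php /* placeholder */ ?>\n")

        current = snapshot(webroot)
        return {
            "diff": diff_snapshots(load_baseline(baseline_path), current),
            "suspicious": scripts_in_media_dirs(current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from cron against a copy pulled over SFTP and diff against the stored baseline; a "modified" hit on dhh.swf timestamped to the minute narrows down which log lines (FTP, web server, cron) to read next, which is the question the thread never manages to answer.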
I know I shouldn't, but this was the funniest post I have ever read in my entire life.

Glad you find humor in this BM... But it is actually quite serious..

It recreated the file and replaced my blank file... The redirect is back again..


BM do you have a solution that might help me fix this?????????????????????????????

Have you contacted your host's tech support? Perhaps they can see what is making that file over and over again.

If you trust me.

Email me your FTP information. I will take a few minutes to find it and fix it for you, but it has to be within the next 45 minutes; I am stopping work here soon. If the FTP works, I can look around and see if I can find out what's causing it; that's all I can do.

When I check the properties of the dhh.swf file.. it says the below..
ftp://dhh@ftp.detroithiphop.com/httpdocs/images/mainpage/dhh.swf

Does this mean that it is automatically uploading through FTP?? So to me that would mean that it isn't taking place physically on the server..
