HACKED** MY SITE REDIRECTS TO THE CHURCH OF SATAN... I NEED TO FIX ASAP!!


48 replies to this topic

#21 FrOzeN
  • Members
  • Advanced Member
  • 70 posts

Posted 03 October 2006 - 04:49 PM

A start would be to have a look over http://phpsec.org/projects/guide/ and see if any of the risks relate to your code.

#22 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 04:54 PM

Thank you everyone who helped with this... Honestly that was a fabricated .swf file that I did not even create or use..

So is this just changing and making my login info different and harder to figure out or is it more than that..??


Unfortunately though there is another issue on my side.. All of the links in my links section have been changed to the same url www.churchofsatan.com.. This is obviously a little different issue that I am sure is not quite as easy to fix...

If anyone has any suggestions on that as well please let me know..


Once again thank you all..

#23 michaellunsford
  • Members
  • Advanced Member
  • 1,023 posts
  • Location: Louisiana, USA

Posted 03 October 2006 - 05:01 PM

Is this even a PHP issue? I'm thinking if someone placed a SWF file on the server, they had ftp access at the very least. So, how do you protect against that?

> A start would be to have a look over http://phpsec.org/projects/guide/ and see if any of the risks relate to your code.



#24 FrOzeN
  • Members
  • Advanced Member
  • 70 posts

Posted 03 October 2006 - 05:18 PM

> Is this even a PHP issue? I'm thinking if someone placed a SWF file on the server, they had ftp access at the very least. So, how do you protect against that?

Not sure. But it seems to be back, so either the hacker just re-added it (unlikely), or there is some form of script that put the file back, which could be a php script. It'd be best just to go over all these factors so you can determine how it happened.

If you have a CPanel, or something similar. Check the ftp logs to see if someone actually uploaded the .swf file.
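One way to do the log check FrOzeN describes, as an added example that is not code from the thread: the script below parses a wu-ftpd / ProFTPD style xferlog (one 18-field line per transfer) and lists completed uploads whose file name carries an active-content extension, grouped by the remote address that sent them. The log lines in SAMPLE_XFERLOG are constructed sample data; the account name, addresses and paths are assumptions.

```python
"""Scan an FTP transfer log (xferlog format) for uploads of active content.

Added example, not code from the thread. Assumes the host keeps a
wu-ftpd / ProFTPD style xferlog: 18 space-separated fields per line, with
field 12 giving the direction ('i' = upload to the server) and the last
field the completion status ('c' = complete). SAMPLE_XFERLOG is constructed.
"""
import os
from collections import Counter
from datetime import datetime

SAMPLE_XFERLOG = """\
Mon Oct  2 22:10:03 2006 1 203.0.113.5 48213 /home/mike/public_html/index.php b _ o r mike ftp 0 * c
Mon Oct  2 23:41:07 2006 1 198.51.100.77 1820 /home/mike/public_html/images/mainpage/dhh.swf b _ i r mike ftp 0 * c
Mon Oct  2 23:41:20 2006 1 198.51.100.77 31640 /home/mike/public_html/images/mainpage/r57.php b _ i r mike ftp 0 * c
Tue Oct  3 09:02:55 2006 1 203.0.113.5 5120 /home/mike/public_html/images/logo.gif b _ i r mike ftp 0 * c
"""

# Extensions a mostly static site has no business receiving by upload.
ACTIVE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".pl", ".cgi", ".swf"}


def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 18:
        return None
    when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    return {
        "when": when,
        "host": parts[6],        # remote address of the FTP client
        "size": int(parts[7]),
        "path": parts[8],        # server-side path of the transferred file
        "direction": parts[11],  # 'i' incoming (upload), 'o' outgoing (download)
        "user": parts[13],
        "status": parts[17],     # 'c' complete, 'i' incomplete
    }


def find_active_uploads(log_text):
    """Completed uploads whose file name ends in an active-content extension."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        ext = os.path.splitext(rec["path"])[1].lower()
        if ext in ACTIVE_EXTENSIONS:
            hits.append(rec)
    return hits


def upload_hosts(hits):
    """Count flagged uploads per remote address, to see which sessions to examine."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    flagged = find_active_uploads(SAMPLE_XFERLOG)
    for h in flagged:
        print(h["when"].isoformat(), h["host"], h["user"], h["path"])
    print(upload_hosts(flagged))
```

The useful output is not the file list alone but the remote address and timestamp next to it: an upload of a script from an address the site owner does not recognise, using the owner's own account, points at a stolen password rather than at a flaw in the PHP code.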

#25 michaellunsford
  • Members
  • Advanced Member
  • 1,023 posts
  • Location: Louisiana, USA

Posted 03 October 2006 - 05:30 PM

If it is PHP doing the deed, you might use your ftp program's synchronize feature to see what files are different on the server than on your local machine. That might help find the offending code (since it's probably buried inside an existing PHP page someplace).

Please report back what you find, if anything. I'd also enlist the ISP help. It is highly likely that anyone with the wherewithal to get into your domain would also be able to cover their tracks, but it's worth a look.
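The comparison michaellunsford suggests (your FTP client's synchronize feature) can be done more reliably by hashing both trees, since a file with an injected line keeps its name and often its size. The script below is an added example, not code from the thread: it hashes every regular file under a known-good local copy and under a copy pulled down from the server, including dot-files, and reports what was added, removed or modified. build_demo() constructs two small sample trees in a temporary directory; the file names and contents in it are assumptions.

```python
"""Find files on the server copy that differ from a known-good local copy.

Added example, not code from the thread. Assumes you have a clean local copy
of the site and have downloaded the current server tree somewhere; the two
directory trees in build_demo() are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root (dot-files included)."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(clean_root, server_root):
    """Report files that exist only on the server, only locally, or differ in content."""
    clean, server = hash_tree(clean_root), hash_tree(server_root)
    return {
        "added": sorted(set(server) - set(clean)),      # unknown files: scripts, dot-files
        "missing": sorted(set(clean) - set(server)),    # deleted or renamed on the server
        "modified": sorted(p for p in clean.keys() & server.keys() if clean[p] != server[p]),
    }


def build_demo():
    """Constructed sample: a clean copy and a server copy with one altered page and one extra script."""
    base = Path(tempfile.mkdtemp())
    clean, server = base / "local", base / "server"
    files = {
        "index.php": "<?php include 'header.php'; ?>\n",
        "links.php": '<a href="http://example.org/">Links</a>\n',
        "images/mainpage/logo.gif": "GIF89a placeholder\n",
    }
    for rel, content in files.items():
        for root in (clean, server):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Server-side differences: the links page now points elsewhere, and a script
    # has appeared in an image directory (placeholder content, not a real script).
    (server / "links.php").write_text('<a href="http://redirect.invalid/">Links</a>\n')
    (server / "images/mainpage/r57.php").write_text("<?php /* placeholder for an unknown script */ ?>\n")
    return clean, server


if __name__ == "__main__":
    report = compare_trees(*build_demo())
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run it against a copy of the server tree rather than over FTP directly, so the download can be kept as evidence; anything in "added" that is a script, and anything in "modified" that you did not change yourself, is where to look first.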

#26 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 05:52 PM

Yes it is back.. But there is no file that I see similar to the dhh.swf that was created before... I am still looking but I don't see any .swf file that is new...

So I just redirected the intro page to point to a different page until I figure this out...



#27 JayBachatero
  • Members
  • Advanced Member
  • 296 posts
  • Location: Queens NY

Posted 03 October 2006 - 05:55 PM

Do you have a file upload script somewhere on your site?
JayBachatero
SMF Developer && Converter Specialist

#28 .josh
  • Staff Alumni
  • 14,871 posts

Posted 03 October 2006 - 06:02 PM

or are you using $_GET without checking it?

#29 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 06:06 PM

Actually I move it up directly through Windows Explorer.... and log into the ftp like that..

#30 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 06:12 PM

I searched through every folder and I did find a file called r57.php and when I copied it down to examine it my PC removed a virus called the PHP.RSTBackdoor.

Here is Symantec's description of the threat..
"Opens a back door that allows the attacker to have unauthorized remote access to the compromised computer"

but I still haven't found the file that is redirecting them back to that damn site...

#31 JayBachatero
  • Members
  • Advanced Member
  • 296 posts
  • Location: Queens NY

Posted 03 October 2006 - 06:15 PM

The file is located in /images/mainpage/.  Can you post the contents of the file here?  The PHP file that is.

#32 Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 03 October 2006 - 06:21 PM

Chances are somebody got your password so you better change it.

#33 michaellunsford
  • Members
  • Advanced Member
  • 1,023 posts
  • Location: Louisiana, USA

Posted 03 October 2006 - 06:23 PM

A few more ideas:

First change all of your passwords (mentioned by Daniel0).

If you're connecting from the local coffee house, anyone there has the ability to see your login and password. Check with your host and see if they permit SFTP and how to configure it. If they don't permit it, you might want to switch hosts.

If you're on a shared hosting solution, you can also ask your ISP to switch your server.

And whatever you do, DON'T post the contents of that file here. The last thing we want is to train someone else how to install a root kit.

#34 tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 03 October 2006 - 06:29 PM

Now the more powerful part of the question, how to prevent this from happening again?

I have been very fortunate to not have had this problem yet, but it lurks ominously in the shadows as a very real possibility. The problem is compounded by the fact that no one wants to publicly post how to test your website because some idiot will inevitably use the information to break someone else's. So, the question persists: how do you ensure your website is relatively hacker resistant?


Developer Fusion has several nice articles on security..

I don't think that this was your problem but here is an article on SQL Insertion

Good Luck,
Tom



#35 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 06:31 PM

Yes but it is not physically there anymore.. I have looked 10 times thinking I am overlooking it but it is not there...

There is no dhh.swf file viewable in the images/mainpage/  hmm..

I have already removed it once but the first time I saw it plain as day.. Now it is not visible..


I would never post the contents.. but do you think the backdoor file might have been how they were getting in???

I intend to change all passwords...


#36 michaellunsford
  • Members
  • Advanced Member
  • 1,023 posts
  • Location: Louisiana, USA

Posted 03 October 2006 - 06:33 PM

if you look over the code of the file, it certainly will reveal much of how it works and what it does. How the file got there in the first place is the ten thousand dollar question.

#37 michaellunsford
  • Members
  • Advanced Member
  • 1,023 posts
  • Location: Louisiana, USA

Posted 03 October 2006 - 06:35 PM

Apparently it spawns some more files... Check this out and make sure you kill everything in the list:
http://www.symantec....4217-99&tabid=2

#38 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 06:36 PM

I just found it... It was hidden as a protected operating system file..

So I have deleted the back door php file from the server.. deleted the dhh.swf file from the server and I am going to change my passwords right now..

I guess we can see if this all works.. If not there has got to be some sort of script recreating this file...



#39 Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 03 October 2006 - 06:41 PM

Make sure you use a totally random password - something like: F8hkh8y3ha (even better if there are special characters like !,.-$ etc. in it).

Nothing may be a word in any dictionary forward or backwards. Nothing may be related to you (birthday etc.).
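Daniel0's rules (random characters, no dictionary word forward or backward, nothing personal) can be turned into a generator plus a checker, as in this added example, which is not code from the thread. It draws characters with the secrets module rather than random, and rejects candidates containing any listed word or its reverse. The tiny WORDLIST and the length and character-class thresholds are assumptions standing in for a real dictionary file and a real policy.

```python
"""Generate a random password and check it against simple rules.

Added example, not code from the thread. Assumes a word list is available
(WORDLIST here is a constructed stand-in for a real dictionary file) and a
policy of at least 12 characters from at least three character classes.
"""
import secrets
import string

SYMBOLS = "!,.-$%&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in for a dictionary; a real check would load a word list file.
WORDLIST = {"password", "october", "church", "satan", "admin", "letmein", "welcome"}


def password_is_acceptable(pw, personal=(), words=WORDLIST, min_len=12):
    """True if pw is long enough, mixes character classes, and contains no
    listed word (forward or reversed) and nothing from the personal tuple."""
    if len(pw) < min_len:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SYMBOLS for c in pw),
    )
    if sum(classes) < 3:
        return False
    lowered = pw.lower()
    # Personal data (names, years) is treated exactly like a dictionary word.
    for term in set(words) | {p.lower() for p in personal}:
        if len(term) >= 4 and (term in lowered or term[::-1] in lowered):
            return False
    return True


def generate_password(length=16, personal=()):
    """Draw from the OS CSPRNG until a candidate passes the checks above."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_is_acceptable(candidate, personal=personal, min_len=length):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    for sample in ("Password2006!", "drowssaP2006!", "Kevin1982!!xyz"):
        print(sample, password_is_acceptable(sample, personal=("Kevin", "1982")))
```

The reversed check matters because substitution of a backwards word is a common trick that cracking tools try by default; the personal tuple is where a name, birth year or pet would go so the checker rejects them the same way.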

#40 moneymic313
  • Members
  • Member
  • 16 posts

Posted 03 October 2006 - 06:42 PM

And again.. Thank you to all who took the time to assist me with this.. I know it got off the php subject for a minute but thanks again for your help...





