HACKED** MY SITE REDIRECTS TO THE CHURCH OF SATAN... I NEED TO FIX ASAP!!

[moneymic313]

yes it is back.. But there is no file that I see similar to the dhh.swf that was created before... I am still looking but I dont see any .swf file that is new...

So I just redirected the intro page to point to a different page until I figure this out...

[JayBachatero]

Do you have a file upload script somewhere on your site?

[.josh]

or are you using $_GET without checking it?

[moneymic313]

Actually I move it up directly thru windows Explorer.... and log into the ftp like that..

[moneymic313]

I searched thru every folder and I did find a file called r57.php and when I copied it down to examine it my pc removed a virus called the PHP.RSTBackdoor.

Here is Symantec's description of the threat..
"Opens a back door that allows the attacker to have unauthorized remote access to the compromised computer"

but I still havent found the file that is redirecting them back to that damn site...

[JayBachatero]

The file is located in /images/mainpage/.  Can you post the contents of the file here?  The PHP file that is.

[Daniel0]

Chances are somebody got your password so you better change it.

[michaellunsford]

A few more ideas:

First change all of your passwords (mentioned by Daniel0).

If you're connecting from the local coffee house, anyone there has the ability to see your login and password. Check with your host and see if they permit SFTP and how to configure it. If they don't permit it, you might want to switch hosts.

If you're on a shared hosting solution, you can also ask your ISP to switch your server.

[b]and whatever you do, DON'T post the contents of that file here. the last thing we want is to train someone else how to install a root kit.[/b]

[tomfmason]

[quote author=michaellunsford link=topic=110382.msg446110#msg446110 date=1159893651]
Now the more powerful part of the question, how to prevent this from happening again?

I have been very fortunate to not have had this problem yet, but it lurks ominously in the shadows as a very real possibility. The problem is compounded by the fact that no one wants to publicly post how to test your website because some idiot will inevitably use the information to break someone else's. So, the question persists: how do you ensure your website is relatively hacker resistant?
[/quote]

[url=http://www.developerfusion.co.uk]Developer Fusion[/url] has several nice articles on security..

I don't think that this was your problem but here is an article on [url=http://www.developerfusion.co.uk/show/4656/]Sql Insertion[/url]

Good Luck,
Tom

[moneymic313]

Yes but it is not physically there anymore.. I have looked 10 times thinking I am over looking it but it is not there...

There is no dhh.swf file viewable in the images/mainpage/  hmm..

I have already removed it once but the first time I saw it plain as day.. Now it is not visible..


I would never post the contents.. but do you think the backdoor file might have been how they were getting in???

I intend to change all passwords...

[michaellunsford]

if you look over the code of the file, it certainly will reveal much of how it works and what it does. How the file got there in the first place is the ten thousand dollar question.

[michaellunsford]

Apparently it spawns some more files... Check this out and make sure you kill everything in the list:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-071322-4217-99&tabid=2

[moneymic313]

I just found it... It was hidden as a protected operating system file..

So I have deleted the back door php file from the server.. deleted the dhh.swf file from the server and I am going to change my passwords right now..

I guess we can see if this all works.. If not there has got to be some sore of script recreating this file...

[Daniel0]

Make sure you use a totally random password - something like: F8hkh8y3ha (even better if there are special characters like !,.-$ etc. in it).

Nothing may be a word in any dictionary forward or backwards. Nothing may be ralted to you (birthday etc.).

[moneymic313]

And again.. Thank you to all who took the time to assist me with this.. I know it got off the php subject for a minute but thanks again for your help...

[michaellunsford]

Even the most complex password ever concieved can't defend against packet sniffing. Secure FTP (SFTP) is your friend.

[Daniel0]

But it helps against dictionary attacks, but then there is of course rainbow tables.

[moneymic313]

FYI... Even after I delete dhh.swf some sort of code is recreating the same file in the same place...

[moneymic313]

For now I just edited the dhh.swf and blanked it out and put it back in its place and it is not redirecting anymore.. Hopefully the code will see that the file is in place and not update or replace it.

This will have to work until I find the source of the issue..

[Ninjakreborn]

I know I shouldn't, but this was the funniest post I have ever read in my entire life.

[moneymic313]

Glad you find humor in this BM... But it is actually quite serious..

It recreated the file and replaced my blank file... The redirect is back again..


BM do you have a solution that might help me fix this?????????????????????????????

[michaellunsford]

have you contacted your host's tech support? Perhaps they can see what is making that file over and over again.

[Ninjakreborn]

If you trust me.

Email me your ftp information, I will take a few minutes to find it and fix it for you, but it has to be within the next 45 minutes, I am stopping work here soon, if the ftp works, I can look around see if I can find out what's causing it, that's all I can do.

[moneymic313]

When I check the properties of the dhh.swf file.. it says the below..
ftp://dhh@ftp.detroithiphop.com/httpdocs/images/mainpage/dhh.swf

Does this mean that it is automatically uploading thru FTP?? So to me that would mean that it isnt taking place physically on the server..