[SOLVED] Looks like my server may have been hacked (this is the correct forum, I think)


Clarkey_Boy

Hi,

I need some SERIOUS help with this. I have started making a recipe site. I have made 2 recipes just to test the display recipe function. It worked fine when I first coded it several months ago, then I gave coding a break for a while and came back to it today. When I tested it today, I made a backup before doing any work to the original files as I was altering them quite a bit. I then noticed that, for one of the recipes, it works fine, but for the other one, it comes up with something like the following:

hè?ˆw?Xl�/À}ZÀ}ZXl�psûÞŒTP,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.1.3790.1830"C:\WINDOWS\WinSxS\manifests\x86_Microsoft.Windows.WinHTTP_6595b64144ccf1df_5.1.3790.1830_x-ww_74150EFB.manifestx86_Microsoft.Windows.WinHTTP_6595b64144ccf1df_5.1.3790.1830_x-ww_74150EFBMicrosoft.Windows.Networking.DxmRtpdH

There are LOADS of different characters... at a guess it's about 20000 characters long - about 10 screens long by 8 rows... solid text / characters.

Has anyone come across this before? I also checked the old version of the files, and the same happened there. I checked the database... no text even vaguely similar there... I have NO idea whatsoever about what has happened here. Another thing I noticed was that, every time I refresh the page, the characters change and different phrases appear within the block of writing.

Any help would be great.

Thanks,

RC

It is very unlikely that your website got hacked, provided that you are just starting on it and that it is a site about recipes.
It might have been that one of the files was encoded with Unicode and you're viewing it using an ASCII application.

I have actually had my website for about 18 months now - the recipe site is just a subdirectory within my site. I'll look into that Unicode thing. Surely if it works for one recipe, it should work for another, shouldn't it? (It's the same columns in the database which are filled in for both recipes).

RC

I basically have one page which has some functions in it (such as contents, view recipe etc). I then include this file in all the other pages. The file is called functions.php. I then have another file, which is also included in all the other pages, called variables.php. This file has variables such as sitename (it is called "megabyte" for now - as in megabite...), bgcolor etc. This is so that I can change one variable and it will change site wide. The strange thing, as I have said before, is that it displays half of a recipe, then gives me all that gibberish. That would suggest it is an error in that entry in the database or in the function. It then displays the other recipe perfectly... it's weird. I have kept all the encoding stuff that appears at the beginning of an html file as it is standardly when loading a new page in Dreamweaver.

RC

ps

These are the only 2 lines I can find which I think could possibly be the encoding thing you are talking about:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

The code is as follows:

The view recipe function:

[code]

<?php
function viewrecipe($id, $status)
{
    include "variables.php";
    // $id comes from $_GET["rid"]; force it to an integer before it is placed in the SQL below.
    $id = (int) $id;
    for($recipe = $conn->Execute("SELECT * FROM recipes WHERE ID = $id"); !$recipe->EOF; $recipe->MoveNext())
    {
        $title = $recipe->Fields("title");
        if($status == 1)
        {
            // Full view: ingredients, instructions and comments.
            title($title);
            subtitle("Ingredients");
            echo "<table width=100%>";
            for($counter = 1; $counter <= 10; $counter++)
            {
                $ingredient = $recipe->Fields("ingredient".$counter);
                $amount = $recipe->Fields("amount".$counter);
                $measurement = $recipe->Fields("measure".$counter);
                if($ingredient <> "" && $amount <> "" && $measurement <> "")
                {
                    // Capitalise the first letter of each word in the ingredient name.
                    $ingredient = strtoupper(substr($ingredient, 0, 1)).substr($ingredient, 1, 100);
                    for($counter2 = 0; $counter2 < strlen($ingredient); $counter2++)
                    {
                        if(substr($ingredient, $counter2, 1) == " ")
                        {
                            $ingredient = substr($ingredient, 0, $counter2 + 1).strtoupper(substr($ingredient, $counter2 + 1, 1)).strtolower(substr($ingredient, $counter2 + 2, 255));
                        }
                    }
                    echo "
<tr><td width=5%></td><td width=45%><font style='color:#ffffff'>".$ingredient."</font></td><td width=45%><font style='color:#ffffff'>".$amount.$measurement."</font></td><td width=5%></td></tr>";
                }
            }
            echo "</table>";
            subtitle("Instructions");
            echo "<table width=100%><tr><td width=100%>";
            for($counter = 1; $counter <= 10; $counter++)
            {
                $instruction = $recipe->Fields("instruction".$counter);
                echo $instruction;
            }
            // Close the cell and row opened above before closing the table.
            echo "</td></tr></table>";
            subtitle("Comments");
            for($selectcomments = $conn->Execute("SELECT * FROM comments WHERE recipeid = $id"); !$selectcomments->EOF; $selectcomments->MoveNext())
            {
                echo "<table width=100%>";
                $submitter = $selectcomments->Fields("userid");
                $recipecomment = $selectcomments->Fields("recipeid");
                $comment = "";
                for($counter = 1; $counter <= 10; $counter++)
                {
                    $comment .= $selectcomments->Fields("comment".$counter)->Value;
                }
                // Look up the current user's ID; $username and $password go into the query string unescaped.
                $currentid = null;
                for($selectcurrentuser = $conn->Execute("SELECT * FROM users WHERE username = '$username' AND password = '$password'"); !$selectcurrentuser->EOF; $selectcurrentuser->MoveNext())
                {
                    $currentid = $selectcurrentuser->Fields("ID");
                }
                if($submitter == $currentid)
                {
                    $comment .= "[Edit]";
                }
                echo "<tr><td width=100%><font style='color:#ffffff'>".$comment."</font></td></tr>";
                echo "</table>";
            }
        }
        elseif($status == 0)
        {
            // List view: title only, linked to the full recipe page.
            subtitle("<font style='font-size:25px; color:white'>Recipes</font>");
            $subtitle = "<a href=viewrecipe.php?rid=".$id.">".$title."</a>";
            subtitle($subtitle);
        }
    }
}
?>

[/code]

(There is nothing wrong with any functions used inside this function, such as bodytext() and subtitle().)

The view recipe page (this is different to the function - the functions page is included in this page then the function drawn out of it):

[code]

<?php
session_start();
include "variables.php";
include "functions.php";
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title><?php echo $gamename." - Homepage"; ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor=<?php echo $bgcolor; ?>>
<?php
if(isset($_SESSION["username"]) && isset($_SESSION["password"]))
{
    identifyUser();
}
$page = 5;
$pospage = 5;
$userGroup = $_SESSION["usergroup"];
$loggedIn = $_SESSION["loggedin"];
$colour = "darkblue";
siteheader("Welcome to ".$sitename, $headercolour);
echo "<table width=100%><tr><td width=25%>";
contents($page, $userGroup, $headercolour);
echo "</td><td width=50%>";
if($loggedIn == 1)
{
    $title = "View Recipe";
    title($title);
    $rid = $_GET["rid"];
    viewrecipe($rid, 1);
}
echo "</td><td width=25%>";
if($loggedIn == 0)
{
    login();
    register();
}
echo "</td></tr></table>";
?>
</body>
</html>

[/code]

Looks like somebody posted a bunch of meaningless code as a recipe.
You should do a back trace to see which record contains this gibberish:
viewrecipe.php?rid=1

Looks like recipe id 1.
Open phpMyAdmin and view this record.
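The record trace suggested in the reply above, as an added example that is not part of the original thread: it flags fields holding bytes that do not belong in text served as iso-8859-1, and reads a record twice to see whether its content is stable. The function names, the 255-byte column width and the sample rows are assumptions constructed for illustration.

```php
<?php
// Constructed rows stand in for records from the recipes table; field
// names follow the posted viewrecipe() code.
const MAX_FIELD_LEN = 255; // assumption: widest text column in the schema

// Flag fields that hold control bytes other than tab, LF and CR (not text
// on a page served as iso-8859-1) or that are longer than the column allows.
function suspicious_fields(array $row): array
{
    $hits = [];
    foreach ($row as $name => $value) {
        $value = (string) $value;
        if (strlen($value) > MAX_FIELD_LEN) {
            $hits[$name] = 'length ' . strlen($value) . ' exceeds column width';
        } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x9F]/', $value, $m, PREG_OFFSET_CAPTURE)) {
            $hits[$name] = sprintf('control byte 0x%02X at offset %d', ord($m[0][0]), $m[0][1]);
        }
    }
    return $hits;
}

// Read the same record twice and list the fields whose bytes differ.
// Stored data is stable between reads, so a field that changes is not
// coming from the row itself.
function unstable_fields(callable $fetch): array
{
    $first = $fetch();
    $second = $fetch();
    $changed = [];
    foreach ($first as $name => $value) {
        if ((string) $value !== (string) ($second[$name] ?? '')) {
            $changed[] = $name;
        }
    }
    return $changed;
}

$clean = ['title' => 'Pancakes', 'instruction1' => 'Whisk the eggs and milk.'];
$dirty = ['title' => 'Omelette', 'instruction1' => "Beat the eggs\x00\x14\x90Xl"];
print_r(suspicious_fields($clean));
print_r(suspicious_fields($dirty));

// Constructed fetcher that returns a different trailing byte on each call,
// imitating output that changes on every refresh.
$calls = 0;
$fetch = function () use (&$calls) {
    return ['title' => 'Omelette', 'instruction1' => 'Beat the eggs' . chr(0x80 + $calls++)];
};
print_r(unstable_fields($fetch));
```

If every stored field comes back clean and stable while the rendered page still shows changing bytes, the garbage is being introduced between the database read and the output rather than stored in the table.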

I checked the record. I noticed that, like with the other record, there are amounts and measurements listed which should appear before the sub heading "instructions". For some reason, these details are missed out for id 1 but are there for id 2. Then, it skips on to writing "instructions". If there was an error, "instructions" would not appear, would it? All that gibberish is not ANYWHERE to be seen in the table.

RC

Edit: That's another good point... how could the gibberish be in the table when it changes on every refresh?

Ps I have added another recipe (just put random letters in for all the fields) and that seems to work fine - just id 1 that seems to be gibberish. I could just delete it but I really wanna find out where it comes from so that I can try to prevent it happening again in the future.

Sorry for the double post but...

Just looked through the gibberish and noticed it says "manifests" quite a lot, and gives a mention to the exact location of the view recipe page on the server, and the location "C:/Windows/Win32/rtcres.dll". I know there is a directory, in "C:/Windows/WinSxS", called "manifests" but have no idea what any of it means. It seems to be pointing at quite a few of the files I have in my Windows folder, and 1 from the folder on the server.

RC

ok... weird... I checked it again, and could not find any gibberish in any of the instruction cells. I then typed in the cells and reuploaded the database and it all seems to work fine now. I then went back to the old database and found that, still, I could not find ANY gibberish whatsoever.

Thanks for the help,

RC