desithugg Posted April 4, 2007 Share Posted April 4, 2007 Umm I came home at lunch time from school today and was checking out my website when I saw this hacked page. Saying how i've been hacked by some team. Nothing was deleted,lost or even touched. The only thing is whenever i try to go to a file with .php extention it shows me a hacked page. I did change all my passwords immediatly but i'm not sure how to get rid of that hacked page problem. http://pcaworld.net/site.php?who=saad430 You might have to refresh when your there to see the page, Im not sure but I think he might have messed around with the php installation or something. Quote Link to comment Share on other sites More sharing options...
Caesar Posted April 4, 2007 Share Posted April 4, 2007 Are you using a CMS written in PHP? If so, they likely just used a known exploit in the system you are using. Unless they got access to Apache or your server....they didn't "hack PHP". Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 Umm I'm not sure but i think they got into cPanel where there is some apache handler thing but i don't see aything changed in the extention handler thing. I was just assuming that they did something with the php installation or something because the hacked page only came up with .php extention files. Quote Link to comment Share on other sites More sharing options...
obsidian Posted April 4, 2007 Share Posted April 4, 2007 Does the following mean anything to you? Warning: main(/QueryString.php) [function.main]: failed to open stream: No such file or directory in /home/pcaworld/public_html/SSI.php on line 57 Fatal error: main() [function.require]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pcaworld/public_html/SSI.php on line 57 That's what appears at the bottom of the "hacked" page. Quote Link to comment Share on other sites More sharing options...
Mutley Posted April 4, 2007 Share Posted April 4, 2007 If they got into Cpanel there will be login logs you can check. Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 Does the following mean anything to you? Warning: main(/QueryString.php) [function.main]: failed to open stream: No such file or directory in /home/pcaworld/public_html/SSI.php on line 57 Fatal error: main() [function.require]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pcaworld/public_html/SSI.php on line 57 That's what appears at the bottom of the "hacked" page. nope that doesn't apply to me i havn't made any file like that or anything. Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 If they got into Cpanel there will be login logs you can check. Umm unfortunaly i can't find the logs It does say last logged in by : ip address but that's my ip address i logged in twice (i didn't notice that it showed the ip untill now) Quote Link to comment Share on other sites More sharing options...
obsidian Posted April 4, 2007 Share Posted April 4, 2007 Find this file and open it up: /home/pcaworld/public_html/SSI.php It's apparently the one that's causing the problems by being included into your pages. Not positive, but it's worth a look-see. Notice that the path is absolute from your host root, so you'll want to look in your web root for that file. If it's a legitimate file, figure out what in it is causing problems. Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 Umm I already looked at that there's no such file in my root folder or any other folder well I can't seem to spot it. Quote Link to comment Share on other sites More sharing options...
dough boy Posted April 4, 2007 Share Posted April 4, 2007 Do you have any "new" files that are not yours? I.e. a .htaccess file? They could be using mod_rewrite to redirect someone that goes to any .php page to a page of their choice. What happens when you create a new .php page? Is it immediately "hacked"? Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 Do you have any "new" files that are not yours? I.e. a .htaccess file? They could be using mod_rewrite to redirect someone that goes to any .php page to a page of their choice. What happens when you create a new .php page? Is it immediately "hacked"? Umm I don't see any new files, I did already have a .htaccess page and I looked in all of those already and didn't see any redirection or anything of that type. Umm here something the hacked page only shows up for site.php index.php (i assumed it was every file since it had it on both of them) Umm nevermind wait something else. Well I have a smf (simple machines forum) board installed in public_html and they have a file SSI.php (which you can use to password protect pages) and now I see that all files that had that page included are showing up with that hacked page. I'll check out the content of the SSI.php page and see what's in it Sorry I didn't notice the file earlier just been really stressed latley and now really mad cuz theres weeks of work in there. Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 umm don't see anything unusual in the file however i'll try replacing it the smf site seems to be down temporairly. Quote Link to comment Share on other sites More sharing options...
obsidian Posted April 4, 2007 Share Posted April 4, 2007 What version of SMF are you using? If you haven't updated to the latest, it's quite possible that's where your hole is. Also, unless you've made changes to your SSI, you may be able to just upgrade and let SMF overwrite the SSI file to the newest. Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 I'm using the latest version Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 Il just try re-installing smf than. Quote Link to comment Share on other sites More sharing options...
per1os Posted April 4, 2007 Share Posted April 4, 2007 Check the .htaccess it seems that that could be the problem. Try re-installing if it still shows up that means that they goto your apache and or php system files and changed something there. Probably something that makes all .php extensions point to a certain file. Quote Link to comment Share on other sites More sharing options...
desithugg Posted April 4, 2007 Author Share Posted April 4, 2007 Umm finally got rid of it, I reinstalled smf and it was all good. I'll report to smf just incase there's something in their code. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.