been hacked.

[desithugg]

Umm I came home at lunch time from school today and was checking out my website when I saw this hacked page. Saying how i've been hacked by some team. Nothing was deleted,lost or even touched. The only thing is whenever i try to go to a file with .php extention it shows me a hacked page. I did change all my passwords immediatly but i'm not sure how to get rid of that hacked page problem.

http://pcaworld.net/site.php?who=saad430

You might have to refresh when your there to see the page, Im not sure but I think he might have messed around with the php installation or something.

[Caesar]

Are you using a CMS written in PHP? If so, they likely just used a known exploit in the system you are using. Unless they got access to Apache or your server....they didn't "hack PHP".

[desithugg]

Umm I'm not sure but i think they got into cPanel

where there is some apache handler thing but i don't see aything changed in the extention handler thing. I was just assuming that they did something with the php installation or something because the hacked page only came up with .php extention files.

 

 

[obsidian]

Does the following mean anything to you?

Warning: main(/QueryString.php) [function.main]: failed to open stream: No such file or directory in /home/pcaworld/public_html/SSI.php on line 57

Fatal error: main() [function.require]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pcaworld/public_html/SSI.php on line 57

 

That's what appears at the bottom of the "hacked" page.

[Mutley]

If they got into Cpanel there will be login logs you can check.

[desithugg]

Does the following mean anything to you?

Warning: main(/QueryString.php) [function.main]: failed to open stream: No such file or directory in /home/pcaworld/public_html/SSI.php on line 57

Fatal error: main() [function.require]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pcaworld/public_html/SSI.php on line 57

 

That's what appears at the bottom of the "hacked" page.

nope that doesn't apply to me i havn't made any file like that or anything.

[desithugg]

If they got into Cpanel there will be login logs you can check.

Umm unfortunaly i can't find the logs It does say last logged in by : ip address but that's my ip address i logged in twice (i didn't notice that it showed the ip untill now)

[obsidian]

Find this file and open it up:

/home/pcaworld/public_html/SSI.php

 

It's apparently the one that's causing the problems by being included into your pages. Not positive, but it's worth a look-see. Notice that the path is absolute from your host root, so you'll want to look in your web root for that file. If it's a legitimate file, figure out what in it is causing problems.

[desithugg]

Umm I already looked at that there's no such file in my root folder

or any other folder well I can't seem to spot it.

[dough boy]

Do you have any "new" files that are not yours?  I.e. a .htaccess file?  They could be using mod_rewrite to redirect someone that goes to any .php page to a page of their choice.  What happens when you create a new .php page?  Is it immediately "hacked"?

[desithugg]

Do you have any "new" files that are not yours?  I.e. a .htaccess file?  They could be using mod_rewrite to redirect someone that goes to any .php page to a page of their choice.  What happens when you create a new .php page?  Is it immediately "hacked"?

Umm I don't see any new files, I did already have a .htaccess page and I looked in all of those already and didn't see any redirection or anything of that type.

Umm here something the hacked page only shows up for

site.php

index.php (i assumed it was every file since it had it on both of them)

Umm nevermind wait something else.

Well I have a smf (simple machines forum) board installed in public_html

and they have a file SSI.php (which you can use to password protect pages) and now I see that all files that had that page included are showing up with that hacked page. I'll check out the content of the SSI.php page and see what's in it

 

Sorry I didn't notice the file earlier just been really stressed latley and now really mad cuz theres weeks of work in there.

[desithugg]

umm don't see anything unusual in the file however i'll try replacing it the smf site seems to be down temporairly.

[obsidian]

What version of SMF are you using? If you haven't updated to the latest, it's quite possible that's where your hole is. Also, unless you've made changes to your SSI, you may be able to just upgrade and let SMF overwrite the SSI file to the newest.

[desithugg]

I'm using the latest version

[desithugg]

Il just try re-installing smf than.

[per1os]

Check the .htaccess it seems that that could be the problem.

 

Try re-installing if it still shows up that means that they goto your apache and or php system files and changed something there. Probably something that makes all .php extensions point to a certain file.

[desithugg]

Umm finally got rid of it, I reinstalled smf and it was all good. I'll report to smf just incase there's something in their code.