been hacked.

desithugg · April 4, 2007

Umm I came home at lunch time from school today and was checking out my website when I saw this hacked page. Saying how i've been hacked by some team. Nothing was deleted,lost or even touched. The only thing is whenever i try to go to a file with .php extention it shows me a hacked page. I did change all my passwords immediatly but i'm not sure how to get rid of that hacked page problem.

http://pcaworld.net/site.php?who=saad430

You might have to refresh when your there to see the page, Im not sure but I think he might have messed around with the php installation or something.

Caesar · April 4, 2007

Are you using a CMS written in PHP? If so, they likely just used a known exploit in the system you are using. Unless they got access to Apache or your server....they didn't "hack PHP".

desithugg · April 4, 2007

Umm I'm not sure but i think they got into cPanel

where there is some apache handler thing but i don't see aything changed in the extention handler thing. I was just assuming that they did something with the php installation or something because the hacked page only came up with .php extention files.

obsidian · April 4, 2007

Does the following mean anything to you?

Warning: main(/QueryString.php) [function.main]: failed to open stream: No such file or directory in /home/pcaworld/public_html/SSI.php on line 57

Fatal error: main() [function.require]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pcaworld/public_html/SSI.php on line 57

That's what appears at the bottom of the "hacked" page.

Mutley · April 4, 2007

If they got into Cpanel there will be login logs you can check.

desithugg · April 4, 2007

Does the following mean anything to you?

Warning: main(/QueryString.php) [function.main]: failed to open stream: No such file or directory in /home/pcaworld/public_html/SSI.php on line 57

Fatal error: main() [function.require]: Failed opening required '/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pcaworld/public_html/SSI.php on line 57

That's what appears at the bottom of the "hacked" page.

nope that doesn't apply to me i havn't made any file like that or anything.

desithugg · April 4, 2007

If they got into Cpanel there will be login logs you can check.

Umm unfortunaly i can't find the logs It does say last logged in by : ip address but that's my ip address i logged in twice (i didn't notice that it showed the ip untill now)

obsidian · April 4, 2007

Find this file and open it up:

/home/pcaworld/public_html/SSI.php

It's apparently the one that's causing the problems by being included into your pages. Not positive, but it's worth a look-see. Notice that the path is absolute from your host root, so you'll want to look in your web root for that file. If it's a legitimate file, figure out what in it is causing problems.

desithugg · April 4, 2007

Umm I already looked at that there's no such file in my root folder

or any other folder well I can't seem to spot it.

dough boy · April 4, 2007

Do you have any "new" files that are not yours? I.e. a .htaccess file? They could be using mod_rewrite to redirect someone that goes to any .php page to a page of their choice. What happens when you create a new .php page? Is it immediately "hacked"?

desithugg · April 4, 2007

Do you have any "new" files that are not yours? I.e. a .htaccess file? They could be using mod_rewrite to redirect someone that goes to any .php page to a page of their choice. What happens when you create a new .php page? Is it immediately "hacked"?

Umm I don't see any new files, I did already have a .htaccess page and I looked in all of those already and didn't see any redirection or anything of that type.

Umm here something the hacked page only shows up for

site.php

index.php (i assumed it was every file since it had it on both of them)

Umm nevermind wait something else.

Well I have a smf (simple machines forum) board installed in public_html

and they have a file SSI.php (which you can use to password protect pages) and now I see that all files that had that page included are showing up with that hacked page. I'll check out the content of the SSI.php page and see what's in it

Sorry I didn't notice the file earlier just been really stressed latley and now really mad cuz theres weeks of work in there.

desithugg · April 4, 2007

umm don't see anything unusual in the file however i'll try replacing it the smf site seems to be down temporairly.

obsidian · April 4, 2007

What version of SMF are you using? If you haven't updated to the latest, it's quite possible that's where your hole is. Also, unless you've made changes to your SSI, you may be able to just upgrade and let SMF overwrite the SSI file to the newest.

desithugg · April 4, 2007

I'm using the latest version

desithugg · April 4, 2007

Il just try re-installing smf than.

per1os · April 4, 2007

Check the .htaccess it seems that that could be the problem.

Try re-installing if it still shows up that means that they goto your apache and or php system files and changed something there. Probably something that makes all .php extensions point to a certain file.

desithugg · April 4, 2007

Umm finally got rid of it, I reinstalled smf and it was all good. I'll report to smf just incase there's something in their code.

Sign In

been hacked.

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived

Important Information