Guest (Posted December 21, 2004): Hi, I had a store of mine hacked... basically it said: This site defaced... Some worm something or other.... Both the Admin and Catalog dirs were messed up... I had to upload and overwrite the files in the root of the includes directory and the index.php in the languages/english dir.... My question is... how did this happen, and how do I prevent it from happening again?
Guest (Posted December 21, 2004): Without knowing exactly what it is, it's kind of hard to say whether it was done that way or not. To keep yourself from being hacked, use passwords with many characters, upper/lower case, numbers, extended characters, and harder user names.
Jan Zonjee (Posted December 21, 2004): Not by chance the Santy.A worm? http://news.zdnet.com/2100-1009_22-5499725.html : "The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement. After it has taken over a site, the worm deletes all HTML, PHP, Active Server Pages (ASP), Java Server Pages (JSP), and secure HTML pages, and replaces them with the text 'This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X,' according to Kaspersky. For 'X,' the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th-generation copies of the worm."
tuxlx (Posted December 22, 2004): "how did this happen and how do I prevent it from happening again?" Well, how?
Guest (Posted December 22, 2004): The hack is back, just overnight... NeverEverNoSanity WebWorm generation 18. What can I do to prevent this???
Guest (Posted December 22, 2004): Do a Google search and you'll find it's ALL OVER THE PLACE... surely this has been addressed here?
bobg7 (Posted December 22, 2004): This is from PHPBB.COM:

"Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematic functions include unserialize and realpath. phpBB (along with a great many other scripts, including IPB, vB, etc.) uses these two functions as a matter of course. It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file. We therefore recommend the following:

1) If you maintain your own server, be sure to upgrade to the newest available release of PHP (both versions 4 and 5). Be aware that at this time phpBB 2.0.x has problems functioning under PHP 5 without modification.

2) If you pay for hosting, ensure your hosting provider has upgraded their installation of PHP (again, remember that phpBB 2.0.x and other scripts will not function under PHP 5 without modification).

Please do not submit this PHP issue to our security tracker; it is beyond our control. Fixed versions of PHP do exist and, as above, we encourage you to ensure your system is running such a version. Equally, please examine any 'hacking' issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB). Remember, this is not a phpBB exploit or problem; it's a PHP issue and thus can affect any PHP script which uses the noted functions."
Jan Zonjee (Posted December 22, 2004): http://marc.theaimsgroup.com/?l=bugtraq&m=...65752909029&w=2 : "After checking the phpbb site, it turns out that this is a vulnerability posted the 18th of November, called Hilight; we didn't update to prevent it because the client whose domain it was has their own admin, and we thought he was taking care of phpBB. Oops." The exploit is described here: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 See also Slashdot: http://slashdot.org/index.pl?issue=20041221 "Net Worm Uses Google to Spread"
Guest (Posted December 22, 2004): Just curious as to whether anyone has made the change suggested by the post cited above (http://marc.theaimsgroup.com/?l=bugtraq&m=...65752909029&w=2) on a defaced site, and whether that seems to have solved the problem. The change is: Open viewtopic.php in any text editor. Find the following section of code:

```php
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
	// Split words and phrases
	$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

	for($i = 0; $i < sizeof($words); $i++)
	{
```

and replace it with:

```php
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
	// Split words and phrases
	$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

	for($i = 0; $i < sizeof($words); $i++)
	{
```
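As an added illustration (not part of this thread and not phpBB's code), the following Python emulates the one-line difference in the change above. PHP already URL-decodes the query string once when it fills $HTTP_GET_VARS; the original line then calls urldecode() a second time, so a doubly encoded value such as %2527 arrives as a literal single quote, which htmlspecialchars() in its PHP 4 default mode (ENT_COMPAT) does not encode. The patched line skips the second decode and the value stays as %27. The htmlspecialchars emulation covers only that default mode (& < > and the double quote); the sample inputs are constructed for the demonstration.

```python
from urllib.parse import unquote_plus

# Added example, not phpBB code: emulate PHP 4's htmlspecialchars() default
# (ENT_COMPAT), which encodes & < > and the double quote but NOT the single quote.
def htmlspecialchars(value: str) -> str:
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def php_get_var(raw_query_value: str) -> str:
    """PHP decodes the query string once (percent-escapes and '+') when it
    builds $HTTP_GET_VARS; this models that first decode."""
    return unquote_plus(raw_query_value)


def explode_words(value: str) -> list:
    """explode(' ', trim(...)) as used in viewtopic.php."""
    return value.strip().split(" ")


def highlight_words_original(get_var: str) -> list:
    """Mirror of the original line:
    explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))))
    urldecode() here is a SECOND decode, emulated with unquote_plus."""
    return explode_words(htmlspecialchars(unquote_plus(get_var)))


def highlight_words_fixed(get_var: str) -> list:
    """Mirror of the patched line:
    explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])))"""
    return explode_words(htmlspecialchars(get_var))


def compare(raw_query_value: str) -> dict:
    """Run one raw highlight= value through both versions and report what each passes on."""
    get_var = php_get_var(raw_query_value)
    return {
        "raw": raw_query_value,
        "get_var": get_var,
        "original": highlight_words_original(get_var),
        "fixed": highlight_words_fixed(get_var),
    }


if __name__ == "__main__":
    # Constructed inputs: an ordinary two-word highlight, a doubly encoded
    # single quote, and a doubly encoded '<' (which htmlspecialchars does catch).
    for raw in ("hello%20world", "%2527", "%253C"):
        r = compare(raw)
        print(f"{r['raw']!r:>16} -> $HTTP_GET_VARS {r['get_var']!r:>8} "
              f"original {r['original']!r:<10} fixed {r['fixed']!r}")
```

Run it without arguments to see the three constructed inputs side by side; the only input whose outcome differs between the two versions is the doubly encoded quote, because a single decode is all the web server and PHP perform on the way into $HTTP_GET_VARS.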
Guest (Posted December 22, 2004): Best bet is to go to phpbb.com for answers on phpBB...
Guest (Posted December 22, 2004): "Best bet is to go to phpbb.com for answers on phpBB..." The post I made is about osCommerce, not phpBB... I don't have phpBB installed at this site... just osCommerce... I think the above guys were sharing similar problems... Thanks to all who have shared... now maybe someone has seen this particular worm on osCommerce?
Guest (Posted December 22, 2004): After reading up on that worm, it is supposed to only have an effect on sites with phpBB. Are you on a shared server? Ask your host if other web sites on the server are down. Could be it took over the whole server.
Guest (Posted December 22, 2004): This is other info you need to check on your server: If successful, it copies itself as the file m1h020f. It overwrites files with the following extensions: .asp .htm .jsp .php .phtm .shtm with the following text: "This site is defaced!!! NeverEverNoSanity WebWorm generation X". Once infected, you need to go through your site completely, and there are tons of sites out there infected; a webmaster's nightmare.
e-stim (Posted December 22, 2004): I think the issue is, since the problem is a PHP issue, with phpBB being vulnerable to it, is osCommerce also vulnerable??? Wayne www.e-stim.co.uk
Muaddib (Posted December 23, 2004): Good morning all... I experienced the same problem with osCommerce just the other day. The permissions were set incorrectly on the "mainpage.php" file, which allowed it to be modified by the worm. All other files were A-OK! Of course, these types of issues are bound to happen from time to time. Just make sure you keep frequent backups of your sites and your databases at all times! Good luck! ~Kevin
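A check for the symptoms described in this thread, as an added example that is not part of the original posts and not osCommerce code: it walks a web root, flags files with the worm's listed extensions whose contents carry the defacement text, reports any file named m1h020f, and lists world-writable files (the permission problem Kevin describes on mainpage.php). The sample site it builds for its self-test is constructed here and contains no real store files; the 4 KB read window is an assumption based on the worm overwriting files, so the text sits at the start.

```python
import re
import stat
import tempfile
from pathlib import Path

# Taken from the thread: the defacement text and the dropped file name.
DEFACEMENT_RE = re.compile(rb"This site is defaced!!!|NeverEverNoSanity WebWorm generation \d+")
DROPPED_FILE_NAME = "m1h020f"
# Extensions the thread says the worm overwrites.
WEB_EXTENSIONS = {".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm"}
# Assumption: overwritten files start with the defacement text, so a short read is enough.
READ_WINDOW = 4096


def scan_webroot(root):
    """Return relative paths of defaced, dropped and world-writable files under root."""
    root = Path(root)
    findings = {"defaced": [], "dropped": [], "world_writable": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == DROPPED_FILE_NAME:
            findings["dropped"].append(rel)
        # On a shared host, any other account could overwrite a file with the 'other' write bit set.
        if path.stat().st_mode & stat.S_IWOTH:
            findings["world_writable"].append(rel)
        if path.suffix.lower() in WEB_EXTENSIONS:
            with path.open("rb") as fh:
                head = fh.read(READ_WINDOW)
            if DEFACEMENT_RE.search(head):
                findings["defaced"].append(rel)
    return findings


def build_sample_webroot(root):
    """Constructed sample site for the self-test; none of this is real osCommerce content."""
    root = Path(root)
    files = {
        "index.php": b"This site is defaced!!! NeverEverNoSanity WebWorm generation 18\n",
        "includes/application_top.php": b"<?php\n// clean file\n?>\n",
        "mainpage.php": b"<?php\n// clean, but left world-writable\n?>\n",
        "images/m1h020f": b"opaque payload bytes\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        # Set modes explicitly so the result does not depend on the caller's umask.
        target.chmod(0o666 if rel == "mainpage.php" else 0o644)
    return root


def demo():
    """Build the sample site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    import sys
    # Pass a web root to scan a real site; with no argument, scan the constructed sample.
    result = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths if paths else 'none'}")
```

Run it against the document root of the store after restoring from a known-good backup, and again after a day or two: a clean "defaced" list together with an empty "world_writable" list is the state to aim for, and anything still appearing there points at a file that was either not restored or can still be written by other users on the host.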