actionjackson Posted October 3, 2008

Hi, my site was hacked. I already use the secure login enhancement, but it seems they used it against me somehow. Here is the server log of the attacking IP:

209.234.171.37 - - [03/Oct/2008:05:45:02 -0500] "GET /admin/logoff.php HTTP/1.0" 200 2020 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:05 -0500] "GET /admin/pages.php?action=new_page HTTP/1.0" 302 16293 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:06 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3Faction%3Dnew_page HTTP/1.0" 200 1990 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:10 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=1 HTTP/1.0" 302 375 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:10 -0500] "GET /admin/pages.php?pID=1 HTTP/1.0" 302 22180 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:10 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D1 HTTP/1.0" 200 1980 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:15 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=11 HTTP/1.0" 302 376 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:20 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=16 HTTP/1.0" 302 376 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:26 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=17 HTTP/1.0" 302 376 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:31 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=18 HTTP/1.0" 302 376 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:36 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=2 HTTP/1.0" 302 375 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:41 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=3 HTTP/1.0" 302 375 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:46 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=4 HTTP/1.0" 302 375 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:51 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=6 HTTP/1.0" 302 375 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:56 -0500] "GET /admin/pages.php?pID=1&action=delete_page HTTP/1.0" 302 22211 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:45:56 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D1%26action%3Ddelete_page HTTP/1.0" 200 1999 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:01 -0500] "GET /admin/pages.php?pID=1&action=new_page HTTP/1.0" 302 23416 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:01 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D1%26action%3Dnew_page HTTP/1.0" 200 1996 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:06 -0500] "GET /admin/pages.php?pID=11&action=new_page_preview&read=only HTTP/1.0" 302 14882 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:06 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D11%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2015 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:11 -0500] "GET /admin/pages.php?pID=16&action=new_page_preview&read=only HTTP/1.0" 302 14094 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:11 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D16%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2015 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:16 -0500] "GET /admin/pages.php?pID=17&action=new_page_preview&read=only HTTP/1.0" 302 13774 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:16 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D17%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2015 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:27 -0500] "GET /admin/pages.php?pID=18&action=new_page_preview&read=only HTTP/1.0" 302 12082 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:27 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D18%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2015 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:32 -0500] "GET /admin/pages.php?pID=2&action=new_page_preview&read=only HTTP/1.0" 302 12429 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:32 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D2%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2014 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:37 -0500] "GET /admin/pages.php?pID=3&action=new_page_preview&read=only HTTP/1.0" 302 12296 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:37 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D3%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2014 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:42 -0500] "GET /admin/pages.php?pID=4&action=new_page_preview&read=only HTTP/1.0" 302 12170 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:46:42 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D4%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2014 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:47:22 -0500] "GET /admin/pages.php?pID=6&action=new_page_preview&read=only HTTP/1.0" 302 15300 "-" "ia_archiver"
209.234.171.37 - - [03/Oct/2008:05:47:22 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3FpID%3D6%26action%3Dnew_page_preview%26read%3Donly HTTP/1.0" 200 2014 "-" "ia_archiver"

All they managed to do was disable pages. I have just now installed the Security Pro contrib. Anyway, can anyone tell me of a fix to prevent this from happening?

aj
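To turn the "crawler or attacker?" question into something checkable, here is an added Python example (not part of the original post and not the application's own tooling) that parses Apache combined-format log lines and flags every GET request that hit a state-changing admin action, recording whether the user agent looks like a known crawler. The sample lines are copied from the log above, plus one constructed non-crawler line (IP 198.51.100.7, user agent "Mozilla/5.0") to show the crawler flag flipping; the crawler user-agent list and the set of state-changing action names are assumptions that a site operator would adjust for their own application.

```python
import re
from collections import Counter

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string actions that change state in this admin script. Assumption:
# taken from the action names visible in the log above; extend per application.
STATE_CHANGING = {"setflag", "delete_page"}

# Substrings of well-known crawler user agents (assumption: an allowlist the
# operator maintains; ia_archiver is Alexa's crawler, as the thread notes).
CRAWLER_UA = ("ia_archiver", "Googlebot", "bingbot", "Slurp")

# Sample input: lines copied from the post above, plus one constructed
# non-crawler line at the end (documentation IP, generic browser UA).
SAMPLE_LOG = [
    '209.234.171.37 - - [03/Oct/2008:05:45:02 -0500] "GET /admin/logoff.php HTTP/1.0" 200 2020 "-" "ia_archiver"',
    '209.234.171.37 - - [03/Oct/2008:05:45:05 -0500] "GET /admin/pages.php?action=new_page HTTP/1.0" 302 16293 "-" "ia_archiver"',
    '209.234.171.37 - - [03/Oct/2008:05:45:06 -0500] "GET /admin/login.php?refer=%2Fadmin%2Fpages.php%3Faction%3Dnew_page HTTP/1.0" 200 1990 "-" "ia_archiver"',
    '209.234.171.37 - - [03/Oct/2008:05:45:10 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=1 HTTP/1.0" 302 375 "-" "ia_archiver"',
    '209.234.171.37 - - [03/Oct/2008:05:45:10 -0500] "GET /admin/pages.php?pID=1 HTTP/1.0" 302 22180 "-" "ia_archiver"',
    '209.234.171.37 - - [03/Oct/2008:05:45:15 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=11 HTTP/1.0" 302 376 "-" "ia_archiver"',
    '209.234.171.37 - - [03/Oct/2008:05:45:56 -0500] "GET /admin/pages.php?pID=1&action=delete_page HTTP/1.0" 302 22211 "-" "ia_archiver"',
    '198.51.100.7 - - [03/Oct/2008:09:12:40 -0500] "GET /admin/pages.php?action=setflag&flag=0&pID=2 HTTP/1.1" 302 375 "-" "Mozilla/5.0"',
]


def parse(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def action_of(path):
    """Return the value of the 'action' query parameter in a request path, or None."""
    if "?" not in path:
        return None
    for pair in path.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == "action":
            return value
    return None


def triage(lines, admin_prefix="/admin/"):
    """Flag GET requests that hit a state-changing action under the admin prefix.

    Each finding keeps the evidence a responder needs: source IP, timestamp,
    action, full path, HTTP status, and whether the UA matched a known crawler.
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(admin_prefix):
            continue
        action = action_of(rec["path"])
        if action in STATE_CHANGING and rec["method"] == "GET":
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "action": action,
                "path": rec["path"],
                "status": int(rec["status"]),
                "crawler": any(c in rec["ua"] for c in CRAWLER_UA),
            })
    return findings


def summarize(findings):
    """Count state-changing GETs per (ip, action, crawler?) so the pattern is visible at a glance."""
    return dict(Counter((f["ip"], f["action"], f["crawler"]) for f in findings))


if __name__ == "__main__":
    for key, n in summarize(triage(SAMPLE_LOG)).items():
        print(key, n)
```

Run over the full log this reports every setflag and delete_page hit coming from one IP with the ia_archiver user agent, which is the crawler reading the page's own links; a second IP with a browser UA doing the same thing would show up as a separate, non-crawler row. Either way the underlying finding is the same: a GET without a session was able to reach a state-changing action.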
php_Guy Posted October 3, 2008

Install all of these mods.

You might also try putting an .htaccess file in your admin directory:

# Deny access to everyone except for my IP
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

where xx.xx.xx.xx is your IP.
germ Posted October 3, 2008

It's not a "hack". It's the Alexa crawler. :huh:

Alexa Webmaster Info

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
actionjackson Posted October 3, 2008 (Author)

> It's not a "hack". It's the Alexa crawler. :huh: Alexa Webmaster Info

Must be a hack. Certain pages have been disabled. This has happened for two days in a row now. Each time I re-enable the pages, and then the next day the pages are disabled again. Besides, look at the info in the log: "/admin/pages.php?action=setflag&flag=0&pID=4" etc.

aj
actionjackson Posted October 3, 2008 (Author)

> Install all of these mods. You might also try putting an .htaccess file in your admin directory:
>
> # Deny access to everyone except for my IP
> Order Deny,Allow
> Deny from all
> Allow from xx.xx.xx.xx
>
> where xx.xx.xx.xx is your IP.

Hi, thanks for the great info, I will use all of it.

aj
germ Posted October 3, 2008

Think what you want. <_< The IP address and the user agent say it's Alexa.

The big question is: how is it that your admin isn't requiring a login? :unsure:
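One code pattern that produces exactly what the log above shows, given as an added illustration in Python rather than the site's PHP (it is not the application's code and not a diagnosis of this particular install): the action handler runs before the login check, so an anonymous GET to ?action=setflag changes the flag and is only then redirected. In the log, each setflag request got a 302 of a few hundred bytes and the crawler's next request was pages.php?pID=1, i.e. it was sent back to the page, whereas plain page views were sent to login.php. The hardened version below checks the session first and accepts a state change only over POST with a per-session token, which a link-following crawler never sends. The request model, the in-memory page store, and the token field name are constructed for the example.

```python
import hmac
import secrets


class Request:
    """Minimal request model (constructed for the example)."""

    def __init__(self, method, params, session=None):
        self.method = method            # "GET" or "POST"
        self.params = params            # query-string or form fields
        self.session = session or {}    # empty dict = no login cookie


def fresh_pages():
    """A small page table in the shape the admin script edits (constructed)."""
    return {
        1: {"title": "Home", "enabled": True},
        2: {"title": "About", "enabled": True},
    }


def set_flag(pages, pid, flag):
    """The actual state change: flag=0 disables a page, anything else enables it."""
    pages[pid]["enabled"] = bool(int(flag))


def vulnerable_dispatch(req, pages):
    """Action first, login check second: the ordering bug.

    An anonymous GET ?action=setflag&flag=0&pID=1 changes the row and is
    redirected back to the page, which is where the login check finally fires.
    """
    action = req.params.get("action")
    if action == "setflag":
        set_flag(pages, int(req.params["pID"]), req.params["flag"])
        return 302, "/admin/pages.php?pID=" + req.params["pID"]
    if "admin_id" not in req.session:
        return 302, "/admin/login.php"
    return 200, "page list"


def hardened_dispatch(req, pages):
    """Login check before any action; state changes only via POST + CSRF token."""
    if "admin_id" not in req.session:
        return 302, "/admin/login.php"     # nothing below runs anonymously
    action = req.params.get("action")
    if action == "setflag":
        if req.method != "POST":
            return 405, "state change requires POST"   # crawlers only send GET
        token = req.params.get("token", "")
        expected = req.session.get("csrf_token", "")
        if not expected or not hmac.compare_digest(token.encode(), expected.encode()):
            return 403, "bad or missing CSRF token"
        set_flag(pages, int(req.params["pID"]), req.params["flag"])
        return 302, "/admin/pages.php?pID=" + req.params["pID"]
    return 200, "page list"


def new_session(admin_id):
    """Session created at login; the token is what the admin's own forms carry."""
    return {"admin_id": admin_id, "csrf_token": secrets.token_hex(16)}


if __name__ == "__main__":
    crawler = Request("GET", {"action": "setflag", "flag": "0", "pID": "1"})
    pages = fresh_pages()
    print(vulnerable_dispatch(crawler, pages), pages[1]["enabled"])
    pages = fresh_pages()
    print(hardened_dispatch(crawler, pages), pages[1]["enabled"])
```

The POST-plus-token requirement matters even after the login check is fixed: a logged-in admin whose browser prefetches links, or who is lured onto a page that embeds the setflag URL in an image tag, would otherwise trigger the same state change with a valid session.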
php_Guy Posted October 3, 2008

> Must be a hack. Certain pages have been disabled. This has happened for two days in a row now. Each time I re-enable the pages, and then the next day the pages are disabled again. Besides, look at the info in the log: "/admin/pages.php?action=setflag&flag=0&pID=4" etc.
>
> aj

It's very possible that Alexa is just a benign crawler, as it appears, and that you got hacked by someone else during the same time frame. Keep in mind that not all hacks will appear in your logs. If someone runs a password cracker on your admin they can potentially come up with your password fairly quickly. Running a program like that on your admin password will go undetected by the system, so they could also run it as long as it takes. An .htpasswd, on the other hand, will get the hacker's IP banned (on a properly configured server) after x number of attempts. That .htaccess script should keep them from even being able to attempt a login, though.
arietis Posted October 3, 2008

You can also use the robots.txt file to tell all the search engines not to bother indexing your admin pages. There's no need for that. The link that jim referenced has information on doing that, and there are lots of other resources available on the robots.txt file.

But better yet, change the name of your admin folder to something that only you know about. That will keep out the crawlers as well as the hackers.
actionjackson Posted October 5, 2008 (Author)

> It's very possible that Alexa is just a benign crawler, as it appears, and that you got hacked by someone else during the same time frame. Keep in mind that not all hacks will appear in your logs. If someone runs a password cracker on your admin they can potentially come up with your password fairly quickly. Running a program like that on your admin password will go undetected by the system, so they could also run it as long as it takes. An .htpasswd, on the other hand, will get the hacker's IP banned (on a properly configured server) after x number of attempts. That .htaccess script should keep them from even being able to attempt a login, though.

Thanks very much for the info. I have taken every step and installed all security contribs.

aj
actionjackson Posted October 5, 2008 (Author)

> Think what you want. <_< The IP address and the user agent say it's Alexa. The big question is: how is it that your admin isn't requiring a login? :unsure:

I have always been using the secure login contrib. Now I have also added .htpassword and a bunch of other stuff. Thanks for all the assistance.

aj
actionjackson Posted October 5, 2008 (Author)

> It's very possible that Alexa is just a benign crawler, as it appears, and that you got hacked by someone else during the same time frame. Keep in mind that not all hacks will appear in your logs. If someone runs a password cracker on your admin they can potentially come up with your password fairly quickly. Running a program like that on your admin password will go undetected by the system, so they could also run it as long as it takes. An .htpasswd, on the other hand, will get the hacker's IP banned (on a properly configured server) after x number of attempts. That .htaccess script should keep them from even being able to attempt a login, though.

One more thing. You said "If someone runs a password cracker on your admin". I use the secure login contrib, which uses the MySQL PASSWORD() function to encrypt the password, so how is it still possible to crack the password?

aj
Dennisra Posted October 5, 2008

First of all, change the name of your "admin" folder.
♥Vger Posted October 5, 2008

> One more thing. You said "If someone runs a password cracker on your admin". I use the secure login contrib, which uses the MySQL PASSWORD() function to encrypt the password, so how is it still possible to crack the password?

Password crackers run at a blistering rate, thousands of times per minute, trying random combinations of letters and numbers until they hit the right combination. An admin login which is secured by an entry in the database does nothing to prevent the password cracker from running.

As someone has already told you, if you protect the whole of the 'admin' folder with .htaccess protection using the Password or Directory Protect function in your web hosting control panel, then on a properly secured server it will recognise the hack attempt and automatically block the IP address from the whole server. This will not happen if you independently upload your own .htaccess files. They must be generated by the server using the Password or Directory Protection feature.

Before protecting the 'admin' folder it should be renamed to something unique (not admin2 or newadmin) and your admin/includes/configure.php file edited to match the new name. The name of the 'admin' folder should not be added to a robots.txt file, because that just tells the hackers the name of it.

Vger