germ Posted August 23, 2010

I came across a "Youtube like" hack this past weekend that spans thousands of sites. I'm not too sure of the real purpose of the hack. It creates links on g00gle to Youtube like pages. At least I don't think they link to real Youtube pages. It might be a fake site that tries to load malware on your PC. I didn't click the link to find out (call me "chicken" if you like :P ).

Details of the hack that I have come across:

1. Seems to affect RC version sites where the admin hasn't been renamed and the admin isn't protected by a .htaccess file. Most likely victims of the "admin vulnerability" hack.
2. Creates these folders in the /catalog/images folder:
   .cch/
   .news/
   Hidden folders full of html files used in the hack.
3. Other files I have found in most infected sites in the /catalog/images folder:
   news.php (hacker code)
   news.txt (record of g00glebot hits)
   news.dot (displays youtube like page)
   page.php (hacker code)
   sitemap.php (hacker code)
   .sys.php (hacker code)
   sites.txt (list of around 150 to 170 infected sites)
   style.css (stylesheet used in the hack)
   key.txt (key phrase list that appears on g00gle, like "Hot Video: <phrase here>")
   load.swf (swf file used in the hack)

It's been going on for at least a week. Most of the sites I visited where I could see the dates on the files, they were Aug. 15th of this year. This would seem to be another affirmation to rename your admin and shelter it with a .htaccess file.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
germ Posted August 28, 2010 (Author)

An update. I believe the purpose of the hack is to load malware on your PC. It's probably been going on for a while. I noticed on one of the infected sites the sites.txt file has been modified in the last couple of days. The hack makes links that look like this on g00gle:

Hot Video: <keyword here>
www.site.com/catalog/images/news.php?page=<keyword here>

Hot Video: <keyword here>
www.site.com/catalog/images/page.php?page=<keyword here>

So if you're a Youtube (or other video) aficionado look at that link closely before you click it. If it links to a PHP file in someone's images folder you might get more than you asked for... :-"
germ Posted August 28, 2010 (Author)

Looks as if I'm a few months behind the curve.... :blush:

Scores of spoofed youtube pages lead to malware (Posted June 09, 2010)
tle Posted October 9, 2010

> Looks as if I'm a few months behind the curve.... :blush: Scores of spoofed youtube pages lead to malware (Posted June 09, 2010)

Hi.. This has happened to my site! I have found hidden directories in the images folder: .cch .news .lost .view. I have tried to delete them but they keep coming back. I have also found some of the other files that you have mentioned and have since removed them. I've also changed passwords and tried changing permissions, but they are still able to get in. No idea how they are doing it. What else can I do to kill this hack?
germ Posted October 9, 2010 (Author)

Just deleting the files does nothing to fix the security shortfall that allows it to happen in the first place. Visit the link below:

How to Secure Your Site

Pay close attention to "SECURING THE ADMIN" - yours is probably vulnerable. All the stores I've seen with this hack have suffered from the "admin vulnerability".
Belsh Posted October 22, 2010

> Just deleting the files does nothing to fix the security shortfall that allows it to happen in the first place. Visit the link below: How to Secure Your Site. Pay close attention to "SECURING THE ADMIN" - yours is probably vulnerable. All the stores I've seen with this hack have suffered from the "admin vulnerability".

I've installed all the security fixes but .news and .cch keep returning and images slowly build up in them. I must be missing a rogue file somewhere that repopulates these folders?
germ Posted October 22, 2010 (Author)

There is more to security than installing add-ons. You should:

1. Remove /admin/file_manager.php and /admin/define_language.php
2. Rename the admin and protect it with a .htaccess file.
3. Be sure no folder on the site has permissions higher than 755
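A triage script for the three checks above and for the indicators listed in the opening post, added here as an example; it is not code from the thread or from any store package. It assumes a store laid out like the one in the thread (a catalog/images folder and an admin folder that may have been renamed), and the tree it builds for the demo is constructed sample data.

```python
import stat
import tempfile
from pathlib import Path

# Names the thread reports under /catalog/images on infected stores.
INDICATOR_DIRS = {".cch", ".news", ".lost", ".view"}
INDICATOR_FILES = {"news.php", "news.txt", "news.dot", "page.php", "sitemap.php",
                   ".sys.php", "sites.txt", "style.css", "key.txt", "load.swf"}
# Admin scripts the thread says to remove; the admin folder itself may have been renamed,
# so they are looked for in every directory rather than at a fixed path (assumption).
RISKY_ADMIN_SCRIPTS = {"file_manager.php", "define_language.php"}
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5"}
MAX_DIR_MODE = 0o755  # the thread's rule: no folder above 755


def scan_store(root):
    """Return a dict of findings for a store rooted at `root` (assumed layout: root/catalog/images)."""
    root = Path(root)
    f = {"indicator_dirs": [], "indicator_files": [], "scripts_in_images": [],
         "other_hidden_dirs": [], "over_permissive_dirs": [], "risky_admin_scripts": []}
    images = root / "catalog" / "images"
    if images.is_dir():
        for p in images.rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_dir():
                if p.name in INDICATOR_DIRS:
                    f["indicator_dirs"].append(rel)
                elif p.name.startswith("."):
                    f["other_hidden_dirs"].append(rel)  # not in the thread's list, still worth a look
                continue
            if p.name in INDICATOR_FILES:
                f["indicator_files"].append(rel)
            if p.suffix.lower() in SCRIPT_SUFFIXES:
                f["scripts_in_images"].append(rel)  # an images folder has no business serving PHP
    for d in [root, *root.rglob("*")]:
        if not d.is_dir():
            continue
        mode = stat.S_IMODE(d.stat().st_mode)
        if mode & ~MAX_DIR_MODE:  # any bit outside rwxr-xr-x, e.g. 775 or 777
            f["over_permissive_dirs"].append((d.relative_to(root).as_posix(), oct(mode)))
        for name in RISKY_ADMIN_SCRIPTS:
            if (d / name).is_file():
                f["risky_admin_scripts"].append((d / name).relative_to(root).as_posix())
    for key in f:
        f[key].sort()
    return f


def build_sample_store(base):
    """Constructed sample tree (not real data) reproducing what the thread describes."""
    base = Path(base)
    images = base / "catalog" / "images"
    (images / ".cch").mkdir(parents=True)
    (images / ".news").mkdir()
    (images / "news.php").write_text("<?php /* constructed placeholder, not the real file */ ?>")
    (images / "sites.txt").write_text("store-one.example\nstore-two.example\n")
    (images / "logo.gif").write_bytes(b"GIF89a")  # a legitimate image, must not be flagged
    admin = base / "catalog" / "admin_renamed"    # renamed admin that still carries file_manager.php
    admin.mkdir()
    (admin / "file_manager.php").write_text("<?php ?>")
    for d in base.rglob("*"):
        if d.is_dir():
            d.chmod(0o755)
    images.chmod(0o777)  # the one folder above 755
    return base


def demo():
    """Build the sample store in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as td:
        return scan_store(build_sample_store(td))


if __name__ == "__main__":
    for key, hits in demo().items():
        print(f"{key}: {hits}")
```

Run it against a store's web root (or a downloaded copy of it) in place of the constructed tree; anything it reports under scripts_in_images or risky_admin_scripts is what the thread says to remove, and over_permissive_dirs is what to chmod back to 755.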
Belsh Posted October 23, 2010

> There is more to security than installing add-ons. You should: 1. Remove /admin/file_manager.php and /admin/define_language.php 2. Rename the admin and protect it with a .htaccess file. 3. Be sure no folder on the site has permissions higher than 755

Done all that, fella, and it's still happening; got .htaccess files in nearly every folder now. Does this look right?

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
#The next line modified by DenyIP
order allow,deny
#The next line modified by DenyIP
#deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName ninjagamer.co.uk
<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 216.129.119.10
# filter for most common exploits
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
# ban spam bots
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:[email protected] [OR]
RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
# <Files> matches the file name only, never a path; the original "includes\configure.php$"
# treated \c as a regex control-character escape and so never matched anything.
<Files ~ "^configure\.php$">
deny from all
</Files>
<Files site>
ForceType application/x-httpd-php
</Files>
<Limit GET PUT POST>
order allow,deny
# ban domains
deny from .br.geocities.com
# ban entire country ~ Turkey
deny from 62.29.0.0/17
deny from 62.56.128.0/22
deny from 62.85.128.0/19
deny from 62.108.64.0/19
deny from 62.113.0.0/19
deny from 62.184.58.0/27
deny from 62.185.166.64/26
deny from 62.184.178.96/29
deny from 62.186.77.0/26
deny from 62.201.192.0/18
deny from 62.229.128.0/24
deny from 62.229.130.0/24
deny from 62.244.192.0/18
deny from 62.248.0.0/17
deny from 64.18.138.0/24
deny from 64.28.128.0/20
deny from 65.182.7.0/24
deny from 66.178.5.0/24
deny from 66.178.52.0/24
deny from 66.205.36.0/22
deny from 69.30.204.0/23
deny from 80.71.128.0/20
deny from 80.88.138.224/27
deny from 80.88.141.160/27
deny from 80.251.0.0/20
deny from 80.251.32.0/20
deny from 81.6.64.0/18
deny from 81.8.0.0/17
deny from 81.21.160.0/20
deny from 81.22.97.0/24
deny from 81.31.193.224/29
deny from 81.31.195.112/29
deny from 81.31.195.136/29
deny from 81.31.195.216/30
deny from 81.31.196.172/30
deny from 81.31.197.16/29
deny from 81.31.197.64/30
deny from 81.31.197.128/30
deny from 81.31.198.152/29
deny from 81.31.198.216/29
deny from 81.31.199.72/29
deny from 81.31.199.140/30
deny from 81.31.199.160/29
deny from 81.31.200.64/29
deny from 81.31.200.76/30
deny from 81.212.0.0/14
deny from 82.145.224.0/19
deny from 82.151.128.0/19
deny from 82.222.0.0/16
deny from 83.66.0.0/16
deny from 83.166.48.0/28
deny from 84.11.37.192/26
deny from 84.17.64.0/19
deny from 84.44.0.0/17
deny from 84.51.0.0/18
deny from 85.96.0.0/12
deny from 85.153.0.0/16
deny from 85.158.96.0/21
deny from 85.159.64.0/21
deny from 85.235.64.0/24
deny from 86.108.128.0/17
Deny from 88.240.0.0/16
deny from 139.179.0.0/16
deny from 144.122.0.0/16
deny from 155.223.0.0/16
deny from 160.75.0.0/16
deny from 161.9.0.0/16
deny from 168.139.0.0/16
deny from 192.70.133.0/23
deny from 192.129.87.0/24
deny from 192.160.21.0/24
deny from 193.23.156.0/24
deny from 193.25.124.0/23
deny from 193.41.2.0/23
deny from 193.42.216.0/24
deny from 193.95.0.0/17
deny from 193.108.213.0/24
deny from 193.109.134.0/23
deny from 193.110.170.0/23
deny from 193.110.208.0/21
deny from 193.140.0.0/16
deny from 193.178.218.0/24
deny from 193.188.198.0/23
deny from 193.192.96.0/19
deny from 193.201.149.192/26
deny from 193.201.157.0/25
deny from 193.218.113.0/24
deny from 193.218.200.0/24
deny from 193.219.208.0/30
deny from 193.220.68.0/24
deny from 193.243.192.0/19
deny from 193.254.228.0/23
deny from 193.254.252.0/23
deny from 193.255.0.0/16
deny from 194.9.174.0/24
deny from 194.24.224.0/23
deny from 194.27.0.0/16
deny from 194.29.208.0/21
deny from 194.54.32.0/19
deny from 194.67.205.0/23
deny from 194.69.206.0/24
deny from 194.117.97.172/30
deny from 194.117.110.80/28
deny from 194.117.113.72/30
deny from 194.117.114.4/30
deny from 194.117.118.40/30
deny from 194.117.119.4/32
deny from 194.117.119.18/32
deny from 194.117.119.20/32
deny from 194.117.119.22/32
deny from 194.117.119.24/32
deny from 194.117.119.27/32
deny from 194.117.119.34/32
deny from 194.117.119.53/32
deny from 194.117.119.55/32
deny from 194.117.119.58/32
deny from 194.117.119.61/32
deny from 194.117.119.73/32
deny from 194.117.119.76/32
deny from 194.117.119.80/32
deny from 194.117.119.86/32
deny from 194.117.119.93/31
deny from 194.117.119.96/32
deny from 194.117.119.99/31
deny from 194.117.119.108/32
deny from 194.117.120.15/32
deny from 194.117.120.114/32
deny from 194.117.120.233/32
deny from 194.117.121.30/32
deny from 194.117.121.70/32
deny from 194.117.121.96/32
deny from 194.117.121.101/32
deny from 194.117.121.168/32
deny from 194.117.121.192/31
deny from 194.117.121.217/32
deny from 194.125.232.0/22
deny from 194.126.230.0/24
deny from 194.133.65.0/24
deny from 194.133.160.0/20
deny from 194.133.240.0/23
deny from 194.133.251.0/24
deny from 194.133.253.0/28
deny from 194.133.255.0/24
deny from 194.242.32.0/24
deny from 195.8.109.0/24
deny from 195.33.192.0/18
deny from 195.39.224.0/23
deny from 195.46.128.0/19
deny from 195.49.216.0/21
deny from 195.64.128.0/18
deny from 195.74.32.0/19
deny from 195.75.202.0/26
deny from 195.75.202.128/25
deny from 195.75.222.0/28
deny from 195.75.222.24/29
deny from 195.75.222.160/27
deny from 195.75.236.0/28
deny from 195.75.236.96/29
deny from 195.75.236.112/28
deny from 195.75.238.0/25
deny from 195.79.199.192/29
deny from 195.79.204.192/27
deny from 195.85.242.0/24
deny from 195.85.255.0/24
deny from 195.87.0.0/16
deny from 195.112.128.0/19
deny from 195.112.160.16/30
deny from 195.112.166.12/30
deny from 195.112.166.52/30
deny from 195.112.166.60/30
deny from 195.112.166.68/29
deny from 195.112.166.80/30
deny from 195.128.32.0/21
deny from 195.128.254.0/23
deny from 195.137.222.0/23
deny from 195.140.196.0/22
deny from 195.142.0.0/16
deny from 195.149.85.0/24
deny from 195.149.116.0/24
deny from 195.155.0.0/16
deny from 195.174.0.0/15
deny from 195.177.206.0/23
deny from 195.177.230.0/23
deny from 195.183.236.192/26
deny from 195.212.230.0/24
deny from 195.212.244.8/29
deny from 195.213.69.144/28
deny from 195.214.128.0/18
deny from 195.234.165.0/24
deny from 195.242.122.0/23
deny from 195.244.32.0/19
deny from 195.245.227.0/24
deny from 195.254.128.0/19
deny from 196.3.132.0/20
deny from 196.29.64.0/19
deny from 196.32.32.0/19
deny from 196.203.0.0/16
deny from 199.89.210.0/24
deny from 200.3.176.0/21
deny from 200.9.216.0/24
deny from 200.108.0.0/19
deny from 201.238.64.0/18
deny from 209.94.192.0/19
deny from 212.2.192.0/19
deny from 212.12.128.0/19
deny from 212.15.0.0/19
deny from 212.21.197.240/29
deny from 212.29.64.0/18
deny from 212.31.0.0/19
deny from 212.33.0.0/19
deny from 212.45.64.0/19
deny from 212.48.224.0/19
deny from 212.50.32.0/19
deny from 212.57.0.0/19
deny from 212.58.0.0/19
deny from 212.63.170.168/30
deny from 212.63.172.212/30
deny from 212.63.172.224/30
deny from 212.63.180.0/30
deny from 212.63.180.8/30
deny from 212.63.180.16/30
deny from 212.63.180.28/30
deny from 212.63.180.40/29
deny from 212.63.180.56/30
deny from 212.63.180.68/30
deny from 212.63.180.84/30
deny from 212.63.180.92/30
deny from 212.63.180.108/29
deny from 212.63.180.120/29
deny from 212.63.180.200/30
deny from 212.64.192.0/19
deny from 212.65.128.0/19
deny from 212.79.96.0/22
deny from 212.79.122.0/23
deny from 212.98.0.0/19
deny from 212.98.192.0/18
deny from 212.101.96.0/19
deny from 212.108.128.0/19
deny from 212.109.96.0/19
deny from 212.109.224.0/19
deny from 212.115.0.0/19
deny from 212.125.0.0/19
deny from 212.127.96.0/19
deny from 212.133.128.0/17
deny from 212.146.128.0/17
deny from 212.154.0.0/17
deny from 212.156.0.0/16
deny from 212.174.0.0/15
deny from 212.252.0.0/15
deny from 213.14.0.0/16
deny from 213.31.190.48/28
deny from 213.31.223.144/28
deny from 213.43.0.0/16
deny from 213.62.14.64/26
deny from 213.62.40.192/26
deny from 213.74.0.0/16
deny from 213.138.0.0/19
deny from 213.139.192.0/18
deny from 213.143.224.0/19
deny from 213.144.96.0/19
deny from 213.148.64.0/19
deny from 213.150.160.0/19
deny from 213.153.128.0/17
deny from 213.155.96.0/19
deny from 213.159.32.0/19
deny from 213.161.128.0/19
deny from 213.181.38.192/26
deny from 213.186.128.0/19
deny from 213.194.64.0/18
deny from 213.202.0.0/19
deny from 213.204.64.0/18
deny from 213.208.3.192/29
deny from 213.208.39.0/24
deny from 213.209.169.144/29
deny from 213.232.0.0/18
deny from 213.236.32.0/19
deny from 213.238.128.0/18
deny from 213.243.0.0/18
deny from 213.248.128.0/18
deny from 213.254.128.0/19
deny from 216.139.188.192/27
deny from 217.17.144.0/20
deny from 217.21.68.0/22
deny from 217.23.110.96/27
deny from 217.31.224.0/19
deny from 217.64.144.0/20
deny from 217.64.208.0/20
deny from 217.68.208.0/20
deny from 217.77.241.113/32
deny from 217.77.241.218/32
deny from 217.77.242.169/32
deny from 217.77.246.192/30
deny from 217.131.0.0/16
deny from 217.138.38.248/29
deny from 217.169.192.0/20
deny from 217.173.157.128/28
deny from 217.173.157.192/27
deny from 217.173.158.64/27
deny from 217.174.32.0/20
deny from 217.174.224.0/20
deny from 217.194.135.160/28
deny from 217.195.192.0/20
# Ban a few extra ips
deny from 81.169.137.114
deny from 74.53.46.98
deny from 75.126.134.16
deny from 203.194.159.159
deny from 203.196.161.116
deny from 201.72.166.36
deny from 212.65.64.19
deny from 212.12.114.142
deny from 212.241.213.57
deny from 219.95.39.53
deny from 209.200.253.165
deny from 201.72.166.36
deny from 213.203.223.25
deny from 66.249.67.86
deny from 200.140.15.3
deny from 83.11.204.75
deny from 83.11.202.74
deny from 83.11.241.28
deny from 83.240.152.23
deny from 83.217.84.73
deny from 83.145.82.134
deny from 85.108.245.115
deny from 61.222.92.150
deny from 24.83.72.98
deny from 59.94.170.4
allow from all
</Limit>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
germ Posted October 23, 2010 (Author)

Denying users by IP address because of a security flaw is only temporary at best. You really need to fix the leak. My only guesses would be either you've missed some hack code somewhere, or at least one of your passwords has been compromised (.htaccess, admin, FTP, cPanel). And if you have a keylogging trojan on the PC you use to make changes, just changing passwords won't work (obviously). Security, like a chain, is only as strong as the weakest link. :blush:
Belsh Posted October 24, 2010

I've just found this in my index page, could this be the problem?

<meta name="WT.seg_1" content="GS" />
<meta name="WT.sp" content="GS" />
<meta name="WT.sv" content="172.20.202.33" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

Thanks for all your help.
germ Posted October 24, 2010 (Author)

I doubt it. While it does appear somewhat strange to me (never seen a meta tag with an IP address in it before) I don't think it's a hack. I put that code in a test page on the site I manage and suffered no ill effects accessing the page.
Belsh Posted October 24, 2010

It's not something I added. The index page it was in was a simple HTML page in the public html folder with links to our store and forum; that code had been added, along with a load of links to xxx sites that were only visible when viewed as code.
germ Posted October 24, 2010 (Author)

If someone other than you is modifying files on the site that means you still have a security issue. I can't fix it for you and I've already posted all the relevant help links I am aware of. :blush: It's possible that the security issue is with the host and not your site, although you'll never get them to admit that even if it was true... :-"
Belsh Posted October 24, 2010

I know exactly what you mean, fella, I've already been down that road lol. Thanks again for all your help. I've taken the site down and wiped it off the server; gonna work on it on my PC until I'm sure it's safe and bug-free, then I'll re-upload.
germ Posted October 24, 2010 (Author)

I don't want to pi$$ on your Post Toasties, but you can't be certain it's "unhackable" until it's on the server a while and no one defiles it. :blush: Maybe you should talk to your host. The server logs will reveal "who is doing what" on the site and "how". Just a thought. :)
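A starting point for the log review germ suggests, added here as an example and not code from the thread: it parses Apache combined-format access log lines and flags the two request shapes this thread describes, PHP served from catalog/images (the "Hot Video" links from the second post) and writes through the admin's file_manager.php. The log lines are constructed samples using documentation address ranges, and the admin path is an assumption passed in as a parameter because the thread recommends renaming it.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat; hosts using a different LogFormat need the pattern adjusted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5")
ADMIN_WRITE_SCRIPTS = {"file_manager.php", "define_language.php"}  # scripts the thread says to remove

# Constructed sample lines (documentation IP ranges, invented timestamps), not a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Aug/2010:03:12:44 +0000] "POST /admin/file_manager.php?action=save HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [16/Aug/2010:10:01:02 +0000] "GET /catalog/images/news.php?page=hot+video HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.44 - - [16/Aug/2010:11:20:09 +0000] "GET /catalog/images/page.php?page=cool+clip HTTP/1.1" 200 8123 "http://search.example/?q=hot+video" "Mozilla/5.0"',
    '192.0.2.44 - - [16/Aug/2010:12:00:00 +0000] "GET /catalog/images/logo.gif HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [16/Aug/2010:12:00:05 +0000] "GET /admin/login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def triage_access_log(lines, admin_prefix="/admin/"):
    """Flag scripts served from catalog/images (the spoofed video pages) and
    writes through the admin; admin_prefix is the possibly renamed admin folder."""
    out = {"image_script_hits": [], "crawler_image_hits": 0,
           "admin_write_hits": [], "admin_ips": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        path = rec["path"].lower()
        if path.startswith("/catalog/images/") and path.endswith(SCRIPT_SUFFIXES):
            out["image_script_hits"].append((rec["ip"], rec["path"], rec["query"]))
            if "googlebot" in rec["ua"].lower():  # the hits news.txt in the thread kept a record of
                out["crawler_image_hits"] += 1
        if path.startswith(admin_prefix.lower()):
            out["admin_ips"][rec["ip"]] += 1
            if rec["method"] == "POST" or path.rsplit("/", 1)[-1] in ADMIN_WRITE_SCRIPTS:
                out["admin_write_hits"].append((rec["ip"], rec["method"], rec["path"], rec["ts"]))
    return out


if __name__ == "__main__":
    for key, value in triage_access_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the host's real access_log (one line per list element) and compare admin_ips against the addresses you actually work from; any admin write from elsewhere, or any image_script_hits after a cleanup, dates the reinfection for you.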