Hacked

[bwyatt]

Yesterday, I was hacked. They rewrote index.php to contain their own crap, so I replaced it with my own and all seemed well. I was running 2.3.5, I googled exploits and there were a few, so I wasted no time in purchasing another 6 months and upgrading to 3.0.2. I changed the passwords for FTP, cPanel, my account and those of my staff. I locked down as much as I could to prevent it happening again.

I don't know how they did it, or if they did anything to my SQL - and that's my question.

Is there a way to find out if my SQL has been tinkered in any way?

There are tons of tables and indexes and so on, so it would be impractical for me to search everything manually.

I've never had this before, so any advice would be lovely.

Cheers guys.

PS. I posted this in here because it's about SQL, and thus technically falls into server stuff... I guess. Sorry if I'm wrong!

[rct2·com]

I think that is a good place to be. It's more about Server Management than MySQL though.

In my experience of being hacked, the hackers generally don't damage anything, they just do it for 'fun', then brag to their friends, give links etc.

But they frequently leave at least 1 'payload' behind. There are at least 3 types.

[*]Edit some of your web pages so they are serving up ads/adware/malware/viruses to your visitors [*]leave an IRC bot running so they can use your mail server to generate spam [*]leave a 'rootkit' behind (for example r57shell.php) so that they can easily get back onto your server after you have plugged the exploit. I cannot recommend a single utility to look for all this kind of stuff. Over the years I have just learned Linux command line commands to look for the signs and get rid of them. As a general rule of thumb you need to search for files that have been created/modified since the date/timestamp of when you think that the attack took place. The hackers target files/folders that are world writable, and that they can access through a URL. Such files have normally been created/modified by a script they have managed to upload through an exploit, and (since the script runs as a URL) the files normally belong to user apache, group apache. Edit: The best way to find out how they got in is to look in your server access and error logs.

1. 
   
   
   
   
   
   
   
   
   
   

[bwyatt]

Okay, I did some searching. Obvious place, I checked /cache/. There a malicious script lay.

Code: http://pastebin.com/m41f6909e

Removing all instances now.

Cheers.

PS. Thanks for the backup cron tutorial, I changed it to do my sql every night, it's great. :)

[.Ian]

Not sure it is a good idea to post the script, which could be used by others.

[bwyatt]

I'm pretty sure if they know how to use/code a script and have the intention to hack, they wouldn't be looking on the official forum of a product they want to break into for ideas. ;)

[rct2·com]

[quote name='isdoo' date='24 August 2009 - 10:35 PM' timestamp='1251149757' post='1848560']
Not sure it is a good idea to post the script, which could be used by others.


The fact that such a script exists is not really the issue. Now if this topic included instructions on how to 'inject' that script onto a site through a vulnerability in IPS product, then I agree we should all be worried and screaming for the topic to be removed.

[bwyatt]

I've been hacked again. Someone doesn't like me.

My database got messed up, so I repaired and all seems well. Is there no way I can repel these attacks? I can't do anything else security wise. :@

[mediabrat]

It's possible that there's vulnerabilities in cPanel or some other server software that the hackers are exploiting. Unfortunately, if you're in a position where you don't control that level of the server (e.g. you're on shared hosting), there's not much you can do except ask your host to upgrade their servers or find a new host.

[bwyatt]

Okay. Been speaking with him, should have got it sorted now. Despite the fact that the IPB guide says cache etc should be 777, they work fine on 755. Someone please tell me why we're asked to chmod to 777 when 755 works fine?

[Michael]

[quote name='bwyatt' date='03 September 2009 - 04:16 PM' timestamp='1252008995' post='1852239']
Okay. Been speaking with him, should have got it sorted now. Despite the fact that the IPB guide says cache etc should be 777, they work fine on 755. Someone please tell me why we're asked to chmod to 777 when 755 works fine?

Because that varies depending on the server setup, and your setup is uncommon compared to most. Your host should have communicated this to you already.