Recently Hacked 0.o

Involved Joined: Feb 08, 2005 Posts: 290 Location: USA

Well I have been dreading upgrading and now I'm hacked LOL.

Seems they got into the /includes folder to do their dirty work, I see at least three files and the .htaccess there are changed. I managed to get the main page back by overwriting that .htaccess file to what I had it but I can't seem to find my includes folder to overwrite the others. Aside from that I'm not sure what else has been hacked. Can anyone tell me step by step how to ...

1) Lock this person out of my site/FTP to keep them from doing any further damage?

2) How to either delete all PHP/CMS related pages/databases/etc or update them to something more secure?

Links to *still hacked* pages are:
/includes/
configs.php, index.php, includes.php and the main .htaccess as well as the includes folder .htacess files. There may be more but I'm not sure. I can give you my site url if you want to see the hacked pages, which I've not yet removed because I don't really know how 0.o

I have not done a database restore, I just overwrote the one .htaccess page in the main nuke folder and that seems to have restored everything but those other files are still in includes folder as I said (and not sure what if any others might be in there as well). Interestingly, the changed php pages are dated 01/22/07 but the changed .htaccess pages are dated 09/13/08 which is when I think the actual hack occured. I'm just noticing it now, haven't looked at the site in a while.

Thanks!

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

This sounds like an inside job... Have you checked access logs to see what happened?

Do you allow uploads (e.g. images) on the site? If so, you might check that to make sure there aren't problems after you recover.

I would use a comparison tool like winmerge (free) or Beyond Compare (better) to compare the download to the current site to see what's different (and to restore affected files).

I'm not aware of any tool to easily restore affected content (pages, database). Check a database backup for that.

Posted: Fri Sep 19, 2008 4:40 am

I'm the only one that accesses this site to my knowledge. I really don't know how to check logs. I've checked the site tracker but I don't see anything that I can pinpoint as unusual. What do you mean an inside job?

Posted: Fri Sep 19, 2008 5:00 am

Inside job means that possibly a program on your server (maybe even from another account) caused it. But an uploaded file could do the same thing.

Posted: Fri Sep 19, 2008 5:04 am

Well I knew what you meant by the term but not who you may have meant. I do have admins but they never log in or admin. I'm the only one that's been doing that. I still need to know how to get rid of the hacked files in includes folder and how to lock this person out. Thanks for your replies tho.

registered · Posted: Fri Sep 19, 2008 5:47 am

Bluezzz, kguske already suggested how to determine which files were hacked. You need to take a backup of your site files, bring them down to your PC, and compare them against your local copy of "good" site files. If you do not have such a thing... shame on you. Wink

Do you have previous good backups that maybe you can compare against?

How to lock this person out? You need to find out how they got in. This is why kguske is suggesting looking at the access logs. If you don't know how to do this, you may need your host's help.

Posted: Fri Sep 19, 2008 10:20 am

You might also want to list and third party modules etc you have installed in case we can identify one with known issues - this won't help you restore the site but it might help prevent a repeat if it was indeed conducted through a third party module and not some other site on the same server.

Posted: Fri Sep 19, 2008 12:53 pm

I don't know what you mean by third party module.

registered · Posted: Fri Sep 19, 2008 1:07 pm

Bluezzz wrote:

I don't know what you mean by third party module.

Third party modules are modules, blocks, etc that did not come with the original RavenNuke distribution that you may have installed.

Posted: Fri Sep 19, 2008 1:20 pm

Some clarifications ...

Yes I have site backups but I was having trouble lately getting them to d/l so the ones I do have are older rather than newer ... still, I haven't done anything with the site except u/l and post some desktop wallpaper I've done.

No, I so don't know how to compare those to the current changes.

Yes, I'm in touch with my host company to see if they can track down how this person got in.

I have no idea now which third party modules & blocks I added. I have the Sommaire Site Menu block but I don't remember what others I've added, the site has been secure with Raven's NukeSentinel 2.4.2pl5 up until now.

If I were to upload/install the newest RavenNuke (or whatever it may be called now) can I install that so as not to loose everything I have done or is my current version too old to be updated without hair pulling? I would think it's not worth the trouble until I find out how he got in and plug that first right?

And yes I have entire site copy as well as backup folders on my old computer, which would be a royal pita for me to hook up (I'd have to unplug everything on this one and plug that one in as I don't have extra cables, etc). I'm on a new computer so my files are not on this one. I may have them on CDs and will look for that soon. But again, priority I'd think would be to lock him out before I proceed with site restoration?

As I said, I left his altered pages in includes folder as I don't know what he changed or if those pages (listed above) are needed, new (from him) or what. I'm waiting to hear from my host now and will go from there. I can PM you the urls to those and my main site if you want to see, perhaps you'd recognize his work ... says he's an *Arabian* 0.o

Thanks ...

Posted: Sat Sep 20, 2008 3:52 am

Well my host wasn't any help, as I feared 0.o

Posted: Sat Sep 20, 2008 4:15 am

Please PM me a valid ftp log-in for the site and the url, I can at least take a look to see what you have installed.

Hangin' Around Joined: Feb 28, 2007 Posts: 34

Bluezzz wrote:

I have no idea now which third party modules & blocks I added. I have the Sommaire Site Menu block but I don't remember what others I've added, the site has been secure with Raven's NukeSentinel 2.4.2pl5 up until now.

I think we found the problem! There are known issues with 2.4.x, and there have been 20+ versions since then. You need to keep up-to-date with NukeSentinel!

Posted: Sat Sep 20, 2008 2:37 pm

I had issues with NS for the version I have, which I posted here way back when but never did get around to figuring out how to *fix it*. None the less it's kept me secure until now.

The headaches involved with keeping a PHP site *secure* have indeed been a deterent to my upgrading 0.o My bad! I love the look of PHP sites but keeping them constantly updated and secure is a major headache that I avoid until I have to do it (such as now LOL).

I know, you pros would just say "don't bother using PHP then". Have patience ... not everyone using PHP is a pro and nor will most of us ever be!

Posted: Sun Sep 21, 2008 6:37 am

Upgrading NS isn't really that difficult though. I don't consider myself a pro and I am not a coder, but I always keep everything up to date. The time spent trying to fix the site after a hack is considerably more than just keeping the site up to date.

Anyway hopefully we can get you back up and running, that is the most important thing now.