Plasma
Regular
Joined: May 17, 2005
Posts: 66
Posted: Tue Jun 09, 2009 9:48 am
Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:
After removing that code, the site worked fine.
So my questions are: what is it, what will it do and, more importantly, how do I find out who did it?
Thanks for any ideas.
ToolBox
Regular
Joined: Mar 16, 2005
Posts: 74
Posted: Tue Jun 09, 2009 11:42 am
That hacking happens at the system level, not the PHP-Nuke level.
Very recently, those types of hackings have been happening all across the planet.
First off, such types of hacking are not possible by changing your files directly from the PHP engine, but it happens via /tmp/ files and SSH hacks.
Similar hacking is the online casino spam. These online casino spammers are really and deadly critical. If your server or hosting directory has some odd PHP file names in hidden mode, such as cas.t.ph, p.ost.php etc., they are all parasitic spammers, and your hosting or the email accounts exposed within your site will be reported as abusive spammers.
Primarily, your hosting service is in charge.
Secondly, you may change to 644 permissions on all index.html files (if your server account got hacked, this does not work).
Thirdly, put up an .htaccess.
Now, I would like you to open the raw logs of your Apache or whatever type of web-server engine. Find the IPs that scratched your files, and put their C class IPs in your .htaccess.
I wrote under the assumption that you are running *NIX machines. Windows servers are more or less different.
ToolBox
Posted: Tue Jun 09, 2009 11:44 am
Online casino IPs are captured and reported on security sites.
So, find them and add blocking IPs in your web-server engine. That is not related to your Nuke.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Tue Jun 09, 2009 7:07 pm
Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in.
Plasma
Posted: Wed Jun 10, 2009 2:58 pm
evaders99 wrote:
> Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in.

How do I find this out using the logs?
My index.php file always has 644 permissions. Can I change that to 444?
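Plasma's question above (how to get "how they got in" out of the logs), together with ToolBox's earlier advice to read the raw web-server logs, find the IPs that touched the files and put their C class into .htaccess, can be worked through with a short script. The one below is an added example written for this thread; it is not code from any of the posters or from RavenNuke. It assumes Apache's default "combined" log format, a hand-maintained list of the PHP entry points a clean install serves (the four names in KNOWN_PHP are an assumption; fill it from your own tree), and Apache 2.2 mod_access syntax for the deny rules. The lines in SAMPLE_LOG are constructed: every address, path and timestamp is made up.

```python
"""Triage an Apache access log after a mass index.php injection.

Added example for this thread, not code from the original posts or from RavenNuke.
The log lines in SAMPLE_LOG are constructed; every address, path and timestamp is made up.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# PHP entry points a stock PHP-Nuke/RavenNuke docroot legitimately serves (assumed list;
# extend it from a clean copy of your own install). Any other .php answering 200 was dropped.
KNOWN_PHP = {"/index.php", "/modules.php", "/admin.php", "/backend.php"}

# Methods that write through the web server itself; a plain PHP-Nuke site never needs them.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "PROPPATCH", "MKCOL"}

SAMPLE_LOG = [  # constructed sample, not a real log
    '203.0.113.45 - - [09/Jun/2009:03:12:07 -0400] "GET /index.php HTTP/1.1" 200 15324 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [09/Jun/2009:03:12:09 -0400] "GET /modules.php?name=Forums HTTP/1.1" 200 22117 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2009:03:40:44 -0400] "GET /images/x.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [09/Jun/2009:03:40:51 -0400] "GET /images/x.php HTTP/1.1" 200 128 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [09/Jun/2009:03:40:55 -0400] "POST /images/x.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.88 - - [09/Jun/2009:03:50:00 -0400] "POST /modules.php?name=Your_Account HTTP/1.1" 302 - "http://example.org/" "Mozilla/5.0"',
    'not a log line at all',
]


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    return rec


def triage(lines, known_php=KNOWN_PHP):
    """Group the requests worth reading by client IP.

    Flags successful hits (status below 400) on .php files outside the known tree, which
    is what a dropped script being driven looks like, and any write-through method on any
    path. 4xx probes are skipped: they are noisy and prove nothing about what succeeded.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue
        reason = None
        if rec["path"].endswith(".php") and rec["path"] not in known_php:
            reason = "php script not in known tree"
        elif rec["method"] in WRITE_METHODS:
            reason = "write method through the web server"
        if reason:
            findings[rec["ip"]].append(
                f"[{rec['time']}] {rec['method']} {rec['target']} -> {rec['status']} ({reason})"
            )
    return dict(findings)


def deny_block(ips, prefixlen=24):
    """Apache 2.2 mod_access rules denying the /24 ("C class") of every flagged address.

    Apache 2.4 replaces this syntax with mod_authz_core: Require not ip 198.51.100.0/24
    """
    nets = sorted({str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips})
    return "\n".join(["Order Allow,Deny", "Allow from all", *[f"Deny from {n}" for n in nets]])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ip, entries in hits.items():
        print(ip)
        for entry in entries:
            print("   ", entry)
    print(deny_block(hits))
```

Read the flagged entries for their timestamps more than their addresses: the first 200 on a script that is not part of the install bounds the minute it was dropped, and that minute is what to look for in the FTP and control-panel logs, because an upload made over FTP never appears in the web access log at all. Blocking a /24 also blocks every other customer of that provider and is sidestepped by moving to another address, so treat deny_block as containment while the entry path is closed, not as the fix.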
Plasma
Posted: Wed Jun 10, 2009 3:10 pm
Okay, found this in one file:
HackeD By ChaLLenGer
Anyone know this guy so I can ram my foot down his throat? ;)
nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina
Posted: Wed Jun 10, 2009 3:23 pm
I had a similar situation a while back on a server that was not well protected. They uploaded the files through FTP. Before I switched servers, I changed all my control panel and FTP usernames and passwords, using random combinations of numbers and letters and changing between uppercase and lowercase. I did not get hacked again.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Wed Jun 10, 2009 7:19 pm
Yeah, sounds like you may need some help from your host too, to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills. :(
Unit1
Worker
Joined: Oct 26, 2004
Posts: 134
Location: Boston
Posted: Wed Jun 10, 2009 8:38 pm
montego wrote:
> Yeah, sounds like you may need some help from your host too, to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills.

I agree.
Plasma
Posted: Sat Jun 20, 2009 9:28 am
Server host won't do anything (lunarpages.com).
Also, the hacker has changed the script:
Isn't there anything I can do to track who is doing this?
Also, it looks like it's some sort of script that does all the index.php files at the same time. He also hacked into an auth.php file.
nuken
Posted: Sat Jun 20, 2009 9:50 am
Do you have a folder in your root file system that is not a part of RavenNuke? One that was put there by the hacker? Compare your directory and see if that is how they are attacking your site.
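nuken's suggestion to compare the directory against what RavenNuke ships is easier to act on with a recorded baseline than by eye, and it also answers Plasma's permission question (644 versus 444) by showing which files are writable by anyone other than their owner. The script below is an added example written for this thread, not code from nuken or from RavenNuke. It hashes every file under the docroot and records its permission bits, so that a later snapshot shows exactly which files were added, removed or altered. The baseline has to come from a copy you trust (the RavenNuke distribution plus your own known changes); a baseline taken after the intrusion records the dropped files as normal. The docroot built in demo() is constructed, as is the "intrusion" it simulates.

```python
"""Baseline and diff a web tree to spot files an intruder added or changed.

Added example for this thread, not code from the original posts or from RavenNuke.
Hashes are compared rather than mtimes because an intruder with shell or FTP access can
reset timestamps; a changed sha256 cannot be hidden the same way.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its sha256 and mode."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": digest,
            "mode": stat.S_IMODE(p.stat().st_mode),
        }
    return snap


def save_baseline(snap, path):
    """Write the snapshot as JSON. Keep this file outside the docroot, ideally off the box."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report added, removed and modified files, plus anything group- or world-writable."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        "writable": sorted(p for p, meta in current.items()
                           if meta["mode"] & (stat.S_IWGRP | stat.S_IWOTH)),
    }


def demo():
    """Build a constructed stand-in docroot, baseline it, then simulate the incident."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "public_html"
        (docroot / "images").mkdir(parents=True)
        (docroot / "index.php").write_text("<?php require_once 'mainfile.php';\n")
        (docroot / "modules.php").write_text("<?php require_once 'mainfile.php';\n")
        (docroot / "images" / "logo.gif").write_bytes(b"GIF89a")
        for f in docroot.rglob("*"):
            if f.is_file():
                os.chmod(f, 0o644)          # the 644 this thread recommends
        baseline_file = Path(tmp) / "baseline.json"   # outside the docroot
        save_baseline(snapshot(docroot), baseline_file)

        # Simulated intrusion (constructed): a line appended to index.php and a dropped
        # script left world-writable in a directory that should only hold images.
        with open(docroot / "index.php", "a") as fh:
            fh.write("<!-- injected -->\n")
        dropped = docroot / "images" / "x.php"
        dropped.write_text("<?php /* constructed stand-in for a dropped script */\n")
        os.chmod(dropped, 0o666)

        return compare(load_baseline(baseline_file), snapshot(docroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run snapshot() once against the clean tree and save it, then re-run and compare() whenever the site misbehaves; anything in "added" that is a .php file in an images or uploads directory is the first place to look. Keep the baseline JSON somewhere an intruder who can rewrite index.php cannot also rewrite, or the comparison proves nothing.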
bdmdesign
Worker
Joined: May 11, 2009
Posts: 154
Location: Winsen/Luhe; Germany
Posted: Tue Oct 13, 2009 3:35 am
Plasma wrote:
> Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:
> After removing that code, the site worked fine.
> So my questions are: what is it, what will it do and, more importantly, how do I find out who did it?
> Thanks for any ideas.

Change ALL your passwords on your server (root, user, database and the RN) to something like this:
N%gt638Dmls!hDrg645mlH
or this:
Ngt638DmlshDrg645mlH
DON'T use names or name-and-number combinations!!!!!
Best regards,
Peter
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Tue Oct 13, 2009 2:31 pm
bdmdesign,
Great advice!
bdmdesign
Posted: Tue Oct 13, 2009 5:07 pm
@Raven:
Thanks. Most people use unsafe passwords like these:
cabonara, cabo1856nara, 45cabonara56
Best regards,
Peter
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
Posted: Tue Oct 13, 2009 10:20 pm
Read about how hackers with spyware on your PC can find out your FTP password and then introduce scripts on your site that modify index.php:
http://rzaman.com/remove-iframe-hack/
I have stopped this possibility by using KeePass Professional to encrypt my usernames and passwords, and I don't use FileZilla any longer, but instead the web host's FTP program from the control panel, which is secured.
sundern
New Member
Joined: Jun 28, 2021
Posts: 2
Posted: Sun Jun 27, 2021 4:48 pm
Plasma wrote:
> Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:
> After removing that code, the site worked fine.
> So my questions are: what is it, what will it do and, more importantly, how do I find out who did it?
> Thanks for any ideas.

It's June 28, 2021. This happened to all the index.php files on my server, and I can't find out what caused this at the filesystem level. As the mystery deepens, I am extremely curious about how this could have happened.
I posted this question on Stack Overflow, and my post was closed quickly with no clear answers.
Here is what happened:
This script will redirect the URL to an allowandgo site, and it is incredibly smart that the hacker encoded the JavaScript with some bullshit characters with a decode function. How the payload was delivered to all the index.php files is a mystery. I also want to add that this is the only website that has an accurate description of the situation I encountered. Shockingly, this happened in 2009; something hasn't changed since then.
Admin-Edit: script-code removed!
I removed everything with a single command, but I'm curious how it all went down.
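sundern describes the injected block as JavaScript wrapped in a decode function, and the moderator removed the actual code, so none of the real payload appears here. The script below is an added example written for this thread, not code from sundern, the moderators or RavenNuke. It scores each `<script>` and `<iframe>` block in a PHP file on a few indicators of obfuscation (eval, unescape, String.fromCharCode, document.write, long runs of percent or \xNN escapes, hidden iframes), undoes the two encodings it looks for so the redirect target can be read, and strips the flagged blocks while leaving ordinary inline script alone. SAMPLE_PHP is a constructed stand-in: the stub index.php, the percent-encoded script tag and the example.invalid host are all made up (example.invalid is a reserved name that never resolves).

```python
"""Find, decode and strip obfuscated <script>/<iframe> blocks injected into PHP files.

Added example for this thread, not code from the original posts or from RavenNuke.
The real payload was removed by a moderator; SAMPLE_PHP is a constructed stand-in that
only reproduces the shape described: JavaScript passed through a decode function.
"""
import re
from urllib.parse import unquote

BLOCK_RE = re.compile(
    r"<script\b[^>]*>.*?</script>|<iframe\b[^>]*>.*?</iframe>|<iframe\b[^>]*/>",
    re.IGNORECASE | re.DOTALL,
)

# Each indicator scores one point; a block scoring >= THRESHOLD is treated as injected.
INDICATORS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bunescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode", re.I),
    re.compile(r"document\.write\s*\(", re.I),
    re.compile(r"\blocation\s*(?:\.href|\.replace)?\s*[=(]", re.I),
    re.compile(r"<iframe\b[^>]*(?:width=.?0\b|height=.?0\b|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
]
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}", re.I)   # %3C or \x3c style escapes
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
THRESHOLD = 2

SAMPLE_PHP = (  # constructed; example.invalid never resolves
    "<?php\n"
    "require_once 'mainfile.php';   // constructed stand-in for a site's index.php\n"
    "?>\n"
    '<script type="text/javascript">var theme = "RavenIce";</script>\n'
    "<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F"
    "example.invalid%2Fx.js%22%3E%3C%2Fscript%3E'))</script>\n"
    "<script>eval(String.fromCharCode(118,97,114,32,97,61,49))</script>\n"
)


def score(block):
    """Count obfuscation indicators; eight or more character escapes count as one more."""
    points = sum(1 for rx in INDICATORS if rx.search(block))
    if len(ESCAPE_RE.findall(block)) >= 8:
        points += 1
    return points


def find_injected(text):
    """Return the <script>/<iframe> blocks in text that score at or above THRESHOLD."""
    return [m.group(0) for m in BLOCK_RE.finditer(text) if score(m.group(0)) >= THRESHOLD]


def decoded_layers(block):
    """Undo the two encodings the indicators look for, one layer deep.

    Percent escapes go through unquote; each String.fromCharCode(n, n, ...) call is turned
    back into its characters. Nested encodings are not followed automatically.
    """
    layers = [unquote(block)]
    for m in re.finditer(r"String\.fromCharCode\(([\d\s,]+)\)", block):
        layers.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
    return layers


def urls_in(block):
    """URLs visible in the block once decoded: where the redirect actually points."""
    return sorted({u for layer in decoded_layers(block) for u in URL_RE.findall(layer)})


def clean(text):
    """Return text with the injected blocks removed, and the list of removed blocks."""
    removed = find_injected(text)
    for block in removed:
        text = text.replace(block, "")
    return text, removed


if __name__ == "__main__":
    for block in find_injected(SAMPLE_PHP):
        print("score", score(block), "->", urls_in(block) or decoded_layers(block)[-1])
    cleaned, removed = clean(SAMPLE_PHP)
    print(f"removed {len(removed)} block(s)")
    print(cleaned)
```

The scoring is a heuristic: read what find_injected returns before running clean over a whole tree, since a theme's own inline script that happens to use document.write and eval would also reach two points. Cleaning the files is also only the visible half of the job. The reinfection Plasma reported later in the original thread is what happens when the dropped script or stolen credential that wrote the blocks is still in place.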
neralex
Site Admin
Joined: Aug 22, 2007
Posts: 1775
Posted: Mon Jun 28, 2021 7:39 am
sundern wrote:
> Shockingly, this happened in 2009; something hasn't changed since then.

As was clearly answered before, this is only possible with access on the server side. Change all your passwords, check your server logs and contact your hosting company.
sundern
Posted: Mon Jun 28, 2021 8:52 am
neralex wrote:
> sundern wrote:
> > Shockingly, this happened in 2009; something hasn't changed since then.
>
> As was clearly answered before, this is only possible with access on the server side. Change all your passwords, check your server logs and contact your hosting company.

I have an extensive Unix sysadmin background, and there is no need to change the password, since my server can only be logged onto with a public key.
In the SSH config: PasswordAuthentication no
No one can log in to the system with a password, unless someone has stolen my public key.
The next possibility is that I might have installed something on the system which had malware that changed all my index.php files with an encoded URL. I don't know what that could be.
How could something infect all the index.php files regardless of whether they are serving the websites? Even index.php files in junk folders were updated with the malware's encoded URL.
Thanks for the response though, appreciate it.
neralex
Posted: Mon Jun 28, 2021 11:17 am
sundern, malware could be it, because normally all files in the web directory should have CHMOD 644, typically for all index.php files. Only files and/or folders which need write access should have CHMOD 775. In this case only members of the affected user group get the file access. Maybe some old 3rd-party addons have outdated and/or insecure PHP upload functions in public which are not checking things like the MIME type while uploading the files. But if someone was able to upload an executable file which could start a loop through all files of the web directory, then it also needs a way to execute it directly with the web-server components. Back in the day, addons like the Coppermine gallery or other big bug-holes like this were able to do this.