I got Hacked

Regular Joined: Nov 21, 2005 Posts: 67

logout(modules//includes/functions_common.php): failed to open stream: No such file or directory in *path edited by admin*/modules/Your_Account/index.php on line 1003

Not sure what happen this Morning as I was on then my site went to a white blank page. usually the hacker says something like you got owned by, but he did not.

I had a user around the same time from Romania so I blocked his IP.

Not sure were to look as I want this guy as I had to do a full backup from yesterday and lost posts due to the Back up.

We just got our teamspeak hacked last night and now our web site.

Were should I look as this at the top is the only error message I am seeing in my c panel error logs.

I tried to just replace files in the root but that did not correct the problem, so had to do a full back up.

any advice will be helpful as I am trying to find how he got in.

Thanks in advance

I also have this mambo file that I found that I did not put there.

Sells PC To Pay For Divorce Joined: Posts: 5661

well it would have been better to check before you replaced the content with the backup..
you can check your latest visitors to....

Posted: Sun May 14, 2006 10:28 am

I tried to post some lines from it using the code thing and I hope I just didn't ban myself. sorry as I wanted someone to look at it.

Posted: Sun May 14, 2006 10:30 am

Thanks Hitwalker I found a mambo file with starnge letters, I saved it to desktop and deleted.

I know Should have looked first but even with the backup this file is still there, maybe planted I don't know

PHP.RSTBackdoor is a back door Trojan that is written in PHP. It runs only on HTTP servers with PHP interpreters installed.

Posted: Sun May 14, 2006 10:31 am

well a bit confusing....
what do you want now ?

Posted: Sun May 14, 2006 10:35 am

is there also a r57shell.php ?

Posted: Sun May 14, 2006 10:38 am

Posted: Sun May 14, 2006 10:40 am

but is all ok now or not?

Posted: Sun May 14, 2006 10:48 am

Its fine, I was just wondering if anyone had the same with this mambo file. I am going thru everything.

Just not sure how they uploaded.

Thanks bro

Posted: Sun May 14, 2006 10:50 am

as far as i know of mambo and joomla aren't a security risk.
if it has weird whatever in it ,then show me..

Posted: Sun May 14, 2006 11:04 am

i think your post was deleted ...
out of security reasons...probably..
but yes i saw it....
again.....if you or anyone else give rights on a server to upload anything then things like this can happen...

Posted: Sun May 14, 2006 11:06 am

Deleted file

Posted: Sun May 14, 2006 11:07 am

I had to put it in another file you can look at it thru this link I posted i hope

you will have to disable your anti virus to see it

Posted: Sun May 14, 2006 11:12 am

yes i already saw it the first time...
if you look you see who is behind this....
allthough this doesnt mean anything...
search in the file for .com

Posted: Sun May 14, 2006 11:14 am

ok let me get this file off my server first i don't even want it near anything

They uploaded to my root, not to any file that allows uploading into.

I think it may have to do with a program I use vwar as i updated and patched this program as was told to do but think there are still holes in it.

Posted: Sun May 14, 2006 11:15 am

http://unsecured-clanz.com

Posted: Sun May 14, 2006 1:44 pm

yes indeed but do take out the link...
just take away all options to upload anything..