salongaopm
Hangin' Around
Joined: Apr 30, 2007
Posts: 41
Posted: Sun Sep 23, 2007 4:40 pm

Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
Posted: Sun Sep 23, 2007 5:58 pm
Do you have any backups?
Do you have access to the site via FTP?
Do you have access via SSH?
I would go and change every password on the site/server.
I would take the site offline via Sentinel or by putting up some other page to stop all access.
I would start with looking at the "Last Modified" date in the FTP. That should give you some clue about what got worked over.
Once access to the site/server has been stopped, it is time to try and figure out who/why.
Dawg

slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
Posted: Sun Sep 23, 2007 7:30 pm
To me it sounds as if your index.php or config.php has been changed by the hacker. They can sometimes succeed in uploading a new index.php or config.php to the site. This has happened to me many times, especially with Turkish hackers.
My suggestion is that you log in by FTP and look at the file dates to see if index.php or config.php has been changed quite recently. If it has been changed, upload the original one from your backup and your site should be fixed.

montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Mon Sep 24, 2007 6:01 am
salongaopm, get the site off-line first and foremost and change your passwords (on everything - don't forget the database). Unfortunately, then you are going to have to figure out how they got in. Likely culprits (not in any particular order):
1. PHP-Nuke 7.7 or greater, especially if it is unpatched (see [link not preserved] for the patches)
2. Not using [link not preserved] (latest always).
3. Using ANY add-on or hack which allows for file uploading. The usual suspects: Coppermine (or other photo-sharing type add-ons), chat, phpBB upload hacks.
You should also review your site for files that should not be there. These could be their "kits" that they uploaded, which can allow them to do just about anything your host account will allow...
Good luck. This is NOT an easy task. There are other threads here which discuss hack recovery, but YOU really have to be a "sleuth" and might need your host's help as well, depending.

salongaopm
Posted: Mon Sep 24, 2007 9:11 am
Thank you guys for all the responses.
I am using Raven 2.10 with phpBB activated and Gallery2 integrated. I also added CNBYA 4.2. I am using the NukeSentinel that is included with Raven.
I still have access to the site, via FTP or via the admin page.
"Do you have access via SSH?"
I am not sure... what is SSH?
In my initial search of the site, it seems that the only new file that I can see is the index.html. It was modified 9/18/07. Where else could they have added or modified a file?
How do I get my site off-line? If I get my site offline, will I lose my files? My site is still new, but I can't remember where or in what files I can change the passwords. Any help will be greatly appreciated.
Thanks!

salongaopm
Posted: Mon Sep 24, 2007 9:25 am
I do not have a backup of my index.html or my files... how do I restore it?

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Mon Sep 24, 2007 9:30 am
It's likely that index.html is the culprit. Rename that file, and check your site logs to see how it was uploaded. As montego said, first change all passwords: control panel, database user, Nuke admin, admin authentication. It may have been uploaded through Gallery - check the directories that contain photos to see if there are any new ones.
You might also be able to change the order in which your webserver reads index pages. For example, if you tell it to read index.php before index.html, it's likely that this wouldn't have hurt anything. I don't remember how to do that, but it's probably through an .htaccess directive.

montego
Posted: Tue Sep 25, 2007 6:14 am
Crap! I wonder if G2 has a hole in it... And you are certain that you have no other add-ons to RN than what you have mentioned?
Is G2 integrated into your forums or do you mean as a module within RN?

TAd
Worker
Joined: Oct 11, 2004
Posts: 127
Location: Oregon, USA
Posted: Tue Sep 25, 2007 7:29 am
Montego,
G2 possibly has a hole in it. I am fairly certain that I had the "albums directory" set to 755; that is where they dropped off a few tars. I recently got hit, and my G2 I have never placed inside of Nuke. I am not suggesting that is what happened to the OP's site. However, as I go through my backups (the compromised ones) I am learning more and more. I have located a Linux rootkit that connects to an IRC server, as well as several other scripts to perform DDoS attacks, FTP, file serving etc. Somehow they uploaded this data into several of my album folders and then executed from there.
Also, Plesk 8.x has a hole in it as well; 1&1 just sent out a root server advisory about it.
The Gallery one was a Linux/Exploit SmallF Trojan.
The Plesk one was a Perl/Shellbot.B.
This happened roughly the same time I was monitoring logs (login attempts, the dictionary brute-force type) and decided to update security. I updated some firewall rules, created some new ones, and also installed DenyHosts. Then boom, they set off a DDoS attack and within 5 minutes the server was shut down due to 1&1 security measures.
It is not fun, and what is actually ironic is that the same people who hacked in, and in text messages were laughing about it like they actually have skills, did NOT even write any of the scripts they uploaded.

salongaopm
Posted: Tue Sep 25, 2007 9:20 am
Hi!
I was told by my host that they can restore my website. Somehow they have a backup. I hope it is true.
I changed the password on the control panel. I tried to change my password on the admin page, but I somehow got banned instead. Now, every time I try to access my site it asks for my username and password. I enter them, but it just gives me a 404 error with the same AdSense page.
I only have G2, CNBYA 4.2 & phpBB. The G2 was integrated into RN as a module using the instructions from the link below:
http://www.nukedgallery.net/
I also modified the CNBYA 4.2 using the instructions in post number 21 in the link below:
http://www.ravenphpscripts.com/postt5274.html

montego
Posted: Wed Sep 26, 2007 5:49 am
salongaopm, restoring your site is one thing, but getting rid of everything they added is another one, plus the most important thing of all is finding out how they got in and patching that up.
I am discouraged by TAd's post. I guess the only thing I can offer up is to always keep pace with all software updates on G2 and phpBB and keep your own good backups as well.
Good luck to you.

salongaopm
Posted: Wed Sep 26, 2007 8:59 pm
Thanks for the reply. I keep looking for any files that were recently added or coincide with the date that my index.html was changed... but no luck. How can I spot the files that they've added?

montego
Posted: Thu Sep 27, 2007 6:09 am
Unfortunately, if you do not have SSH access, you may have to find a tool/script which can do this OR use your control panel to back up all your files for your account, then bring that down to your PC, uncompress it, and use a comparison utility such as WinMerge or Beyond Compare 2 to try and spot modified or new files. Of course, this implies that you have a clean copy of your production site files on your local PC (if you don't, you should consider getting yourself XAMPP installed on your PC so that you can test site changes before you upload them).
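One way to do the comparison montego describes without a GUI diff tool, added here as an example and not code from the thread, RavenNuke or any poster: the script hashes every file under a clean local copy and under the downloaded server copy and reports what was added, modified or removed. The directory names, file paths and file contents in `build_sample_trees` are constructed sample data; in practice you would point `compare_trees` at your own two unpacked directories.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    # Hash in chunks so a large planted tarball or photo does not exhaust memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    # Map each file's '/'-separated path relative to root to its content hash.
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return hashes

def compare_trees(clean_root, prod_root):
    # added: only on the server (a planted index.html or dropped kit); modified: in both
    # copies but with different contents (a tampered config.php); missing: only in clean.
    clean, prod = tree_hashes(clean_root), tree_hashes(prod_root)
    added = sorted(set(prod) - set(clean))
    missing = sorted(set(clean) - set(prod))
    modified = sorted(p for p in set(clean) & set(prod) if clean[p] != prod[p])
    return added, modified, missing

def build_sample_trees():
    # Constructed sample data (not a real site): a clean local copy and a downloaded
    # server copy with one planted file and one altered file. Returns (clean, prod).
    base = tempfile.mkdtemp(prefix="site-compare-")
    clean, prod = os.path.join(base, "clean"), os.path.join(base, "prod")
    files = {"index.php": "<?php require 'mainfile.php';",
             "config.php": "<?php $dbpass = 'PLACEHOLDER';",
             "modules/gallery/albums/photo.jpg": "jpeg-bytes"}
    for root in (clean, prod):
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
    with open(os.path.join(prod, "index.html"), "w") as f:  # planted defacement page
        f.write("<html>defaced</html>")
    with open(os.path.join(prod, "config.php"), "a") as f:  # tampered include
        f.write("\n// line appended by the intruder (constructed)")
    return clean, prod
```

Running `compare_trees(*build_sample_trees())` on the constructed sample returns `index.html` as added, `config.php` as modified and nothing missing; unlike a "Last Modified" check, content hashing also catches files whose timestamps were reset.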