Author |
Message |
triple7
Hangin' Around

Joined: Jul 28, 2008
Posts: 25
|
Posted:
Mon Mar 23, 2009 8:17 pm |
|
It is now forwarding to
http://freedom.highqualityhost.net/suspended.page/
I have no idea how they achieved this hack; I see no updated files, only updated directories.
I have replaced my index.php and my mainfile.php and also the WHOISWHERE directory in modules (and the corresponding Table)
Can anyone lend some insight?
Thanks |
Last edited by triple7 on Tue Mar 31, 2009 7:45 am; edited 1 time in total |
|
|
 |
nuken
RavenNuke(tm) Development Team

Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina
|
Posted:
Mon Mar 23, 2009 8:23 pm |
|
It looks like your hosting company suspended your account. |
|
|
 |
triple7

|
Posted:
Mon Mar 23, 2009 8:38 pm |
|
nuken wrote: | It looks like your hosting company suspended your account. |
No, the host is 1and1.com
They have not suspended our account, that is just a redirect to that suspended page. |
|
|
|
 |
nuken

|
Posted:
Mon Mar 23, 2009 9:01 pm |
|
Have you looked in your CPanel or whatever control panel 1and1 uses to see if a forward has been put in? |
|
|
|
 |
triple7

|
Posted:
Mon Mar 23, 2009 9:09 pm |
|
nuken wrote: | Have you looked in your CPanel or whatever control panel 1and1 uses to see if a forward has been put in? |
It hasn't, it's definitely one of the includes or something.
I re-created an index.php with just phpinfo (); in it, and it comes up when we go to our URL. |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Mon Mar 23, 2009 10:24 pm |
|
And your site URL is? (We need to see whether it's a JavaScript or a server-level redirect) |
|
|
 |
triple7

|
Posted:
Tue Mar 24, 2009 5:42 am |
|
evaders99 wrote: | And your site URL is? (We need to see whether it's a JavaScript or a server-level redirect) |
Additionally, the person shelled in, and left this in .bash_history:
cat * | grep freedom.highqualityhost.net
cat *.php | grep freedom.highqualityhost.net
dir
ls -al
more .htaccess
ls -al
cd esaw
dir
cd sigs/
ls
cd ..
ls -al
more .htaccess
cd ..
ls
dir
vi index.php
vi -o index.php mainfile.php
vi modules/RWS_WhoIsWhere/includes/RWS_wiw.inc.php
And this in a file called viminfo:
# This viminfo file was generated by Vim 7.0.
# You may edit it if you're careful!
# Value of 'encoding' when this file was written
*encoding=latin1
# hlsearch on (H) or off (h):
~H
# Command Line History (newest to oldest):
:q!
# Search String History (newest to oldest):
# Expression History (newest to oldest):
# Input Line History (newest to oldest):
# Input Line History (newest to oldest):
# Registers:
# File marks:
'0 81 0 ~/modules/RWS_WhoIsWhere/includes/RWS_wiw.inc.php
'1 179 0 ~/mainfile.php
'2 29 48 ~/index.php
# Jumplist (newest first):
-' 81 0 ~/modules/RWS_WhoIsWhere/includes/RWS_wiw.inc.php
-' 1 0 ~/modules/RWS_WhoIsWhere/includes/RWS_wiw.inc.php
-' 179 0 ~/mainfile.php
-' 29 48 ~/index.php
-' 1 0 ~/index.php
-' 179 0 ~/mainfile.php
-' 29 48 ~/index.php
-' 1 0 ~/index.php
# History of marks within files (newest to oldest):
> ~/modules/RWS_WhoIsWhere/includes/RWS_wiw.inc.php
" 81 0
> ~/index.php
" 44 0
> ~/mainfile.php
" 179 0 |
Last edited by triple7 on Tue Mar 31, 2009 8:06 am; edited 1 time in total |
|
|
 |
jakec
Site Admin

Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Tue Mar 24, 2009 6:38 am |
|
If you are using RN 2.20.00 you should really upgrade, or at least patch the files. There was a security announcement recently and this needs to be addressed ASAP!
I would wipe your site and upload a backup of your database and files. Then you can patch the files. |
|
|
|
 |
evaders99

|
Posted:
Tue Mar 24, 2009 7:16 pm |
|
It does seem to be a server-level redirect. I would suggest doing a thorough cleaning: ask your host to format their server, and rebuild from clean files. |
|
|
|
 |
triple7

|
Posted:
Tue Mar 24, 2009 7:48 pm |
|
evaders99 wrote: | It does seem to be a server-level redirect. I would suggest doing a thorough cleaning: ask your host to format their server, and rebuild from clean files. |
Yeah, we're getting our latest backup from the host currently, and we'll update to 2.3
I have a question, does ravennuke run on PHP5?
Also, thanks all for your responses. |
|
|
|
 |
jakec

|
Posted:
Wed Mar 25, 2009 12:57 am |
|
Yes RN does run on php5.  |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Wed Mar 25, 2009 9:25 am |
|
But that is not a guarantee that what you ADD to it does... just keep that in mind. The core distro works just fine on PHP5. |
|
|
 |
triple7

|
Posted:
Mon Mar 30, 2009 7:43 am |
|
OK, just an update:
The good news:
Our site was NOT hacked.
The bad news:
I feel like a giant jackass.
OK, so here's the real scoop. We had apparently been using a theme we bought from www.destinethemes.com
At the time of loading, the script goes through an authentication process making a call to, you guessed it, www.destinethemes.com. Uh, go ahead and click that link, and you'll see where the problem arose.
There had been a perfect storm of coincidences, which led to our site being down for 4 days, our host threatening us with a TOS violation, and many, many angry hours spent on hold with our host (in the attempt to get a backup).
Anyway, just in case anyone else may be using a theme from those guys, and has the same issue, I figured that I'd post the answer and save them the headache. |
|
|
|
 |
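Added example, not part of the thread and not any poster's or the RavenNuke project's code: a Python sketch of one way to audit a PHP site for the dependency described in the post above, a third-party theme that contacts its vendor's host when it loads. The hostnames, paths and PHP samples are constructed placeholders, and the match is a heuristic (a hard-coded external URL in a file that also uses a network-capable PHP call).

```python
import os
import re

# PHP calls that can fetch a remote resource when handed a URL.
NET_CALL = re.compile(
    r"\b(file_get_contents|fopen|fsockopen|curl_init|curl_setopt|readfile|"
    r"include(?:_once)?|require(?:_once)?)\b", re.I)
URL_HOST = re.compile(r"(?:https?|ftp)://([a-z0-9.-]+)", re.I)

# Constructed sample: a theme file that checks a licence with its vendor.
SAMPLE_THEME = '''<?php
// Theme credits: http://vendor.example/credits
$site = "http://www.mysite.example/";
$lic  = "http://license.theme-vendor.example/check.php?d=" . $_SERVER["HTTP_HOST"];
$ok   = @file_get_contents($lic);
?>'''
# Constructed sample: an outbound link only, no network call in the file.
SAMPLE_PLAIN = '''<?php echo '<a href="http://other.example/">link</a>'; ?>'''


def scan_source(path, text, own_hosts=()):
    """Return (path, line_no, host) for every hard-coded external host in a
    PHP source that also contains a network-capable call."""
    if not NET_CALL.search(text):
        return []  # plain links in markup are not a load-time dependency
    own = {h.lower() for h in own_hosts}
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines such as credits and licence headers
        for host in URL_HOST.findall(line):
            host = host.lower().rstrip(".")
            if host not in own:
                hits.append((path, no, host))
    return hits


def scan_tree(root, own_hosts=()):
    """Walk a site directory and scan every .php / .inc file."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith((".php", ".inc")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="latin-1") as fh:
                    hits += scan_source(full, fh.read(), own_hosts)
    return hits


if __name__ == "__main__":
    for hit in scan_source("themes/demo/theme.php", SAMPLE_THEME, ["www.mysite.example"]):
        print("%s:%d contacts %s" % hit)
```

Each reported host is one whose outage, suspension or change of ownership can alter what the site serves, so the list is worth reviewing before installing a third-party theme or module.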
montego

|
Posted:
Tue Mar 31, 2009 6:43 am |
|
I am sure you are glad to have that one behind you.
EDIT: Please update your thread title to something other than the "hacked" part as it leaves a false impression. Thanks. |
|
|
|
 |
|