djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
Posted: Sat Feb 04, 2006 4:17 pm
Good, I did draw your attention.
This topic will explain to you why you did get hacked and how you can prevent this from happening again.

Database
So you've created a database thru cPanel, Plesk or whateffa and then modified your config.php to access the database with your login details...
Bad mistake.
If someone ever gains access to your config.php he receives access to your account and can change everything... YES EVERYTHING!!!!
Why? Well, that's easy. Due to your lack of knowledge it never popped into your mind that you should have added a database user with a new password, not the same user and password as your account.
Then modify config.php to use that new login account for your database.
Because the default login account is used for FTP, cPanel, email and who knows what else.
I could go in further detail, but you should be smart enough to understand what I just wrote. If not, then stop reading from now on cos you won't be able to manage your website anyway.
I just said stop reading. If you didn't read that, go out and have a beer now, else continue.

Write access
Most people are on shared hosting. PHP is set up in one of two ways on Apache: MODULE or SUEXEC.
When PHP is set up as a module it is fast but also vulnerable, since it runs as the UID for web services (mostly 'nobody' on Linux). This UID has no write access to anything that is not owned by this UID and has no write permission for anyone (CHMOD 0744).
But when a directory or file has 0777/0666 access then the UID can write to it any way it wants.
This hole allows viruses, trojans or a bad customer to gain access to your account and modify it to their liking.
When run as SUEXEC, php/apache runs as your own UID (like 'raven' or whateffa your login name is). It is slower than as a module since it needs to load PHP into memory on every webpage request.
Aside from the slower execution it does add more security, since no-one can access anything unless it is you, because you don't need 0777 or 0666 to have write access for your scripts; they have access with 0700 and 0600 anyway.
If you understand all of this then I don't need to explain more about security, since you are already smarter than most hosting providers anyway.
For more information you could contact me, but a consult costs $35 an hour just as for anyone else (including providers).
I'm not in any way related to php-nuke so this doesn't explain anything about nuke issues. After all, if I did mention nuke's security issues then you would have created a complete new portal and that is not my intention anyway.
_________________
$ mount /dev/spoon /eat/fun auto,overclock 0 1
ERROR: there is no spoon
http://claimedavatar.net/
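A worked example of the two points in the post above, the dedicated database user for config.php and the 0777/0666 write-access hole. This is an added example, not code from the thread or from any hosting panel: the database name `nukedb`, the user `siteuser`, the demo directory tree and the file modes are all constructed here so the script runs offline. `least_privilege_grants` prints the MySQL statements for a separate DB user limited to one database (pipe it into `mysql` as an admin); `world_writable` lists the paths a mod_php script running as 'nobody' could write to; `config_mode_check` reports whether config.php is readable by anyone but its owner; `tighten_suexec_tree` applies the 0600/o-w fix that the post says is safe under suexec.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the two points above:
# (1) a separate, least-privilege MySQL user so config.php never carries the
#     hosting-account login;
# (2) an audit of a web root for world-writable paths (0777/0666) and for a
#     config.php that group/others can read.
# Names, the demo tree and the placeholder password are constructed for the demo.

# Print the SQL for a DB user limited to one database. No global rights,
# no GRANT OPTION, no FILE: only the DML/DDL a portal needs.
# Usage: least_privilege_grants DBNAME DBUSER PASSWORD | mysql -u root -p
least_privilege_grants() {
    db=$1; user=$2; pass=$3
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
    printf "FLUSH PRIVILEGES;\n"
}

# List every file or directory under $1 that "other" can write to: the
# 0777/0666 hole that any script running as the web server UID can use.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# "ok" when the config file denies group and others entirely (0600 or 0400,
# enough under suexec because scripts run as your own UID), else "exposed".
config_mode_check() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) echo ok ;;
        *) echo exposed ;;
    esac
}

# Tighten a suexec-style tree: drop other-write everywhere, lock config.php.
# Not for a mod_php host whose upload dirs genuinely depend on 0777.
tighten_suexec_tree() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} + 2>/dev/null
    chmod 0600 "$1/config.php"
}

# Constructed demo tree so the script runs offline.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/uploads" "$demo_root/cache"
printf '<?php $dbuser = "siteuser";\n' > "$demo_root/config.php"
chmod 0777 "$demo_root/uploads"     # the hole
chmod 0755 "$demo_root/cache"
chmod 0644 "$demo_root/config.php"  # readable by every UID on the box

echo "--- grants for a dedicated DB user ---"
least_privilege_grants nukedb siteuser 'CHANGE_ME_placeholder'
echo "--- world-writable paths under $demo_root ---"
world_writable "$demo_root"
echo "--- config.php before: $(config_mode_check "$demo_root/config.php") ---"
tighten_suexec_tree "$demo_root"
echo "--- config.php after:  $(config_mode_check "$demo_root/config.php") ---"
```

On a mod_php host the audit is the useful part: every path it lists is writable by whatever runs under the shared web server UID, and the only real fix is the separate DB user plus moving to suexec (or an equivalent per-user PHP setup) so the 0777 directories can go away.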
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Sat Feb 04, 2006 5:42 pm
No... no... no... I knew you were joking, maze...
But you know how it goes... from the 10 that fall for this story 1 or 2 actually read this, from those 2 maybe... I say maybe 1 follows the advice...
djmaze
Posted: Sat Feb 04, 2006 5:45 pm
If only one reads this, you should lock forums about security, cos they get hacked anyway.
hitwalker
Posted: Sat Feb 04, 2006 5:51 pm
Got a point there...
I just got mail from my 404 saying some idiot was trying to link into a mod I don't even have...
like ...../pnadodb/cmd.txt... etc... etc...
linked to my site...
The site that was hacked says... community building with open software...
Big laugh...
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Sat Feb 04, 2006 6:15 pm
I just redirect everything to your site, hit.
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Sat Feb 04, 2006 6:15 pm
:::Puts head back into the sands:::
_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
hitwalker
Posted: Sat Feb 04, 2006 6:16 pm
Oh, that's ok Guardian... I have a big shoebox... there's enough space for more IPs... lol
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Sun Feb 05, 2006 10:20 am
Thanks, as always, for your many contributions, djmaze. I would be interested in your thoughts on how config.php might be compromised.
Offtopic: Six! You're back! Have you seen any of the latest posts on CNB YA?
_________________
I search, therefore I exist...
djmaze
Posted: Sun Feb 05, 2006 1:07 pm
kguske wrote:
    Thanks, as always, for your many contributions, djmaze. I would be interested in your thoughts on how config.php might be compromised.
1. Create account on server
2. echo get_file_content('/home/TARGET_USER/public_html/config.php');
3. good luck
Tougher:
1. Hack into php-nuke and echo login details
Much Tougher (needs website that allows uploading):
1. upload php file
2. execute uploaded php file
hitwalker
Posted: Sun Feb 05, 2006 1:11 pm
Now that's why I don't have a config.php anymore, at least not where it should be...
kguske
Posted: Sun Feb 05, 2006 1:16 pm
Thanks for the quick follow-up, djmaze!
Just to clarify, the first (easy? tough?) approach assumes you can get an account on the same server and that you know the root path of the target, right?
That's another good reason not to post your unedited PHP error messages that include the base path here or on other support sites!
djmaze
Posted: Sun Feb 05, 2006 3:39 pm
hitwalker wrote:
    Now that's why I don't have a config.php anymore, at least not where it should be...
Useless, since I use echo get_file_content(), so if you move the file I can get it anyway.
chmod to 0400 works on suexec.
hitwalker
Posted: Sun Feb 05, 2006 3:44 pm
Well, I'm confident the servers I'm on are safe, and my config is way out of reach...
If that all was possible, Raven... you... Burzi, everybody would be hacked by now...
djmaze
Posted: Sun Feb 05, 2006 5:53 pm
Incorrect, hitwalker, I'm on dedicated hosting and that's a big difference here.
hitwalker
Posted: Sun Feb 05, 2006 6:02 pm
Well, I'm not a bit concerned with my stuff.
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Sun Feb 05, 2006 7:03 pm
djmaze wrote:
    1. Create account on server
    2. echo get_file_content('/home/TARGET_USER/public_html/config.php');
    3. good luck
Where are you putting that, cowboy?
_________________
.:: "The further in you go, the bigger it gets!" ::.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Sun Feb 05, 2006 8:54 pm
Well, if they can get an account on your server, they don't need your config.php file.